OLD | NEW |
1 <!DOCTYPE html> | 1 <!DOCTYPE html> |
2 <script src="/resources/testharness.js"></script> | 2 <script src="/resources/testharness.js"></script> |
3 <script src="/resources/testharnessreport.js"></script> | 3 <script src="/resources/testharnessreport.js"></script> |
4 <script src="./resources/helper.js"></script> | 4 <script src="./resources/helper.js"></script> |
5 <body> | 5 <body> |
6 <script> | 6 <script> |
7 // We're injecting markup via `srcdoc` so, confusingly, we need to | 7 // We're injecting markup via `srcdoc` so, confusingly, we need to |
8 // entity-escape the "raw" content, and double-escape the "escaped" | 8 // entity-escape the "raw" content, and double-escape the "escaped" |
9 // content. | 9 // content. |
10 var rawBrace = "<"; | 10 var rawBrace = "<"; |
11 var escapedBrace = "&lt;"; | 11 var escapedBrace = "&lt;"; |
12 var rawNewline = " "; | 12 var rawNewline = " "; |
13 var escapedNewline = "&#10;"; | 13 var escapedNewline = "&#10;"; |
14 | 14 |
15 var abeSizedPng = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEwAAABnAQMAA
ACQMjadAAAAA1BMVEX///+nxBvIAAAAEUlEQVQ4y2MYBaNgFIwCegAABG0AAd5G4RkAAAAASUVORK5CY
II="; | 15 var abeSizedPng = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEwAAABnAQMAA
ACQMjadAAAAA1BMVEX///+nxBvIAAAAEUlEQVQ4y2MYBaNgFIwCegAABG0AAd5G4RkAAAAASUVORK5CY
II="; |
16 var abeSizedPngWithNewline = abeSizedPng.replace("i", "i\n"); | 16 var abeSizedPngWithNewline = abeSizedPng.replace("i", "i\n"); |
17 | 17 |
18 var should_block = [ | 18 var should_block = [ |
19 `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?im
g=a${rawNewline}b${rawBrace}c">`, | 19 `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?da
ta=1${rawNewline}b">`, |
| 20 `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?im
g=2${rawNewline}b${rawBrace}c">`, |
20 ` | 21 ` |
21 <img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?i
mg=a | 22 <img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?i
mg=3 |
22 b${rawBrace}c | 23 b${rawBrace}c |
23 "> | 24 "> |
24 `, | 25 `, |
| 26 `<img id="dangling" src="${abeSizedPngWithNewline}">`, |
25 ]; | 27 ]; |
26 | 28 |
27 should_block.forEach(markup => { | 29 should_block.forEach(markup => { |
28 async_test(t => { | 30 async_test(t => { |
29 var i = createFrame(`${markup}`); | 31 var i = createFrame(`${markup}`); |
30 assert_img_not_loaded(t, i); | 32 assert_img_not_loaded(t, i); |
31 }, markup.replace(/[\n\r]/g, '')); | 33 }, markup.replace(/[\n\r]/g, '')); |
32 }); | 34 }); |
33 | 35 |
34 var should_load = [ | 36 var should_load = [ |
35 | 37 // Brace alone doesn't block: |
36 // `data:` and `javascript:` URLs don't check the content: | 38 `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?4&
img=${rawBrace}b">`, |
37 `<img id="dangling" src="${abeSizedPngWithNewline}">`, | |
38 | |
39 // Just one or the other isn't enough: | |
40 `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?da
ta=a${rawNewline}b">`, | |
41 `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?im
g=a${rawBrace}b">`, | |
42 | 39 |
43 // Entity-escaped characters don't trigger blocking: | 40 // Entity-escaped characters don't trigger blocking: |
44 `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?da
ta=a${escapedNewline}b">`, | 41 `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?5&
data=${escapedNewline}b">`, |
45 `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?im
g=a${escapedBrace}b">`, | 42 `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?6&
img=${escapedBrace}b">`, |
46 `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?im
g=a${escapedNewline}b${escapedBrace}c">`, | 43 `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?7&
img=${escapedNewline}b${escapedBrace}c">`, |
47 | 44 |
48 // Leading and trailing whitespace is stripped: | 45 // Leading and trailing whitespace is stripped: |
49 ` | 46 ` |
50 <img id="dangling" src=" | 47 <img id="dangling" src=" |
51 http://127.0.0.1:8000/security/resources/abe.png | 48 http://127.0.0.1:8000/security/resources/abe.png?8 |
52 "> | 49 "> |
53 <input type=hidden name=csrf value=sekrit> | 50 <input type=hidden name=csrf value=sekrit> |
54 `, | 51 `, |
55 ` | 52 ` |
56 <img id="dangling" src=" | 53 <img id="dangling" src=" |
57 http://127.0.0.1:8000/security/resources/abe.png?img=${escapedBrace} | 54 http://127.0.0.1:8000/security/resources/abe.png?9&img=${escapedBrace} |
58 "> | 55 "> |
59 <input type=hidden name=csrf value=sekrit> | 56 <input type=hidden name=csrf value=sekrit> |
60 `, | 57 `, |
61 ` | 58 ` |
62 <img id="dangling" src=" | 59 <img id="dangling" src=" |
63 http://127.0.0.1:8000/security/resources/abe.png?img=${escapedNewline} | 60 http://127.0.0.1:8000/security/resources/abe.png?10&img=${escapedNewline} |
64 "> | 61 "> |
65 <input type=hidden name=csrf value=sekrit> | 62 <input type=hidden name=csrf value=sekrit> |
66 `, | 63 `, |
67 ]; | 64 ]; |
68 | 65 |
69 should_load.forEach(markup => { | 66 should_load.forEach(markup => { |
70 async_test(t => { | 67 async_test(t => { |
71 var i = createFrame(`${markup} <element attr="" another=''>`); | 68 var i = createFrame(`${markup} <element attr="" another=''>`); |
72 assert_img_loaded(t, i); | 69 assert_img_loaded(t, i); |
73 }, markup.replace(/[\n\r]/g, '')); | 70 }, markup.replace(/[\n\r]/g, '')); |
74 }); | 71 }); |
75 </script> | 72 </script> |
76 | 73 |
OLD | NEW |