third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute.html - Issue 2794303002: Deprecate resource requests whose URLs contain raw newlines.

Unified Diff: third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute.html

Issue 2794303002: Deprecate resource requests whose URLs contain raw newlines. (Closed)

Patch Set: Rebase. Created 3 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/local/absolute-url-strip-whitespace-expected.txt ('k') | third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute-expected.txt » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute.html

diff --git a/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute.html b/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute.html

index 7c3639e5dd143c926efd79d72f543ea06f3ecd5e..3c03d5137d548a53f78367ed19a6867a5d42ac38 100644

--- a/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute.html

+++ b/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute.html

@@ -16,12 +16,14 @@

var abeSizedPngWithNewline = abeSizedPng.replace("i", "i\n");

var should_block = [

- `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=a${rawNewline}b${rawBrace}c">`,

+ `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?data=1${rawNewline}b">`,

+ `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=2${rawNewline}b${rawBrace}c">`,

- <img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=a

+ <img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=3

b${rawBrace}c

+ `<img id="dangling" src="${abeSizedPngWithNewline}">`,

];

should_block.forEach(markup => {

@@ -32,35 +34,30 @@

});

var should_load = [

- // `data:` and `javascript:` URLs don't check the content:

- `<img id="dangling" src="${abeSizedPngWithNewline}">`,

- // Just one or the other isn't enough:

- `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?data=a${rawNewline}b">`,

- `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=a${rawBrace}b">`,

+ // Brace alone doesn't block:

+ `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?4&img=${rawBrace}b">`,

// Entity-escaped characters don't trigger blocking:

- `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?data=a${escapedNewline}b">`,

- `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=a${escapedBrace}b">`,

- `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=a${escapedNewline}b${escapedBrace}c">`,

+ `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?5&data=${escapedNewline}b">`,

+ `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?6&img=${escapedBrace}b">`,

+ `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?7&img=${escapedNewline}b${escapedBrace}c">`,

// Leading and trailing whitespace is stripped:

<img id="dangling" src="

- http://127.0.0.1:8000/security/resources/abe.png

+ http://127.0.0.1:8000/security/resources/abe.png?8

<img id="dangling" src="

- http://127.0.0.1:8000/security/resources/abe.png?img=${escapedBrace}

+ http://127.0.0.1:8000/security/resources/abe.png?9&img=${escapedBrace}

<img id="dangling" src="

- http://127.0.0.1:8000/security/resources/abe.png?img=${escapedNewline}

+ http://127.0.0.1:8000/security/resources/abe.png?10&img=${escapedNewline}