third_party/WebKit/LayoutTests/external/wpt/fetch/dangling-markup-mitigation.tentative.html - Issue 2895953002: Update dangling markup mitigations.

Unified Diff: third_party/WebKit/LayoutTests/external/wpt/fetch/dangling-markup-mitigation.tentative.html

Issue 2895953002: Update dangling markup mitigations. (Closed)

Patch Set: Test. Created 3 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

« no previous file with comments | « third_party/WebKit/LayoutTests/editing/pasteboard/dragstart-contains-default-content-expected.txt ('k') | third_party/WebKit/LayoutTests/fast/canvas/canvas-composite-canvas-expected.txt » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/LayoutTests/external/wpt/fetch/dangling-markup-mitigation.tentative.html

diff --git a/third_party/WebKit/LayoutTests/external/wpt/fetch/dangling-markup-mitigation.tentative.html b/third_party/WebKit/LayoutTests/external/wpt/fetch/dangling-markup-mitigation.tentative.html

new file mode 100644

index 0000000000000000000000000000000000000000..d3bef91c5e558bab05418e8e34212b74833ad456

--- /dev/null

+++ b/third_party/WebKit/LayoutTests/external/wpt/fetch/dangling-markup-mitigation.tentative.html

@@ -0,0 +1,158 @@

+<!DOCTYPE html>

Mike West 2017/05/24 07:10:48 This is the actual test. The rest of the test file

+<script src="/resources/testharness.js"></script>

+<script src="/resources/testharnessreport.js"></script>

+<script src="./resources/helper.js"></script>

+<body>

+<script>

+ function readableURL(url) {

+ return url.replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\t/g, "\\t");

+ }

+ var should_load = [

+ `/images/green-1x1.png`,

+ `/images/gre\nen-1x1.png`,

+ `/images/gre\ten-1x1.png`,

+ `/images/gre\ren-1x1.png`,

+ `/images/green-1x1.png?img=<`,

+ `/images/green-1x1.png?img=%3C`,

+ `/images/gr\neen-1x1.png?img=%3C`,

+ `/images/gr\reen-1x1.png?img=%3C`,

+ `/images/gr\teen-1x1.png?img=%3C`,

+ `/images/green-1x1.png?img=
`,

+ `/images/gr\neen-1x1.png?img=
`,

+ `/images/gr\reen-1x1.png?img=
`,

+ `/images/gr\teen-1x1.png?img=
`,

+ ];

+ should_load.forEach(url => async_test(t => {

+ fetch(url)

+ .then(t.step_func_done(r => {

+ assert_equals(r.status, 200);

+ }))

+ .catch(t.unreached_func("Fetch should succeed."));

+ }, "Fetch: " + readableURL(url)));

+ var should_block = [

+ `/images/gre\nen-1x1.png?img=<`,

+ `/images/gre\ren-1x1.png?img=<`,

+ `/images/gre\ten-1x1.png?img=<`,

+ `/images/green-1x1.png?<\n=block`,

+ `/images/green-1x1.png?<\r=block`,

+ `/images/green-1x1.png?<\t=block`,

+ ];

+ should_block.forEach(url => async_test(t => {

+ fetch(url)

+ .then(t.unreached_func("Fetch should fail."))

+ .catch(t.step_func_done());

+ }, "Fetch: " + readableURL(url)));

+ // For each of the following tests, we'll inject a frame containing the HTML we'd like to poke at

+ // as a `srcdoc` attribute. Because we're injecting markup via `srcdoc`, we need to entity-escape

+ // the content we'd like to treat as "raw" (e.g. `\n` => `
`, `<` => `<`), and

+ // double-escape the "escaped" content.

+ var rawBrace = "<";

+ var escapedBrace = "&lt;";

+ var rawNewline = "
";

+ var escapedNewline = "&#10;";

+ function appendFrameAndGetElement(test, frame) {

+ return new Promise((resolve, reject) => {

+ frame.onload = test.step_func(_ => {

+ frame.onload = null;

+ resolve(frame.contentDocument.querySelector('#dangling'));

+ });

+ document.body.appendChild(frame);

+ });

+ }

+ function assert_img_loaded(test, frame) {

+ appendFrameAndGetElement(test, frame)

+ .then(test.step_func_done(img => {

+ assert_equals(img.naturalHeight, 1, "Height");

+ frame.remove();

+ }));

+ }

+ function assert_img_not_loaded(test, frame) {

+ appendFrameAndGetElement(test, frame)

+ .then(test.step_func_done(img => {

+ assert_equals(img.naturalHeight, 0, "Height");

+ assert_equals(img.naturalWidth, 0, "Width");

+ }));

+ }

+ function createFrame(markup) {

+ var i = document.createElement('iframe');

+ i.srcdoc = `${markup}sekrit`;

+ return i;

+ }

+ // The following resources should not be blocked, as their URLs do not contain both a `\n` and `<`

+ // character in the body of the URL.

+ var should_load = [

+ // Brace alone doesn't block:

+ `<img id="dangling" src="/images/green-1x1.png?img=${rawBrace}b">`,

+ // Newline alone doesn't block:

+ `<img id="dangling" src="/images/green-1x1.png?img=${rawNewline}b">`,

+ // Entity-escaped characters don't trigger blocking:

+ `<img id="dangling" src="/images/green-1x1.png?img=${escapedNewline}b">`,

+ `<img id="dangling" src="/images/green-1x1.png?img=${escapedBrace}b">`,

+ `<img id="dangling" src="/images/green-1x1.png?img=${escapedNewline}b${escapedBrace}c">`,

+ // Leading and trailing whitespace is stripped:

+ `

+ <img id="dangling" src="

+ /images/green-1x1.png?img=

+ ">

+ `,

+ `

+ <img id="dangling" src="

+ /images/green-1x1.png?img=${escapedBrace}

+ ">

+ `,

+ `

+ <img id="dangling" src="

+ /images/green-1x1.png?img=${escapedNewline}

+ ">

+ `,

+ // Data URLs don't trigger blocking:

+ `<img id="dangling" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=">`,

+ `<img id="dangling" src="data:image/png;base64,${rawNewline}iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=">`,

+ `<img id="dangling" src="data:image/png;base64,i${rawNewline}VBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=">`,

+ `<img id="dangling" src="data:image/svg+xml;utf8,

+ <svg width='1' height='1' xmlns='http://www.w3.org/2000/svg'>

+ <rect width='100%' height='100%' fill='rebeccapurple'/>

+ <rect x='10%' y='10%' width='80%' height='80%' fill='lightgreen'/>

+ </svg>">`

+ ];

+ should_load.forEach(markup => {

+ async_test(t => {

+ var i = createFrame(`${markup} <element attr="" another=''>`);

+ assert_img_loaded(t, i);

+ }, readableURL(markup));

+ });

+ // The following resources should be blocked, as their URLs contain both `\n` and `<` characters:

+ var should_block = [

+ `<img id="dangling" src="/images/green-1x1.png?img=${rawNewline}${rawBrace}b">`,

+ `<img id="dangling" src="/images/green-1x1.png?img=${rawBrace}${rawNewline}b">`,

+ `

+ <img id="dangling" src="/images/green-1x1.png?img=

+ ${rawBrace}

+ ${rawNewline}b

+ ">

+ `,

+ ];

+ should_block.forEach(markup => {

+ async_test(t => {

+ var i = createFrame(`${markup}`);

+ assert_img_not_loaded(t, i);

+ }, readableURL(markup));

+ });

+</script>