Diffstat (limited to 'testing/web-platform/tests/fetch/nosniff')
17 files changed, 280 insertions, 0 deletions
diff --git a/testing/web-platform/tests/fetch/nosniff/image.html b/testing/web-platform/tests/fetch/nosniff/image.html
new file mode 100644
index 000000000..e5869d94e
--- /dev/null
+++ b/testing/web-platform/tests/fetch/nosniff/image.html
@@ -0,0 +1,29 @@
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+ var fails = ["", "?type=", "?type=x", "?type=x/x"],
+ passes = ["?type=image/gif", "?type=image/png", "?type=image/png;blah"]
+
+ fails.forEach(function(urlpart) {
+ async_test(function(t) {
+ var img = document.createElement("img")
+ img.onerror = t.step_func_done(function(){})
+ img.onload = t.unreached_func("Unexpected load event")
+ img.src = "resources/image.py" + urlpart
+ document.body.appendChild(img)
+ }, "URL query: " + urlpart)
+ })
+
+ passes.forEach(function(urlpart) {
+ async_test(function(t) {
+ var img = document.createElement("img")
+ img.onerror = t.unreached_func("Unexpected error event")
+ img.onload = t.step_func_done(function(){
+ assert_equals(img.width, 96)
+ })
+ img.src = "resources/image.py" + urlpart
+ document.body.appendChild(img)
+ }, "URL query: " + urlpart)
+ })
+</script>
diff --git a/testing/web-platform/tests/fetch/nosniff/importscripts.html b/testing/web-platform/tests/fetch/nosniff/importscripts.html
new file mode 100644
index 000000000..920b6bdd4
--- /dev/null
+++ b/testing/web-platform/tests/fetch/nosniff/importscripts.html
@@ -0,0 +1,14 @@
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+ async_test(function(t) {
+ var w = new Worker("importscripts.js")
+ w.onmessage = t.step_func(function(e) {
+ if(e.data == "END")
+ t.done()
+ else
+ assert_equals(e.data, "PASS")
+ })
+ }, "Test importScripts()")
+</script>
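Review bot: In importscripts.html the `onmessage` handler accepts any number of "PASS" messages before "END", so a browser whose `importScripts()` neither throws nor runs the blocked script for the four mismatched types would still pass the test. Counting the messages closes that gap: `var seen = 0` before the worker is created, `seen++` in the else branch, and `assert_equals(seen, 7)` just before `t.done()` (four expected NetworkErrors plus three allowed imports, going by importscripts.js in this commit). No error handler is set on the worker either, so a worker that fails to start would surface as a timeout rather than an explicit failure.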
diff --git a/testing/web-platform/tests/fetch/nosniff/importscripts.js b/testing/web-platform/tests/fetch/nosniff/importscripts.js
new file mode 100644
index 000000000..aeb615487
--- /dev/null
+++ b/testing/web-platform/tests/fetch/nosniff/importscripts.js
@@ -0,0 +1,17 @@
+// Testing importScripts()
+function log(w) { this.postMessage(w) }
+function f() { log("FAIL") }
+function p() { log("PASS") }
+
+["", "?type=", "?type=x", "?type=x/x"].forEach(function(urlpart) {
+ try {
+ importScripts("resources/js.py" + urlpart)
+ } catch(e) {
+ (e.name == "NetworkError") ? p() : log("FAIL (no NetworkError exception): " + urlpart)
+ }
+
+})
+importScripts("resources/js.py?type=text/javascript&outcome=p")
+importScripts("resources/js.py?type=text/ecmascript&outcome=p")
+importScripts("resources/js.py?type=text/ecmascript;blah&outcome=p")
+log("END")
diff --git a/testing/web-platform/tests/fetch/nosniff/parsing-nosniff.html b/testing/web-platform/tests/fetch/nosniff/parsing-nosniff.html
new file mode 100644
index 000000000..10c5cadfc
--- /dev/null
+++ b/testing/web-platform/tests/fetch/nosniff/parsing-nosniff.html
@@ -0,0 +1,28 @@
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+ var fails = ["first", "uppercase"],
+ passes = ["last", "quoted", "quoted-single", "no-x"]
+
+ fails.forEach(function(urlpart) {
+ async_test(function(t) {
+ var script = document.createElement("script")
+ script.onerror = t.step_func_done(function(){})
+ script.onload = t.unreached_func("Unexpected load event")
+ script.src = "resources/nosniff-" + urlpart + ".asis"
+ document.body.appendChild(script)
+ }, "URL query: " + urlpart)
+ })
+
+ passes.forEach(function(urlpart) {
+ async_test(function(t) {
+ var script = document.createElement("script")
+ script.onerror = t.unreached_func("Unexpected error event")
+ script.onload = t.step_func_done(function(){})
+ script.src = "resources/nosniff-" + urlpart + ".asis"
+ document.body.appendChild(script)
+ }, "URL query: " + urlpart)
+ })
+
+</script>
diff --git a/testing/web-platform/tests/fetch/nosniff/resources/css.py b/testing/web-platform/tests/fetch/nosniff/resources/css.py
new file mode 100644
index 000000000..7c4c63b59
--- /dev/null
+++ b/testing/web-platform/tests/fetch/nosniff/resources/css.py
@@ -0,0 +1,15 @@
+def main(request, response):
+ outcome = request.GET.first("outcome", "f")
+ type = request.GET.first("type", None)
+
+ content = "/* nothing to see here */"
+
+ response.add_required_headers = False
+ response.writer.write_status(200)
+ response.writer.write_header("x-content-type-options", "nosniff")
+ response.writer.write_header("content-length", len(content))
+ if(type != None):
+ response.writer.write_header("content-type", type)
+ response.writer.end_headers()
+
+ response.writer.write(content)
diff --git a/testing/web-platform/tests/fetch/nosniff/resources/image.py b/testing/web-platform/tests/fetch/nosniff/resources/image.py
new file mode 100644
index 000000000..8fb05edc6
--- /dev/null
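Review bot: Nothing in parsing-nosniff.html says why each fixture is expected to be blocked or to load, and the test titles read "URL query: " although `urlpart` here is a fixture name rather than a query string. A comment above the two arrays would make the expectations reviewable, for example `// fails: nosniff is in effect (first header value wins, value matched case-insensitively), so the x/x script is blocked` and `// passes: header not recognised as nosniff (non-matching first value, quoted value, missing X- prefix), so the script loads`. A title prefix such as `"Fixture: " + urlpart` would match what is tested. For anyone reading these as deployment guidance, the expected results mean a quoted value or a `nosniff` that follows a non-matching duplicate header leaves the protection off.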
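Review bot: In css.py the `type` query value is written straight into the Content-Type header and nothing visible in the handler rejects CR or LF; whether `write_header` filters them is not shown in this diff, so a guard such as `if type is not None and ("\r" in type or "\n" in type): type = None` ahead of the header block would keep the handler from emitting extra header lines if the writer passes values through. The same header-from-query pattern appears in image.py, js.py and worker.py in this commit. Separately, `outcome` is read at the top of `main` in css.py but never used and can be dropped, and `type` shadows the builtin; `content_type` with an `is not None` check would read better.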
+++ b/testing/web-platform/tests/fetch/nosniff/resources/image.py
@@ -0,0 +1,16 @@
+import os.path
+
+def main(request, response):
+ type = request.GET.first("type", None)
+
+ body = open(os.path.join(os.path.dirname(__file__), "../../../images/blue96x96.png"), "rb").read()
+
+ response.add_required_headers = False
+ response.writer.write_status(200)
+ response.writer.write_header("x-content-type-options", "nosniff")
+ response.writer.write_header("content-length", len(body))
+ if(type != None):
+ response.writer.write_header("content-type", type)
+ response.writer.end_headers()
+
+ response.writer.write(body)
diff --git a/testing/web-platform/tests/fetch/nosniff/resources/js.py b/testing/web-platform/tests/fetch/nosniff/resources/js.py
new file mode 100644
index 000000000..0c06d9cd2
--- /dev/null
+++ b/testing/web-platform/tests/fetch/nosniff/resources/js.py
@@ -0,0 +1,17 @@
+def main(request, response):
+ outcome = request.GET.first("outcome", "f")
+ type = request.GET.first("type", "Content-Type missing")
+
+ content = "// nothing to see here"
+ content += "\n"
+ content += "log('FAIL: " + type + "')" if (outcome == "f") else "p()"
+
+ response.add_required_headers = False
+ response.writer.write_status(200)
+ response.writer.write_header("x-content-type-options", "nosniff")
+ response.writer.write_header("content-length", len(content))
+ if(type != "Content-Type missing"):
+ response.writer.write_header("content-type", type)
+ response.writer.end_headers()
+
+ response.writer.write(content)
diff --git a/testing/web-platform/tests/fetch/nosniff/resources/nosniff-first.asis b/testing/web-platform/tests/fetch/nosniff/resources/nosniff-first.asis
new file mode 100644
index 000000000..bccc53eef
--- /dev/null
+++ b/testing/web-platform/tests/fetch/nosniff/resources/nosniff-first.asis
@@ -0,0 +1,7 @@
+HTTP/1.1 200 YOU HAVE NO POWER HERE
+Content-Length: 22
+Content-Type: x/x
+X-Content-Type-options: nosniff
+X-Content-Type-Options: no
+
+// nothing to see here
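Review bot: In image.py the PNG is read with `open(...).read()`, which leaves the file object to be closed whenever it is collected; over a long test run, or on an interpreter without reference counting, that can hold descriptors open longer than intended. A context manager makes the close deterministic: `with open(path, "rb") as f:` followed by `body = f.read()`, where `path` holds the existing `os.path.join(...)` expression. The path is built only from `__file__` and a constant, so the request does not influence which file is served.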
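Review bot: In js.py the `type` query value is concatenated into a single-quoted JavaScript string (`"log('FAIL: " + type + "')"`) without escaping, so a value containing a quote or backslash changes the script the handler returns rather than only the logged text. The handler only needs to report the value, so serialising it keeps the body well-formed for any input: `content += "log(" + json.dumps("FAIL: " + type) + ")" if (outcome == "f") else "p()"`, with `import json` added at the top of the file. How much this matters depends on whether the test server is reachable by anything other than the test runner, which this diff does not show.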
diff --git a/testing/web-platform/tests/fetch/nosniff/resources/nosniff-last.asis b/testing/web-platform/tests/fetch/nosniff/resources/nosniff-last.asis
new file mode 100644
index 000000000..e3de0733e
--- /dev/null
+++ b/testing/web-platform/tests/fetch/nosniff/resources/nosniff-last.asis
@@ -0,0 +1,7 @@
+HTTP/1.1 200 YOU HAVE NO POWER HERE
+Content-Length: 22
+Content-Type: x/x
+X-Content-Type-Options: no
+X-Content-Type-options: nosniff
+
+// nothing to see here
diff --git a/testing/web-platform/tests/fetch/nosniff/resources/nosniff-no-x.asis b/testing/web-platform/tests/fetch/nosniff/resources/nosniff-no-x.asis
new file mode 100644
index 000000000..329d0f721
--- /dev/null
+++ b/testing/web-platform/tests/fetch/nosniff/resources/nosniff-no-x.asis
@@ -0,0 +1,6 @@
+HTTP/1.1 200 YOU HAVE NO POWER HERE
+Content-Length: 22
+Content-Type: x/x
+Content-Type-Options: nosniff
+
+// nothing to see here
diff --git a/testing/web-platform/tests/fetch/nosniff/resources/nosniff-quoted-single.asis b/testing/web-platform/tests/fetch/nosniff/resources/nosniff-quoted-single.asis
new file mode 100644
index 000000000..501f18999
--- /dev/null
+++ b/testing/web-platform/tests/fetch/nosniff/resources/nosniff-quoted-single.asis
@@ -0,0 +1,6 @@
+HTTP/1.1 200 YOU HAVE NO POWER HERE
+Content-Length: 22
+Content-Type: x/x
+X-Content-Type-Options: 'NosniFF'
+
+// nothing to see here
diff --git a/testing/web-platform/tests/fetch/nosniff/resources/nosniff-quoted.asis b/testing/web-platform/tests/fetch/nosniff/resources/nosniff-quoted.asis
new file mode 100644
index 000000000..c6de62b68
--- /dev/null
+++ b/testing/web-platform/tests/fetch/nosniff/resources/nosniff-quoted.asis
@@ -0,0 +1,6 @@
+HTTP/1.1 200 YOU HAVE NO POWER HERE
+Content-Length: 22
+Content-Type: x/x
+X-Content-Type-Options: "nosniFF"
+
+// nothing to see here
diff --git a/testing/web-platform/tests/fetch/nosniff/resources/nosniff-uppercase.asis b/testing/web-platform/tests/fetch/nosniff/resources/nosniff-uppercase.asis
new file mode 100644
index 000000000..8097fddce
--- /dev/null
+++ b/testing/web-platform/tests/fetch/nosniff/resources/nosniff-uppercase.asis
@@ -0,0 +1,6 @@
+HTTP/1.1 200 YOU HAVE NO POWER HERE
+Content-Length: 22
+Content-Type: x/x
+X-Content-Type-Options: NOSNIFF
+
+// nothing to see here
diff --git a/testing/web-platform/tests/fetch/nosniff/resources/worker.py b/testing/web-platform/tests/fetch/nosniff/resources/worker.py
new file mode 100644
index 000000000..3903ba349
--- /dev/null
+++ b/testing/web-platform/tests/fetch/nosniff/resources/worker.py
@@ -0,0 +1,16 @@
+def main(request, response):
+ type = request.GET.first("type", None)
+
+ content = "// nothing to see here"
+ content += "\n"
+ content += "this.postMessage('hi')"
+
+ response.add_required_headers = False
+ response.writer.write_status(200)
+ response.writer.write_header("x-content-type-options", "nosniff")
+ response.writer.write_header("content-length", len(content))
+ if(type != None):
+ response.writer.write_header("content-type", type)
+ response.writer.end_headers()
+
+ response.writer.write(content)
diff --git a/testing/web-platform/tests/fetch/nosniff/script.html b/testing/web-platform/tests/fetch/nosniff/script.html
new file mode 100644
index 000000000..667f3c99a
--- /dev/null
+++ b/testing/web-platform/tests/fetch/nosniff/script.html
@@ -0,0 +1,32 @@
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+ var log = function() {}, // see comment below
+ p = function() {}, // see comment below
+ fails = ["", "?type=", "?type=x", "?type=x/x"],
+ passes = ["?type=text/javascript", "?type=text/ecmascript", "?type=text/ecmascript;blah"]
+
+ // Ideally we'd also check whether the scripts in fact execute, but that would involve
+ // timers and might get a bit racy without cross-browser support for the execute events.
+
+ fails.forEach(function(urlpart) {
+ async_test(function(t) {
+ var script = document.createElement("script")
+ script.onerror = t.step_func_done(function(){})
+ script.onload = t.unreached_func("Unexpected load event")
+ script.src = "resources/js.py" + urlpart
+ document.body.appendChild(script)
+ }, "URL query: " + urlpart)
+ })
+
+ passes.forEach(function(urlpart) {
+ async_test(function(t) {
+ var script = document.createElement("script")
+ script.onerror = t.unreached_func("Unexpected error event")
+ script.onload = t.step_func_done(function(){})
+ script.src = "resources/js.py" + urlpart + "&outcome=p"
+ document.body.appendChild(script)
+ }, "URL query: " + urlpart)
+ })
+</script>
diff --git a/testing/web-platform/tests/fetch/nosniff/stylesheet.html b/testing/web-platform/tests/fetch/nosniff/stylesheet.html
new file mode 100644
index 000000000..0ad04038e
--- /dev/null
+++ b/testing/web-platform/tests/fetch/nosniff/stylesheet.html
@@ -0,0 +1,30 @@
+<!-- quirks mode is important, text/css is already required otherwise -->
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+ var fails = ["", "?type=", "?type=x", "?type=x/x"],
+ passes = ["?type=text/css", "?type=text/css;blah"]
+
+ fails.forEach(function(urlpart) {
+ async_test(function(t) {
+ var link = document.createElement("link")
+ link.rel = "stylesheet"
+ link.onerror = t.step_func_done(function(){})
+ link.onload = t.unreached_func("Unexpected load event")
+ link.href = "resources/css.py" + urlpart
+ document.body.appendChild(link)
+ }, "URL query: " + urlpart)
+ })
+
+ passes.forEach(function(urlpart) {
+ async_test(function(t) {
+ var link = document.createElement("link")
+ link.rel = "stylesheet"
+ link.onerror = t.unreached_func("Unexpected error event")
+ link.onload = t.step_func_done(function(){})
+ link.href = "resources/css.py" + urlpart
+ document.body.appendChild(link)
+ }, "URL query: " + urlpart)
+ })
+</script>
diff --git a/testing/web-platform/tests/fetch/nosniff/worker.html b/testing/web-platform/tests/fetch/nosniff/worker.html
new file mode 100644
index 000000000..466b2075e
--- /dev/null
+++ b/testing/web-platform/tests/fetch/nosniff/worker.html
@@ -0,0 +1,28 @@
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+ var workers = [],
+ fails = ["", "?type=", "?type=x", "?type=x/x"],
+ passes = ["?type=text/javascript", "?type=text/ecmascript", "?type=text/ecmascript;yay"]
+
+ fails.forEach(function(urlpart) {
+ async_test(function(t) {
+ var w = new Worker("resources/worker.py" + urlpart)
+ w.onmessage = t.unreached_func("Unexpected message event")
+ w.onerror = t.step_func_done(function(){})
+ workers.push(w) // avoid GC
+ }, "URL query: " + urlpart)
+ })
+
+ passes.forEach(function(urlpart) {
+ async_test(function(t) {
+ var w = new Worker("resources/worker.py" + urlpart)
+ w.onmessage = t.step_func_done(function(e){
+ assert_equals(e.data, "hi")
+ })
+ w.onerror = t.unreached_func("Unexpected error event")
+ workers.push(w) // avoid GC
+ }, "URL query: " + urlpart)
+ })
+</script> |