Google Git
Sign in
chromium / external / w3c / web-platform-tests / refs/tags/epochs/three_hourly/2021-09-23_03H
commit617fa69a4969e0765590322112166388471783ed[log] [tgz]
authorDavid Van Cleve <davidvc@chromium.org>Thu Sep 23 02:11:51 2021
committerBlink WPT Bot <blink-w3c-test-autoroller@chromium.org>Thu Sep 23 02:24:28 2021
tree33a8aacd66d03238893e984661a809a1462bee67
parent4bffb947f356ab179f50e70bdf637262c6b0bb66 [diff]
css: Use document (not base) URL for inline style preloads' referrers

crrev.com/c/2592447 fixed one code path where setting a document's base
URL (via the HTML <base> tag) led to requests from inline CSS using the
base URL as their referrer, rather than the document URL. This goes
against the recommendation in the Referrer Policy spec that requests
from inline CSS use their documents' referrers. [1] In general, we try
to avoid letting pages override outgoing requests' referrers to
different-origin URLs, even though this is not a hard security boundary.

It turns out a separate code path can also trigger requests from inline
style sheets: in particular, '@import' statements in inline stylesheets
get prefetched by the HTML parser, which currently has separate logic
that explicitly sets those requests' referrers to the document's base
URL.

This change removes that logic. After this change, preload requests from
inline style in the HTML parser will use the document's URL, not its
base URL, when generating their referrers. This CL also adds two new WPTs:
* "stylesheet-with-differentorigin-base-url.html" verifies the referrer
for an inline stylesheet requesting another stylesheet via an @import
statement. There are other tests inspecting the referrers for SVG and
image fetches from inline stylesheets, but not for child stylesheet
fetches. This test passes even without this CL applied (because of
crrev.com/c/2592447).
* "stylesheet-with-differentorigin-base-url-from-preload.html" does the
same thing, except from a srcdoc iframe. Using a srcdoc iframe triggers
the preload code path since the inline stylesheet is hardcoded in a
<style> HTML tag. (In contrast, the test above uses JS to add the style
element to the DOM.) Because this second test exercises the preload
codepath, it fails without this patch's functional changes applied.

With this patch applied, the repro in the linked bug no longer succeeds.

[1] https://www.w3.org/TR/referrer-policy/#integration-with-css

Test: New WPT covers the preload path. Manually tested the bug's repro.
Change-Id: I6bd797978b207a4bc0bb1b35565eb93c7162729f
Fixed: 1233375
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3078937
Commit-Queue: David Van Cleve <davidvc@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Emily Stark <estark@chromium.org>
Reviewed-by: Yoav Weiss <yoavweiss@chromium.org>
Cr-Commit-Position: refs/heads/main@{#924146}
3 files changed
tree: 33a8aacd66d03238893e984661a809a1462bee67
  1. .github/
  2. .well-known/
  3. accelerometer/
  4. accessibility/
  5. accname/
  6. acid/
  7. ambient-light/
  8. animation-worklet/
  9. annotation-model/
  10. annotation-protocol/
  11. annotation-vocab/
  12. apng/
  13. app-history/
  14. appmanifest/
  15. audio-output/
  16. background-fetch/
  17. BackgroundSync/
  18. badging/
  19. battery-status/
  20. beacon/
  21. bluetooth/
  22. clear-site-data/
  23. client-hints/
  24. clipboard-apis/
  25. common/
  26. compat/
  27. compression/
  28. compute-pressure/
  29. conformance-checkers/
  30. console/
  31. contacts/
  32. content-dpr/
  33. content-index/
  34. content-security-policy/
  35. contenteditable/
  36. cookie-store/
  37. cookies/
  38. core-aam/
  39. cors/
  40. credential-management/
  41. css/
  42. custom-elements/
  43. custom-state-pseudo-class/
  44. delegated-ink/
  45. density-size-correction/
  46. deprecation-reporting/
  47. device-memory/
  48. docs/
  49. document-policy/
  50. dom/
  51. domparsing/
  52. domxpath/
  53. dpub-aam/
  54. dpub-aria/
  55. editing/
  56. element-timing/
  57. encoding/
  58. encoding-detection/
  59. encrypted-media/
  60. entries-api/
  61. event-timing/
  62. eventsource/
  63. eyedropper/
  64. feature-policy/
  65. fetch/
  66. file-system-access/
  67. FileAPI/
  68. focus/
  69. font-access/
  70. fonts/
  71. forced-colors-mode/
  72. fullscreen/
  73. gamepad/
  74. generic-sensor/
  75. geolocation-API/
  76. geolocation-sensor/
  77. graphics-aam/
  78. gyroscope/
  79. hr-time/
  80. html/
  81. html-longdesc/
  82. html-media-capture/
  83. idle-detection/
  84. imagebitmap-renderingcontext/
  85. images/
  86. import-maps/
  87. IndexedDB/
  88. inert/
  89. infrastructure/
  90. input-device-capabilities/
  91. input-events/
  92. installedapp/
  93. interfaces/
  94. intersection-observer/
  95. intervention-reporting/
  96. is-input-pending/
  97. js/
  98. js-self-profiling/
  99. keyboard-lock/
  100. keyboard-map/
  101. largest-contentful-paint/
  102. layout-instability/
  103. lifecycle/
  104. loading/
  105. longtask-timing/
  106. magnetometer/
  107. managed/
  108. mathml/
  109. measure-memory/
  110. media/
  111. media-capabilities/
  112. media-playback-quality/
  113. media-source/
  114. mediacapture-depth/
  115. mediacapture-fromelement/
  116. mediacapture-image/
  117. mediacapture-insertable-streams/
  118. mediacapture-record/
  119. mediacapture-streams/
  120. mediasession/
  121. merchant-validation/
  122. mimesniff/
  123. mixed-content/
  124. mst-content-hint/
  125. native-io/
  126. navigation-timing/
  127. netinfo/
  128. network-error-logging/
  129. notifications/
  130. old-tests/
  131. orientation-event/
  132. orientation-sensor/
  133. origin-policy/
  134. page-lifecycle/
  135. page-visibility/
  136. paint-timing/
  137. payment-handler/
  138. payment-method-basic-card/
  139. payment-method-id/
  140. payment-request/
  141. performance-timeline/
  142. periodic-background-sync/
  143. permissions/
  144. permissions-policy/
  145. permissions-request/
  146. permissions-revoke/
  147. picture-in-picture/
  148. pointerevents/
  149. pointerlock/
  150. portals/
  151. preload/
  152. presentation-api/
  153. priority-hints/
  154. private-click-measurement/
  155. proximity/
  156. push-api/
  157. quirks/
  158. raw-sockets/
  159. referrer-policy/
  160. remote-playback/
  161. reporting/
  162. requestidlecallback/
  163. resize-observer/
  164. resource-timing/
  165. resources/
  166. sanitizer-api/
  167. savedata/
  168. scheduler/
  169. screen-capture/
  170. screen-orientation/
  171. screen-wake-lock/
  172. screen_enumeration/
  173. scroll-animations/
  174. scroll-to-text-fragment/
  175. secure-contexts/
  176. secure-payment-confirmation/
  177. selection/
  178. serial/
  179. server-timing/
  180. service-workers/
  181. shadow-dom/
  182. shape-detection/
  183. signed-exchange/
  184. speech-api/
  185. storage/
  186. storage-access-api/
  187. streams/
  188. subresource-integrity/
  189. svg/
  190. svg-aam/
  191. timing-entrytypes-registry/
  192. tools/
  193. touch-events/
  194. trust-tokens/
  195. trusted-types/
  196. ua-client-hints/
  197. uievents/
  198. upgrade-insecure-requests/
  199. url/
  200. urlpattern/
  201. user-timing/
  202. vibration/
  203. video-rvfc/
  204. virtual-keyboard/
  205. visual-viewport/
  206. wai-aria/
  207. wasm/
  208. web-animations/
  209. web-bundle/
  210. web-locks/
  211. web-nfc/
  212. web-otp/
  213. web-share/
  214. webaudio/
  215. webauthn/
  216. webcodecs/
  217. WebCryptoAPI/
  218. webdriver/
  219. webgl/
  220. webgpu/
  221. webhid/
  222. webidl/
  223. webmessaging/
  224. webmidi/
  225. webrtc/
  226. webrtc-encoded-transform/
  227. webrtc-extensions/
  228. webrtc-ice/
  229. webrtc-identity/
  230. webrtc-priority/
  231. webrtc-stats/
  232. webrtc-svc/
  233. websockets/
  234. webstorage/
  235. webtransport/
  236. webusb/
  237. webvr/
  238. webvtt/
  239. webxr/
  240. workers/
  241. worklets/
  242. x-frame-options/
  243. xhr/
  244. xslt/
  245. .azure-pipelines.yml
  246. .gitattributes
  247. .gitignore
  248. .mailmap
  249. .taskcluster.yml
  250. CODE_OF_CONDUCT.md
  251. CODEOWNERS
  252. CONTRIBUTING.md
  253. LICENSE.md
  254. lint.ignore
  255. README.md
  256. testharness_runner.html
  257. update-built-tests.sh
  258. wpt
  259. wpt.py
README.md

The web-platform-tests Project

Taskcluster CI Status documentation manifest Python 3

The web-platform-tests Project is a cross-browser test suite for the Web-platform stack. Writing tests in a way that allows them to be run in all browsers gives browser projects confidence that they are shipping software that is compatible with other implementations, and that later implementations will be compatible with their implementations. This in turn gives Web authors/developers confidence that they can actually rely on the Web platform to deliver on the promise of working across browsers and devices without needing extra layers of abstraction to paper over the gaps left by specification editors and implementors.

The most important sources of information and activity are:

  • github.com/web-platform-tests/wpt: the canonical location of the project's source code revision history and the discussion forum for changes to the code
  • web-platform-tests.org: the documentation website; details how to set up the project, how to write tests, how to give and receive peer review, how to serve as an administrator, and more
  • wpt.live: a public deployment of the test suite, allowing anyone to run the tests by visiting from an Internet-enabled browser of their choice
  • wpt.fyi: an archive of test results collected from an array of web browsers on a regular basis
  • Real-time chat room: the wpt:matrix.org matrix channel; includes participants located around the world, but busiest during the European working day.
  • Mailing list: a public and low-traffic discussion list
  • RFCs: a repo for requesting comments on substantial changes that would impact other stakeholders or users; people who work on WPT infra are encouraged to watch the repo.

If you'd like clarification about anything, don't hesitate to ask in the chat room or on the mailing list.

Setting Up the Repo

Clone or otherwise get https://github.com/web-platform-tests/wpt.

Note: because of the frequent creation and deletion of branches in this repo, it is recommended to “prune” stale branches when fetching updates, i.e. use git pull --prune (or git fetch -p && git merge).

Running the Tests

See the documentation website and in particular the system setup for running tests locally.

Command Line Tools

The wpt command provides a frontend to a variety of tools for working with and running web-platform-tests. Some of the most useful commands are:

  • wpt serve - For starting the wpt http server
  • wpt run - For running tests in a browser
  • wpt lint - For running the lint against all tests
  • wpt manifest - For updating or generating a MANIFEST.json test manifest
  • wpt install - For installing the latest release of a browser or webdriver server on the local machine.
  • wpt serve-wave - For starting the wpt http server and the WAVE test runner. For more details on how to use the WAVE test runner see the documentation.

Windows Notes

On Windows wpt commands must be prefixed with python or the path to the python binary (if python is not in your %PATH%).

python wpt [command]

Alternatively, you may also use Bash on Ubuntu on Windows in the Windows 10 Anniversary Update build, then access your windows partition from there to launch wpt commands.

Please make sure git and your text editor do not automatically convert line endings, as it will cause lint errors. For git, please set git config core.autocrlf false in your working tree.

Publication

The master branch is automatically synced to wpt.live and w3c-test.org.

Contributing

Save the Web, Write Some Tests!

Absolutely everyone is welcome to contribute to test development. No test is too small or too simple, especially if it corresponds to something for which you've noted an interoperability bug in a browser.

The way to contribute is just as usual:

  • Fork this repository (and make sure you're still relatively in sync with it if you forked a while ago).
  • Create a branch for your changes: git checkout -b topic.
  • Make your changes.
  • Run ./wpt lint as described above.
  • Commit locally and push that to your repo.
  • Create a pull request based on the above.

Issues with web-platform-tests

If you spot an issue with a test and are not comfortable providing a pull request per above to fix it, please file a new issue. Thank you!