fetch/corb/script-resource-with-nonsniffable-types.tentative.sub.html - external/w3c/web-platform-tests - Git at Google

 <!DOCTYPE html>
 <!-- Test verifies CORB will block responses with types that do not
   require confirmation sniffing.

   We assume that:
   1) it is unlikely that images, other media, scripts, etc. will be mislabelled
      as the |protected_mime_types| below,
   2) the |protected_mime_types| below are likely to contain sensitive,
      credentialled data.
 -->
 <meta charset="utf-8">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="/common/utils.js"></script>
 <div id=log></div>
 <script>
 setup({allow_uncaught_exception : true, single_test : true});

 function test(mime_type, is_blocking_expected) {
   var action = is_blocking_expected ? "blocks" : "does not block";

   async_test(function(t) {
     var script = document.createElement("script")
     var script_has_run_token = "script_has_run" + token();

     // With and without CORB there should be no error, but without CORB the
     // original script body will be preserved and |window.script_has_run| will
     // be set.
     window[script_has_run_token] = false;
     script.onload = t.step_func_done(function(){
       if (is_blocking_expected) {
         assert_false(window[script_has_run_token]);
       } else {
         assert_true(window[script_has_run_token]);
       }
     });
     addEventListener("error",function(e) {
       t.step(function() {
         assert_unreached("Unexpected error: " + e);
         t.done();
       })
     });

     // www1 is cross-origin, so the HTTP response is CORB-eligible.
     var src_prefix = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/sniffable-resource.py";
     body = `window['${script_has_run_token}'] = true;`
     script.src = src_prefix + "?type=" + mime_type + "&body=" + encodeURIComponent(body);
     document.body.appendChild(script)
   }, "CORB " + action + " '" + mime_type + "'");
 }

 // Some mime types should be protected by CORB without any kind
 // of confirmation sniffing.
 protected_mime_types = [
   "application/gzip",
   "application/msexcel",
   "application/mspowerpoint",
   "application/msword",
   "application/msword-template",
   "application/pdf",
   "application/vnd.ces-quickpoint",
   "application/vnd.ces-quicksheet",
   "application/vnd.ces-quickword",
   "application/vnd.ms-excel",
   "application/vnd.ms-excel.sheet.macroenabled.12",
   "application/vnd.ms-powerpoint",
   "application/vnd.ms-powerpoint.presentation.macroenabled.12",
   "application/vnd.ms-word",
   "application/vnd.ms-word.document.12",
   "application/vnd.ms-word.document.macroenabled.12",
   "application/vnd.msword",
   "application/vnd.openxmlformats-officedocument.presentationml.presentation",
   "application/vnd.openxmlformats-officedocument.presentationml.template",
   "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
   "application/vnd.openxmlformats-officedocument.spreadsheetml.template",
   "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
   "application/vnd.openxmlformats-officedocument.wordprocessingml.template",
   "application/vnd.presentation-openxml",
   "application/vnd.presentation-openxmlm",
   "application/vnd.spreadsheet-openxml",
   "application/vnd.wordprocessing-openxml",
   "application/x-gzip",
   "application/x-protobuf",
   "application/x-protobuffer",
   "application/zip",
   "multipart/byteranges",
   "multipart/signed",
   "text/event-stream",
   "text/csv",
 ]
 protected_mime_types.forEach(function(type) {
     test(type, true /* is_blocking_expected */);
 });

 // Other mime types.
 other_mime_types = [
   // These content types are legitimately allowed in 'no-cors' fetches.
   "application/javascript",

   // Confirmation sniffing will fail and prevent CORB from blocking the
   // response.
   "text/html",

   // Unrecognized content types.
   "application/blah"
 ]
 other_mime_types.forEach(function(type) {
     test(type, false /* is_blocking_expected */);
 });
 </script>
	<!DOCTYPE html>
	<!-- Test verifies CORB will block responses with types that do not
	require confirmation sniffing.

	We assume that:
	1) it is unlikely that images, other media, scripts, etc. will be mislabelled
	as the \|protected_mime_types\| below,
	2) the \|protected_mime_types\| below are likely to contain sensitive,
	credentialled data.
	-->
	<meta charset="utf-8">
	<script src="/resources/testharness.js"></script>
	<script src="/resources/testharnessreport.js"></script>
	<script src="/common/utils.js"></script>
	<div id=log></div>
	<script>
	setup({allow_uncaught_exception : true, single_test : true});

	function test(mime_type, is_blocking_expected) {
	var action = is_blocking_expected ? "blocks" : "does not block";

	async_test(function(t) {
	var script = document.createElement("script")
	var script_has_run_token = "script_has_run" + token();

	// With and without CORB there should be no error, but without CORB the
	// original script body will be preserved and \|window.script_has_run\| will
	// be set.
	window[script_has_run_token] = false;
	script.onload = t.step_func_done(function(){
	if (is_blocking_expected) {
	assert_false(window[script_has_run_token]);
	} else {
	assert_true(window[script_has_run_token]);
	}
	});
	addEventListener("error",function(e) {
	t.step(function() {
	assert_unreached("Unexpected error: " + e);
	t.done();
	})
	});

	// www1 is cross-origin, so the HTTP response is CORB-eligible.
	var src_prefix = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/sniffable-resource.py";
	body = `window['${script_has_run_token}'] = true;`
	script.src = src_prefix + "?type=" + mime_type + "&body=" + encodeURIComponent(body);
	document.body.appendChild(script)
	}, "CORB " + action + " '" + mime_type + "'");
	}

	// Some mime types should be protected by CORB without any kind
	// of confirmation sniffing.
	protected_mime_types = [
	"application/gzip",
	"application/msexcel",
	"application/mspowerpoint",
	"application/msword",
	"application/msword-template",
	"application/pdf",
	"application/vnd.ces-quickpoint",
	"application/vnd.ces-quicksheet",
	"application/vnd.ces-quickword",
	"application/vnd.ms-excel",
	"application/vnd.ms-excel.sheet.macroenabled.12",
	"application/vnd.ms-powerpoint",
	"application/vnd.ms-powerpoint.presentation.macroenabled.12",
	"application/vnd.ms-word",
	"application/vnd.ms-word.document.12",
	"application/vnd.ms-word.document.macroenabled.12",
	"application/vnd.msword",
	"application/vnd.openxmlformats-officedocument.presentationml.presentation",
	"application/vnd.openxmlformats-officedocument.presentationml.template",
	"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
	"application/vnd.openxmlformats-officedocument.spreadsheetml.template",
	"application/vnd.openxmlformats-officedocument.wordprocessingml.document",
	"application/vnd.openxmlformats-officedocument.wordprocessingml.template",
	"application/vnd.presentation-openxml",
	"application/vnd.presentation-openxmlm",
	"application/vnd.spreadsheet-openxml",
	"application/vnd.wordprocessing-openxml",
	"application/x-gzip",
	"application/x-protobuf",
	"application/x-protobuffer",
	"application/zip",
	"multipart/byteranges",
	"multipart/signed",
	"text/event-stream",
	"text/csv",
	]
	protected_mime_types.forEach(function(type) {
	test(type, true /* is_blocking_expected */);
	});

	// Other mime types.
	other_mime_types = [
	// These content types are legitimately allowed in 'no-cors' fetches.
	"application/javascript",

	// Confirmation sniffing will fail and prevent CORB from blocking the
	// response.
	"text/html",

	// Unrecognized content types.
	"application/blah"
	]
	other_mime_types.forEach(function(type) {
	test(type, false /* is_blocking_expected */);
	});
	</script>