| <!DOCTYPE html> |
| <!-- Test verifies CORB will block responses with types that do not |
| require confirmation sniffing. |
| |
| We assume that: |
| 1) it is unlikely that images, other media, scripts, etc. will be mislabelled |
| as the |protected_mime_types| below, |
| 2) the |protected_mime_types| below are likely to contain sensitive, |
| credentialled data. |
| --> |
| <meta charset="utf-8"> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <script src="/common/utils.js"></script> |
| <div id=log></div> |
| <script> |
// Harness configuration.  Uncaught exceptions are tolerated here because the
// window "error" listener registered in test() reports them as assertion
// failures itself.
// NOTE(review): single_test is enabled although several async_test()s are
// registered below — confirm this combination is what the harness expects.
setup({single_test : true, allow_uncaught_exception : true});
| |
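// Registers one async test checking whether CORB (Cross-Origin Read Blocking)
// strips the body of a cross-origin <script> response served with |mime_type|.
//
// The helper resource echoes back a one-line script that sets a per-test
// window flag.  If CORB blocks the response the script never runs and the
// flag stays false; otherwise it flips to true.  |is_blocking_expected|
// selects which outcome the test asserts.
//
// This declaration shadows the global test() helper that testharness.js
// provides; only async_test() is used inside, so nothing here depends on the
// shadowed function.
//
// Parameters:
//   mime_type            - Content-Type the helper resource will respond with.
//   is_blocking_expected - true if CORB is expected to block the response.
function test(mime_type, is_blocking_expected) {
  var action = is_blocking_expected ? "blocks" : "does not block";

  async_test(function(t) {
    var script = document.createElement("script");
    // token() appends a unique suffix so tests running concurrently in this
    // page each get their own flag on |window|.
    var script_has_run_token = "script_has_run" + token();

    // With and without CORB there should be no error, but without CORB the
    // original script body will be preserved and |window.script_has_run| will
    // be set.
    window[script_has_run_token] = false;
    script.onload = t.step_func_done(function() {
      if (is_blocking_expected) {
        assert_false(window[script_has_run_token]);
      } else {
        assert_true(window[script_has_run_token]);
      }
    });
    // A CORB-blocked response must look like an empty script, not an error,
    // so any global error is a failure.  Every test adds its own listener to
    // window and none is removed; presumably t.step() is a no-op once a test
    // has finished, so stale listeners are harmless — TODO confirm against
    // testharness.js.
    addEventListener("error", function(e) {
      t.step(function() {
        assert_unreached("Unexpected error: " + e);
        t.done();
      });
    });

    // www1 is cross-origin, so the HTTP response is CORB-eligible.
    // The {{...}} placeholders are filled in server-side by the WPT template
    // substitution for .sub.html files.
    var src_prefix = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/sniffable-resource.py";
    // Declared locally; the original assignment leaked |body| as an implicit
    // global shared by all tests on the page.
    var body = `window['${script_has_run_token}'] = true;`;
    script.src = src_prefix + "?type=" + mime_type + "&body=" + encodeURIComponent(body);
    document.body.appendChild(script);
  }, "CORB " + action + " '" + mime_type + "'");
}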
| |
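// Some mime types should be protected by CORB without any kind
// of confirmation sniffing.
//
// Rationale (see the header comment): these types are unlikely to be
// legitimately consumed by a <script>, image or media element, and are
// likely to carry sensitive, credentialled data, so CORB can block them
// outright instead of first sniffing the body to confirm the label.
// Declared with |var| so the list is not created as an implicit global.
var protected_mime_types = [
  "application/gzip",
  "application/msexcel",
  "application/mspowerpoint",
  "application/msword",
  "application/msword-template",
  "application/pdf",
  "application/vnd.ces-quickpoint",
  "application/vnd.ces-quicksheet",
  "application/vnd.ces-quickword",
  "application/vnd.ms-excel",
  "application/vnd.ms-excel.sheet.macroenabled.12",
  "application/vnd.ms-powerpoint",
  "application/vnd.ms-powerpoint.presentation.macroenabled.12",
  "application/vnd.ms-word",
  "application/vnd.ms-word.document.12",
  "application/vnd.ms-word.document.macroenabled.12",
  "application/vnd.msword",
  "application/vnd.openxmlformats-officedocument.presentationml.presentation",
  "application/vnd.openxmlformats-officedocument.presentationml.template",
  "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
  "application/vnd.openxmlformats-officedocument.spreadsheetml.template",
  "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
  "application/vnd.openxmlformats-officedocument.wordprocessingml.template",
  "application/vnd.presentation-openxml",
  "application/vnd.presentation-openxmlm",
  "application/vnd.spreadsheet-openxml",
  "application/vnd.wordprocessing-openxml",
  "application/x-gzip",
  "application/x-protobuf",
  "application/x-protobuffer",
  "application/zip",
  "multipart/byteranges",
  "multipart/signed",
  "text/event-stream",
  "text/csv",
];
// Every protected type must be blocked: the injected script body must not
// have run.
protected_mime_types.forEach(function(type) {
  test(type, true /* is_blocking_expected */);
});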
| |
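// Other mime types.
//
// Control group: responses with these types must reach the <script> element
// unchanged, i.e. the injected body must run.  Declared with |var| so the
// list is not created as an implicit global.
var other_mime_types = [
  // These content types are legitimately allowed in 'no-cors' fetches.
  "application/javascript",

  // Confirmation sniffing will fail and prevent CORB from blocking the
  // response.
  "text/html",

  // Unrecognized content types.
  "application/blah"
];
other_mime_types.forEach(function(type) {
  test(type, false /* is_blocking_expected */);
});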
| </script> |