Bug 1450304 [wpt PR 10254] - Make CORB MIME type classification consistent with the web specs., a=testonly

Automatic update from web-platform-testsMake CORB MIME type classification consistent with the web specs.

https://tools.ietf.org/html/rfc7303 says that if "new media type is
introduced for an XML-based format, the name of the media type SHOULD
end with '+xml'".

https://tools.ietf.org/html/rfc6839 covers '+xml' and '+json' suffixes.

https://mimesniff.spec.whatwg.org/#xml-mime-type says "An XML MIME type
is any MIME type whose subtype ends in '+xml' or whose essence is
'text/xml' or 'application/xml'. [RFC7303]".

https://mimesniff.spec.whatwg.org/#json-mime-type says "A JSON MIME type
is any MIME type whose subtype ends in '+json' or whose essence is
'application/json' or 'text/json'."

There are no occurrences of "application/xml+", "text/xml+",
"application/json+", "text/json+" or "text/x-json" in the specs above
and on various lists of MIME types like:
-
https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Complete_list_of_MIME_types
- https://en.wikipedia.org/wiki/Media_type
- https://www.freeformatter.com/mime-types-list.html
- https://www.sitepoint.com/mime-types-complete-list/

Bug: 826756
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: Ied30f9728bd4f082bb620fea150f342457ea4833
Reviewed-on: https://chromium-review.googlesource.com/985211
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Nick Carter <nick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#547565}

wpt-commits: 24f7e6d2f6d2377c15332de4668ffeea399ae6eb
wpt-pr: 10254
wpt-commits: 24f7e6d2f6d2377c15332de4668ffeea399ae6eb
wpt-pr: 10254
Lukasz Anforowicz 2018-04-09 21:31:10 +00:00 коммит произвёл James Graham
Родитель e89fc29570
Коммит 4e0901086f
5 изменённых файлов: 119 добавлений и 4 удалений


@ -285679,6 +285679,11 @@
{}
]
],
"images/green-96x96.svg": [
[
{}
]
],
"images/green.png": [
[
{}
@ -326446,6 +326451,12 @@
{}
]
],
"fetch/corb/img-mime-types-coverage.tentative.sub.html": [
[
"/fetch/corb/img-mime-types-coverage.tentative.sub.html",
{}
]
],
"fetch/corb/preload-image-png-mislabeled-as-html-nosniff.tentative.sub.html": [
[
"/fetch/corb/preload-image-png-mislabeled-as-html-nosniff.tentative.sub.html",
@ -552519,6 +552530,10 @@
"699a8b2c8bb1f089f3ef1827bf8cfe1873849bf8",
"reftest"
],
"fetch/corb/img-mime-types-coverage.tentative.sub.html": [
"ccceb2eab638a0e7c88c6e3eed45c51148e0f406",
"testharness"
],
"fetch/corb/img-png-mislabeled-as-html-nosniff.tentative.sub-expected.html": [
"1980633a4167993d90636be2ebba2aa8d72299b7",
"support"
@ -552716,7 +552731,7 @@
"testharness"
],
"fetch/nosniff/image.html": [
"2b31b5f05d843c55640943e68224cb36a1670a5e",
"568ae12edabc343cddbef7cb41acde20955fc8bb",
"testharness"
],
"fetch/nosniff/importscripts.html": [
@ -552736,7 +552751,7 @@
"support"
],
"fetch/nosniff/resources/image.py": [
"015a20158bb41f02a1fa30214060f522f32f6249",
"82bd978c186e3b468d5e3a15623718484fec926e",
"support"
],
"fetch/nosniff/resources/js.py": [
@ -573275,6 +573290,10 @@
"5c43c80281b17b20173a2c7aceb873d8ad60d5d2",
"support"
],
"images/green-96x96.svg": [
"b41390669cc5a9a03700ab429ee9f54977575e87",
"support"
],
"images/green.png": [
"ef91d21307a12b2cfaf33a90dffe16aa1cba42c9",
"support"


@ -0,0 +1,75 @@
<!-- Test verifies that cross-origin, nosniff images are 1) blocked when their
MIME type is covered by CORB and 2) allowed otherwise.
This test is very similar to fetch/nosniff/images.html, except that
1) it deals with cross-origin images (CORB ignores same-origin fetches),
2) it focuses on MIME types relevant to CORB.
There are opportunities to unify the test here with nosniff tests *if*
we can also start blocking same-origin (or cors-allowed) images. We
should try to gather data to quantify the impact of such change.
-->
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<div id=log></div>
<script>
var passes = [
// Empty or non-sensical MIME types
null, "", "x", "x/x",
// MIME-types not protected by CORB
"image/gif", "image/png", "image/png;blah", "image/svg+xml",
"application/javascript", "application/jsonp",
// MIME types that may seem to be JSON or XML, but really aren't - i.e.
// these MIME types are not covered by:
// - https://mimesniff.spec.whatwg.org/#json-mime-type
// - https://mimesniff.spec.whatwg.org/#xml-mime-type
// - https://tools.ietf.org/html/rfc6839
// - https://tools.ietf.org/html/rfc7303
"text/x-json", "text/json+blah", "application/json+blah",
"text/xml+blah", "application/xml+blah",
"application/blahjson", "text/blahxml",
var fails = [
// CORB-protected MIME-types - i.e. ones covered by:
// - https://mimesniff.spec.whatwg.org/#html-mime-type
// - https://mimesniff.spec.whatwg.org/#json-mime-type
// - https://mimesniff.spec.whatwg.org/#xml-mime-type
"text/html",
"text/json", "application/json", "text/xml", "application/xml",
"application/blah+json", "text/blah+json",
"application/blah+xml", "text/blah+xml",
"TEXT/HTML", "TEXT/JSON", "TEXT/BLAH+JSON", "APPLICATION/BLAH+XML"]
const get_url = (mime) => {
// www1 is cross-origin, so the HTTP response is CORB-eligible -->
url = "http://{{domains[www1]}}:{{ports[http][0]}}"
url = url + "/fetch/nosniff/resources/image.py"
if (mime != null) {
url += "?type=" + encodeURIComponent(mime)
}
return url
}
passes.forEach(function(mime) {
async_test(function(t) {
var img = document.createElement("img")
img.onerror = t.unreached_func("Unexpected error event")
img.onload = t.step_func_done(function(){
assert_equals(img.width, 96)
})
img.src = get_url(mime)
document.body.appendChild(img)
}, "CORB should allow the response if Content-Type is: '" + mime + "'. ")
})
fails.forEach(function(mime) {
async_test(function(t) {
var img = document.createElement("img")
img.onerror = t.step_func_done()
img.onload = t.unreached_func("Unexpected load event")
img.src = get_url(mime)
document.body.appendChild(img)
}, "CORB should block the response if Content-Type is: '" + mime + "'. ")
})
</script>
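Review bot: get_url assigns `url` without declaring it (the line `url = "http://{{domains[www1]}}:{{ports[http][0]}}"`), which creates an implicit global on the test page; the same helper in fetch/nosniff/image.html in this commit uses `let url`, so the two should agree: `let url = "http://{{domains[www1]}}:{{ports[http][0]}}"`. The comment on the line before it ends with a stray `-->`, apparently left over from the HTML comment block at the top of the file, and should be dropped. Some lines of this hunk appear to be missing from the rendering (the `]` closing the `passes` array is not shown), so the array boundaries could not be checked here.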


@ -3,7 +3,19 @@
<div id=log></div>
<script>
// Note: images get always sniffed, nosniff doesn't do anything
var passes = [null, "", "x", "x/x", "image/gif", "image/png", "image/png;blah"]
// (but note the tentative Cross-Origin Read Blocking (CORB) tests
// - for example wpt/fetch/corb/img-mime-types-coverage.tentative.sub.html).
var passes = [
// Empty or non-sensical MIME types
null, "", "x", "x/x",
// Image MIME types
"image/gif", "image/png", "image/png;blah", "image/svg+xml",
// CORB-protected MIME types (but note that CORB doesn't apply here,
// because CORB ignores same-origin requests).
"text/html", "application/xml", "application/blah+xml"
]
const get_url = (mime) => {
let url = "resources/image.py"


@ -3,7 +3,13 @@ import os.path
def main(request, response):
type = request.GET.first("type", None)
body = open(os.path.join(os.path.dirname(__file__), "../../../images/blue96x96.png"), "rb").read()
if type != None and "svg" in type:
filename = "green-96x96.svg"
else:
filename = "blue96x96.png"
path = os.path.join(os.path.dirname(__file__), "../../../images", filename)
body = open(path, "rb").read()
response.add_required_headers = False
response.writer.write_status(200)
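Review bot: The rewritten `body = open(path, "rb").read()` still never closes the file handle; since the line was touched anyway, `with open(path, "rb") as f: body = f.read()` is the idiomatic form and avoids relying on refcounting to release it. On the branch condition, `type is not None` is the conventional comparison rather than `type != None`, and `"svg" in type` selects the SVG body for any type string containing that substring — presumably intended for the `image/svg+xml` case in the new test, but worth a short comment such as `# any type mentioning svg gets the SVG body; everything else gets the PNG`. main() continues past the end of the hunk.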


@ -0,0 +1,3 @@
<svg xmlns="http://www.w3.org/2000/svg" width="96" height="96">
<rect fill="lime" width="96" height="96"/>
</svg>
