Add more tests for dangling markup mitigation

Adding more test per request[1]. [1] whatwg/html#10022 (review) Change-Id: I7d4d3494fa3aa0ac41c48727c2f866ccf3f016d0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5278680 Reviewed-by: Jonathan Hao <[email protected]> Reviewed-by: Yifan Luo <[email protected]> Auto-Submit: Jun Kokatsu <[email protected]> Commit-Queue: Jun Kokatsu <[email protected]> Cr-Commit-Position: refs/heads/main@{#1261160}
web-platform-tests · Feb 15, 2024 · b9dc4df · b9dc4df
1 parent de8ec2f
commit b9dc4df
Show file tree

Hide file tree

Showing 6 changed files with 123 additions and 0 deletions.
diff --git a/fetch/security/dangling-markup/dangling-markup-mitigation-allowed-apis.html b/fetch/security/dangling-markup/dangling-markup-mitigation-allowed-apis.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+  const blank = 'about:blank';
+  const dangling_url = 'resources/empty.html?\n<';
+  const api_calls = [
+    `window.open(\`${dangling_url}\`,'_self')`,
+    `location.replace(\`${dangling_url}\`)`,
+  ];
+
+  api_calls.forEach(call => {
+    async_test(t => {
+      const iframe =
+        document.body.appendChild(document.createElement('iframe'));
+      t.step(() => {
+        iframe.contentWindow.eval(call)
+        t.step_timeout(()=>{
+          assert_false(iframe.contentWindow.location.href.endsWith(blank));
+          t.done();
+        }, 500);
+      });
+    }, `Does not block ${call}`);
+  });
+</script>
diff --git a/...up-mitigation-data-url.tentative.sub.html → ...gling-markup-mitigation-data-url.sub.html b/...up-mitigation-data-url.tentative.sub.html → ...gling-markup-mitigation-data-url.sub.html
diff --git a/...dangling-markup-mitigation.tentative.html → ...ng-markup/dangling-markup-mitigation.html b/...dangling-markup-mitigation.tentative.html → ...ng-markup/dangling-markup-mitigation.html
diff --git a/fetch/security/dangling-markup/dangling-markup-mitigation.https.html b/fetch/security/dangling-markup/dangling-markup-mitigation.https.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<meta name="timeout" content="long">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+  function get_requests(worker, expected) {
+    return new Promise(resolve => {
+      navigator.serviceWorker.addEventListener('message', function onMsg(evt) {
+        if (evt.data.size >= expected) {
+          navigator.serviceWorker.removeEventListener('message', onMsg);
+          resolve(evt.data);
+        } else {
+          worker.postMessage("");
+        }
+      });
+      worker.postMessage("");
+    });
+  }
+
+  const resources = [
+    x=>`<link rel="stylesheet" href="404/style?${x}">`,
+    x=>`<link rel="prefetch" as="style" href="404/prefetch?${x}">`,
+    x=>`<script src="404/script?${x}"><\/script>`,
+    x=>`<iframe src="404/iframe?${x}"></iframe>`,
+    x=>`<meta http-equiv="refresh" content="0;url=404/meta?${x}">`,
+    x=>`<a href="404/a?${x}">click</a><script>document.querySelector('a').click()<\/script>`,
+    x=>`<base href="404/base?${x}"><a href>me</a><script>document.querySelector('a').click()<\/script>`,
+    x=>`<video controls poster="404/poster?${x}"></video>`,
+    x=>`<input type="image" src="404/input?${x}">`,
+    x=>`<form method="GET" action="404/form?${x}"></form><script>document.querySelector('form').submit()<\/script>`,
+    x=>`<body background="404/body?${x}"></body>`,
+  ];
+
+  async_test(t => {
+    const script = 'service-worker.js';
+    const paths = [];
+    navigator.serviceWorker.register(script);
+    t.step(async () => {
+      const registration = await navigator.serviceWorker.ready;
+      for (const html of resources) {
+        const iframe1 =
+          document.body.appendChild(document.createElement('iframe'));
+        iframe1.src = 'resources.html?html=' + html`%0A<`;
+        const iframe2 =
+          document.body.appendChild(document.createElement('iframe'));
+        iframe2.src = 'resources.html?html=' + html``;
+        const path = html`EOP`;
+        paths.push(path.substring(path.search('404\\/')+4, path.search('EOP')));
+      }
+
+      const requests = await get_requests(registration.active, resources.length);
+      paths.forEach(path => {
+        assert_true(requests.has(path),
+                    `${path} should appear in requests sent`);
+      });
+      await registration.unregister();
+      t.done();
+    });
+  }, 'Only blocks dangling markup requests');
+</script>
diff --git a/fetch/security/dangling-markup/resources/empty.html b/fetch/security/dangling-markup/resources/empty.html
@@ -0,0 +1 @@
+<!DOCTYPE html>
diff --git a/fetch/security/dangling-markup/service-worker.js b/fetch/security/dangling-markup/service-worker.js
@@ -0,0 +1,35 @@
+const requests = new Set();
+
+addEventListener('install', evt => {
+  evt.waitUntil(self.skipWaiting());
+});
+
+addEventListener('activate', evt => {
+  evt.waitUntil(self.clients.claim());
+});
+
+addEventListener('message', evt => {
+  evt.source.postMessage(requests);
+});
+
+addEventListener('fetch', evt => {
+  const url = new URL(evt.request.url);
+  const path = url.pathname;
+  const search = url.search || "?";
+  if (path.includes('404')) {
+    const dir = path.split('/');
+    const request = dir[dir.length-1] + search;
+    if (!requests.has(request)) {
+      requests.add(request);
+    }
+    evt.respondWith(new Response(""));
+  } else if (path.endsWith('resources.html')) {
+    const html = (new URLSearchParams(search)).get('html');
+    evt.respondWith(new Response(html, {
+      headers: {
+        "Content-Type": "text/html"
+      }
+    }));
+  }
+  return;
+});