From b9dc4df0c6bdf28698ba6eecda23a5984e79b70e Mon Sep 17 00:00:00 2001
From: Jun Kokatsu <jkokatsu@google.com>
Date: Thu, 15 Feb 2024 09:58:46 -0800
Subject: [PATCH] Add more tests for dangling markup mitigation

Adding more test per request[1].

[1] https://github.com/whatwg/html/pull/10022#pullrequestreview-1841928335

Change-Id: I7d4d3494fa3aa0ac41c48727c2f866ccf3f016d0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5278680
Reviewed-by: Jonathan Hao <phao@chromium.org>
Reviewed-by: Yifan Luo <lyf@chromium.org>
Auto-Submit: Jun Kokatsu <jkokatsu@google.com>
Commit-Queue: Jun Kokatsu <jkokatsu@google.com>
Cr-Commit-Position: refs/heads/main@{#1261160}
---
 ...ngling-markup-mitigation-allowed-apis.html | 26 ++++++++
 ...gling-markup-mitigation-data-url.sub.html} |  0
 ...e.html => dangling-markup-mitigation.html} |  0
 .../dangling-markup-mitigation.https.html     | 61 +++++++++++++++++++
 .../dangling-markup/resources/empty.html      |  1 +
 .../dangling-markup/service-worker.js         | 35 +++++++++++
 6 files changed, 123 insertions(+)
 create mode 100644 fetch/security/dangling-markup/dangling-markup-mitigation-allowed-apis.html
 rename fetch/security/dangling-markup/{dangling-markup-mitigation-data-url.tentative.sub.html => dangling-markup-mitigation-data-url.sub.html} (100%)
 rename fetch/security/dangling-markup/{dangling-markup-mitigation.tentative.html => dangling-markup-mitigation.html} (100%)
 create mode 100644 fetch/security/dangling-markup/dangling-markup-mitigation.https.html
 create mode 100644 fetch/security/dangling-markup/resources/empty.html
 create mode 100644 fetch/security/dangling-markup/service-worker.js

diff --git a/fetch/security/dangling-markup/dangling-markup-mitigation-allowed-apis.html b/fetch/security/dangling-markup/dangling-markup-mitigation-allowed-apis.html
new file mode 100644
index 00000000000000..66456a8876b609
--- /dev/null
+++ b/fetch/security/dangling-markup/dangling-markup-mitigation-allowed-apis.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+  const blank = 'about:blank';
+  const dangling_url = 'resources/empty.html?\n<';
+  const api_calls = [
+    `window.open(\`${dangling_url}\`,'_self')`,
+    `location.replace(\`${dangling_url}\`)`,
+  ];
+
+  api_calls.forEach(call => {
+    async_test(t => {
+      const iframe =
+        document.body.appendChild(document.createElement('iframe'));
+      t.step(() => {
+        iframe.contentWindow.eval(call)
+        t.step_timeout(()=>{
+          assert_false(iframe.contentWindow.location.href.endsWith(blank));
+          t.done();
+        }, 500);
+      });
+    }, `Does not block ${call}`);
+  });
+</script>
diff --git a/fetch/security/dangling-markup/dangling-markup-mitigation-data-url.tentative.sub.html b/fetch/security/dangling-markup/dangling-markup-mitigation-data-url.sub.html
similarity index 100%
rename from fetch/security/dangling-markup/dangling-markup-mitigation-data-url.tentative.sub.html
rename to fetch/security/dangling-markup/dangling-markup-mitigation-data-url.sub.html
diff --git a/fetch/security/dangling-markup/dangling-markup-mitigation.tentative.html b/fetch/security/dangling-markup/dangling-markup-mitigation.html
similarity index 100%
rename from fetch/security/dangling-markup/dangling-markup-mitigation.tentative.html
rename to fetch/security/dangling-markup/dangling-markup-mitigation.html
diff --git a/fetch/security/dangling-markup/dangling-markup-mitigation.https.html b/fetch/security/dangling-markup/dangling-markup-mitigation.https.html
new file mode 100644
index 00000000000000..3f038cbb7be452
--- /dev/null
+++ b/fetch/security/dangling-markup/dangling-markup-mitigation.https.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<meta name="timeout" content="long">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+  function get_requests(worker, expected) {
+    return new Promise(resolve => {
+      navigator.serviceWorker.addEventListener('message', function onMsg(evt) {
+        if (evt.data.size >= expected) {
+          navigator.serviceWorker.removeEventListener('message', onMsg);
+          resolve(evt.data);
+        } else {
+          worker.postMessage("");
+        }
+      });
+      worker.postMessage("");
+    });
+  }
+
+  const resources = [
+    x=>`<link rel="stylesheet" href="404/style?${x}">`,
+    x=>`<link rel="prefetch" as="style" href="404/prefetch?${x}">`,
+    x=>`<script src="404/script?${x}"><\/script>`,
+    x=>`<iframe src="404/iframe?${x}"></iframe>`,
+    x=>`<meta http-equiv="refresh" content="0;url=404/meta?${x}">`,
+    x=>`<a href="404/a?${x}">click</a><script>document.querySelector('a').click()<\/script>`,
+    x=>`<base href="404/base?${x}"><a href>me</a><script>document.querySelector('a').click()<\/script>`,
+    x=>`<video controls poster="404/poster?${x}"></video>`,
+    x=>`<input type="image" src="404/input?${x}">`,
+    x=>`<form method="GET" action="404/form?${x}"></form><script>document.querySelector('form').submit()<\/script>`,
+    x=>`<body background="404/body?${x}"></body>`,
+  ];
+
+  async_test(t => {
+    const script = 'service-worker.js';
+    const paths = [];
+    navigator.serviceWorker.register(script);
+    t.step(async () => {
+      const registration = await navigator.serviceWorker.ready;
+      for (const html of resources) {
+        const iframe1 =
+          document.body.appendChild(document.createElement('iframe'));
+        iframe1.src = 'resources.html?html=' + html`%0A<`;
+        const iframe2 =
+          document.body.appendChild(document.createElement('iframe'));
+        iframe2.src = 'resources.html?html=' + html``;
+        const path = html`EOP`;
+        paths.push(path.substring(path.search('404\\/')+4, path.search('EOP')));
+      }
+
+      const requests = await get_requests(registration.active, resources.length);
+      paths.forEach(path => {
+        assert_true(requests.has(path),
+                    `${path} should appear in requests sent`);
+      });
+      await registration.unregister();
+      t.done();
+    });
+  }, 'Only blocks dangling markup requests');
+</script>
diff --git a/fetch/security/dangling-markup/resources/empty.html b/fetch/security/dangling-markup/resources/empty.html
new file mode 100644
index 00000000000000..0e76edd65b7baf
--- /dev/null
+++ b/fetch/security/dangling-markup/resources/empty.html
@@ -0,0 +1 @@
+<!DOCTYPE html>
diff --git a/fetch/security/dangling-markup/service-worker.js b/fetch/security/dangling-markup/service-worker.js
new file mode 100644
index 00000000000000..837e216a013be4
--- /dev/null
+++ b/fetch/security/dangling-markup/service-worker.js
@@ -0,0 +1,35 @@
+const requests = new Set();
+
+addEventListener('install', evt => {
+  evt.waitUntil(self.skipWaiting());
+});
+
+addEventListener('activate', evt => {
+  evt.waitUntil(self.clients.claim());
+});
+
+addEventListener('message', evt => {
+  evt.source.postMessage(requests);
+});
+
+addEventListener('fetch', evt => {
+  const url = new URL(evt.request.url);
+  const path = url.pathname;
+  const search = url.search || "?";
+  if (path.includes('404')) {
+    const dir = path.split('/');
+    const request = dir[dir.length-1] + search;
+    if (!requests.has(request)) {
+      requests.add(request);
+    }
+    evt.respondWith(new Response(""));
+  } else if (path.endsWith('resources.html')) {
+    const html = (new URLSearchParams(search)).get('html');
+    evt.respondWith(new Response(html, {
+      headers: {
+        "Content-Type": "text/html"
+      }
+    }));
+  }
+  return;
+});