chromium/third_party/blink/web_tests/external/wpt/fetch/corb/script-resource-with-nonsniffable-types.tentative.sub.html

<!DOCTYPE html>
<!-- Test verifies that CORB (Cross-Origin Read Blocking) blocks cross-origin
  responses served with Content-Types that are protected outright, i.e. without
  any confirmation sniffing of the body.

  We assume that:
  1) it is unlikely that images, other media, scripts, etc. will be mislabelled
     as the |protected_mime_types| below,
  2) the |protected_mime_types| below are likely to contain sensitive,
     credentialled data.
-->
<meta charset="utf-8">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/utils.js"></script>
<div id=log></div>
<script>
// Uncaught exceptions must not fail the whole file: each test installs its
// own window "error" handler and reports them individually.
// NOTE(review): single_test is combined with several async_test() calls
// below — confirm the testharness.js in use accepts that combination.
setup({
  allow_uncaught_exception: true,
  single_test: true
});

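// Registers one async test that loads a cross-origin script served with
// |mime_type| and checks whether CORB stripped the body before it could run.
//
// mime_type:            Content-Type the helper endpoint is asked to send
//                       (passed as the `type` query parameter; presumably
//                       echoed back verbatim by sniffable-resource.py).
// is_blocking_expected: true if CORB must empty the response (the script
//                       body never executes), false if the body must survive.
function test(mime_type, is_blocking_expected) {
  var action = is_blocking_expected ? "blocks" : "does not block";

  async_test(function(t) {
    var script = document.createElement("script");
    // Per-test token so concurrently running tests cannot observe each
    // other's flag.
    var script_has_run_token = "script_has_run" + token();

    // With and without CORB the script element fires |load|, not |error|:
    // CORB replaces the body with an empty one instead of failing the fetch.
    // Only if the original body survives does this flag get set.
    window[script_has_run_token] = false;

    // A network-level failure should fail this test right away rather than
    // leave it hanging until the harness timeout.
    script.onerror = t.unreached_func(
        "Unexpected load error for '" + mime_type + "'");

    script.onload = t.step_func_done(function() {
      if (is_blocking_expected) {
        assert_false(window[script_has_run_token],
                     "CORB should have emptied the response body");
      } else {
        assert_true(window[script_has_run_token],
                    "script body should have executed");
      }
    });

    // Uncaught exceptions surface on the window (the harness is told not to
    // fail the file on them, see setup()). Scope the handler to this test and
    // detach it on completion so one test's error cannot fail every other
    // test still in flight.
    var on_window_error = t.step_func(function(e) {
      assert_unreached("Unexpected error: " + (e.message || e));
    });
    addEventListener("error", on_window_error);
    t.add_cleanup(function() {
      removeEventListener("error", on_window_error);
    });

    // www1 is cross-origin, so the HTTP response is CORB-eligible. No
    // |crossorigin| attribute is set on purpose: that keeps the request in
    // no-cors mode, which is exactly the case CORB is meant to protect.
    var src_prefix = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/sniffable-resource.py";
    var body = `window['${script_has_run_token}'] = true;`;
    script.src = src_prefix + "?type=" + mime_type +
                 "&body=" + encodeURIComponent(body);
    document.body.appendChild(script);
  }, "CORB " + action + " '" + mime_type + "'");
}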

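// Mime types CORB protects outright, with no confirmation sniffing: a
// mislabelled image/script/media resource carrying one of these types is
// unlikely, and a genuine response of these types is likely to hold
// credentialed data. Declared with |var| rather than as an implicit global.
var protected_mime_types = [
  "application/gzip",
  "application/pdf",
  "application/x-gzip",
  "application/x-protobuf",
  "application/zip",
  "multipart/byteranges",
  "multipart/signed",
  "text/csv",
  "text/event-stream",
];
protected_mime_types.forEach(function(type) {
  test(type, true /* is_blocking_expected */);
});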

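// Mime types CORB must leave alone for a <script> load. Declared with |var|
// rather than as an implicit global.
var other_mime_types = [
  // Legitimately allowed in 'no-cors' fetches.
  "application/javascript",

  // Sniffable type: the JavaScript body does not look like HTML, so
  // confirmation sniffing fails and CORB must not block the response.
  "text/html",

  // Unrecognized content type: neither protected nor sniffed.
  "application/blah"
];
other_mime_types.forEach(function(type) {
  test(type, false /* is_blocking_expected */);
});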
</script>