chromium/third_party/blink/web_tests/external/wpt/fetch/orb/tentative/img-mime-types-coverage.tentative.sub.html

<!-- Test verifies that cross-origin, nosniff images are 1) blocked when their
  MIME type is covered by Opaque Response Blocking (ORB) and 2) allowed otherwise.

  This test is very similar to fetch/orb/img-mime-types-coverage.tentative.sub.html,
  except that it focuses on MIME types relevant to ORB.
-->
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<div id=log></div>
<script>
  // Content-Type values for which the cross-origin, nosniff image response is
  // expected to load. Each entry is turned into one "ORB should allow" subtest
  // by the passes.forEach loop further down.
  var passes = [
    // ORB safelisted MIME-types - i.e. ones covered by:
    // - https://github.com/annevk/orb
    // NOTE(review): these are non-image types that the test still expects an
    // <img> to load; presumably they sit on the ORB safelist because they are
    // legitimate no-cors subresource types - confirm against the linked proposal.

    "text/css",
    "image/svg+xml",

    // JavaScript MIME types
    "application/ecmascript",
    "application/javascript",
    "application/x-ecmascript",
    "application/x-javascript",
    "text/ecmascript",
    "text/javascript",
    "text/javascript1.0",
    "text/javascript1.1",
    "text/javascript1.2",
    "text/javascript1.3",
    "text/javascript1.4",
    "text/javascript1.5",
    "text/jscript",
    "text/livescript",
    "text/x-ecmascript",
    "text/x-javascript",
  ]

  // Content-Type values for which the cross-origin, nosniff image response is
  // expected to be blocked. Each entry is turned into one "ORB should block"
  // subtest by the fails.forEach loop further down.
  var fails = [
    // ORB blocklisted MIME-types - i.e. ones covered by:
    // - https://github.com/annevk/orb

    // NOTE(review): HTML, JSON and XML are presumably blocked here only because
    // the response is served with nosniff (see the header comment of this
    // file) - confirm against the linked proposal.
    "text/html",

    // JSON MIME type
    "application/json",
    "text/json",
    "application/ld+json",

    // XML MIME type
    "text/xml",
    "application/xml",
    "application/xhtml+xml",

    // Document, archive, manifest and streaming types.
    // NOTE(review): presumably the "never sniffed" group of the ORB proposal,
    // i.e. types blocked on Content-Type alone - confirm against the linked
    // proposal before adding or removing entries.
    "application/dash+xml",
    "application/gzip",
    "application/msexcel",
    "application/mspowerpoint",
    "application/msword",
    "application/msword-template",
    "application/pdf",
    "application/vnd.apple.mpegurl",
    "application/vnd.ces-quickpoint",
    "application/vnd.ces-quicksheet",
    "application/vnd.ces-quickword",
    "application/vnd.ms-excel",
    "application/vnd.ms-excel.sheet.macroenabled.12",
    "application/vnd.ms-powerpoint",
    "application/vnd.ms-powerpoint.presentation.macroenabled.12",
    "application/vnd.ms-word",
    "application/vnd.ms-word.document.12",
    "application/vnd.ms-word.document.macroenabled.12",
    "application/vnd.msword",
    "application/vnd.openxmlformats-officedocument.presentationml.presentation",
    "application/vnd.openxmlformats-officedocument.presentationml.template",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.template",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.template",
    "application/vnd.presentation-openxml",
    "application/vnd.presentation-openxmlm",
    "application/vnd.spreadsheet-openxml",
    "application/vnd.wordprocessing-openxml",
    "application/x-gzip",
    "application/x-protobuf",
    "application/x-protobuffer",
    "application/zip",
    "audio/mpegurl",
    "multipart/byteranges",
    "multipart/signed",
    "text/event-stream",
    "text/csv",
    "text/vtt",
]

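  /**
   * Builds the URL of the cross-origin image resource requested by every
   * subtest in this file.
   *
   * @param {?string} mime - Value for the `type` query parameter; when null or
   *     undefined, no query string is appended.
   * @returns {string} Absolute URL of image.py on the www1 host.
   */
  const get_url = (mime) => {
    // www1 is cross-origin, so the HTTP response is ORB-eligible.
    // Declared locally so the helper neither creates nor overwrites a global
    // `url`, and so it does not throw if the script is ever run in strict mode.
    const base = "http://{{domains[www1]}}:{{ports[http][0]}}" +
      "/fetch/nosniff/resources/image.py"
    if (mime == null) {
      return base
    }
    // MIME types contain "/" and "+" (e.g. image/svg+xml); encode them so the
    // value is not altered when the query string is parsed.
    return base + "?type=" + encodeURIComponent(mime)
  }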

  // Register one async subtest per entry in `passes`: the cross-origin image
  // must fire `load`, and any `error` event fails the subtest.
  for (const mimeType of passes) {
    const title = "ORB should allow the response if Content-Type is: '" + mimeType + "'.  "
    async_test((t) => {
      const image = document.createElement("img")
      image.onload = t.step_func_done(() => {
        // Checking the width shows the image was decoded, not just that an
        // event fired. NOTE(review): 96 is presumably the intrinsic width of
        // the image served by image.py - confirm against that resource.
        assert_equals(image.width, 96)
      })
      image.onerror = t.unreached_func("Unexpected error event")
      image.src = get_url(mimeType)
      document.body.appendChild(image)
    }, title)
  }

  // Register one async subtest per entry in `fails`: the cross-origin image
  // must fire `error`, and a `load` event fails the subtest.
  // NOTE(review): `error` fires for any failed image load, so on its own this
  // does not distinguish ORB blocking from an unreachable or broken resource;
  // the "should allow" subtests request the same image.py endpoint and so
  // indirectly confirm that it is being served.
  for (const mimeType of fails) {
    const title = "ORB should block the response if Content-Type is: '" + mimeType + "'.  "
    async_test((t) => {
      const image = document.createElement("img")
      image.onload = t.unreached_func("Unexpected load event")
      image.onerror = t.step_func_done()
      image.src = get_url(mimeType)
      document.body.appendChild(image)
    }, title)
  }
</script>