Skip to content

Commit

Permalink
Fix up wpt/preload
Browse files Browse the repository at this point in the history 
 - Some tests in wpt/preload use Resource Timing entries to make sure
   that no requests are made. We're changing that (Resource Timing
   entries should be created even when blocked by CSP - see
   whatwg/fetch#1215). Stop using
   Resource Timing entries and check that with server side scripts.
 - http/tests/preload/preload-csp.html is covered by some WPTs. Let's
   remove it.

Change-Id: I3c2cdfa2459d212657be7569c5290c48b39d6f05
Bug: 1275564
  • Loading branch information
@yutakahirano @chromium-wpt-export-bot
yutakahirano authored and chromium-wpt-export-bot committed Jun 30, 2022
1 parent b489bce commit 5795662
Show file tree
Hide file tree
Showing 10 changed files with 269 additions and 198 deletions.
65 changes: 38 additions & 27 deletions preload/dynamic-adding-preload-nonce.html
View file
Original file line number Diff line number Diff line change
@@ -1,39 +1,50 @@
<!DOCTYPE html>
<script nonce="abc" src="/resources/testharness.js"></script>
<script nonce="abc" src="/resources/testharnessreport.js"></script>
<script nonce="abc" src="/common/utils.js"></script>
<script nonce="abc" src="/preload/resources/preload_helper.js"></script>
<body>
<script nonce="abc">

async_test(function(t) {
verifyPreloadAndRTSupport();
var link = document.createElement("link");
link.as = "script";
link.rel = "preload";
link.href = "resources/dummy.js?with-nonce";
link.nonce = "abc";
link.onload = link.onerror = t.step_func(function() {
t.step_timeout(function() {
verifyNumberOfResourceTimingEntries("resources/dummy.js?with-nonce", 1);
t.done();
}, 0);
});
document.body.appendChild(link);
promise_test(async (t) => {
verifyPreloadAndRTSupport();
const id = token();
const link = document.createElement("link");
link.as = "script";
link.rel = "preload";
link.href = stashPutUrl(id);
link.nonce = "abc";

const load = new Promise((resolve) => {
link.onload = resolve;
});
link.onerror = t.unreached_func("link.onerror");

document.body.appendChild(link);
await load;

const arrived = await hasArrivedAtServer(id);
assert_true(arrived, "The preload should've arrived at the server.");
}, "link preload with nonce attribute");

async_test(function(t) {
verifyPreloadAndRTSupport();
var link = document.createElement("link");
link.as = "script";
link.rel = "preload";
link.href = "resources/dummy.js?without-nonce";
link.onload = link.onerror = t.step_func(function() {
t.step_timeout(function() {
verifyNumberOfResourceTimingEntries("resources/dummy.js?without-nonce", 0);
t.done();
}, 0);
});
document.body.appendChild(link);
promise_test(async (t) => {
verifyPreloadAndRTSupport();
const id = token();
const link = document.createElement("link");
link.as = "script";
link.rel = "preload";
link.href = stashPutUrl(id);

const error = new Promise((resolve) => {
link.onerror = resolve;
});
link.onload = t.unreached_func("link.onload");

document.body.appendChild(link);
await error;

const arrived = await hasArrivedAtServer(id);
assert_false(arrived, "The preload should've arrived at the server.");
}, "link preload without nonce attribute");

</script>
Expand Down
70 changes: 45 additions & 25 deletions preload/link-header-preload-nonce.html
View file
Original file line number Diff line number Diff line change
@@ -1,33 +1,53 @@
<!DOCTYPE html>
<title>Makes sure that Link headers preload resources with CSP nonce</title>
<script nonce="abc" src="/resources/testharness.js"></script>
<script nonce="abc" src="/resources/testharnessreport.js"></script>
<script nonce="abc" src="/preload/resources/preload_helper.js"></script>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/utils.js"></script>
<script src="/preload/resources/preload_helper.js"></script>
<body>
<script nonce="abc">
setup({single_test: true});
<script>

var iterations = 0;
async_test(t => {
const id = token();
const pageUrl =
'/common/blank.html?pipe=' +
'|header(content-security-policy, script-src \'nonce-abc\')' +
`|header(link, <${encodedStashPutUrl(id)}>;rel=preload;as=script)`;

function check_finished() {
if (numberOfResourceTimingEntries("resources/dummy.js?from-header&without-nonce") == 0 &&
numberOfResourceTimingEntries("resources/dummy.js?from-header&with-nonce") == 1) {
done();
}
iterations++;
if (iterations == 10) {
// At least one is expected to fail, but this should give details to the exact failure(s).
verifyNumberOfResourceTimingEntries("resources/dummy.js?from-header&without-nonce", 0);
verifyNumberOfResourceTimingEntries("resources/dummy.js?from-header&with-nonce", 1);
done();
} else {
step_timeout(check_finished, 500);
}
const w = window.open(pageUrl);
t.add_cleanup(() => w.close());

step_timeout(async () => {
try {
const arrived = await hasArrivedAtServer(id);
assert_false(arrived, 'The preload should be blocked.');
t.done();
} catch (e) {
t.step(() => {throw e;});
}
}, 3000);
}, 'without nonce');

async_test(t => {
const id = token();
const pageUrl =
'/common/blank.html?pipe=' +
'|header(content-security-policy, script-src \'nonce-az\')' +
`|header(link, <${encodedStashPutUrl(id)}>;rel=preload;as=script;nonce=az)`;
const w = window.open(pageUrl);
t.add_cleanup(() => w.close());

// TODO: Use step_wait after
// https://github.com/web-platform-tests/wpt/pull/34289 is merged.
step_timeout(async () => {
try {
const arrived = await hasArrivedAtServer(id);
assert_true(arrived, 'The preload should have arrived at the server.');
t.done();
} catch (e) {
t.step(() => {throw e;});
}
}, 3000);
}, 'with nonce');

window.addEventListener("load", function() {
verifyPreloadAndRTSupport();
step_timeout(check_finished, 500);
});
</script>
</body>
3 changes: 0 additions & 3 deletions preload/link-header-preload-nonce.html.headers
View file

This file was deleted.

70 changes: 25 additions & 45 deletions preload/preload-csp.sub.html
View file
Original file line number Diff line number Diff line change
@@ -1,55 +1,35 @@
<!DOCTYPE html>
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; font-src 'none'; style-src 'none'; img-src 'none'; media-src 'none'; connect-src 'none'">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; font-src 'none'; style-src 'none'; img-src 'none'; media-src 'none';">
<title>Makes sure that preload requests respect CSP</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/utils.js"></script>
<script src="/preload/resources/preload_helper.js"></script>
<link rel=preload href="{{host}}:{{ports[http][1]}}/preload/resources/dummy.js" as=style>
<link rel=preload href="resources/dummy.css" as=style>
<link rel=preload href="resources/square.png" as=image>
<link rel=preload href="/fonts/CanvasTest.ttf" as=font crossorigin>
<link rel=preload href="resources/white.mp4" as=video>
<link rel=preload href="resources/sound_5.oga" as=audio>
<link rel=preload href="resources/foo.vtt" as=track>
<link rel=preload href="resources/dummy.xml?foo=bar" as=foobarxmlthing>
<link rel=preload href="resources/dummy.xml">
<link rel=preload href="http://{{host}}:{{ports[http][1]}}/preload/resources/stash-put.py?key={{uuid()}}" as=style>
<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=style>
<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=image>
<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=font crossorigin>
<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=video>
<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=audio>
<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=track>
<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=foobarxmlthing>
<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}">
<body>
<script>
setup({single_test: true});

var iterations = 0;

function check_finished() {
if (numberOfResourceTimingEntries("{{host}}:{{ports[http][1]}}/preload/resources/dummy.js") == 0 &&
numberOfResourceTimingEntries("resources/dummy.css") == 0 &&
numberOfResourceTimingEntries("resources/square.png") == 0 &&
numberOfResourceTimingEntries("/fonts/CanvasTest.ttf") == 0 &&
numberOfResourceTimingEntries("resources/white.mp4") == 0 &&
numberOfResourceTimingEntries("resources/sound_5.oga") == 0 &&
numberOfResourceTimingEntries("resources/foo.vtt") == 0 &&
numberOfResourceTimingEntries("resources/dummy.xml") == 0) {
done();
}
iterations++;
if (iterations == 10) {
// At least one is expected to fail, but this should give details to the exact failure(s).
verifyNumberOfResourceTimingEntries("{{host}}:{{ports[http][1]}}/preload/resources/dummy.js", 0);
verifyNumberOfResourceTimingEntries("resources/dummy.css", 0);
verifyNumberOfResourceTimingEntries("resources/square.png", 0);
verifyNumberOfResourceTimingEntries("/fonts/CanvasTest.ttf", 0);
verifyNumberOfResourceTimingEntries("resources/white.mp4", 0);
verifyNumberOfResourceTimingEntries("resources/sound_5.oga", 0);
verifyNumberOfResourceTimingEntries("resources/foo.vtt", 0);
verifyNumberOfResourceTimingEntries("resources/dummy.xml", 0);
done();
} else {
step_timeout(check_finished, 500);
}
promise_test(async (t) => {
verifyPreloadAndRTSupport();
const keys = [];
const links = document.querySelectorAll('link');
for (const link of links) {
if (link.rel === 'preload') {
const r = /\?key=([a-zA-Z0-9\-]+)$/;
keys.push(link.href.match(r)[1]);
}
}
await new Promise((resolve) => step_timeout(resolve, 3000));

window.addEventListener("load", function() {
verifyPreloadAndRTSupport();
step_timeout(check_finished, 500);
});
for (const key of keys) {
assert_false(await hasArrivedAtServer(key));
}
}, 'Preload requests are blocked by CSP.');
</script>

68 changes: 24 additions & 44 deletions preload/preload-default-csp.sub.html
View file
Original file line number Diff line number Diff line change
@@ -1,55 +1,35 @@
<!DOCTYPE html>
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; default-src 'none'">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; default-src 'none'; connect-src 'self';">
<title>Makes sure that preload requests respect CSP</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/preload/resources/preload_helper.js"></script>
<link rel=preload href="{{host}}:{{ports[http][1]}}/preload/resources/dummy.js" as=style>
<link rel=preload href="resources/dummy.css" as=style>
<link rel=preload href="resources/square.png" as=image>
<link rel=preload href="/fonts/CanvasTest.ttf" as=font crossorigin>
<link rel=preload href="resources/white.mp4" as=video>
<link rel=preload href="resources/sound_5.oga" as=audio>
<link rel=preload href="resources/foo.vtt" as=track>
<link rel=preload href="resources/dummy.xml?foo=bar" as=foobarxmlthing>
<link rel=preload href="resources/dummy.xml">
<link rel=preload href="http://{{host}}:{{ports[http][1]}}/preload/resources/stash-put.py?key={{uuid()}}" as=style>
<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=style>
<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=image>
<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=font crossorigin>
<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=video>
<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=audio>
<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=track>
<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=foobarxmlthing>
<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}">
<body>
<script>
setup({single_test: true});

var iterations = 0;

function check_finished() {
if (numberOfResourceTimingEntries("{{host}}:{{ports[http][1]}}/preload/resources/dummy.js") == 0 &&
numberOfResourceTimingEntries("resources/dummy.css") == 0 &&
numberOfResourceTimingEntries("resources/square.png") == 0 &&
numberOfResourceTimingEntries("/fonts/CanvasTest.ttf") == 0 &&
numberOfResourceTimingEntries("resources/white.mp4") == 0 &&
numberOfResourceTimingEntries("resources/sound_5.oga") == 0 &&
numberOfResourceTimingEntries("resources/foo.vtt") == 0 &&
numberOfResourceTimingEntries("resources/dummy.xml") == 0) {
done();
}
iterations++;
if (iterations == 10) {
// At least one is expected to fail, but this should give details to the exact failure(s).
verifyNumberOfResourceTimingEntries("{{host}}:{{ports[http][1]}}/preload/resources/dummy.js", 0);
verifyNumberOfResourceTimingEntries("resources/dummy.css", 0);
verifyNumberOfResourceTimingEntries("resources/square.png", 0);
verifyNumberOfResourceTimingEntries("/fonts/CanvasTest.ttf", 0);
verifyNumberOfResourceTimingEntries("resources/white.mp4", 0);
verifyNumberOfResourceTimingEntries("resources/sound_5.oga", 0);
verifyNumberOfResourceTimingEntries("resources/foo.vtt", 0);
verifyNumberOfResourceTimingEntries("resources/dummy.xml", 0);
done();
} else {
step_timeout(check_finished, 500);
}
promise_test(async (t) => {
verifyPreloadAndRTSupport();
const keys = [];
const links = document.querySelectorAll('link');
for (const link of links) {
if (link.rel === 'preload') {
const r = /\?key=([a-zA-Z0-9\-]+)$/;
keys.push(link.href.match(r)[1]);
}
}
await new Promise((resolve) => step_timeout(resolve, 3000));

window.addEventListener("load", function() {
verifyPreloadAndRTSupport();
step_timeout(check_finished, 500);
});
for (const key of keys) {
assert_false(await hasArrivedAtServer(key));
}
}, 'Preload requests are blocked by CSP ("default-src \'none\').');
</script>

54 changes: 0 additions & 54 deletions preload/preload-strict-dynamic.html
View file

This file was deleted.

Loading

0 comments on commit 5795662

Please sign in to comment.