tubestation/testing/web-platform/tests/mixed-content/blob.https.sub.html
Frédéric Wang 3840b37274 Bug 1692454 [wpt PR 27604] - Stricter mixed content check for blob and filesystem URLs, a=testonly
Automatic update from web-platform-tests
Stricter mixed content check for blob and filesystem URLs

The mixed content spec relies on the concept of potentially trustworthy
URLs which checks trustworthiness of blob and filesystem by checking the
origin of the context in which they were created [1] [2]. Concretely,
"blob:https://" is trustworthy while "blob:http://" is not. Currently
Chromium treats any blob: or filesystem: URLs as trustworthy. This CL
updates the behavior to match the stricter rule from the specification.

[1] https://w3c.github.io/webappsec-mixed-content/
[2] https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy
[3] https://groups.google.com/a/chromium.org/g/blink-dev/c/nrpl_ewkmaQ

Bug: 1172988
Change-Id: I6fe6d47d0436d405294194e0fcdd4d48461ad7b5
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2662116
Commit-Queue: Frédéric Wang <fwang@igalia.com>
Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#853814}

--

wpt-commits: 06098389364eb8c5046ea0f62db58fd6b05754cc
wpt-pr: 27604
2021-02-16 12:57:42 +00:00


<!DOCTYPE html>
<html>
<head>
<title>Mixed-Content: blob tests</title>
<meta charset="utf-8">
<meta name="description" content="Test a request to a blob: URL is mixed content if the blob's origin is not potentially trustworthy.">
<meta name="help" href="https://w3c.github.io/webappsec-mixed-content/#should-block-fetch">
<meta name="help" href="https://w3c.github.io/webappsec-secure-contexts/#potentially-trustworthy-url">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>
<body>
<script>
/**
 * Issues a fetch() for `url` and reports whether the request succeeded.
 *
 * A request that is blocked (for example by the mixed-content check) or
 * otherwise fails rejects the fetch() promise; that outcome is deliberately
 * folded into the boolean result so callers can compare it with an
 * expectation instead of handling the exception.
 *
 * @param {string} url - URL to request
 * @returns {Promise<boolean>} true when the response has a 2xx status,
 *   false when the request failed or was blocked
 */
async function try_fetch_request(url) {
  let succeeded = false;
  try {
    const res = await fetch(url);
    succeeded = res.ok;
  } catch (err) {
    // Network error / blocked request: report as a failed load.
    succeeded = false;
  }
  return succeeded;
}
/**
 * Loads `url` as a classic <script> element and reports whether it loaded.
 *
 * The element is appended to document.body and never removed; the promise
 * settles on the first `load` or `error` event of that element.
 *
 * @param {string} url - script source to load
 * @returns {Promise<boolean>} true on `load`, false on `error`
 */
function try_script_load(url) {
  return new Promise((resolve) => {
    const el = document.createElement("script");
    el.addEventListener("load", () => resolve(true));
    el.addEventListener("error", () => resolve(false));
    el.src = url;
    document.body.appendChild(el);
  });
}
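// Popup documents opened from this page, one over http and one over https.
// The {{domains[]}} / {{ports[...]}} placeholders are substituted by the wpt
// server. Each popup is expected to post a message back to the opener whose
// data carries `js_blob_url` and `potentially_trustworthy` (see
// resources/blob-popup.html).
const popup_http = "http://{{domains[]}}:{{ports[http][0]}}/mixed-content/resources/blob-popup.html";
const popup_https = "https://{{domains[]}}:{{ports[https][0]}}/mixed-content/resources/blob-popup.html";

for (const popup_url of [popup_https, popup_http]) {
  const scheme = popup_url.startsWith("https:") ? "https" : "http";
  promise_test(async (t) => {
    // Wait for the first message posted to this window after opening the
    // popup. NOTE(review): assumes only the popup posts to this window.
    const event = await new Promise((resolve) => {
      window.addEventListener("message", resolve, { once: true });
      const popup = window.open(popup_url);
      // Close the popup even when an assertion below fails, so a failing
      // subtest does not leave its window open for the next subtest.
      t.add_cleanup(() => {
        if (popup) popup.close();
      });
    });
    const data = event.data;
    // Both a fetch() and a <script> load of the blob: URL must succeed
    // exactly when the blob's origin is potentially trustworthy.
    assert_equals(await try_fetch_request(data.js_blob_url),
                  data.potentially_trustworthy,
                  "Fetch request");
    assert_equals(await try_script_load(data.js_blob_url),
                  data.potentially_trustworthy,
                  "Script load");
  }, `blob: URL created by a ${scheme} popup`);
}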
</script>
</body>
</html>