Add tests for ORB nosniff and status conditions.
Differential Revision: https://phabricator.services.mozilla.com/D162822

bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1802088
gecko-commit: c1a849c20687395a364be52b21a228b6c7e41ece
gecko-reviewers: sefeng
farre authored and pull[bot] committed Jul 24, 2023
1 parent 20f92ef commit 1253158
Showing 5 changed files with 113 additions and 0 deletions.
Binary file added fetch/orb/resources/sound.mp3
Binary file not shown.
4 changes: 4 additions & 0 deletions fetch/orb/resources/utils.js
@@ -6,6 +6,10 @@ function contentType(type) {
return header("Content-Type", type);
}

function contentTypeOptions(type) {
return header("X-Content-Type-Options", type);
}

function fetchORB(file, options, ...pipe) {
return fetch(`${file}${pipe.length ? `?pipe=${pipe.join("|")}` : ""}`, {
...(options || {}),
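Review bot: The parameter of `contentTypeOptions` is named `type`, copied from `contentType` above it, but the value it carries is an `X-Content-Type-Options` directive such as `nosniff`, not a MIME type. Rename it, `function contentTypeOptions(value) {` with `return header("X-Content-Type-Options", value);`, and add a one-line comment saying the result is a pipe fragment that `fetchORB` joins into the `?pipe=` query. `header` is defined outside this hunk and `fetchORB`'s body continues past it, so the pipe wording should be checked against both.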
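--- a/fetch/orb/tentative/nosniff.sub.any.js
+++ b/fetch/orb/tentative/nosniff.sub.any.js
@@ -0,0 +1,59 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+promise_test(
+t =>
+promise_rejects_js(
+t,
+TypeError,
+fetchORB(
+`${path}/text.txt`,
+null,
+contentType("text/plain"),
+contentTypeOptions("nosniff")
+)
+),
+"ORB should block opaque text/plain with nosniff"
+);
+
+promise_test(
+t =>
+promise_rejects_js(
+t,
+TypeError,
+fetchORB(
+`${path}/data.json`,
+null,
+contentType("application/json"),
+contentTypeOptions("nosniff")
+)
+),
+"ORB should block opaque-response-blocklisted MIME type with nosniff"
+);
+
+promise_test(
+t =>
+promise_rejects_js(
+t,
+TypeError,
+fetchORB(
+`${path}/data.json`,
+null,
+contentType(""),
+contentTypeOptions("nosniff")
+)
+),
+"ORB should block opaque response with empty Content-Type and nosniff"
+);
+
+promise_test(
+() =>
+fetchORB(
+`${path}/image.png`,
+null,
+contentType(""),
+contentTypeOptions("nosniff")
+),
+"ORB shouldn't block opaque image with empty Content-Type and nosniff"
+);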
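Review bot: Every blocking case sends the header value as the exact lowercase token `nosniff`, so an implementation that compares the value case-sensitively would still pass this file. Fetch's nosniff determination is an ASCII case-insensitive match, so add a variant of the first test that passes `contentTypeOptions("NoSniff")` and still expects the TypeError. Separately, `promise_rejects_js(t, TypeError, …)` is satisfied by any failed fetch. A short comment naming the resources the tests rely on (`text.txt`, `data.json`, `image.png`, none of which is added in this commit) would help a reader rule out a missing file as the reason a blocking test passes.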
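--- a/fetch/orb/tentative/status.sub.any.js
+++ b/fetch/orb/tentative/status.sub.any.js
@@ -0,0 +1,33 @@
+// META: script=/fetch/orb/resources/utils.js
+
+const path = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/orb/resources";
+
+promise_test(
+t =>
+promise_rejects_js(
+t,
+TypeError,
+fetchORB(
+`${path}/data.json`,
+null,
+contentType("application/json"),
+"status(206)"
+)
+),
+"ORB should block opaque-response-blocklisted MIME type with status 206"
+);
+
+promise_test(
+t =>
+promise_rejects_js(
+t,
+TypeError,
+fetchORB(
+`${path}/data.json`,
+null,
+contentType("application/json"),
+"status(302)"
+)
+),
+"ORB should block opaque response with non-ok status"
+);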
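Review bot: The "non-ok status" case is exercised only with `status(302)`, a redirect status, and the pipe sets no `Location` header. The rejection therefore presumably depends on how a redirect without a location is handled as well as on the ORB status rule, and a pass does not clearly pin the non-ok branch. Add a sibling test that uses a plain error status, the same call with `"status(404)"` in place of `"status(302)"`, so that branch is covered directly. A one-line comment above the 206 test saying why a partial response with a blocklisted MIME type must be blocked would also help the next reader.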
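--- a/fetch/orb/tentative/status.sub.html
+++ b/fetch/orb/tentative/status.sub.html
@@ -0,0 +1,17 @@
+'use strict';
+
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<div id=log></div>
+<script>
+async_test(function(t) {
+let url = "http://{{domains[www1]}}:{{ports[http][0]}}"
+url = `${url}/fetch/orb/resources/sound.mp3?pipe=status(301)|header(Content-Type,)`
+
+const video = document.createElement("video");
+video.src = url;
+video.onerror = t.step_func_done();
+video.onload = t.unreached_func("Unexpected error event");
+document.body.appendChild(video);
+}, "ORB should block initial media requests with status not 200 or 206");
+</script>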
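Review bot: The `video.onload` handler in the `async_test` body will not run, because media elements report a successful load through `loadedmetadata`/`loadeddata` rather than `load`. If the response were let through, the test could at best time out instead of failing with a message. Use `video.onloadedmetadata = t.unreached_func("Unexpected loadedmetadata event");`; the current message also says "error" on what is meant to be the success path. The `'use strict';` on the first line sits outside any `<script>` element and is parsed as page text, so move it inside the inline script or drop it. It is also worth a comment on whether a media element would raise `error` for a 301 response even without ORB, since in that case this test would not distinguish the two.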
