Add WPTs for invalid headers in Early Hints

When an Early Hints response contains an invalid header value the page should not be loaded. Bug: 1305896 Change-Id: Idafca361d186b4f07ab26d7ed16c9bd1cbfd3369 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3552064 Reviewed-by: Yutaka Hirano <[email protected]> Commit-Queue: Kenichi Ishibashi <[email protected]> Cr-Commit-Position: refs/heads/main@{#985831}
web-platform-tests · Mar 28, 2022 · e9c5c4c · e9c5c4c
1 parent 7a48508
commit e9c5c4c
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 0 deletions.
diff --git a/loading/early-hints/invalid-headers-in-early-hints.h2.window.js b/loading/early-hints/invalid-headers-in-early-hints.h2.window.js
@@ -0,0 +1,25 @@
+// META: script=/resources/testharness.js
+// META: script=/resources/testharnessreport.js
+
+async function testInvalidHeader(t, header_value) {
+    const params = new URLSearchParams();
+    params.set("header-value", header_value);
+    const test_url = "resources/invalid-headers-in-early-hints.h2.py?" + params.toString();
+    const opened_window = window.open(test_url, "invalid-header-in-early-hints");
+
+    // Use step_timeout() because neither "load" event nor postMessage() would
+    // work. Opening the test page should result in a network protocol error and
+    // accessing the document of the opened window should throw a SecurityError.
+    await new Promise(resolve => t.step_timeout(resolve, 1000));
+    assert_throws_dom("SecurityError", () => {
+        opened_window.document;
+    }, "window.open() should not load the test page successfully.");
+}
+
+promise_test(async (t) => {
+    await testInvalidHeader(t, "foo\r\nbar");
+}, "Early Hints contains invalid header: newline byte");
+
+promise_test(async (t) => {
+    await testInvalidHeader(t, "foo\x00bar");
+}, "Early Hints contains invalid header: nul byte");
diff --git a/loading/early-hints/resources/invalid-headers-in-early-hints.h2.py b/loading/early-hints/resources/invalid-headers-in-early-hints.h2.py
@@ -0,0 +1,20 @@
+import os
+
+
+def handle_headers(frame, request, response):
+    header_value = request.GET.first(b"header-value")
+    early_hints = [
+        (b":status", b"103"),
+        (b"invalid-header", header_value),
+    ]
+    response.writer.write_raw_header_frame(headers=early_hints,
+                                           end_headers=True)
+
+    response.status = 200
+    response.headers[b"content-type"] = "text/html"
+    response.write_status_headers()
+
+
+def main(request, response):
+    test_content = "<div>This page should not be loaded.</div>"
+    response.writer.write_data(item=test_content, last=True)