Skip to content

Commit

Permalink
Update dangling markup mitigations.
Browse files Browse the repository at this point in the history 
Still behind a flag, just updating the checks to look for both `\n` and
`<` rather than just the former. This is in line with the patches up at
whatwg/url#284 and
whatwg/fetch#519.

Intent to Remove: https://groups.google.com/a/chromium.org/d/msg/blink-dev/KaA_YNOlTPk/VmmoV88xBgAJ.

Bug: 680970
Change-Id: Ifda61a0afe1f0e97620acef7dc54b005c6f74840
Reviewed-on: https://chromium-review.googlesource.com/514024
Commit-Queue: Mike West <[email protected]>
Cr-Commit-Position: refs/heads/master@{#474249}
WPT-Export-Revision: 34b8d6ab689b1ecedef332baa2a155b543f50fa7
  • Loading branch information
@mikewest
mikewest authored and Unknown committed May 24, 2017
1 parent 57fa8d0 commit e5e3ecb
Showing 1 changed file with 158 additions and 0 deletions.
158 changes: 158 additions & 0 deletions fetch/dangling-markup-mitigation.tentative.html
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,158 @@
<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="./resources/helper.js"></script>
<body>
<script>
function readableURL(url) {
return url.replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\t/g, "\\t");
}

var should_load = [
`/images/green-1x1.png`,
`/images/gre\nen-1x1.png`,
`/images/gre\ten-1x1.png`,
`/images/gre\ren-1x1.png`,
`/images/green-1x1.png?img=<`,
`/images/green-1x1.png?img=&lt;`,
`/images/green-1x1.png?img=%3C`,
`/images/gr\neen-1x1.png?img=%3C`,
`/images/gr\reen-1x1.png?img=%3C`,
`/images/gr\teen-1x1.png?img=%3C`,
`/images/green-1x1.png?img=&#10;`,
`/images/gr\neen-1x1.png?img=&#10;`,
`/images/gr\reen-1x1.png?img=&#10;`,
`/images/gr\teen-1x1.png?img=&#10;`,
];
should_load.forEach(url => async_test(t => {
fetch(url)
.then(t.step_func_done(r => {
assert_equals(r.status, 200);
}))
.catch(t.unreached_func("Fetch should succeed."));
}, "Fetch: " + readableURL(url)));

var should_block = [
`/images/gre\nen-1x1.png?img=<`,
`/images/gre\ren-1x1.png?img=<`,
`/images/gre\ten-1x1.png?img=<`,
`/images/green-1x1.png?<\n=block`,
`/images/green-1x1.png?<\r=block`,
`/images/green-1x1.png?<\t=block`,
];
should_block.forEach(url => async_test(t => {
fetch(url)
.then(t.unreached_func("Fetch should fail."))
.catch(t.step_func_done());
}, "Fetch: " + readableURL(url)));


// For each of the following tests, we'll inject a frame containing the HTML we'd like to poke at
// as a `srcdoc` attribute. Because we're injecting markup via `srcdoc`, we need to entity-escape
// the content we'd like to treat as "raw" (e.g. `\n` => `&#10;`, `<` => `&lt;`), and
// double-escape the "escaped" content.
var rawBrace = "&lt;";
var escapedBrace = "&amp;lt;";
var rawNewline = "&#10;";
var escapedNewline = "&amp;#10;";

function appendFrameAndGetElement(test, frame) {
return new Promise((resolve, reject) => {
frame.onload = test.step_func(_ => {
frame.onload = null;
resolve(frame.contentDocument.querySelector('#dangling'));
});
document.body.appendChild(frame);
});
}

function assert_img_loaded(test, frame) {
appendFrameAndGetElement(test, frame)
.then(test.step_func_done(img => {
assert_equals(img.naturalHeight, 1, "Height");
frame.remove();
}));
}

function assert_img_not_loaded(test, frame) {
appendFrameAndGetElement(test, frame)
.then(test.step_func_done(img => {
assert_equals(img.naturalHeight, 0, "Height");
assert_equals(img.naturalWidth, 0, "Width");
}));
}

function createFrame(markup) {
var i = document.createElement('iframe');
i.srcdoc = `${markup}sekrit`;
return i;
}

// The following resources should not be blocked, as their URLs do not contain both a `\n` and `<`
// character in the body of the URL.
var should_load = [
// Brace alone doesn't block:
`<img id="dangling" src="/images/green-1x1.png?img=${rawBrace}b">`,

// Newline alone doesn't block:
`<img id="dangling" src="/images/green-1x1.png?img=${rawNewline}b">`,

// Entity-escaped characters don't trigger blocking:
`<img id="dangling" src="/images/green-1x1.png?img=${escapedNewline}b">`,
`<img id="dangling" src="/images/green-1x1.png?img=${escapedBrace}b">`,
`<img id="dangling" src="/images/green-1x1.png?img=${escapedNewline}b${escapedBrace}c">`,

// Leading and trailing whitespace is stripped:
`
<img id="dangling" src="
/images/green-1x1.png?img=
">
`,
`
<img id="dangling" src="
/images/green-1x1.png?img=${escapedBrace}
">
`,
`
<img id="dangling" src="
/images/green-1x1.png?img=${escapedNewline}
">
`,

// Data URLs don't trigger blocking:
`<img id="dangling" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=">`,
`<img id="dangling" src="data:image/png;base64,${rawNewline}iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=">`,
`<img id="dangling" src="data:image/png;base64,i${rawNewline}VBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=">`,
`<img id="dangling" src="data:image/svg+xml;utf8,
<svg width='1' height='1' xmlns='http://www.w3.org/2000/svg'>
<rect width='100%' height='100%' fill='rebeccapurple'/>
<rect x='10%' y='10%' width='80%' height='80%' fill='lightgreen'/>
</svg>">`
];

should_load.forEach(markup => {
async_test(t => {
var i = createFrame(`${markup} <element attr="" another=''>`);
assert_img_loaded(t, i);
}, readableURL(markup));
});

// The following resources should be blocked, as their URLs contain both `\n` and `<` characters:
var should_block = [
`<img id="dangling" src="/images/green-1x1.png?img=${rawNewline}${rawBrace}b">`,
`<img id="dangling" src="/images/green-1x1.png?img=${rawBrace}${rawNewline}b">`,
`
<img id="dangling" src="/images/green-1x1.png?img=
${rawBrace}
${rawNewline}b
">
`,
];

should_block.forEach(markup => {
async_test(t => {
var i = createFrame(`${markup}`);
assert_img_not_loaded(t, i);
}, readableURL(markup));
});
</script>

0 comments on commit e5e3ecb

Please sign in to comment.