In [15]:
%load_ext autoreload
%autoreload 2

In [44]:
import pandas as pd
import re

from utils import get_data, Config

## Load Data + Preprocessing

In [321]:
# Load all data
initial_data = """
SELECT "Result".*, 
"Response".raw_header, "Response".status_code, "Response".label, "Response".resp_type,
"Browser".name, "Browser".version, "Browser".headless_mode, "Browser".os, "Browser".automation_mode, "Browser".add_info
FROM "Result"
JOIN "Response" ON "Result".response_id = "Response".id JOIN "Browser" ON "Result".browser_id = "Browser".id
WHERE "Response".created_at <= DATE('2023-11-21') and "Browser".name != 'Unknown';
"""
df = get_data(Config(), initial_data)

Connecting to the PostgreSQL database...
Connection successful


In [322]:
# Extra columns
df["outcome_str"] = df["outcome_value"].fillna("None").astype(str)

# Unify outcomes that are the same
# Firefox: {'error': 'object "TypeError: NetworkError when attempting to fetch resource."', 'headers': ''} Chromium: {'error': 'object "TypeError: Failed to fetch"', 'headers': ''}
# Safari: {'error': 'object "TypeError: Load failed"', 'headers': ''}
df["outcome_str"] = df["outcome_str"].replace("{'error': 'object \"TypeError: NetworkError when attempting to fetch resource.\"', 'headers': ''}", "{'error': 'object \"TypeError: Failed to fetch\"', 'headers': ''}")
df["outcome_str"] = df["outcome_str"].replace("{'error': 'object \"TypeError: Load failed\"', 'headers': ''}", "{'error': 'object \"TypeError: Failed to fetch\"', 'headers': ''}")

# For document referrer we do not want to know the exact resp_id and count
# Maybe we even only want to know whether it is a origin or the full URl?
df['outcome_str'] = df['outcome_str'].replace(r'resp_id=\d+', 'resp_id=<resp_id>', regex=True)
df['outcome_str'] = df['outcome_str'].replace(r'count=\d+', 'count=<count>', regex=True)

In [323]:
df["outcome_str"].unique()

array(["{'error': 'null', 'headers': 'access-control-allow-orgin,content-length,date,server,test,'}",
       '{\'error\': \'object "TypeError: Failed to fetch"\', \'headers\': \'\'}',
       "{'error': 'null', 'headers': 'access-control-allow-credentials,content-length,date,server,test,'}",
       "{'error': 'null', 'headers': 'access-control-allow-credentials,access-control-allow-orgin,content-length,date,server,test,'}",
       'message send',
       "{'error': 'null', 'headers': 'access-control-allow-credentials,access-control-allow-headers,access-control-allow-methods,access-control-allow-orgin,access-control-expose-headers,content-length,date,server,test,'}",
       "{'error': 'null', 'headers': 'cache-control,content-type,'}",
       'message timeout', 'fullscreenEnabled: true',
       'fullscreenEnabled: false', 'window.originAgentCluster: false',
       'window.originAgentCluster: true', "{'requestStart != 0': True}",
       "{'requestStart != 0': False}",
       'document.refe

## Overview

In [324]:
display(df.head(2))
display(df.describe())
display(df.columns)

Unnamed: 0,id,outcome_type,outcome_value,test_name,test_status,test_message,test_stack,org_scheme,org_host,resp_scheme,...,status_code,label,resp_type,name,version,headless_mode,os,automation_mode,add_info,outcome_str
0,1,<class 'dict'>,"{'error': 'null', 'headers': 'access-control-a...",fetch_GET,0,,,http,sub.headers.websec.saarland,http,...,200,CORS,basic,chrome,119,headless-new,Ubuntu 22.04,selenium,,"{'error': 'null', 'headers': 'access-control-a..."
1,2,<class 'dict'>,"{'error': 'null', 'headers': 'access-control-a...",fetch_TEST,0,,,http,sub.headers.websec.saarland,http,...,200,CORS,basic,chrome,119,headless-new,Ubuntu 22.04,selenium,,"{'error': 'null', 'headers': 'access-control-a..."


Unnamed: 0,id,test_status,browser_id,testcase_id,response_id,created_at,updated_at,status_code
count,198664.0,198664.0,198664.0,198664.0,198664.0,198664,198664,198664.0
mean,99332.5,0.000705,55.105263,1.0,78.027927,2023-11-21 12:45:18.583738112,2023-11-21 12:45:18.583738368,215.99847
min,1.0,0.0,5.0,1.0,3.0,2023-11-21 10:34:47.097638,2023-11-21 10:34:47.097641,200.0
25%,49666.75,0.0,13.0,1.0,23.0,2023-11-21 11:38:47.412738560,2023-11-21 11:38:47.412740352,200.0
50%,99332.5,0.0,60.0,1.0,46.0,2023-11-21 12:46:22.775672064,2023-11-21 12:46:22.775673088,200.0
75%,148998.25,0.0,75.0,1.0,151.0,2023-11-21 13:50:22.174202368,2023-11-21 13:50:22.174202368,200.0
max,198664.0,2.0,116.0,1.0,217.0,2023-11-21 15:13:12.751466,2023-11-21 15:13:12.751467,302.0
std,57349.501277,0.037536,40.144439,0.0,66.51863,,,37.093123


Index(['id', 'outcome_type', 'outcome_value', 'test_name', 'test_status',
       'test_message', 'test_stack', 'org_scheme', 'org_host', 'resp_scheme',
       'resp_host', 'relation_info', 'browser_id', 'testcase_id',
       'response_id', 'status', 'full_url', 'created_at', 'updated_at',
       'raw_header', 'status_code', 'label', 'resp_type', 'name', 'version',
       'headless_mode', 'os', 'automation_mode', 'add_info', 'outcome_str'],
      dtype='object')

In [325]:
# Collected results per browser
df.groupby(["name", "version", "os", "headless_mode", "automation_mode"])["id"].count().sort_values(ascending=False).to_frame()

Unnamed: 0_level_0,Unnamed: 1_level_0,Unnamed: 2_level_0,Unnamed: 3_level_0,Unnamed: 4_level_0,id
name,version,os,headless_mode,automation_mode,Unnamed: 5_level_1
brave,1.59.120 (118.0.5993.88),Ubuntu 22.04,headless-new,selenium,10456
brave,1.59.120 (118.0.5993.88),Ubuntu 22.04,xvfb,selenium,10456
brave,1.60.114 (119.0.6045.124),Ubuntu 22.04,headless-new,selenium,10456
brave,1.60.114 (119.0.6045.124),Ubuntu 22.04,xvfb,selenium,10456
brave,1.60.118 (119.0.6045.163),macOS 14.0,headless-new,selenium,10456
brave,1.60.118 (119.0.6045.163),macOS 14.0,real,selenium,10456
chrome,119,Ubuntu 22.04,headless-new,selenium,10456
chrome,119,Ubuntu 22.04,xvfb,selenium,10456
chrome,119,macOS 14.0,headless-new,selenium,10456
chrome,119,macOS 14.0,real,selenium,10456


In [326]:
# Timeouts
display(df.groupby(["name", "version", "os", "headless_mode", "automation_mode"])["test_status"].value_counts().to_frame())

display(df.loc[df["test_status"] == 2])

Unnamed: 0_level_0,Unnamed: 1_level_0,Unnamed: 2_level_0,Unnamed: 3_level_0,Unnamed: 4_level_0,Unnamed: 5_level_0,count
name,version,os,headless_mode,automation_mode,test_status,Unnamed: 6_level_1
brave,1.59.120 (118.0.5993.88),Ubuntu 22.04,headless-new,selenium,0,10456
brave,1.59.120 (118.0.5993.88),Ubuntu 22.04,xvfb,selenium,0,10456
brave,1.60.114 (119.0.6045.124),Ubuntu 22.04,headless-new,selenium,0,10456
brave,1.60.114 (119.0.6045.124),Ubuntu 22.04,xvfb,selenium,0,10456
brave,1.60.118 (119.0.6045.163),macOS 14.0,headless-new,selenium,0,10456
brave,1.60.118 (119.0.6045.163),macOS 14.0,real,selenium,0,10456
chrome,119,Ubuntu 22.04,headless-new,selenium,0,10456
chrome,119,Ubuntu 22.04,xvfb,selenium,0,10456
chrome,119,macOS 14.0,headless-new,selenium,0,10456
chrome,119,macOS 14.0,real,selenium,0,10456


Unnamed: 0,id,outcome_type,outcome_value,test_name,test_status,test_message,test_stack,org_scheme,org_host,resp_scheme,...,status_code,label,resp_type,name,version,headless_mode,os,automation_mode,add_info,outcome_str
51278,51391,<class 'NoneType'>,,referrer_iframe,2,Test timed out,,http,sub.headers.websec.saarland,https,...,200,RP,basic,safari,17.0,real,macOS 14.0,selenium,,
51282,51395,<class 'NoneType'>,,referrer_iframe,2,Test timed out,,http,sub.headers.websec.saarland,https,...,200,RP,basic,safari,17.0,real,macOS 14.0,selenium,,
51444,51399,<class 'NoneType'>,,referrer_iframe,2,Test timed out,,http,sub.headers.websec.saarland,https,...,200,RP,basic,safari,17.0,real,macOS 14.0,selenium,,
52107,52079,<class 'NoneType'>,,referrer_iframe,2,Test timed out,,http,sub.headers.websec.saarland,https,...,200,RP,basic,safari,17.0,real,macOS 14.0,selenium,,
52111,52083,<class 'NoneType'>,,referrer_iframe,2,Test timed out,,http,sub.headers.websec.saarland,https,...,200,RP,basic,safari,17.0,real,macOS 14.0,selenium,,
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
62734,62678,<class 'NoneType'>,,referrer_iframe,2,Test timed out,,https,sub.headers.websec.saarland,http,...,302,RP,basic,safari,17.0,real,macOS 14.0,selenium,,
62735,62679,<class 'NoneType'>,,referrer_iframe,2,Test timed out,,https,sub.headers.websec.saarland,https,...,302,RP,basic,safari,17.0,real,macOS 14.0,selenium,,
62736,62680,<class 'NoneType'>,,referrer_iframe,2,Test timed out,,https,sub.headers.websec.saarland,https,...,302,RP,basic,safari,17.0,real,macOS 14.0,selenium,,
153193,153240,<class 'NoneType'>,,perfAPI_img,2,Test timed out,,http,sub.headers.websec.saarland,https,...,200,TAO,basic,edge,119,headless-new,macOS 14.0,selenium,,


In [327]:
#TODO: easy way to redo timed out tests!

In [328]:
# Time taken!
df.groupby(["name", "version", "os", "headless_mode", "automation_mode", "org_scheme"])["created_at"].agg(["min", "max"]).apply(lambda x: x["max"] - x["min"], axis=1).to_frame()

Unnamed: 0_level_0,Unnamed: 1_level_0,Unnamed: 2_level_0,Unnamed: 3_level_0,Unnamed: 4_level_0,Unnamed: 5_level_0,0
name,version,os,headless_mode,automation_mode,org_scheme,Unnamed: 6_level_1
brave,1.59.120 (118.0.5993.88),Ubuntu 22.04,headless-new,selenium,http,0 days 00:15:52.729060
brave,1.59.120 (118.0.5993.88),Ubuntu 22.04,headless-new,selenium,https,0 days 00:13:28.093020
brave,1.59.120 (118.0.5993.88),Ubuntu 22.04,xvfb,selenium,http,0 days 00:15:53.539157
brave,1.59.120 (118.0.5993.88),Ubuntu 22.04,xvfb,selenium,https,0 days 00:13:33.120399
brave,1.60.114 (119.0.6045.124),Ubuntu 22.04,headless-new,selenium,http,0 days 00:15:50.330800
brave,1.60.114 (119.0.6045.124),Ubuntu 22.04,headless-new,selenium,https,0 days 00:13:29.664335
brave,1.60.114 (119.0.6045.124),Ubuntu 22.04,xvfb,selenium,http,0 days 00:16:01.039583
brave,1.60.114 (119.0.6045.124),Ubuntu 22.04,xvfb,selenium,https,0 days 00:13:30.205549
brave,1.60.118 (119.0.6045.163),macOS 14.0,headless-new,selenium,http,0 days 00:16:00.851072
brave,1.60.118 (119.0.6045.163),macOS 14.0,headless-new,selenium,https,0 days 00:13:17.676180


## Response analysis

- We have 10456 unique tests: (test_name x relation_info) x org_scheme x (resp_scheme x resp_host) x response_id)
- They should all have 10 (num browsers in various settings) outcomes
    -  Due to the HTTPS Upgrade bug many have either 16 or 4 outcomes only (as the 6 http outcomes of Chrome + Brave instead resulted in HTTPS outcomes)
    -  Without org_scheme they should have 20; a couple tests have less than 20 (due to the Firefox errors and/or timeouts?)

In [329]:
# Unique tests
tests = {
    "Fetch": [4, 2, 8, 6], 
    "Framing": [9, 2, 8, 35], # 7+11+17
    "PP": [4, 2, 8, 24],
    "OAC": [3, 2, 8, 14],
    "TAO": [1, 2, 8, 13],
    "RP": [2, 2, 8, 16],
    "CSP-SCRIPT": [2, 2, 8, 17],
    "COEP": [2, 2, 8, 11],
    "CORP": [4, 2, 8, 11],
    "CSP-IMG": [1, 2, 8, 17],
    "HSTS": [2, 1, 2, 14],
    "COOP": [1, 2, 8, 11],
}
tests = pd.DataFrame.from_dict(tests, columns=["tests", "org_origins", "resp_origins", "responses"], orient="index")
tests["All tests"] = tests.prod(axis=1)
tests.loc["Sum"] = tests.sum(axis=0)
tests

Unnamed: 0,tests,org_origins,resp_origins,responses,All tests
Fetch,4,2,8,6,384
Framing,9,2,8,35,5040
PP,4,2,8,24,1536
OAC,3,2,8,14,672
TAO,1,2,8,13,208
RP,2,2,8,16,512
CSP-SCRIPT,2,2,8,17,544
COEP,2,2,8,11,352
CORP,4,2,8,11,704
CSP-IMG,1,2,8,17,272


In [330]:
# SELECT count(*) as c2, count(DISTINCT browser_id), count(DISTINCT outcome_value) as c1, test_name, org_scheme, org_host, resp_scheme, resp_host, relation_info, response_id 
# FROM "Result" GROUP by test_name, org_scheme, org_host, resp_scheme, resp_host, relation_info, response_id order by c1 DESC, c2 DESC

res = df.groupby(["test_name", "org_scheme", "org_host", "resp_scheme", "resp_host", "relation_info", "response_id"])[["browser_id", "outcome_str"]].agg(["count", "nunique"])
display(res)
display(res.value_counts().to_frame())

Unnamed: 0_level_0,Unnamed: 1_level_0,Unnamed: 2_level_0,Unnamed: 3_level_0,Unnamed: 4_level_0,Unnamed: 5_level_0,Unnamed: 6_level_0,browser_id,browser_id,outcome_str,outcome_str
Unnamed: 0_level_1,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,count,nunique,count,nunique
test_name,org_scheme,org_host,resp_scheme,resp_host,relation_info,response_id,Unnamed: 7_level_2,Unnamed: 8_level_2,Unnamed: 9_level_2,Unnamed: 10_level_2
accesswindow_direct,http,sub.headers.websec.saarland,http,headers.webappsec.eu,direct,70,19,19,19,1
accesswindow_direct,http,sub.headers.websec.saarland,http,headers.webappsec.eu,direct,71,19,19,19,2
accesswindow_direct,http,sub.headers.websec.saarland,http,headers.webappsec.eu,direct,72,19,19,19,2
accesswindow_direct,http,sub.headers.websec.saarland,http,headers.webappsec.eu,direct,73,19,19,19,1
accesswindow_direct,http,sub.headers.websec.saarland,http,headers.webappsec.eu,direct,74,19,19,19,1
...,...,...,...,...,...,...,...,...,...,...
upgradeHSTS_subdomain,http,sub.headers.websec.saarland,https,sub.headers.websec.saarland,subdomain,138,19,19,19,1
upgradeHSTS_subdomain,http,sub.headers.websec.saarland,https,sub.headers.websec.saarland,subdomain,139,19,19,19,1
upgradeHSTS_subdomain,http,sub.headers.websec.saarland,https,sub.headers.websec.saarland,subdomain,140,19,19,19,1
upgradeHSTS_subdomain,http,sub.headers.websec.saarland,https,sub.headers.websec.saarland,subdomain,141,19,19,19,1


Unnamed: 0_level_0,Unnamed: 1_level_0,Unnamed: 2_level_0,Unnamed: 3_level_0,count
"(browser_id, count)","(browser_id, nunique)","(outcome_str, count)","(outcome_str, nunique)",Unnamed: 4_level_1
19,19,19,1,8279
19,19,19,2,1878
19,19,19,3,294
19,19,19,4,5


### Differences:
- COOP (accesswindow_direct):
    - [ ] Edge + Firefox: redirect first
    - [ ] Brave + Chrome: COOP first?
-  Framing:
    -  [ ] framing_iframe_sandbox: CSP-FA *; Firefox allows, all other browsers deny?
- PP not supported in Firefox
- OAC not supported in Firefox
    - [ ] Also random/caching behavior?
- PerfAPI:
    - [ ] Chrome/Firefox have different rules when to create an entry at all?
- COEP (CORP):
    - [ ] Firefox incorrect behavior for same-origin (applies same-site?)
- CORP:
    - [ ] same-origin: Edge does not check the scheme?
    - [x] Firefox applies CORP on object tags (even though it should not!)
    - [ ] Some other CORP and/or COEP strange stuff (Firefox)
- Referrer Policy: different default in Brave (unsafe-url is never allowed)
- Subresource-loading (CSP): differences due to HTTPS Upgrades
- Script Execution (CSP):
    - [ ] Safari sandbox bug?! (maybe related https://bugs.webkit.org/show_bug.cgi?id=223848 unsure though)
- Upgrade (HSTS):
    - [ ] Safari bug?

In [331]:
def get_uniques(df):
    browsers = f"{df['name'].unique().tolist()}"
    try:
        outcome = unique_outcomes[df.name[0]]
    except KeyError:
        outcome = {}
        #outcome = []
    outcome[browsers] = df.name[1]
    #outcome.append(f"{df.name[1]} ({browsers})")
    unique_outcomes[df.name[0]] = outcome

for grouping, group in df.groupby(["test_name", "relation_info"]):
    
    unique_outcomes = {}
    group.groupby(["name"])["outcome_str"].value_counts(normalize=True).reset_index().groupby(["outcome_str", "proportion"], group_keys=True).apply(get_uniques)
    d = pd.DataFrame.from_dict(unique_outcomes, orient="index")
    if d.shape[1] != 1:
        print(grouping)
        # display(unique_outcomes)
        display(group.groupby(["name"])["outcome_str"].value_counts(normalize=True).to_frame().unstack(0))
        for value, dic in unique_outcomes.items():
            values = [f"{v} ({k})" for k,v in dic.items()]
            # print(f"{value}: {values}")
        display(d)
        print()


('accesswindow_direct', 'direct')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
{'window.open.opener': 'null'},0.340909,0.261364,0.181818,0.181818,0.181818
"{'window.open.opener': 'object ""[object Window]""'}",0.659091,0.738636,0.818182,0.818182,0.818182


Unnamed: 0,"['edge', 'firefox', 'safari']",['chrome'],['brave']
{'window.open.opener': 'null'},0.181818,0.261364,0.340909
"{'window.open.opener': 'object ""[object Window]""'}",0.818182,0.738636,0.659091



('framing_embed', 'direct')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
message send,0.332143,0.332143,0.332143,0.332143,
message timeout,0.667857,0.667857,0.667857,0.667857,1.0


Unnamed: 0,"['brave', 'chrome', 'edge', 'firefox']",['safari']
message send,0.332143,
message timeout,0.667857,1.0



('framing_embed', 'nested')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
message send,0.214286,0.214286,0.214286,0.214286,
message timeout,0.785714,0.785714,0.785714,0.785714,1.0


Unnamed: 0,"['brave', 'chrome', 'edge', 'firefox']",['safari']
message send,0.214286,
message timeout,0.785714,1.0



('framing_embed', 'sandbox')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
message send,0.214286,0.214286,0.214286,0.214286,
message timeout,0.785714,0.785714,0.785714,0.785714,1.0


Unnamed: 0,"['brave', 'chrome', 'edge', 'firefox']",['safari']
message send,0.214286,
message timeout,0.785714,1.0



('framing_iframe', 'sandbox')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
message send,0.157143,0.157143,0.157143,0.171429,0.157143
message timeout,0.842857,0.842857,0.842857,0.828571,0.842857


Unnamed: 0,"['brave', 'chrome', 'edge', 'safari']",['firefox']
message send,0.157143,0.171429
message timeout,0.842857,0.828571



('framing_object', 'direct')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
message send,0.332143,0.332143,0.332143,0.332143,
message timeout,0.667857,0.667857,0.667857,0.667857,1.0


Unnamed: 0,"['brave', 'chrome', 'edge', 'firefox']",['safari']
message send,0.332143,
message timeout,0.667857,1.0



('framing_object', 'nested')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
message send,0.214286,0.214286,0.214286,0.214286,
message timeout,0.785714,0.785714,0.785714,0.785714,1.0


Unnamed: 0,"['brave', 'chrome', 'edge', 'firefox']",['safari']
message send,0.214286,
message timeout,0.785714,1.0



('framing_object', 'sandbox')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
message send,0.214286,0.214286,0.214286,0.214286,
message timeout,0.785714,0.785714,0.785714,0.785714,1.0


Unnamed: 0,"['brave', 'chrome', 'edge', 'firefox']",['safari']
message send,0.214286,
message timeout,0.785714,1.0



('fullscreen_iframe', 'child')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
fullscreenEnabled: false,0.403646,0.403646,0.403646,0.34375,0.34375
fullscreenEnabled: true,0.054688,0.054688,0.054688,0.114583,0.114583
message timeout,0.541667,0.541667,0.541667,0.541667,0.541667


Unnamed: 0,"['firefox', 'safari']","['brave', 'chrome', 'edge']","['brave', 'chrome', 'edge', 'firefox', 'safari']"
fullscreenEnabled: false,0.34375,0.403646,
fullscreenEnabled: true,0.114583,0.054688,
message timeout,,,0.541667



('fullscreen_iframe', 'child_allow')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
fullscreenEnabled: false,0.294271,0.294271,0.294271,,
fullscreenEnabled: true,0.164062,0.164062,0.164062,0.458333,0.458333
message timeout,0.541667,0.541667,0.541667,0.541667,0.541667


Unnamed: 0,"['brave', 'chrome', 'edge']","['firefox', 'safari']","['brave', 'chrome', 'edge', 'firefox', 'safari']"
fullscreenEnabled: false,0.294271,,
fullscreenEnabled: true,0.164062,0.458333,
message timeout,,,0.541667



('fullscreen_iframe', 'direct')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
fullscreenEnabled: false,0.369792,0.369792,0.369792,,
fullscreenEnabled: true,0.317708,0.317708,0.317708,0.6875,0.6875
message timeout,0.3125,0.3125,0.3125,0.3125,0.3125


Unnamed: 0,"['brave', 'chrome', 'edge']","['firefox', 'safari']","['brave', 'chrome', 'edge', 'firefox', 'safari']"
fullscreenEnabled: false,0.369792,,
fullscreenEnabled: true,0.317708,0.6875,
message timeout,,,0.3125



('imgloading_iframe', 'direct')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
error,0.194853,0.194853,0.194853,0.242647,0.242647
load,0.422794,0.422794,0.422794,0.375,0.375
message timeout,0.382353,0.382353,0.382353,0.382353,0.382353


Unnamed: 0,"['brave', 'chrome', 'edge']","['firefox', 'safari']","['brave', 'chrome', 'edge', 'firefox', 'safari']"
error,0.194853,0.242647,
load,0.422794,0.375,
message timeout,,,0.382353



('oac_iframe', 'direct')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
message timeout,0.357143,0.357143,0.357143,0.357143,0.357143
window.originAgentCluster: false,0.36756,0.245536,0.245536,,
window.originAgentCluster: true,0.275298,0.397321,0.397321,,
window.originAgentCluster: undefined,,,,0.642857,0.642857


Unnamed: 0,"['brave', 'chrome', 'edge', 'firefox', 'safari']","['chrome', 'edge']",['brave'],"['firefox', 'safari']"
message timeout,0.357143,,,
window.originAgentCluster: false,,0.245536,0.36756,
window.originAgentCluster: true,,0.397321,0.275298,
window.originAgentCluster: undefined,,,,0.642857



('oac_iframe', 'sandbox')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
message timeout,0.357143,0.357143,0.357143,0.357143,0.357143
window.originAgentCluster: true,0.642857,0.642857,0.642857,,
window.originAgentCluster: undefined,,,,0.642857,0.642857


Unnamed: 0,"['brave', 'chrome', 'edge', 'firefox', 'safari']","['brave', 'chrome', 'edge']","['firefox', 'safari']"
message timeout,0.357143,,
window.originAgentCluster: true,,0.642857,
window.originAgentCluster: undefined,,,0.642857



('oac_window.open', 'window.open')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
message timeout,0.142857,0.142857,0.142857,0.142857,0.142857
window.originAgentCluster: false,0.340774,0.285714,0.459821,,
window.originAgentCluster: true,0.516369,0.571429,0.397321,,
window.originAgentCluster: undefined,,,,0.857143,0.857143


Unnamed: 0,"['brave', 'chrome', 'edge', 'firefox', 'safari']",['chrome'],['brave'],['edge'],"['firefox', 'safari']"
message timeout,0.142857,,,,
window.originAgentCluster: false,,0.285714,0.340774,0.459821,
window.originAgentCluster: true,,0.571429,0.516369,0.397321,
window.originAgentCluster: undefined,,,,,0.857143



('perfAPI_img', 'direct')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
No performance entry,0.25,0.25,0.25,,
,,,0.001202,,
{'requestStart != 0': False},0.442308,0.442308,0.442308,0.581731,0.581731
{'requestStart != 0': True},0.307692,0.307692,0.30649,0.418269,0.418269


Unnamed: 0,"['brave', 'chrome', 'edge']",['edge'],"['firefox', 'safari']","['brave', 'chrome']"
No performance entry,0.25,,,
{'requestStart != 0': False},0.442308,,0.581731,
,,0.001202,,
{'requestStart != 0': True},,0.30649,0.418269,0.307692



('referrer_iframe', 'iframe')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
,,,,,0.160156
document.referrer:,0.054688,0.054688,0.054688,0.054688,0.054688
document.referrer: http://headers.webappsec.eu/,0.044922,0.035156,0.035156,0.046875,0.046875
document.referrer: http://headers.webappsec.eu/_hp/server/responses.py?feature_group=rp&resp_id=<resp_id>&count=<count>&nest=1&origin=http://sub.headers.websec.saarland&element=iframe&resp=1,0.001953,0.011719,0.011719,,
document.referrer: http://headers.websec.saarland/,0.044922,0.035156,0.035156,0.035156,0.035156
document.referrer: http://headers.websec.saarland/_hp/server/responses.py?feature_group=rp&resp_id=<resp_id>&count=<count>&nest=1&origin=http://sub.headers.websec.saarland&element=iframe&resp=1,0.001953,0.011719,0.011719,0.011719,0.011719
document.referrer: http://sub.headers.websec.saarland/,0.011719,0.011719,0.011719,0.011719,0.011719
document.referrer: http://sub.headers.websec.saarland/_hp/server/responses.py?feature_group=rp&resp_id=<resp_id>&count=<count>&nest=1&origin=http://sub.headers.websec.saarland&element=iframe&resp=1,0.039062,0.039062,0.039062,0.039062,0.039062
document.referrer: http://sub.sub.headers.websec.saarland/,0.044922,0.035156,0.035156,0.035156,0.035156
document.referrer: http://sub.sub.headers.websec.saarland/_hp/server/responses.py?feature_group=rp&resp_id=<resp_id>&count=<count>&nest=1&origin=http://sub.headers.websec.saarland&element=iframe&resp=1,0.001953,0.011719,0.011719,0.011719,0.011719


Unnamed: 0,['safari'],"['brave', 'chrome', 'edge', 'firefox', 'safari']","['chrome', 'edge']",['brave'],"['firefox', 'safari']","['chrome', 'edge', 'firefox', 'safari']","['brave', 'chrome', 'edge', 'firefox']"
,0.160156,,,,,,
message timeout,0.402344,,,,,,0.5625
document.referrer:,,0.054688,,,,,
document.referrer: http://sub.headers.websec.saarland/,,0.011719,,,,,
document.referrer: http://sub.headers.websec.saarland/_hp/server/responses.py?feature_group=rp&resp_id=<resp_id>&count=<count>&nest=1&origin=http://sub.headers.websec.saarland&element=iframe&resp=1,,0.039062,,,,,
document.referrer: https://sub.headers.websec.saarland/,,0.011719,,,,,
document.referrer: https://sub.headers.websec.saarland/_hp/server/responses.py?feature_group=rp&resp_id=<resp_id>&count=<count>&nest=1&origin=https://sub.headers.websec.saarland&element=iframe&resp=1,,0.039062,,,,,
document.referrer: http://headers.webappsec.eu/,,,0.035156,0.044922,0.046875,,
document.referrer: http://headers.webappsec.eu/_hp/server/responses.py?feature_group=rp&resp_id=<resp_id>&count=<count>&nest=1&origin=http://sub.headers.websec.saarland&element=iframe&resp=1,,,0.011719,0.001953,,,
document.referrer: https://headers.webappsec.eu/,,,0.035156,0.044922,0.046875,,



('referrer_iframe', 'window.open')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
,,,0.000977,,0.105469
document.referrer:,0.427083,0.289062,0.242188,0.242188,0.242188
document.referrer: http://headers.webappsec.eu/,,0.035156,0.070312,0.070312,0.09375
document.referrer: http://headers.webappsec.eu/_hp/server/responses.py?feature_group=rp&resp_id=<resp_id>&count=<count>&nest=1&origin=http://sub.headers.websec.saarland&element=window.open&resp=1,,0.005859,0.011719,0.011719,
document.referrer: http://headers.webappsec.eu/_hp/server/responses.py?feature_group=rp&resp_id=<resp_id>&count=<count>&nest=1&origin=https://sub.headers.websec.saarland&element=window.open&resp=1,,0.005859,0.011719,0.011719,
document.referrer: http://headers.websec.saarland/,,0.035156,0.070312,0.070312,0.070312
document.referrer: http://headers.websec.saarland/_hp/server/responses.py?feature_group=rp&resp_id=<resp_id>&count=<count>&nest=1&origin=http://sub.headers.websec.saarland&element=window.open&resp=1,,0.005859,0.011719,0.011719,0.011719
document.referrer: http://headers.websec.saarland/_hp/server/responses.py?feature_group=rp&resp_id=<resp_id>&count=<count>&nest=1&origin=https://sub.headers.websec.saarland&element=window.open&resp=1,,0.005859,0.011719,0.011719,0.011719
document.referrer: http://sub.headers.websec.saarland/,0.042318,0.041016,0.046875,0.046875,0.046875
document.referrer: http://sub.headers.websec.saarland/_hp/server/responses.py?feature_group=rp&resp_id=<resp_id>&count=<count>&nest=1&origin=http://sub.headers.websec.saarland&element=window.open&resp=1,0.004557,0.025391,0.039062,0.039062,0.039062


Unnamed: 0,['edge'],['safari'],"['edge', 'firefox', 'safari']",['chrome'],['brave'],"['edge', 'firefox']","['chrome', 'edge', 'firefox', 'safari']","['brave', 'chrome', 'firefox']"
,0.000977,0.105469,,,,,,
message timeout,0.124023,0.019531,,,,,,0.125
document.referrer: http://headers.webappsec.eu/,,0.09375,,0.035156,,0.070312,,
document.referrer: https://headers.webappsec.eu/,,0.0625,,0.064453,0.092448,0.042969,,
document.referrer:,,,0.242188,0.289062,0.427083,,,
document.referrer: http://headers.websec.saarland/,,,0.070312,0.035156,,,,
document.referrer: http://headers.websec.saarland/_hp/server/responses.py?feature_group=rp&resp_id=<resp_id>&count=<count>&nest=1&origin=http://sub.headers.websec.saarland&element=window.open&resp=1,,,0.011719,0.005859,,,,
document.referrer: http://headers.websec.saarland/_hp/server/responses.py?feature_group=rp&resp_id=<resp_id>&count=<count>&nest=1&origin=https://sub.headers.websec.saarland&element=window.open&resp=1,,,0.011719,0.005859,,,,
document.referrer: http://sub.headers.websec.saarland/,,,0.046875,0.041016,0.042318,,,
document.referrer: http://sub.headers.websec.saarland/_hp/server/responses.py?feature_group=rp&resp_id=<resp_id>&count=<count>&nest=1&origin=http://sub.headers.websec.saarland&element=window.open&resp=1,,,0.039062,0.025391,0.004557,,,



('script_execution_iframe', 'sandbox')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
message send,0.496324,0.496324,0.496324,0.496324,0.485294
message timeout,0.503676,0.503676,0.503676,0.503676,0.514706


Unnamed: 0,['safari'],"['brave', 'chrome', 'edge', 'firefox']"
message send,0.485294,0.496324
message timeout,0.514706,0.503676



('subresourceloadingCOEP_img', 'direct')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
message timeout,0.386364,0.386364,0.386364,0.386364,0.386364
"{'image-events': {'swag.jpg': 'error', 'swag-same-site.jpg': 'error', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'error'}, 'window.crossOriginIsolated': False}",0.005682,0.005682,0.005682,0.005682,0.011364
"{'image-events': {'swag.jpg': 'error', 'swag-same-site.jpg': 'load', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'error'}, 'window.crossOriginIsolated': False}",0.011364,0.011364,0.011364,,0.028409
"{'image-events': {'swag.jpg': 'load', 'swag-same-site.jpg': 'error', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'error'}, 'window.crossOriginIsolated': False}",0.147727,0.147727,0.147727,0.147727,0.142045
"{'image-events': {'swag.jpg': 'load', 'swag-same-site.jpg': 'load', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'error'}, 'window.crossOriginIsolated': False}",0.295455,0.295455,0.295455,0.183239,0.329545
"{'image-events': {'swag.jpg': 'load', 'swag-same-site.jpg': 'load', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'load'}, 'window.crossOriginIsolated': False}",0.153409,0.153409,0.153409,0.276989,0.102273


Unnamed: 0,"['brave', 'chrome', 'edge', 'firefox', 'safari']","['brave', 'chrome', 'edge', 'firefox']",['safari'],"['brave', 'chrome', 'edge']",['firefox']
message timeout,0.386364,,,,
"{'image-events': {'swag.jpg': 'error', 'swag-same-site.jpg': 'error', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'error'}, 'window.crossOriginIsolated': False}",,0.005682,0.011364,,
"{'image-events': {'swag.jpg': 'load', 'swag-same-site.jpg': 'error', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'error'}, 'window.crossOriginIsolated': False}",,0.147727,0.142045,,
"{'image-events': {'swag.jpg': 'error', 'swag-same-site.jpg': 'load', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'error'}, 'window.crossOriginIsolated': False}",,,0.028409,0.011364,
"{'image-events': {'swag.jpg': 'load', 'swag-same-site.jpg': 'load', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'error'}, 'window.crossOriginIsolated': False}",,,0.329545,0.295455,0.183239
"{'image-events': {'swag.jpg': 'load', 'swag-same-site.jpg': 'load', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'load'}, 'window.crossOriginIsolated': False}",,,0.102273,0.153409,0.276989



('subresourceloadingCOEP_img', 'sandbox')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
message timeout,0.386364,0.386364,0.386364,0.386364,0.386364
"{'image-events': {'swag.jpg': 'error', 'swag-same-site.jpg': 'error', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'error'}, 'window.crossOriginIsolated': False}",0.022727,0.022727,0.022727,0.022727,0.045455
"{'image-events': {'swag.jpg': 'load', 'swag-same-site.jpg': 'error', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'error'}, 'window.crossOriginIsolated': False}",0.590909,0.590909,0.590909,0.590909,0.568182


Unnamed: 0,"['brave', 'chrome', 'edge', 'firefox', 'safari']","['brave', 'chrome', 'edge', 'firefox']",['safari']
message timeout,0.386364,,
"{'image-events': {'swag.jpg': 'error', 'swag-same-site.jpg': 'error', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'error'}, 'window.crossOriginIsolated': False}",,0.022727,0.045455
"{'image-events': {'swag.jpg': 'load', 'swag-same-site.jpg': 'error', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'error'}, 'window.crossOriginIsolated': False}",,0.590909,0.568182



('subresourceloadingCORP_img', 'direct')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
error,0.295455,0.295455,0.295455,0.301136,0.301136
load,0.704545,0.704545,0.704545,0.698864,0.698864


Unnamed: 0,"['brave', 'chrome', 'edge']","['firefox', 'safari']"
error,0.295455,0.301136
load,0.704545,0.698864



('subresourceloadingCORP_object', 'direct')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
error,0.25,0.25,0.25,0.431818,
load,0.75,0.75,0.75,0.568182,
timeout: no event fired,,,,,1.0


Unnamed: 0,"['brave', 'chrome', 'edge']",['firefox'],['safari']
error,0.25,0.431818,
load,0.75,0.568182,
timeout: no event fired,,,1.0



('upgradeHSTS_direct', 'direct')


Unnamed: 0_level_0,proportion,proportion,proportion,proportion,proportion
name,brave,chrome,edge,firefox,safari
outcome_str,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2
{'response.redirected': False},0.821429,0.821429,0.821429,0.821429,0.785714
{'response.redirected': True},0.178571,0.178571,0.178571,0.178571,0.214286


Unnamed: 0,['safari'],"['brave', 'chrome', 'edge', 'firefox']"
{'response.redirected': False},0.785714,0.821429
{'response.redirected': True},0.214286,0.178571





In [334]:
def make_clickable(url):
    # Clickable links for debugging; set browser_id=2 (unknown) to not count them in our real data collection
    url = re.sub(r"browser_id=(\d+)", "browser_id=2", url)
    return f'<a href="{url}" target="_blank">{url}</a>'

test_name_seen = set()
for test_name, org_scheme, org_host, resp_scheme, resp_host, relation_info, response_id in res.loc[res[("outcome_str", "nunique")] != 1].index:
    # Only look at each feature group once
    if test_name in test_name_seen:
        continue
    test_name_seen.add(test_name)
    print(test_name)
    rows = df.loc[(df["org_scheme"] == org_scheme) & (df["test_name"] == test_name) & (df["resp_scheme"] == resp_scheme) & (df["resp_host"] == resp_host) & (df["relation_info"] == relation_info) & (df["response_id"] == response_id)]
    with pd.option_context("display.max_colwidth", 200):
        #display(rows[["outcome_str", "name", "headless_mode", "os", "version"]].value_counts().to_frame())
        display(rows[["outcome_str", "name"]].value_counts().to_frame())
        disp = rows.drop_duplicates(subset="outcome_str")[["browser_id", "headless_mode", "name", "outcome_str", "raw_header", "test_name", "org_scheme", "org_host", "resp_scheme", "relation_info", "resp_host", "full_url"]]
        disp = disp.style.format({'full_url': make_clickable})
        display(disp)
        
    

accesswindow_direct


Unnamed: 0_level_0,Unnamed: 1_level_0,count
outcome_str,name,Unnamed: 2_level_1
{'window.open.opener': 'null'},brave,6
"{'window.open.opener': 'object ""[object Window]""'}",edge,4
"{'window.open.opener': 'object ""[object Window]""'}",firefox,4
{'window.open.opener': 'null'},chrome,2
"{'window.open.opener': 'object ""[object Window]""'}",chrome,2
"{'window.open.opener': 'object ""[object Window]""'}",safari,1


Unnamed: 0,browser_id,headless_mode,name,outcome_str,raw_header,test_name,org_scheme,org_host,resp_scheme,relation_info,resp_host,full_url
8245,13,headless-new,chrome,{'window.open.opener': 'null'},"[['Cross-Origin-Opener-Policy', 'same-origin-allow-popups']]",accesswindow_direct,http,sub.headers.websec.saarland,http,direct,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/window-references-coop.sub.html?resp_type=basic&browser_id=2&label=COOP&first_id=71&last_id=71&scheme=http
13276,5,real,chrome,"{'window.open.opener': 'object ""[object Window]""'}","[['Cross-Origin-Opener-Policy', 'same-origin-allow-popups']]",accesswindow_direct,http,sub.headers.websec.saarland,http,direct,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/window-references-coop.sub.html?resp_type=basic&browser_id=2&label=COOP&first_id=71&last_id=71&scheme=http


framing_embed


Unnamed: 0_level_0,Unnamed: 1_level_0,count
outcome_str,name,Unnamed: 2_level_1
message send,brave,6
message send,chrome,4
message send,edge,4
message send,firefox,4
message timeout,safari,1


Unnamed: 0,browser_id,headless_mode,name,outcome_str,raw_header,test_name,org_scheme,org_host,resp_scheme,relation_info,resp_host,full_url
417,13,headless-new,chrome,message send,"[['x-frame-options', 'INVALID']]",framing_embed,http,sub.headers.websec.saarland,http,direct,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/framing.sub.html?resp_type=basic&browser_id=2&label=XFO&first_id=5&last_id=5&scheme=http
45426,7,real,safari,message timeout,"[['x-frame-options', 'INVALID']]",framing_embed,http,sub.headers.websec.saarland,http,direct,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/framing.sub.html?resp_type=basic&browser_id=2&label=XFO&first_id=5&last_id=5&scheme=http


framing_iframe


Unnamed: 0_level_0,Unnamed: 1_level_0,count
outcome_str,name,Unnamed: 2_level_1
message timeout,brave,6
message send,firefox,4
message timeout,chrome,4
message timeout,edge,4
message timeout,safari,1


Unnamed: 0,browser_id,headless_mode,name,outcome_str,raw_header,test_name,org_scheme,org_host,resp_scheme,relation_info,resp_host,full_url
1203,13,headless-new,chrome,message timeout,"[['Content-Security-Policy', 'frame-ancestors *']]",framing_iframe,http,sub.headers.websec.saarland,http,sandbox,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/framing.sub.html?resp_type=basic&browser_id=2&label=CSP-FA&first_id=18&last_id=18&scheme=http
21446,14,headless,firefox,message send,"[['Content-Security-Policy', 'frame-ancestors *']]",framing_iframe,http,sub.headers.websec.saarland,http,sandbox,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/framing.sub.html?resp_type=basic&browser_id=2&label=CSP-FA&first_id=18&last_id=18&scheme=http


framing_object


Unnamed: 0_level_0,Unnamed: 1_level_0,count
outcome_str,name,Unnamed: 2_level_1
message send,brave,6
message send,chrome,4
message send,edge,4
message send,firefox,4
message timeout,safari,1


Unnamed: 0,browser_id,headless_mode,name,outcome_str,raw_header,test_name,org_scheme,org_host,resp_scheme,relation_info,resp_host,full_url
416,13,headless-new,chrome,message send,"[['x-frame-options', 'INVALID']]",framing_object,http,sub.headers.websec.saarland,http,direct,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/framing.sub.html?resp_type=basic&browser_id=2&label=XFO&first_id=5&last_id=5&scheme=http
45425,7,real,safari,message timeout,"[['x-frame-options', 'INVALID']]",framing_object,http,sub.headers.websec.saarland,http,direct,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/framing.sub.html?resp_type=basic&browser_id=2&label=XFO&first_id=5&last_id=5&scheme=http


fullscreen_iframe


Unnamed: 0_level_0,Unnamed: 1_level_0,count
outcome_str,name,Unnamed: 2_level_1
fullscreenEnabled: false,brave,6
fullscreenEnabled: false,chrome,4
fullscreenEnabled: false,edge,4
fullscreenEnabled: true,firefox,4
fullscreenEnabled: true,safari,1


Unnamed: 0,browser_id,headless_mode,name,outcome_str,raw_header,test_name,org_scheme,org_host,resp_scheme,relation_info,resp_host,full_url
2898,13,headless-new,chrome,fullscreenEnabled: false,"[['Permissions-Policy', 'fullscreen=()']]",fullscreen_iframe,http,sub.headers.websec.saarland,http,child_allow,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/fullscreen-api-pp.sub.html?resp_type=basic&browser_id=2&label=PP&first_id=166&last_id=166&scheme=http
23717,14,headless,firefox,fullscreenEnabled: true,"[['Permissions-Policy', 'fullscreen=()']]",fullscreen_iframe,http,sub.headers.websec.saarland,http,child_allow,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/fullscreen-api-pp.sub.html?resp_type=basic&browser_id=2&label=PP&first_id=166&last_id=166&scheme=http


imgloading_iframe


Unnamed: 0_level_0,Unnamed: 1_level_0,count
outcome_str,name,Unnamed: 2_level_1
load,brave,6
error,firefox,4
load,chrome,4
load,edge,4
error,safari,1


Unnamed: 0,browser_id,headless_mode,name,outcome_str,raw_header,test_name,org_scheme,org_host,resp_scheme,relation_info,resp_host,full_url
7931,13,headless-new,chrome,load,"[['Content-Security-Policy', 'img-src https://sub.headers.websec.saarland']]",imgloading_iframe,http,sub.headers.websec.saarland,https,direct,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/subresource-loading-csp.sub.html?resp_type=basic&browser_id=2&label=CSP-IMG&first_id=114&last_id=114&scheme=http
29304,14,headless,firefox,error,"[['Content-Security-Policy', 'img-src https://sub.headers.websec.saarland']]",imgloading_iframe,http,sub.headers.websec.saarland,https,direct,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/subresource-loading-csp.sub.html?resp_type=basic&browser_id=2&label=CSP-IMG&first_id=114&last_id=114&scheme=http


oac_iframe


Unnamed: 0_level_0,Unnamed: 1_level_0,count
outcome_str,name,Unnamed: 2_level_1
window.originAgentCluster: false,brave,6
window.originAgentCluster: false,chrome,4
window.originAgentCluster: false,edge,4
window.originAgentCluster: undefined,firefox,4
window.originAgentCluster: undefined,safari,1


Unnamed: 0,browser_id,headless_mode,name,outcome_str,raw_header,test_name,org_scheme,org_host,resp_scheme,relation_info,resp_host,full_url
3511,13,headless-new,chrome,window.originAgentCluster: false,"[['origin-agent-cluster', '*']]",oac_iframe,http,sub.headers.websec.saarland,http,direct,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/originAgentCluster-oac.sub.html?resp_type=basic&browser_id=2&label=OAC&first_id=145&last_id=145&scheme=http
24943,14,headless,firefox,window.originAgentCluster: undefined,"[['origin-agent-cluster', '*']]",oac_iframe,http,sub.headers.websec.saarland,http,direct,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/originAgentCluster-oac.sub.html?resp_type=basic&browser_id=2&label=OAC&first_id=145&last_id=145&scheme=http


oac_window.open


Unnamed: 0_level_0,Unnamed: 1_level_0,count
outcome_str,name,Unnamed: 2_level_1
window.originAgentCluster: false,edge,4
window.originAgentCluster: undefined,firefox,4
window.originAgentCluster: true,brave,4
window.originAgentCluster: false,chrome,2
window.originAgentCluster: false,brave,2
window.originAgentCluster: true,chrome,2
window.originAgentCluster: undefined,safari,1


Unnamed: 0,browser_id,headless_mode,name,outcome_str,raw_header,test_name,org_scheme,org_host,resp_scheme,relation_info,resp_host,full_url
3513,13,headless-new,chrome,window.originAgentCluster: true,"[['origin-agent-cluster', '*']]",oac_window.open,http,sub.headers.websec.saarland,http,window.open,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/originAgentCluster-oac.sub.html?resp_type=basic&browser_id=2&label=OAC&first_id=145&last_id=145&scheme=http
8711,5,real,chrome,window.originAgentCluster: false,"[['origin-agent-cluster', '*']]",oac_window.open,http,sub.headers.websec.saarland,http,window.open,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/originAgentCluster-oac.sub.html?resp_type=basic&browser_id=2&label=OAC&first_id=145&last_id=145&scheme=http
24945,14,headless,firefox,window.originAgentCluster: undefined,"[['origin-agent-cluster', '*']]",oac_window.open,http,sub.headers.websec.saarland,http,window.open,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/originAgentCluster-oac.sub.html?resp_type=basic&browser_id=2&label=OAC&first_id=145&last_id=145&scheme=http


perfAPI_img


Unnamed: 0_level_0,Unnamed: 1_level_0,count
outcome_str,name,Unnamed: 2_level_1
{'requestStart != 0': True},brave,6
{'requestStart != 0': True},chrome,4
{'requestStart != 0': True},firefox,4
{'requestStart != 0': True},edge,3
,edge,1
{'requestStart != 0': True},safari,1


Unnamed: 0,browser_id,headless_mode,name,outcome_str,raw_header,test_name,org_scheme,org_host,resp_scheme,relation_info,resp_host,full_url
3825,13,headless-new,chrome,{'requestStart != 0': True},"[['Timing-Allow-Origin', '*']]",perfAPI_img,http,sub.headers.websec.saarland,https,direct,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/perfAPI-tao.sub.html?resp_type=basic&browser_id=2&label=TAO&first_id=205&last_id=205&scheme=http
153193,115,headless-new,edge,,"[['Timing-Allow-Origin', '*']]",perfAPI_img,http,sub.headers.websec.saarland,https,direct,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/perfAPI-tao.sub.html?resp_type=basic&browser_id=2&label=TAO&first_id=205&last_id=205&scheme=http


referrer_iframe


Unnamed: 0_level_0,Unnamed: 1_level_0,count
outcome_str,name,Unnamed: 2_level_1
document.referrer: http://headers.webappsec.eu/,brave,5
document.referrer: http://headers.webappsec.eu/,firefox,4
document.referrer: http://headers.webappsec.eu/_hp/server/responses.py?feature_group=rp&resp_id=<resp_id>&count=<count>&nest=1&origin=http://sub.headers.websec.saarland&element=iframe&resp=1,edge,4
document.referrer: http://headers.webappsec.eu/_hp/server/responses.py?feature_group=rp&resp_id=<resp_id>&count=<count>&nest=1&origin=http://sub.headers.websec.saarland&element=iframe&resp=1,chrome,4
document.referrer: http://headers.webappsec.eu/_hp/server/responses.py?feature_group=rp&resp_id=<resp_id>&count=<count>&nest=1&origin=http://sub.headers.websec.saarland&element=iframe&resp=1,brave,1
document.referrer: http://headers.webappsec.eu/,safari,1


Unnamed: 0,browser_id,headless_mode,name,outcome_str,raw_header,test_name,org_scheme,org_host,resp_scheme,relation_info,resp_host,full_url
3941,13,headless-new,chrome,document.referrer: http://headers.webappsec.eu/_hp/server/responses.py?feature_group=rp&resp_id=&count=&nest=1&origin=http://sub.headers.websec.saarland&element=iframe&resp=1,"[['Referrer-Policy', 'no-referrer-when-downgrade']]",referrer_iframe,http,sub.headers.websec.saarland,http,iframe,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/referrer-access-rp.sub.html?resp_type=basic&browser_id=2&label=RP&first_id=191&last_id=191&scheme=http
26369,14,headless,firefox,document.referrer: http://headers.webappsec.eu/,"[['Referrer-Policy', 'no-referrer-when-downgrade']]",referrer_iframe,http,sub.headers.websec.saarland,http,iframe,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/referrer-access-rp.sub.html?resp_type=basic&browser_id=2&label=RP&first_id=191&last_id=191&scheme=http


script_execution_iframe


Unnamed: 0_level_0,Unnamed: 1_level_0,count
outcome_str,name,Unnamed: 2_level_1
message timeout,brave,6
message timeout,edge,4
message timeout,chrome,4
message timeout,firefox,4
message send,safari,1


Unnamed: 0,browser_id,headless_mode,name,outcome_str,raw_header,test_name,org_scheme,org_host,resp_scheme,relation_info,resp_host,full_url
4674,13,headless-new,chrome,message timeout,"[['Content-Security-Policy', ""script-src 'self'""]]",script_execution_iframe,http,sub.headers.websec.saarland,http,sandbox,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/script-execution-csp.sub.html?resp_type=basic&browser_id=2&label=CSP-SCRIPT&first_id=94&last_id=94&scheme=http
52788,7,real,safari,message send,"[['Content-Security-Policy', ""script-src 'self'""]]",script_execution_iframe,http,sub.headers.websec.saarland,http,sandbox,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/script-execution-csp.sub.html?resp_type=basic&browser_id=2&label=CSP-SCRIPT&first_id=94&last_id=94&scheme=http


subresourceloadingCOEP_img


Unnamed: 0_level_0,Unnamed: 1_level_0,count
outcome_str,name,Unnamed: 2_level_1
"{'image-events': {'swag.jpg': 'load', 'swag-same-site.jpg': 'load', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'error'}, 'window.crossOriginIsolated': False}",brave,6
"{'image-events': {'swag.jpg': 'load', 'swag-same-site.jpg': 'load', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'error'}, 'window.crossOriginIsolated': False}",chrome,4
"{'image-events': {'swag.jpg': 'load', 'swag-same-site.jpg': 'load', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'error'}, 'window.crossOriginIsolated': False}",edge,4
"{'image-events': {'swag.jpg': 'load', 'swag-same-site.jpg': 'load', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'load'}, 'window.crossOriginIsolated': False}",firefox,3
"{'image-events': {'swag.jpg': 'load', 'swag-same-site.jpg': 'load', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'error'}, 'window.crossOriginIsolated': False}",firefox,1
"{'image-events': {'swag.jpg': 'load', 'swag-same-site.jpg': 'load', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'error'}, 'window.crossOriginIsolated': False}",safari,1


Unnamed: 0,browser_id,headless_mode,name,outcome_str,raw_header,test_name,org_scheme,org_host,resp_scheme,relation_info,resp_host,full_url
5550,13,headless-new,chrome,"{'image-events': {'swag.jpg': 'load', 'swag-same-site.jpg': 'load', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'error'}, 'window.crossOriginIsolated': False}","[['Cross-Origin-Embedder-Policy', 'unsafe-none']]",subresourceloadingCOEP_img,http,sub.headers.websec.saarland,http,direct,headers.websec.saarland,http://sub.headers.websec.saarland/_hp/tests/subresource-loading-coep.sub.html?resp_type=basic&browser_id=2&label=COEP&first_id=57&last_id=57&scheme=http
31614,6,real,firefox,"{'image-events': {'swag.jpg': 'load', 'swag-same-site.jpg': 'load', 'swag-cross-site.jpg': 'load', 'swag-same-origin.jpg': 'load'}, 'window.crossOriginIsolated': False}","[['Cross-Origin-Embedder-Policy', 'unsafe-none']]",subresourceloadingCOEP_img,http,sub.headers.websec.saarland,http,direct,headers.websec.saarland,http://sub.headers.websec.saarland/_hp/tests/subresource-loading-coep.sub.html?resp_type=basic&browser_id=2&label=COEP&first_id=57&last_id=57&scheme=http


subresourceloadingCORP_img


Unnamed: 0_level_0,Unnamed: 1_level_0,count
outcome_str,name,Unnamed: 2_level_1
load,brave,6
error,firefox,4
load,chrome,4
load,edge,4
error,safari,1


Unnamed: 0,browser_id,headless_mode,name,outcome_str,raw_header,test_name,org_scheme,org_host,resp_scheme,relation_info,resp_host,full_url
18735,13,headless-new,chrome,load,"[['Cross-Origin-Resource-Policy', 'same-origin']]",subresourceloadingCORP_img,https,sub.headers.websec.saarland,http,direct,sub.headers.websec.saarland,https://sub.headers.websec.saarland/_hp/tests/subresource-loading-corp.sub.html?resp_type=basic&browser_id=2&label=CORP&first_id=45&last_id=45&scheme=https
39941,14,headless,firefox,error,"[['Cross-Origin-Resource-Policy', 'same-origin']]",subresourceloadingCORP_img,https,sub.headers.websec.saarland,http,direct,sub.headers.websec.saarland,https://sub.headers.websec.saarland/_hp/tests/subresource-loading-corp.sub.html?resp_type=basic&browser_id=2&label=CORP&first_id=45&last_id=45&scheme=https


subresourceloadingCORP_object


Unnamed: 0_level_0,Unnamed: 1_level_0,count
outcome_str,name,Unnamed: 2_level_1
load,brave,6
load,chrome,4
load,edge,4
load,firefox,4
timeout: no event fired,safari,1


Unnamed: 0,browser_id,headless_mode,name,outcome_str,raw_header,test_name,org_scheme,org_host,resp_scheme,relation_info,resp_host,full_url
6617,13,headless-new,chrome,load,"[['Cross-Origin-Resource-Policy', 'unsafe-none']]",subresourceloadingCORP_object,http,sub.headers.websec.saarland,http,direct,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/subresource-loading-corp.sub.html?resp_type=basic&browser_id=2&label=CORP&first_id=44&last_id=44&scheme=http
54381,7,real,safari,timeout: no event fired,"[['Cross-Origin-Resource-Policy', 'unsafe-none']]",subresourceloadingCORP_object,http,sub.headers.websec.saarland,http,direct,headers.webappsec.eu,http://sub.headers.websec.saarland/_hp/tests/subresource-loading-corp.sub.html?resp_type=basic&browser_id=2&label=CORP&first_id=44&last_id=44&scheme=http


upgradeHSTS_direct


Unnamed: 0_level_0,Unnamed: 1_level_0,count
outcome_str,name,Unnamed: 2_level_1
{'response.redirected': False},brave,6
{'response.redirected': False},chrome,4
{'response.redirected': False},edge,4
{'response.redirected': False},firefox,4
{'response.redirected': True},safari,1


Unnamed: 0,browser_id,headless_mode,name,outcome_str,raw_header,test_name,org_scheme,org_host,resp_scheme,relation_info,resp_host,full_url
9260,13,headless-new,chrome,{'response.redirected': False},"[['Strict-Transport-Security', 'max-age=20, max-age=20; includeSubDomains, includeSubDomains, , max-age=20; includeSubDomains; preload, max-age=0, max-age=-5']]",upgradeHSTS_direct,http,sub.headers.websec.saarland,https,direct,sub.headers.websec.saarland,http://sub.headers.websec.saarland/_hp/tests/upgrade-hsts.sub.html?resp_type=basic&browser_id=2&label=HSTS&first_id=139&last_id=139&scheme=http
55979,7,real,safari,{'response.redirected': True},"[['Strict-Transport-Security', 'max-age=20, max-age=20; includeSubDomains, includeSubDomains, , max-age=20; includeSubDomains; preload, max-age=0, max-age=-5']]",upgradeHSTS_direct,http,sub.headers.websec.saarland,https,direct,sub.headers.websec.saarland,http://sub.headers.websec.saarland/_hp/tests/upgrade-hsts.sub.html?resp_type=basic&browser_id=2&label=HSTS&first_id=139&last_id=139&scheme=http


# Crash analysis

### Exceptions thrown
- Fixed:
    - Only Firefox; both headless + Xvfb
        - OAC + RP
        - Both on HTTP and HTTPS
        - Response_ids: 185, 186, 341, 342; these are the ones that have status code 302!
        - Reason seems to be that Firefox switches to another tab in these cases and thus the wait for crashes. Solution: forcefully switch back to the original tab before waiting!
    - Only Brave: both headless + Xvfb
        - OAC + RP
        - Both on HTTP and HTTPS
        - Reason seems to be the tab switching, if deactivated no issue occurs

In [147]:
with open("/home/ubuntu/wpt/_hp/tools/crawler/desktop-selenium-2023-11-20 16:09:24.649008.log", "r") as f:
    crashes = []
    for l in f.readlines():
        if "649008: http" in l:
            match = re.match(".*(http|https)://.*browser_id=(\d+)&label=(.*)&first_id=(\d+).*", l)
            crashes.append([match[1], match[2], match[3], match[4]])

In [148]:
crashes = pd.DataFrame(crashes, columns=["scheme", "browser_id", "label", "response_id"]).drop_duplicates()
crashes

Unnamed: 0,scheme,browser_id,label,response_id
0,http,59,RP,172
2,http,59,RP,173
4,https,59,OAC,339
6,https,59,RP,181
8,http,75,RP,171
10,http,75,RP,172
12,https,75,OAC,330
14,https,75,OAC,338
16,https,75,RP,180
18,https,74,OAC,337
