Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Bug 1499834 [wpt PR 13579] - Added 304 CSP test and removed "content-…
…*" prefix from headers to ignore on 304, a=testonly Automatic update from web-platform-testsAdded 304 CSP test and removed "content-*" prefix from headers to ignore on 304 Also updated kNonUpdatedHeaders with more headers from the nsHttpResponseHead file Spec: https://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch Spec issue: w3c/webappsec-csp#161 While the spec does not give any list of content headers that should be ignored on a 304 request, some of them are directly dependent on the resource body and as such should not be updated (for example `content-length` cannot be different since the content remains identical). The exact list of ignored headers is identical to the one that firefox uses. Bug: 174301 Change-Id: I8aab863b1f2733d051609e121539ad6acad36c6b Reviewed-on: https://chromium-review.googlesource.com/c/1286427 Commit-Queue: Andy Paicu <andypaicu@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Matt Menke <mmenke@chromium.org> Cr-Commit-Position: refs/heads/master@{#602001} -- wpt-commits: 1b09004d92653856ca896d0f267d42bfda788434 wpt-pr: 13579
- Loading branch information
1 parent
0bcd2b4
commit 4181e13
Showing
3 changed files
with
115 additions
and
0 deletions.
There are no files selected for viewing
52 changes: 52 additions & 0 deletions
52
...eb-platform/tests/content-security-policy/generic/304-response-should-update-csp.sub.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
<!DOCTYPE HTML> | ||
<html> | ||
<head> | ||
<script src='/resources/testharness.js'></script> | ||
<script src='/resources/testharnessreport.js'></script> | ||
<title>Test that a 304 response will update the CSP header</title> | ||
</head> | ||
<body> | ||
<script> | ||
var t1 = async_test("Test that the first frame uses nonce abc"); | ||
var t2 = async_test("Test that the first frame does not use nonce def"); | ||
|
||
var t3 = async_test("Test that the second frame uses nonce def"); | ||
var t4 = async_test("Test that the second frame does not use nonce abc"); | ||
|
||
var i1 = document.createElement('iframe'); | ||
// We add a random parameter to avoid previous tests cached requests. | ||
// We want to make sure i1 gets a 200 code and i2 gets a 304 code. | ||
i1.src = "support/304-response.py?{{$id:uuid()}}"; | ||
|
||
var i2 = document.createElement('iframe'); | ||
i2.src = "support/304-response.py?{{$id}}"; | ||
|
||
var load_second_frame = function() { | ||
document.body.appendChild(i2); | ||
} | ||
|
||
window.onmessage = function(e) { | ||
if (e.source == i1.contentWindow) { | ||
if (e.data == "abc_executed") { t1.done(); return; } | ||
if (e.data == "script-src 'nonce-abc' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';") { t2.done(); return; } | ||
|
||
t1.step(function() { assert_unreached("Unexpected message received"); }); | ||
t2.step(function() { assert_unreached("Unexpected message received"); }); | ||
} | ||
|
||
if (e.source == i2.contentWindow) { | ||
if (e.data == "def_executed") { t3.done(); return; } | ||
if (e.data == "script-src 'nonce-def' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';") { t4.done(); return; } | ||
|
||
t3.step(function() { assert_unreached("Unexpected message received"); }); | ||
t4.step(function() { assert_unreached("Unexpected message received"); }); | ||
} | ||
|
||
}; | ||
|
||
i1.onload = load_second_frame; | ||
document.body.appendChild(i1); | ||
</script> | ||
</body> | ||
|
||
</html> |
33 changes: 33 additions & 0 deletions
33
testing/web-platform/tests/content-security-policy/generic/support/304-response.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
def main(request, response): | ||
if request.headers.get("If-None-Match"): | ||
# we are now receing the second request, we will send back a different CSP | ||
# with the 304 response | ||
response.status = 304 | ||
headers = [("Content-Type", "text/html"), | ||
("Content-Security-Policy", "script-src 'nonce-def' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';"), | ||
("Cache-Control", "private, max-age=0, must-revalidate"), | ||
("ETag", "123456")] | ||
return headers, "" | ||
else: | ||
headers = [("Content-Type", "text/html"), | ||
("Content-Security-Policy", "script-src 'nonce-abc' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';"), | ||
("Cache-Control", "private, max-age=0, must-revalidate"), | ||
("Etag", "123456")] | ||
return headers, ''' | ||
<!DOCTYPE html> | ||
<html> | ||
<head> | ||
<script> | ||
window.addEventListener("securitypolicyviolation", function(e) { | ||
top.postMessage(e.originalPolicy, '*'); | ||
}); | ||
</script> | ||
<script nonce="abc"> | ||
top.postMessage('abc_executed', '*'); | ||
</script> | ||
<script nonce="def"> | ||
top.postMessage('def_executed', '*'); | ||
</script> | ||
</head> | ||
</html> | ||
''' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters