Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upAdd "origin" and "same-origin" referrer policies, replacing "origin-only". #11978
Conversation
highfive
commented
Jul 1, 2016
|
Thanks for the pull request, and welcome! The Servo team is excited to review your changes, and you should hear from @mbrubeck (or someone else) soon. |
highfive
commented
Jul 1, 2016
|
Heads up! This PR modifies the following files:
|
|
cc @jdm |
|
Updated with wpt test updates. Commits kept separate to keep things manageable to review -- it's basically only the first that's important. For the record, this is what I did in the second commit: update r? @jdm -- since you've been following along on the issue. |
|
|
|
I'm going to merge #12265 first, since that includes updates to the referrer-policy tests that are duplicated here. We should be able to remove the second commit in this PR, I believe. |
|
Sure, sounds good. But won't I still need to update test expectations for the new tests? It's only this PR that adds the new functionality, and in that PR all the new tests will probably be marked as failing, right? |
|
That's correct. |
|
|
b3fd1b4
to
aadaef0
|
All right! Updated and rebased, should be good to go now. |
|
Hey, just checking in - looking at your branch: |
|
Ah yeah so I did consider doing that, but then told myself that they must be different for a reason, especially considering what @jdm said on the issue about why they existed at all:
If I do as you say and make the two spec.src.json files essentially the same (except one only has iframe-tag), then the generated tests and expectations in the two folders won't be different at all -- one will just be a strict subset of the other. Is that really what we want? Maybe it is, but I'm kinda confused about it all. |
|
Unless something's changed, that is what you want. Basically, the tests in wpt/web-platform-tests are pulled directly from https://github.com/w3c/web-platform-tests. Other browsers use them, so we dont want to make servo-specific changes within those (just updating expectations for what servo doesnt yet support). The issue is that the way that the w3c referrer policy tests implement iframe tags uses some other functionality that servo doesnt support. Because of that, the iframe tests within web-platform-tests that should pass based on the referrer policy implementation will fail (timeout I think). To get around that, the mozilla tests are the same test files, but the actual mechanism iframe uses is different (ie some of the stuff in the generic folder around how these tests are run) |
|
I see, interesting, that makes things a bit clearer -- it's how the tests are run (i.e. the generic folder) that's different. But then there's a small issue: in the mozilla folder, I can't really get away with not updating parts of the generic folder too. This is because the spec.src.json in that folder has some outdated things (such as "http-csp" instead of "http-rp") which, if updated (say to "http-rp"), generate.py wouldn't understand. So I need to |
|
Good call - I think the only changes I made outside of spec.src.json are in this PR: |
|
In an ideal world, I think we would have a script that would copy everything from the upstream tests then apply a set of patches on top of that. |
|
The only files that should have been changed in the modified tests are document.html.template, common.js, and spec.src.json. |
|
Oh, and the addition of stash.py. |
|
Alright then, I'll update only the files you mentioned as well as make the
Lemme know if this sounds good. Also, I wonder if you could describe what that required set of patches would be? Would be good to know. |
|
stash.py was an addition to the mozilla referrer-policy tests. It is not present in the originals. Via the following commands, the current required patches are (not including any changes to spec.src.json):
--- tests/wpt/web-platform-tests/referrer-policy/generic/template/document.html.template 2016-05-12 10:46:08.000000000 -0400
+++ tests/wpt/mozilla/tests/mozilla/referrer-policy/generic/template/document.html.template 2016-05-27 11:47:23.000000000 -0400
@@ -4,13 +4,29 @@
<title>This page reports back it's request details to the parent frame</title>
</head>
<body>
<script>
+ function getQueryVariable(variable)
+ {
+ var query = window.location.search.substring(1);
+ var vars = query.split("&");
+ for (var i=0;i<vars.length;i++) {
+ var pair = vars[i].split("=");
+ if(pair[0] == variable){return pair[1];}
+ }
+ return(false);
+ }
+
+ var referrer = 'referrer' in document ? document.referrer : undefined;
+
var result = {
location: document.location.toString(),
- referrer: document.referrer.length > 0 ? document.referrer : undefined,
+ referrer: referrer,
headers: %(headers)s
};
- parent.postMessage(result, "*");
+ var xhr = new XMLHttpRequest();
+ xhr.open('POST', 'stash.py?id=' + getQueryVariable("id"), false);
+ xhr.send(JSON.stringify(result));
+
</script>
</body>
</html>
--- tests/wpt/web-platform-tests/referrer-policy/generic/common.js 2016-05-24 10:09:46.000000000 -0400
+++ tests/wpt/mozilla/tests/mozilla/referrer-policy/generic/common.js 2016-05-27 11:47:23.000000000 -0400
@@ -99,17 +99,30 @@
}
}
function queryIframe(url, callback, referrer_policy) {
- var iframe = appendIframeToBody(url, referrer_policy);
- var listener = function(event) {
- if (event.source != iframe.contentWindow)
- return;
-
- callback(event.data, url);
- window.removeEventListener("message", listener);
+ var x = document.createElement('script');
+ x.src = '/common/utils.js';
+ x.onerror = function() { console.log('whoops') };
+ x.onload = function() { doQuery() };
+ document.getElementsByTagName("head")[0].appendChild(x);
+
+ function doQuery() {
+ var id = token();
+ var iframe = appendIframeToBody(url + "&id=" + id, referrer_policy);
+ iframe.addEventListener("load", function listener() {
+ var xhr = new XMLHttpRequest();
+ xhr.open('GET', '/_mozilla/mozilla/referrer-policy/generic/subresource/stash.py?id=' + id, false);
+ xhr.onreadystatechange = function(e) {
+ if (this.readyState == 4 && this.status == 200) {
+ var server_data = JSON.parse(this.responseText);
+ callback(server_data, url);
+ }
+ };
+ xhr.send();
+ iframe.removeEventListener("load", listener);
+ });
}
- window.addEventListener("message", listener);
}
function queryImage(url, callback, referrer_policy) {
decodeImage(url, function(server_data) {
--- tests/wpt/web-platform-tests/referrer-policy/generic/subresource/stash.py 1969-12-31 19:00:00.000000000 -0500
+++ tests/wpt/mozilla/tests/mozilla/referrer-policy/generic/subresource/stash.py 2016-05-27 11:47:23.000000000 -0400
@@ -0,0 +1,6 @@
+def main(request, response):
+ print request.GET['id']
+ if request.method == 'POST':
+ request.server.stash.put(request.GET["id"], request.body)
+ return ''
+ return request.server.stash.take(request.GET["id"]) |
|
Alright whew, just push a bunch of new commits, this time separated more usefully. I note that in my comment above when I said "I'll only update the files you mentioned" really I should've said "I'll take care to preserve differences in the files you mentioned and update everything else". In any case, I looked through all the diffs carefully to double-check and am pretty confident I've made the required updates while preserving all necessary differences. All that is in the second commit -- basically it updates just spec.src.json and generate.py (everything else was either unchanged or had changes that needed to be preserved). In the third commit I just update spec.src.json to remove all but iframe tests. And finally the fourth is the purely mechanical one of generating the new tests plus expectations. The last three should probably be squashed before merging. @rebstar6 would be great if you could sanity-check the second and third commits too :) |
|
I like leaving the commits separate like this. Thanks for doing this! |
|
|
Add "origin" and "same-origin" referrer policies, replacing "origin-only". <!-- Please describe your changes on the following line: --> --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `__` with appropriate data: --> - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix #11384 - [X] There are tests for these changes <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. --> <!-- Reviewable:start --> --- This change is [<img src="https://reviewable.io/review_button.svg" height="35" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/11978) <!-- Reviewable:end -->
|
|
|
Hooray |
aravind-pg commentedJul 1, 2016
•
edited by larsbergstrom
Adds the "origin" and "same-origin" referrer policy options, with the former replacing "origin-only".
./mach build -ddoes not report any errors./mach test-tidydoes not report any errorsThis change is