feat: improve checking of data URLs

This commit introduces the following checks: - `RSC-029`(new): check that `data` URLs are not used when they would result in a top-level browsing context - check `data` URLs for foreign resource restrictions (fallbacks) An OPFItem instance can now represent a manifest item defined as a data URL. A `hasDataURL()` method will tell if this is the case. Fix #1238, fix #1239.
w3c · Nov 17, 2022 · cbc0b2a · cbc0b2a
1 parent 20b5142
commit cbc0b2a
Show file tree

Hide file tree

Showing 47 changed files with 806 additions and 70 deletions.
diff --git a/src/main/java/com/adobe/epubcheck/messages/DefaultSeverities.java b/src/main/java/com/adobe/epubcheck/messages/DefaultSeverities.java
@@ -340,6 +340,7 @@ private void initialize()
     severities.put(MessageId.RSC_026, Severity.ERROR);
     severities.put(MessageId.RSC_027, Severity.WARNING);
     severities.put(MessageId.RSC_028, Severity.ERROR);
+    severities.put(MessageId.RSC_029, Severity.ERROR);
 
     // Scripting
     severities.put(MessageId.SCP_001, Severity.SUPPRESSED); // checking scripts is out of scope

diff --git a/src/main/java/com/adobe/epubcheck/messages/MessageId.java b/src/main/java/com/adobe/epubcheck/messages/MessageId.java
@@ -334,6 +334,7 @@ public enum MessageId implements Comparable<MessageId>
   RSC_026("RSC-026"),
   RSC_027("RSC-027"),
   RSC_028("RSC-028"),
+  RSC_029("RSC-029"),
 
   // Messages relating to scripting
   SCP_001("SCP-001"),

diff --git a/src/main/java/com/adobe/epubcheck/ocf/OCFContainer.java b/src/main/java/com/adobe/epubcheck/ocf/OCFContainer.java
@@ -130,8 +130,9 @@ public boolean isRemote(URL url)
     }
     else
     {
-      return !(URLUtils.isSameOrigin(url, rootURL));
+      return URLUtils.isRemote(url, rootURL);
     }
   }
 
+
 }
diff --git a/src/main/java/com/adobe/epubcheck/opf/OPFChecker.java b/src/main/java/com/adobe/epubcheck/opf/OPFChecker.java
@@ -210,7 +210,7 @@ protected boolean checkContent()
       // only check the filename in single-file mode
       // (it is checked by the container checker in full-publication mode)
       // and for local resources (i.e. computed to a file URL)
-      if (!context.container.isPresent() && !item.isRemote())
+      if (!context.container.isPresent() && !item.isRemote() && !item.hasDataURL())
       {
         new OCFFilenameChecker(item.getPath(), context, item.getLocation()).check();
       }
@@ -378,6 +378,10 @@ else if (isBlessedStyleType(mimeType))
 
   protected void checkItemContent(OPFItem item)
   {
+    // We do not currently support checking resources defined as data URLs
+    if (item.hasDataURL()) {
+      return;
+    }
     // Create a new validation context for the OPF item
     // FIXME 2022 set context OPFItem here
     // (instead of from XRefChecker in the builder code)

diff --git a/src/main/java/com/adobe/epubcheck/opf/OPFChecker30.java b/src/main/java/com/adobe/epubcheck/opf/OPFChecker30.java
@@ -186,6 +186,12 @@ else if (!overlayTextChecker.isCorrectOverlay(docURL, mo))
   @Override
   protected void checkSpineItem(OPFItem item, OPFHandler opfHandler)
   {
+    // Items with `data:` URLs are not allowed in the spine 
+    if (item.hasDataURL()) {
+      report.message(MessageId.RSC_029, item.getLocation());
+      return;
+    }
+
     String mimeType = item.getMimeType();
 
     if (item.getProperties()

diff --git a/src/main/java/com/adobe/epubcheck/opf/OPFItem.java b/src/main/java/com/adobe/epubcheck/opf/OPFItem.java
@@ -109,6 +109,13 @@ private OPFItem(Builder builder)
       {
         this.path = url.toHumanString();
       }
+      // If the item is defined with a data URL, return
+      // the URL string truncated arbitrarily to 30 chars
+      else if ("data".equals(url.scheme()))
+      {
+        String urlString = url.toString();
+        this.path = url.toString().substring(0, Math.min(urlString.length(), 30)) + "…";
+      }
       // If a container is present (full-publication check)
       // the item path is relative to the root of the container
       else if (builder.container.isPresent())
@@ -289,6 +296,16 @@ public boolean isFixedLayout()
     return fixedLayout;
   }
 
+  /**
+   * Returns <code>true</code> iff this item is a remote resource.
+   * 
+   * @return <code>true</code> iff this item is a remote resource.
+   */
+  public boolean hasDataURL()
+  {
+    return "data".equals(url.scheme());
+  }
+
   /**
    * Returns <code>true</code> iff this item is a remote resource.
    * 

diff --git a/src/main/java/com/adobe/epubcheck/opf/ValidationContext.java b/src/main/java/com/adobe/epubcheck/opf/ValidationContext.java
@@ -141,7 +141,7 @@ private String computePath()
   {
     if (container.isPresent() && !container.get().isRemote(url))
     {
-      if (!url.path().isEmpty())
+      if (url.path() != null && !url.path().isEmpty())
       {
         return url.path().substring(1);
       }
@@ -181,7 +181,7 @@ public boolean isRemote(URL url)
     }
     else
     {
-      return !(URLUtils.isSameOrigin(url, this.url));
+      return URLUtils.isRemote(url, this.url);
     }
   }