Add referrer policy tests for loading the various subresources via a srcdoc iframe. #2851
Conversation
|
Critic review: https://critic.hoppipolla.co.uk/r/6407 This is an external review system which you may optionally use for the code review of your pull request. In order to help critic track your changes, please do not make in-place history rewrites (e.g. via |
|
Reviewers for this pull request are: @kristijanburnik. |
|
@kristijanburnik could you take a look, please? I wasn't sure what the best way to add this was; whether we want more subresource types or something else. Note that ideally we would also add tests for resources in srcdoc in srcdoc in normal document, to check that UAs walk up the srcdoc chain.... And we probably also need tests for sandboxed iframes; while that's out of the scope of what I'm trying to do here, it might affect how we approach setting this up. Adding three more subresource types for every existing type seems a bit weird to me, but right now the "how to load" functions are just keyed off subresource type... |
|
Oh, and the CI failures are for path length; we can sort that out once we know whether we're doing a new subresource type or not, since that will affect filenames. |
|
@mikewest I'm told @kristijanburnik is no longer active on this stuff, so you own these tests. Can you take a look at the above questions, please? And update OWNERS? ;) |
|
Hooray. I own things. Yes, I'll look at these in the morning and try to remember how all of it works. |
|
@mikewest It's been a week. Ping? |
|
Looking at this - sorry for the delay - there are still a number of these tests that use the CSP delivery method, which I believe is no longer current? https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery |
|
I have no idea. Given my experience with the similarly written mixed-content tests, there are likely all sorts of bugs in the tests themselves, even if we ignore spec changes... |
This patch teaches the 'img-tag'-style tests to load an image both in the top-level document, and inside a 'srcdoc' frame. The referrer should be the same in both places. Addresses #2851.
|
I apologize; I didn't get back to this right away, and then it fell off my radar completely. I think the approach is reasonable in the short term, but, as you note, adds a lot of tests. Since we should probably be doing I don't think it's fair to ask you to do that refactoring after ~4 months, though, so I've uploaded a pass at it to https://github.com/w3c/web-platform-tests/tree/referrer-policy. WDYT? |
|
One does not necessarily need to add a lot of tests. Even a single test can The generating framework allows for suppressing (excluded_tests) or It's up to you if you choose to be more general/specific or prefer This is all documented here: On Sep 9, 2016 3:20 PM, "Mike West" notifications@github.com wrote:
|
I have a hard time telling whether it works or not, because I have vague memories of the test harness mutating the server state, such that you couldn't do two loads from a single test. But maybe that was the mixed-content tests instead... Have you tested the patch? |
I have. It works for me locally. I'll turn it into a real PR. |
* Referrer Policy: Test image loads inside srcdoc frames. This patch teaches the 'img-tag'-style tests to load an image both in the top-level document, and inside a 'srcdoc' frame. The referrer should be the same in both places. Addresses #2851. * fixup whitespace * fixup console.log
| function loadImage(src, callback, attributes) { | ||
| var image = new Image(); | ||
|
|
||
| function loadImage(src, callback, attributes, isSrcDoc) |
There was a problem hiding this comment.
nit. other arguments use_this_style, so I'd change this to is_src_doc
| @@ -73,14 +90,14 @@ function decodeImageData(rgba) { | |||
| return JSON.parse(string_data); | |||
| } | |||
|
|
|||
| function decodeImage(url, callback, referrer_policy) { | |||
| function decodeImage(url, callback, referrer_policy, isSrcDoc) { | |||
|
Alright, I guess practically speaking the choice is between taking all of these tests and accepting that there's some or a lot of overlap, or throwing them away to avoid possible overlap. I don't know the existing tests or what's in this PR, so @bzbarsky whatever you prefer I can rubberstamp and merge :) |
|
I think we should just throw out this PR at this point. It's not clear to me that it can even be merged as-is... |
|
It had merge conflicts, so it couldn't have been merged without some work. I've closed it now. |
No description provided.