From 4018f0d30041356994ecc85864a0c0b8d7898f7c Mon Sep 17 00:00:00 2001
From: Andy Paicu <andypaicu@chromium.org>
Date: Tue, 23 Oct 2018 08:00:05 -0700
Subject: [PATCH] Added 304 CSP test and removed "content-*" prefix from
 headers to ignore on 304

Also updated kNonUpdatedHeaders with more headers from the
nsHttpResponseHead file

Spec: https://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch
Spec issue: https://github.com/w3c/webappsec-csp/issues/161

While the spec does not give any list of content headers that should be ignored
on a 304 request, some of them are directly dependent on the resource body and
as such should not be updated (for example `content-length` cannot be different
since the content remains identical).

The exact list of ignored headers is identical to the one that firefox uses.

Bug: 174301
Change-Id: I8aab863b1f2733d051609e121539ad6acad36c6b
---
 .../304-response-should-update-csp.sub.html   | 52 +++++++++++++++++++
 .../generic/support/304-response.py           | 33 ++++++++++++
 fetch/http-cache/304-update.html              | 30 +++++++++++
 3 files changed, 115 insertions(+)
 create mode 100644 content-security-policy/generic/304-response-should-update-csp.sub.html
 create mode 100644 content-security-policy/generic/support/304-response.py

diff --git a/content-security-policy/generic/304-response-should-update-csp.sub.html b/content-security-policy/generic/304-response-should-update-csp.sub.html
new file mode 100644
index 000000000000000..b16eadaedc07ca9
--- /dev/null
+++ b/content-security-policy/generic/304-response-should-update-csp.sub.html
@@ -0,0 +1,52 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <title>Test that a 304 response will update the CSP header</title>
+</head>
+<body>
+  <script>
+    var t1 = async_test("Test that the first frame uses nonce abc");
+    var t2 = async_test("Test that the first frame does not use nonce def");
+
+    var t3 = async_test("Test that the second frame uses nonce def");
+    var t4 = async_test("Test that the second frame does not use nonce abc");
+
+    var i1 = document.createElement('iframe');
+    // We add a random parameter to avoid previous tests cached requests.
+    // We want to make sure i1 gets a 200 code and i2 gets a 304 code.
+    i1.src = "support/304-response.py?{{$id:uuid()}}";
+
+    var i2 = document.createElement('iframe');
+    i2.src = "support/304-response.py?{{$id}}";
+
+    var load_second_frame = function() {
+      document.body.appendChild(i2);
+    }
+
+    window.onmessage = function(e) {
+      if (e.source == i1.contentWindow) {
+        if (e.data == "abc_executed") { t1.done(); return; }
+        if (e.data == "script-src 'nonce-abc' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';") { t2.done(); return; }
+
+        t1.step(function() { assert_unreached("Unexpected message received"); });
+        t2.step(function() { assert_unreached("Unexpected message received"); });
+      }
+
+      if (e.source == i2.contentWindow) {
+        if (e.data == "def_executed") { t3.done(); return; }
+        if (e.data == "script-src 'nonce-def' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';") { t4.done(); return; }
+
+        t3.step(function() { assert_unreached("Unexpected message received"); });
+        t4.step(function() { assert_unreached("Unexpected message received"); });
+      }
+
+    };
+
+    i1.onload = load_second_frame;
+    document.body.appendChild(i1);
+  </script>
+</body>
+
+</html>
diff --git a/content-security-policy/generic/support/304-response.py b/content-security-policy/generic/support/304-response.py
new file mode 100644
index 000000000000000..4980937eab7f7d0
--- /dev/null
+++ b/content-security-policy/generic/support/304-response.py
@@ -0,0 +1,33 @@
+def main(request, response):
+    if request.headers.get("If-None-Match"):
+        # we are now receing the second request, we will send back a different CSP
+        # with the 304 response
+        response.status = 304
+        headers = [("Content-Type", "text/html"),
+                   ("Content-Security-Policy", "script-src 'nonce-def' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';"),
+                   ("Cache-Control", "private, max-age=0, must-revalidate"),
+                   ("ETag", "123456")]
+        return headers, ""
+    else:
+        headers = [("Content-Type", "text/html"),
+                   ("Content-Security-Policy", "script-src 'nonce-abc' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';"),
+                   ("Cache-Control", "private, max-age=0, must-revalidate"),
+                   ("Etag", "123456")]
+        return headers, '''
+<!DOCTYPE html>
+<html>
+<head>
+    <script>
+        window.addEventListener("securitypolicyviolation", function(e) {
+            top.postMessage(e.originalPolicy, '*');
+        });
+    </script>
+    <script nonce="abc">
+        top.postMessage('abc_executed', '*');
+    </script>
+    <script nonce="def">
+        top.postMessage('def_executed', '*');
+    </script>
+</head>
+</html>
+'''
diff --git a/fetch/http-cache/304-update.html b/fetch/http-cache/304-update.html
index f0bd82196e57b8e..d6d8481e8742781 100644
--- a/fetch/http-cache/304-update.html
+++ b/fetch/http-cache/304-update.html
@@ -120,6 +120,36 @@
           }
         ]
       },
+      {
+        name: "Content-* header",
+        requests: [
+          {
+            response_headers: [
+              ["Expires", -5000],
+              ["ETag", "GHI"],
+              ["Content-Test-Header", "A"]
+            ]
+          },
+          {
+            response_headers: [
+              ["Expires", 3000],
+              ["ETag", "GHI"],
+              ["Content-Test-Header", "B"]
+            ],
+            expected_type: "etag_validated",
+            expected_response_headers: [
+              ["Content-Test-Header", "B"]
+            ],
+            pause_after: true
+          },
+          {
+            expected_type: "cached",
+            expected_response_headers: [
+              ["Content-Test-Header", "B"]
+            ]
+          }
+        ]
+      },
     ];
     run_tests(tests);
     </script>