[resource-timing] Add TAO null check tests and make sure they pass

This CL brings in the pending test [1] for a null TAO check and opaque origins, adds another test to make sure only case-sensitive "null" is taken into account, and changes the TAO implementation to actually pass the tests. [1] #13507 Change-Id: I1656d5a5cf2a833ada4dc83278eda0a07cec66c7 BUG=940898 Change-Id: I1656d5a5cf2a833ada4dc83278eda0a07cec66c7 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1517653 Commit-Queue: Yoav Weiss <yoavweiss@chromium.org> Reviewed-by: Nicolás Peña Moreno <npm@chromium.org> Cr-Commit-Position: refs/heads/master@{#641123}
web-platform-tests · Mar 15, 2019 · f366313 · f366313
1 parent ea2ee73
commit f366313
Show file tree

Hide file tree

Showing 4 changed files with 90 additions and 2 deletions.
diff --git a/lint.whitelist b/lint.whitelist
@@ -187,8 +187,9 @@ SET TIMEOUT: paint-timing/resources/subframe-painting.html
 SET TIMEOUT: payment-request/allowpaymentrequest/setting-allowpaymentrequest-timing.https.sub.html
 SET TIMEOUT: preload/single-download-preload.html
 SET TIMEOUT: resize-observer/resources/iframe.html
-SET TIMEOUT: resource-timing/resources/iframe-TAO*
 SET TIMEOUT: resource-timing/resources/nested-contexts.js
+SET TIMEOUT: resource-timing/TAO-null-opaque-origin.sub.html
+SET TIMEOUT: resource-timing/TAO-case-insensitive-null-opaque-origin.sub.html
 SET TIMEOUT: screen-orientation/onchange-event.html
 SET TIMEOUT: secure-contexts/basic-popup-and-iframe-tests.https.js
 SET TIMEOUT: service-workers/cache-storage/script-tests/cache-abort.js

diff --git a/resource-timing/TAO-case-insensitive-null-opaque-origin.sub.html b/resource-timing/TAO-case-insensitive-null-opaque-origin.sub.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8" />
+<title>Resource Timing TAO - "Null" and opaque origin</title>
+<link rel="author" title="Google" href="http://www.google.com/" />
+<link rel="help" href="https://www.w3.org/TR/resource-timing-2/#timing-allow-origin"/>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+
+const t = async_test("Test case-insensitive null TAO value with opaque origins");
+window.addEventListener("message", t.step_func_done(e=>{
+    assert_equals(e.data, "PASS");
+}));
+</script>
+</head>
+<body>
+<h1>Description</h1>
+<p>This test validates that for a cross origin resource, the timing allow check algorithm will fail when the value of Timing-Allow-Origin is a case-insensitive match to null and the origin is an opaque origin.</p>
+<div id="log"></div>
+<iframe id="frameContext"></iframe>
+<script>
+let frame_content = "data:text/html;utf8,<body>" +
+                    "<script>" +
+                    "const url = '{{location[scheme]}}://{{host}}:{{ports[http][1]}}/resource-timing/resources/TAOResponse.py?tao=Null';" +
+                    "const observe = (list, observer) => {" +
+                    "  const entry = list.getEntries()[0];" +
+                    "  const sum = entry.redirectStart + entry.redirectEnd + entry.domainLookupStart + entry.domainLookupEnd + entry.connectStart +" +
+                    "              entry.connectEnd + entry.secureConnectionStart + entry.requestStart + entry.responseStart + entry.transferSize +" +
+                    "              entry.encodedBodySize + entry.decodedBodySize;" +
+                    "  const result = sum == 0 ? 'PASS' : 'FAIL';" +
+                    "  window.parent.postMessage(result, '*');" +
+                    "};" +
+                    "let observer = new PerformanceObserver(observe);" +
+                    "observer.observe({ entryTypes: ['resource'] });" +
+                    "fetch(url);" +
+                    "</" + "script></body>";
+document.getElementById("frameContext").src = frame_content;
+</script>
+</body>
+</html>
diff --git a/resource-timing/TAO-null-opaque-origin.sub.html b/resource-timing/TAO-null-opaque-origin.sub.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8" />
+<title>Resource Timing TAO - "null" and opaque origin</title>
+<link rel="author" title="Google" href="http://www.google.com/" />
+<link rel="help" href="https://www.w3.org/TR/resource-timing-2/#timing-allow-origin"/>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+
+const t = async_test("Test null TAO value with opaque origins");
+window.addEventListener("message", t.step_func_done(e=>{
+    assert_equals(e.data, "PASS");
+}));
+</script>
+</head>
+<body>
+<h1>Description</h1>
+<p>This test validates that for a cross origin resource, the timing allow check algorithm will succeed when the value of Timing-Allow-Origin is null and the origin is an opaque origin.</p>
+<div id="log"></div>
+<iframe id="frameContext"></iframe>
+<script>
+let frame_content = "data:text/html;utf8,<body>" +
+                    "<script>" +
+                    "const url = '{{location[scheme]}}://{{host}}:{{ports[http][1]}}/resource-timing/resources/TAOResponse.py?tao=null';" +
+                    "const observe = (list, observer) => {" +
+                    "  const entry = list.getEntries()[0];" +
+                    "  const sum = entry.redirectStart + entry.redirectEnd + entry.domainLookupStart + entry.domainLookupEnd + entry.connectStart +" +
+                    "              entry.connectEnd + entry.secureConnectionStart + entry.requestStart + entry.responseStart + entry.transferSize +" +
+                    "              entry.encodedBodySize + entry.decodedBodySize;" +
+                    "  const result = sum != 0 ? 'PASS' : 'FAIL';" +
+                    "  window.parent.postMessage(result, '*');" +
+                    "};" +
+                    "let observer = new PerformanceObserver(observe);" +
+                    "observer.observe({ entryTypes: ['resource'] });" +
+                    "fetch(url);" +
+                    "</" + "script></body>";
+document.getElementById("frameContext").src = frame_content;
+</script>
+</body>
+</html>
diff --git a/resource-timing/resources/TAOResponse.py b/resource-timing/resources/TAOResponse.py
@@ -11,8 +11,11 @@ def main(request, response):
     # wildcard, pass
         response.headers.set('Timing-Allow-Origin', '*')
     elif tao == 'null':
-    # null, fail
+    # null, fail unless it's an opaque origin
         response.headers.set('Timing-Allow-Origin', 'null')
+    elif tao == 'Null':
+    # case-insentive null, fail
+        response.headers.set('Timing-Allow-Origin', 'Null')
     elif tao == 'origin':
     # case-sensitive match for origin, pass
         response.headers.set('Timing-Allow-Origin', origin)