script-resource-with-nonsniffable-types.tentative.sub.html

Enable keyboard shortcuts

This test has a WPT meta file that expects 1 subtest issues.
This WPT test may be referenced by the following Test IDs:
- /fetch/corb/script-resource-with-nonsniffable-types.tentative.sub.html - WPT Dashboard Interop Dashboard

<!DOCTYPE html>

<!-- Test verifies CORB will block responses with types that do not

  require confirmation sniffing.

  We assume that:

  1) it is unlikely that images, other media, scripts, etc. will be mislabelled

     as the |protected_mime_types| below,

  2) the |protected_mime_types| below are likely to contain sensitive,

     credentialled data.

-->

<meta charset="utf-8">

<script src="/resources/testharness.js"></script>

<script src="/resources/testharnessreport.js"></script>

<script src="/common/utils.js"></script>

<div id=log></div>

<script>

setup({allow_uncaught_exception : true, single_test : true});

function test(mime_type, is_blocking_expected) {

  var action = is_blocking_expected ? "blocks" : "does not block";

  async_test(function(t) {

    var script = document.createElement("script")

    var script_has_run_token = "script_has_run" + token();

    // With and without CORB there should be no error, but without CORB the

    // original script body will be preserved and |window.script_has_run| will

    // be set.

    window[script_has_run_token] = false;

    script.onload = t.step_func_done(function(){

      if (is_blocking_expected) {

        assert_false(window[script_has_run_token]);

      } else {

        assert_true(window[script_has_run_token]);

});

    addEventListener("error",function(e) {

      t.step(function() {

        assert_unreached("Unexpected error: " + e);

        t.done();

})

});

    // www1 is cross-origin, so the HTTP response is CORB-eligible.

    var src_prefix = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/sniffable-resource.py";

    body = `window['${script_has_run_token}'] = true;`

    script.src = src_prefix + "?type=" + mime_type + "&body=" + encodeURIComponent(body);

    document.body.appendChild(script)

  }, "CORB " + action + " '" + mime_type + "'");

// Some mime types should be protected by CORB without any kind

// of confirmation sniffing.

protected_mime_types = [

  "application/gzip",

  "application/pdf",

  "application/x-gzip",

  "application/x-protobuf",

  "application/zip",

  "multipart/byteranges",

  "multipart/signed",

  "text/csv",

  "text/event-stream",

protected_mime_types.forEach(function(type) {

    test(type, true /* is_blocking_expected */);

});

// Other mime types.

other_mime_types = [

  // These content types are legitimately allowed in 'no-cors' fetches.

  "application/javascript",

  // Confirmation sniffing will fail and prevent CORB from blocking the

  // response.

  "text/html",

  // Unrecognized content types.

  "application/blah"

other_mime_types.forEach(function(type) {

    test(type, false /* is_blocking_expected */);

});

</script>