Fix up wpt/preload

- Some tests in wpt/preload use Resource Timing entries to make sure that no requests are made. We're changing that (Resource Timing entries should be created even when blocked by CSP - see whatwg/fetch#1215). Stop using Resource Timing entries and check that with server side scripts. - http/tests/preload/preload-csp.html is covered by some WPTs. Let's remove it. Change-Id: I3c2cdfa2459d212657be7569c5290c48b39d6f05 Bug: 1275564 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3708287 Reviewed-by: Yoav Weiss <[email protected]> Commit-Queue: Yutaka Hirano <[email protected]> Cr-Commit-Position: refs/heads/main@{#1019490}
chromium · Jun 30, 2022 · aae9fb0 · aae9fb0
1 parent 6e96700
commit aae9fb0
Show file tree

Hide file tree

Showing 11 changed files with 269 additions and 215 deletions.
diff --git a/third_party/blink/web_tests/external/wpt/preload/dynamic-adding-preload-nonce.html b/third_party/blink/web_tests/external/wpt/preload/dynamic-adding-preload-nonce.html
@@ -1,39 +1,50 @@
 <!DOCTYPE html>
 <script nonce="abc" src="/resources/testharness.js"></script>
 <script nonce="abc" src="/resources/testharnessreport.js"></script>
+<script nonce="abc" src="/common/utils.js"></script>
 <script nonce="abc" src="/preload/resources/preload_helper.js"></script>
 <body>
 <script nonce="abc">
 
-async_test(function(t) {
-    verifyPreloadAndRTSupport();
-    var link = document.createElement("link");
-    link.as = "script";
-    link.rel = "preload";
-    link.href = "resources/dummy.js?with-nonce";
-    link.nonce = "abc";
-    link.onload = link.onerror = t.step_func(function() {
-        t.step_timeout(function() {
-            verifyNumberOfResourceTimingEntries("resources/dummy.js?with-nonce", 1);
-            t.done();
-        }, 0);
-    });
-    document.body.appendChild(link);
+promise_test(async (t) => {
+  verifyPreloadAndRTSupport();
+  const id = token();
+  const link = document.createElement("link");
+  link.as = "script";
+  link.rel = "preload";
+  link.href = stashPutUrl(id);
+  link.nonce = "abc";
+
+  const load = new Promise((resolve) => {
+    link.onload = resolve;
+  });
+  link.onerror = t.unreached_func("link.onerror");
+
+  document.body.appendChild(link);
+  await load;
+
+  const arrived = await hasArrivedAtServer(id);
+  assert_true(arrived, "The preload should've arrived at the server.");
 }, "link preload with nonce attribute");
 
-async_test(function(t) {
-    verifyPreloadAndRTSupport();
-    var link = document.createElement("link");
-    link.as = "script";
-    link.rel = "preload";
-    link.href = "resources/dummy.js?without-nonce";
-    link.onload = link.onerror = t.step_func(function() {
-        t.step_timeout(function() {
-            verifyNumberOfResourceTimingEntries("resources/dummy.js?without-nonce", 0);
-            t.done();
-        }, 0);
-    });
-    document.body.appendChild(link);
+promise_test(async (t) => {
+  verifyPreloadAndRTSupport();
+  const id = token();
+  const link = document.createElement("link");
+  link.as = "script";
+  link.rel = "preload";
+  link.href = stashPutUrl(id);
+
+  const error = new Promise((resolve) => {
+    link.onerror = resolve;
+  });
+  link.onload = t.unreached_func("link.onload");
+
+  document.body.appendChild(link);
+  await error;
+
+  const arrived = await hasArrivedAtServer(id);
+  assert_false(arrived, "The preload should've arrived at the server.");
 }, "link preload without nonce attribute");
 
 </script>

diff --git a/third_party/blink/web_tests/external/wpt/preload/link-header-preload-nonce.html b/third_party/blink/web_tests/external/wpt/preload/link-header-preload-nonce.html
@@ -1,33 +1,53 @@
 <!DOCTYPE html>
-<title>Makes sure that Link headers preload resources with CSP nonce</title>
-<script nonce="abc" src="/resources/testharness.js"></script>
-<script nonce="abc" src="/resources/testharnessreport.js"></script>
-<script nonce="abc" src="/preload/resources/preload_helper.js"></script>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/preload/resources/preload_helper.js"></script>
 <body>
-<script nonce="abc">
-    setup({single_test: true});
+<script>
 
-    var iterations = 0;
+async_test(t => {
+  const id = token();
+  const pageUrl =
+    '/common/blank.html?pipe=' +
+    '|header(content-security-policy, script-src \'nonce-abc\')' +
+    `|header(link, <${encodedStashPutUrl(id)}>;rel=preload;as=script)`;
 
-    function check_finished() {
-        if (numberOfResourceTimingEntries("resources/dummy.js?from-header&without-nonce") == 0 &&
-            numberOfResourceTimingEntries("resources/dummy.js?from-header&with-nonce") == 1) {
-            done();
-        }
-        iterations++;
-        if (iterations == 10) {
-            // At least one is expected to fail, but this should give details to the exact failure(s).
-            verifyNumberOfResourceTimingEntries("resources/dummy.js?from-header&without-nonce", 0);
-            verifyNumberOfResourceTimingEntries("resources/dummy.js?from-header&with-nonce", 1);
-            done();
-        } else {
-            step_timeout(check_finished, 500);
-        }
+  const w = window.open(pageUrl);
+  t.add_cleanup(() => w.close());
+
+  step_timeout(async () => {
+    try {
+      const arrived = await hasArrivedAtServer(id);
+      assert_false(arrived, 'The preload should be blocked.');
+      t.done();
+    } catch (e) {
+      t.step(() => {throw e;});
+    }
+  }, 3000);
+}, 'without nonce');
+
+async_test(t => {
+  const id = token();
+  const pageUrl =
+    '/common/blank.html?pipe=' +
+    '|header(content-security-policy, script-src \'nonce-az\')' +
+    `|header(link, <${encodedStashPutUrl(id)}>;rel=preload;as=script;nonce=az)`;
+  const w = window.open(pageUrl);
+  t.add_cleanup(() => w.close());
+
+  // TODO: Use step_wait after
+  // https://github.com/web-platform-tests/wpt/pull/34289 is merged.
+  step_timeout(async () => {
+    try {
+      const arrived = await hasArrivedAtServer(id);
+      assert_true(arrived, 'The preload should have arrived at the server.');
+      t.done();
+    } catch (e) {
+      t.step(() => {throw e;});
     }
+  }, 3000);
+}, 'with nonce');
 
-    window.addEventListener("load", function() {
-        verifyPreloadAndRTSupport();
-        step_timeout(check_finished, 500);
-    });
 </script>
 </body>
diff --git a/third_party/blink/web_tests/external/wpt/preload/link-header-preload-nonce.html.headers b/third_party/blink/web_tests/external/wpt/preload/link-header-preload-nonce.html.headers
diff --git a/third_party/blink/web_tests/external/wpt/preload/preload-csp.sub.html b/third_party/blink/web_tests/external/wpt/preload/preload-csp.sub.html
@@ -1,55 +1,35 @@
 <!DOCTYPE html>
-<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; font-src 'none'; style-src 'none'; img-src 'none'; media-src 'none'; connect-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; font-src 'none'; style-src 'none'; img-src 'none'; media-src 'none';">
 <title>Makes sure that preload requests respect CSP</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
 <script src="/preload/resources/preload_helper.js"></script>
-<link rel=preload href="{{host}}:{{ports[http][1]}}/preload/resources/dummy.js" as=style>
-<link rel=preload href="resources/dummy.css" as=style>
-<link rel=preload href="resources/square.png" as=image>
-<link rel=preload href="/fonts/CanvasTest.ttf" as=font crossorigin>
-<link rel=preload href="resources/white.mp4" as=video>
-<link rel=preload href="resources/sound_5.oga" as=audio>
-<link rel=preload href="resources/foo.vtt" as=track>
-<link rel=preload href="resources/dummy.xml?foo=bar" as=foobarxmlthing>
-<link rel=preload href="resources/dummy.xml">
+<link rel=preload href="http://{{host}}:{{ports[http][1]}}/preload/resources/stash-put.py?key={{uuid()}}" as=style>
+<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=style>
+<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=image>
+<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=font crossorigin>
+<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=video>
+<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=audio>
+<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=track>
+<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=foobarxmlthing>
+<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}">
 <body>
 <script>
-    setup({single_test: true});
-
-    var iterations = 0;
-
-    function check_finished() {
-        if (numberOfResourceTimingEntries("{{host}}:{{ports[http][1]}}/preload/resources/dummy.js") == 0 &&
-            numberOfResourceTimingEntries("resources/dummy.css") == 0 &&
-            numberOfResourceTimingEntries("resources/square.png") == 0 &&
-            numberOfResourceTimingEntries("/fonts/CanvasTest.ttf") == 0 &&
-            numberOfResourceTimingEntries("resources/white.mp4") == 0 &&
-            numberOfResourceTimingEntries("resources/sound_5.oga") == 0 &&
-            numberOfResourceTimingEntries("resources/foo.vtt") == 0 &&
-            numberOfResourceTimingEntries("resources/dummy.xml") == 0) {
-            done();
-        }
-        iterations++;
-        if (iterations == 10) {
-            // At least one is expected to fail, but this should give details to the exact failure(s).
-            verifyNumberOfResourceTimingEntries("{{host}}:{{ports[http][1]}}/preload/resources/dummy.js", 0);
-            verifyNumberOfResourceTimingEntries("resources/dummy.css", 0);
-            verifyNumberOfResourceTimingEntries("resources/square.png", 0);
-            verifyNumberOfResourceTimingEntries("/fonts/CanvasTest.ttf", 0);
-            verifyNumberOfResourceTimingEntries("resources/white.mp4", 0);
-            verifyNumberOfResourceTimingEntries("resources/sound_5.oga", 0);
-            verifyNumberOfResourceTimingEntries("resources/foo.vtt", 0);
-            verifyNumberOfResourceTimingEntries("resources/dummy.xml", 0);
-            done();
-        } else {
-            step_timeout(check_finished, 500);
-        }
+promise_test(async (t) => {
+  verifyPreloadAndRTSupport();
+  const keys = [];
+  const links = document.querySelectorAll('link');
+  for (const link of links) {
+    if (link.rel === 'preload') {
+      const r = /\?key=([a-zA-Z0-9\-]+)$/;
+      keys.push(link.href.match(r)[1]);
     }
+  }
+  await new Promise((resolve) => step_timeout(resolve, 3000));
 
-    window.addEventListener("load", function() {
-        verifyPreloadAndRTSupport();
-        step_timeout(check_finished, 500);
-    });
+  for (const key of keys) {
+    assert_false(await hasArrivedAtServer(key));
+  }
+}, 'Preload requests are blocked by CSP.');
 </script>
-
diff --git a/third_party/blink/web_tests/external/wpt/preload/preload-default-csp.sub.html b/third_party/blink/web_tests/external/wpt/preload/preload-default-csp.sub.html
@@ -1,55 +1,35 @@
 <!DOCTYPE html>
-<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; default-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; default-src 'none'; connect-src 'self';">
 <title>Makes sure that preload requests respect CSP</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="/preload/resources/preload_helper.js"></script>
-<link rel=preload href="{{host}}:{{ports[http][1]}}/preload/resources/dummy.js" as=style>
-<link rel=preload href="resources/dummy.css" as=style>
-<link rel=preload href="resources/square.png" as=image>
-<link rel=preload href="/fonts/CanvasTest.ttf" as=font crossorigin>
-<link rel=preload href="resources/white.mp4" as=video>
-<link rel=preload href="resources/sound_5.oga" as=audio>
-<link rel=preload href="resources/foo.vtt" as=track>
-<link rel=preload href="resources/dummy.xml?foo=bar" as=foobarxmlthing>
-<link rel=preload href="resources/dummy.xml">
+<link rel=preload href="http://{{host}}:{{ports[http][1]}}/preload/resources/stash-put.py?key={{uuid()}}" as=style>
+<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=style>
+<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=image>
+<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=font crossorigin>
+<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=video>
+<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=audio>
+<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=track>
+<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=foobarxmlthing>
+<link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}">
 <body>
 <script>
-    setup({single_test: true});
-
-    var iterations = 0;
-
-    function check_finished() {
-        if (numberOfResourceTimingEntries("{{host}}:{{ports[http][1]}}/preload/resources/dummy.js") == 0 &&
-            numberOfResourceTimingEntries("resources/dummy.css") == 0 &&
-            numberOfResourceTimingEntries("resources/square.png") == 0 &&
-            numberOfResourceTimingEntries("/fonts/CanvasTest.ttf") == 0 &&
-            numberOfResourceTimingEntries("resources/white.mp4") == 0 &&
-            numberOfResourceTimingEntries("resources/sound_5.oga") == 0 &&
-            numberOfResourceTimingEntries("resources/foo.vtt") == 0 &&
-            numberOfResourceTimingEntries("resources/dummy.xml") == 0) {
-            done();
-        }
-        iterations++;
-        if (iterations == 10) {
-            // At least one is expected to fail, but this should give details to the exact failure(s).
-            verifyNumberOfResourceTimingEntries("{{host}}:{{ports[http][1]}}/preload/resources/dummy.js", 0);
-            verifyNumberOfResourceTimingEntries("resources/dummy.css", 0);
-            verifyNumberOfResourceTimingEntries("resources/square.png", 0);
-            verifyNumberOfResourceTimingEntries("/fonts/CanvasTest.ttf", 0);
-            verifyNumberOfResourceTimingEntries("resources/white.mp4", 0);
-            verifyNumberOfResourceTimingEntries("resources/sound_5.oga", 0);
-            verifyNumberOfResourceTimingEntries("resources/foo.vtt", 0);
-            verifyNumberOfResourceTimingEntries("resources/dummy.xml", 0);
-            done();
-        } else {
-            step_timeout(check_finished, 500);
-        }
+promise_test(async (t) => {
+  verifyPreloadAndRTSupport();
+  const keys = [];
+  const links = document.querySelectorAll('link');
+  for (const link of links) {
+    if (link.rel === 'preload') {
+      const r = /\?key=([a-zA-Z0-9\-]+)$/;
+      keys.push(link.href.match(r)[1]);
     }
+  }
+  await new Promise((resolve) => step_timeout(resolve, 3000));
 
-    window.addEventListener("load", function() {
-        verifyPreloadAndRTSupport();
-        step_timeout(check_finished, 500);
-    });
+  for (const key of keys) {
+    assert_false(await hasArrivedAtServer(key));
+  }
+}, 'Preload requests are blocked by CSP ("default-src \'none\').');
 </script>
 
diff --git a/third_party/blink/web_tests/external/wpt/preload/preload-strict-dynamic.html b/third_party/blink/web_tests/external/wpt/preload/preload-strict-dynamic.html