XCTO test + basic responses

hp23 Server · hp23 Server · commit 320841109e20 · 2024-05-13T09:01:15.000Z
diff --git a/_hp/common/script-xcto.js b/_hp/common/script-xcto.js
@@ -0,0 +1 @@
+window.parent.postMessage({ "id": "<replace-id>", "message": "message send" }, "*");
diff --git a/_hp/server/responses.py b/_hp/server/responses.py
@@ -50,6 +50,8 @@ def get_body(feature_group, resp):
         file = open("_hp/common/frame-img-csp.html", "rb")
     elif feature_group in ["coep"]:
         file = open("_hp/common/frame-coep.html", "rb")
+    elif feature_group in ["xcto"]:
+        file = open("_hp/common/script-xcto.js", "rb")
     else:
         print(f"Invalid feature_group: {feature_group}")
         return ""
@@ -69,4 +71,6 @@ def main(request, response):
         response.raw_header = []
     # Get the correct response body based on the current test/feature group
     file = get_body(params['feature_group'], resp=resp)
+    if params['feature_group'] == "xcto":
+        file = file.replace(b"<replace-id>", bytes(params['count'], encoding="utf-8"))
     return response.status_code, response.raw_header, file
diff --git a/_hp/tests/script-execution-xcto.sub.html b/_hp/tests/script-execution-xcto.sub.html
@@ -0,0 +1,73 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Script execution XCTO Tests</title>
+    <script src="/_hp/resources/testharness.sub.js"></script>
+    <script src="/_hp/resources/store_results.sub.js"></script>
+</head>
+
+<body>
+
+</body>
+
+
+<script>
+    let resp_type = urlParams.get("resp_type") || "debug";
+    var count = 0;
+    function script_sniffing_test(element, sandbox, test_info, url, origin, response_id) {
+        /*
+        url: str, URL to be tested (next in the framing chain)
+        origin: str, Origin of the URL to be tested
+        response_id: int, ID of the response element (final response of the chain)
+        element: str, iframe/object/embed
+        sandbox: bool whether to add the sandbox attribute to the next frame
+        test_info: str, additional information about the test (direct, sandbox, nested (A->B->A->A))
+        */
+        test_name = `sniffing_${element}|${sandbox}|${test_info}|${origin}|${response_id}`;
+        //console.log(url, response_id, test_name);
+        async_test(t => {
+            t.set_test_info(url, test_info);
+            const i = document.createElement(element);
+            count = count + 1;
+            i.id = count;
+            let origin = location.origin;
+            let resp = 1;
+            let nest = 0;
+            let final_url = url + response_id + `&count=${i.id}&nest=${nest}&origin=${origin}&element=${element}&resp=${resp}`
+            i.src = final_url;
+
+            // Wait for 90% of test_timeout; then report that no message was received!
+            let timer = t.step_timeout(() => {
+                t.report_outcome("message timeout");
+                t.done();
+            }, 0.9 * test_timeout);
+            // Report that a message was received
+            waitForMessageFrom(i, t).then(t.step_func_done(e => {
+                clearTimeout(timer);
+                t.report_outcome(e.data.message);
+            }));
+            // Cleanup function (remove the frame after the test)
+            t.add_cleanup(() => {
+                i.remove();
+            });
+            // Start the test
+            document.body.append(i);
+        }, test_name);
+    }
+
+    // A -> B (XCTO): send message
+    const simple_sniffing = script_sniffing_test.bind(null, 'script', false, "direct");
+    simple_sniffing.element_relation = "script_direct";
+    let test_declarations;
+    test_declarations = [simple_sniffing];
+    const path = '/_hp/server/responses.py?feature_group=xcto&resp_id=';
+    const label = 'XCTO';
+    run_tests(test_declarations, path, label);
+
+</script>
+
+</html>
diff --git a/_hp/tests/script-execution-xcto.sub.html.headers b/_hp/tests/script-execution-xcto.sub.html.headers
@@ -0,0 +1,2 @@
+Content-Type: text/html; charset=utf-8
+Cache-Control: max-age=3600
diff --git a/_hp/tools/create_responses.py b/_hp/tools/create_responses.py
@@ -414,3 +414,25 @@ def create_responses(header_list, label, status_code=200, resp_type="debug"):
 
 
 #endregion
+
+#region MIMESniffing XCTO
+label = "XCTO"
+header_name = "X-Content-Type-Options" # https://fetch.spec.whatwg.org/#x-content-type-options-header
+header_deny = [(header_name, "nosniff")]
+header_allow = [(header_name, "*")]
+# Debug tests
+create_responses([header_deny, header_allow], label)
+# Basic tests
+header_list = [[(header_name, "nosniff")], [], 
+               [(header_name, "null")], [(header_name, origin_s)],
+               [(header_name, origin)], [(header_name, parent)],
+               [(header_name, home)], [(header_name, origin_sp)],
+               [(header_name, site)],
+               [(header_name, "*"), (header_name, "nosniff")], [(header_name, origin_s), (header_name, "null")]
+            ]
+
+create_responses(header_list, label, resp_type="basic")
+# Some basic headers with redirect
+header_list = [[(header_name, "*"), redirect_empty], [(header_name, "no-sniff"), redirect_empty]]
+create_responses(header_list, label, status_code=302, resp_type="basic")
+#endregion

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+window.parent.postMessage({ "id": "<replace-id>", "message": "message send" }, "*");`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+Content-Type: text/html; charset=utf-8`
	`2`	`+Cache-Control: max-age=3600`