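<!DOCTYPE html>
<meta charset="utf-8">
<title>CORB blocks cross-origin script responses that begin with a JSON parser breaker</title>
<!-- Test verifies CORB will block responses beginning with a JSON parser
     breaker regardless of their MIME type (excluding text/css - see below).

     A JSON parser breaker is a prefix added to resources with sensitive data to
     prevent cross-site script inclusion (XSSI) and similar attacks. For example,
     it may be included in JSON files to prevent them from leaking data via a
     <script> tag, making the response only useful to a fetch or XMLHttpRequest
     (which can strip the prefix before parsing the JSON).
     See also https://chromium.googlesource.com/chromium/src/+/main/services/network/cross_origin_read_blocking_explainer.md#Protecting-JSON

     The assumption is that all images, other media, scripts, fonts and other
     resources that may be embedded cross-origin will never begin with a JSON
     parser breaker. For example a JPEG image should always begin with FF D8 FF,
     a PNG image with the bytes 89 50 4E 47 0D 0A 1A 0A and an SVG image with a
     "<?xml" substring.

     The assumption above excludes text/css which (as shown by
     style-css-with-json-parser-breaker.sub.html) can parse as a valid
     stylesheet even in the presence of a JSON parser breaker.
-->
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<div id="log"></div>
<script>
// Presumably needed because, without CORB, the parser breaker reaches the
// JavaScript parser and raises an uncaught SyntaxError on the window; the
// harness must not turn that into a harness-level failure, since the test's
// own "error" listener below is what reports it as a test failure.
setup({allow_uncaught_exception: true});

// A subset of JSON security prefixes (only the ones that are parser breakers,
// i.e. that are not valid JavaScript when the body is evaluated as a script).
const json_parser_breakers = [
  ")]}'",
  "{}&&",
  "{} &&",
];

// A JSON parser breaker should trigger CORB blocking for any Content-Type -
// even for resources that claim to be of a MIME type that is normally allowed
// to be embedded in cross-origin documents (like images and/or scripts).
const mime_types = [
  // CORB-protected MIME types
  "text/html",
  "text/xml",
  "text/json",
  "text/plain",

  // MIME types that normally are allowed by CORB.
  "application/javascript",
  "image/png",
  "image/svg+xml",

  // Other types.
  "application/pdf",
  "application/zip",
];

// Registers one promise_test that loads a cross-origin <script> whose response
// is served with Content-Type `mime_type` and starts with `body` (a JSON parser
// breaker), and asserts that the load never surfaces a SyntaxError on the window.
//
// Deliberately not named test(): that would shadow the global test() function
// provided by testharness.js.
function run_corb_test(mime_type, body) {
  // The test depends on a global/shared "error" handler on the window, so the
  // tests must not run in parallel - promise_test (unlike async_test) runs them
  // one after another. See also
  // https://web-platform-tests.org/writing-tests/testharness-api.html#promise-tests
  promise_test(t => new Promise(function(resolve, reject) {
    const script = document.createElement("script");

    // Without CORB, the JSON parser breaker would cause a syntax error when
    // parsed as JavaScript, but with CORB there should be no errors (because
    // CORB will replace the response body with an empty body). With ORB,
    // the script loading itself should error out. Either outcome resolves the
    // promise; only a window-level "error" event fails the test.
    script.onload = resolve;
    script.onerror = resolve;

    const on_window_error = t.unreached_func(
        "Empty body of a CORB-blocked response shouldn't trigger syntax errors.");
    addEventListener("error", on_window_error);
    // Detach the listener once this test is done so listeners do not keep
    // accumulating on the window for the whole run.
    t.add_cleanup(() => removeEventListener("error", on_window_error));

    // www1 is cross-origin, so the HTTP response is CORB-eligible.
    const src_prefix = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/sniffable-resource.py";
    // Percent-encode both query values. mime_type contains '/' and, for
    // image/svg+xml, a '+', which many query-string parsers decode as a space -
    // unencoded, the server could see a different Content-Type than intended.
    script.src = src_prefix + "?type=" + encodeURIComponent(mime_type) +
                 "&body=" + encodeURIComponent(body);
    document.body.appendChild(script);
  }), "CORB-blocks '" + mime_type + "' that starts with the following JSON parser breaker: " + body);
}

for (const type of mime_types) {
  for (const body of json_parser_breakers) {
    run_corb_test(type, body);
  }
}
</script>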