File: fetch-canvas-tainting-video-with-range-request.https.html

package info (click to toggle)
firefox-esr 91.13.0esr-1~deb11u1
  • links: PTS, VCS
  • area: main
  • in suites: bullseye
  • size: 3,375,652 kB
  • sloc: cpp: 5,762,054; javascript: 5,481,714; ansic: 3,121,191; python: 851,492; asm: 331,172; xml: 178,949; java: 155,554; sh: 63,704; makefile: 20,127; perl: 12,825; yacc: 4,583; cs: 3,846; objc: 3,026; lex: 1,720; exp: 762; pascal: 635; php: 436; lisp: 260; awk: 231; ruby: 103; sed: 53; sql: 46; csh: 45
file content (93 lines) | stat: -rw-r--r-- 4,273 bytes parent folder | download | duplicates (12) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
 
<!DOCTYPE html>
<meta charset="utf-8">
<title>Canvas tainting due to video whose responses are fetched via a service worker including range requests</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="resources/test-helpers.sub.js?pipe=sub"></script>
<script src="/common/get-host-info.sub.js"></script>
<body>
<script>
// These tests try to test canvas tainting due to a <video> element. The video
// src URL is same-origin as the page, but the response is fetched via a service
// worker that does tricky things like returning opaque responses from another
// origin. Furthermore, this tests range requests so there are multiple
// responses.
//
// We test range requests by having the server return 206 Partial Content to the
// first request (which doesn't necessarily have a "Range" header or one with a
// byte range). Then the <video> element automatically makes ranged requests
// (the "Range" HTTP request header specifies a byte range). The server responds
// to these with 206 Partial Content for the given range.
function range_request_test(script, expected, description) {
  promise_test(t => {
      let frame;
      let registration;
      add_result_callback(() => {
          if (frame) frame.remove();
          if (registration) registration.unregister();
        });

      const scope = 'resources/fetch-canvas-tainting-iframe.html';
      return service_worker_unregister_and_register(t, script, scope)
        .then(r => {
            registration = r;
            return wait_for_state(t, registration.installing, 'activated');
          })
        .then(() => {
            return with_iframe(scope);
          })
        .then(f => {
            frame = f;
            // Add "?VIDEO&PartialContent" to get a video resource from the
            // server using range requests.
            const video_url = 'fetch-access-control.py?VIDEO&PartialContent';
            return frame.contentWindow.create_test_case_promise(video_url);
          })
        .then(result => {
            assert_equals(result, expected);
          });
    }, description);
}

// We want to consider a number of scenarios:
// (1) Range responses come from a single origin, the same-origin as the page.
//     The canvas should not be tainted.
range_request_test(
  'resources/fetch-event-network-fallback-worker.js',
  'NOT_TAINTED',
  'range responses from single origin (same-origin)');

// (2) Range responses come from a single origin, cross-origin from the page
//     (and without CORS sharing). This is not possible to test, since service
//     worker can't make a request with a "Range" HTTP header in no-cors mode.

// (3) Range responses come from multiple origins. The first response comes from
//     cross-origin (and without CORS sharing, so is opaque). Subsequent
//     responses come from same-origin. The canvas should be tainted (but in
//     Chrome this is a LOAD_ERROR since it disallows range responses from
//     multiple origins, period).
range_request_test(
  'resources/range-request-to-different-origins-worker.js',
  'TAINTED',
  'range responses from multiple origins (cross-origin first)');

// (4) Range responses come from multiple origins. The first response comes from
//     same-origin. Subsequent responses come from cross-origin (and without
//     CORS sharing). Like (2) this is not possible since the service worker
//     cannot make range requests cross-origin.

// (5) Range responses come from a single origin, with a mix of opaque and
//     non-opaque responses. The first request uses 'no-cors' mode to
//     receive an opaque response, and subsequent range requests use 'cors'
//     to receive non-opaque responses. The canvas should be tainted.
range_request_test(
  'resources/range-request-with-different-cors-modes-worker.js',
  'TAINTED',
  'range responses from single origin with both opaque and non-opaque responses');

// (6) Range responses come from a single origin, with a mix of opaque and
//     non-opaque responses. The first request uses 'cors' mode to
//     receive an non-opaque response, and subsequent range requests use
//     'no-cors' to receive non-opaque responses. Like (2) this is not possible.
</script>
</body>