File: script-resource-with-json-parser-breaker.tentative.sub.html

<!DOCTYPE html>
<!-- Test verifies CORB will block responses beginning with a JSON parser
  breaker regardless of their MIME type (excluding text/css - see below).

  A JSON parser breaker is a prefix added to resources with sensitive data to
  prevent cross-site script inclusion (XSSI) and similar attacks.  For example,
  it may be included in JSON files to prevent them from leaking data via a
  <script> tag, making the response only useful to a fetch or XmlHttpRequest.
  See also https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md#Protecting-JSON

  The assumption is that all images, other media, scripts, fonts and other
  resources that may be embedded cross-origin will never begin with a JSON
  parser breaker.  For example a JPEG image should always begin with FF D8 FF,
  a PNG image with 89 50 4E 47 0D 0A 1A 0A bytes and an SVG image with "<?xml"
  substring.

  The assumption above excludes text/css which (as shown by
  style-css-with-json-parser-breaker.sub.html) can parse as a valid stylesheet
  even in the presence of a JSON parser breaker.
-->
<meta charset="utf-8">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<div id=log></div>
<script>
// Without CORB the parser-breaker bodies below throw a SyntaxError when the
// browser parses them as JavaScript.  Let the harness tolerate that uncaught
// exception so the per-test window "error" listener can report it as a
// failure of the individual test instead of aborting the whole harness.
setup({ allow_uncaught_exception: true });

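// A subset of JSON security prefixes - only the ones that are "parser
// breakers", i.e. prefixes that make the body fail to parse as JavaScript.
// Declared with `var` so the list is an explicit script-level global rather
// than an implicit one created by an undeclared assignment (which throws in
// strict mode).
var json_parser_breakers = [
  ")]}'",
  "{}&&",
  "{} &&",
];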

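// JSON parser breaker should trigger CORB blocking for any Content-Type - even
// for resources that claim to be of a MIME type that is normally allowed to be
// embedded in cross-origin documents (like images and/or scripts).
// Declared with `var` so the list is an explicit script-level global rather
// than an implicit one created by an undeclared assignment (which throws in
// strict mode).
var mime_types = [
  // CORB-protected MIME types
  "text/html",
  "text/xml",
  "text/json",
  "text/plain",

  // MIME types that normally are allowed by CORB.
  "application/javascript",
  "image/png",
  "image/svg+xml",

  // Other types.
  "application/pdf",
  "application/zip",
];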

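// Registers one async test that loads a cross-site <script> whose response
// claims `mime_type` and whose body starts with the JSON parser breaker
// `body`.  With CORB the response body is replaced by an empty one, so the
// script loads without error; without CORB the parser breaker surfaces as a
// SyntaxError, which fails the test.
//
// NOTE: this deliberately shadows testharness.js's global `test()`; the body
// only relies on `async_test`, so that is harmless here.
function test(mime_type, body) {
  async_test(function(t) {
    var script = document.createElement("script");

    // A syntax error in the loaded script is expected to surface on the
    // window's "error" event rather than on the <script> element, so listen
    // there.  The listener is detached once the script has loaded so that it
    // does not keep firing for unrelated scripts after this test is done
    // (previously every test left its listener attached for the page lifetime).
    var on_error = t.step_func(function(e) {
      assert_unreached("Empty body of a CORS-blocked response shouldn't trigger syntax errors.");
    });
    addEventListener("error", on_error);

    // Without CORB, the JSON parser breaker would cause a syntax error when
    // parsed as JavaScript, but with CORB there should be no errors (because
    // CORB will replace the response body with an empty body).
    script.onload = t.step_func_done(function() {
      removeEventListener("error", on_error);
    });

    // www1 is cross-origin, so the HTTP response is CORB-eligible.
    //
    // TODO(lukasza@chromium.org): Once https://crbug.com/888079 and
    // https://crbug.com/891872 are fixed, we should use a cross-*origin*
    // rather than cross-*site* URL below (e.g. s/hosts[alt]/domains/g).
    // See also https://crbug.com/918660 for more context.
    var src_prefix = "http://{{hosts[alt][www1]}}:{{ports[http][0]}}/fetch/corb/resources/sniffable-resource.py";

    // Percent-encode both query parameters, not just `body`: `mime_type` may
    // contain '+' (e.g. "image/svg+xml"), which a query-string parser would
    // otherwise decode as a space and so alter the Content-Type the server
    // echoes back.
    script.src = src_prefix +
        "?type=" + encodeURIComponent(mime_type) +
        "&body=" + encodeURIComponent(body);
    document.body.appendChild(script);
  }, "CORB-blocks '" + mime_type + "' that starts with the following JSON parser breaker: " + body);
}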

// Cross product: every MIME type paired with every parser breaker gets its
// own test, MIME types in the outer loop so the registration order (and thus
// the order of results in the log) matches the order of the two lists.
for (var i = 0; i < mime_types.length; i++) {
  for (var j = 0; j < json_parser_breakers.length; j++) {
    test(mime_types[i], json_parser_breakers[j]);
  }
}

</script>