From 49ea137684bf2172d8a899ee6f32d39999efa495 Mon Sep 17 00:00:00 2001 From: Aaron Tagliaboschi Date: Thu, 5 Nov 2020 08:38:14 -0800 Subject: [PATCH] [Critical-CH] Add check for unsafe HTTP methods According to the Client Hint Reliability ietf draft https://tools.ietf.org/html/draft-davidben-http-client-hint-reliability#section-3 > If the request did not use a safe method (Section 4.2.1 of [RFC7231]), ignore the Critical-CH header and continue processing the response as usual. Also added a WPT to make sure. Bug: 1127313 Change-Id: I82682077dfa51a4aa7204a973c192379cd6588c7 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2508711 Commit-Queue: Aaron Tagliaboschi Reviewed-by: Matt Menke Reviewed-by: Maksim Orlovich Reviewed-by: Yoav Weiss Cr-Commit-Position: refs/heads/master@{#824434} --- .../critical-ch/unsafe-method.https.window.js | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 client-hints/critical-ch/unsafe-method.https.window.js diff --git a/client-hints/critical-ch/unsafe-method.https.window.js b/client-hints/critical-ch/unsafe-method.https.window.js new file mode 100644 index 00000000000000..0eca0eb8e9aea1 --- /dev/null +++ b/client-hints/critical-ch/unsafe-method.https.window.js @@ -0,0 +1,23 @@ +async_test((t) => { + // This test requires a navigation with a non-safe (i.e. non-GET) HTTP + // response, which the Critical-CH spec says to ignore. The most + // "straight-forward" way to do this in JS is by making a form with an + // unsafe method (e.g. POST) method and submit it. + + // Build the form DOM element + var form = document.createElement("form"); + form.setAttribute("method", "post"); + form.setAttribute("action", "resources/echo-critical-hint.py"); + form.setAttribute("target", "popup"); //don't navigate away from the page running the test... + document.body.appendChild(form); + + var popup_window = window.open("/common/blank.html", "popup"); + assert_not_equals(popup_window, null, "Popup windows not allowed?"); + + popup_window.addEventListener('message', (e) => { + t.step(()=>{assert_equals(e.data, "FAIL")}); + t.done(); + }); + + form.submit(); +}, "Critical-CH unsafe method")