Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Many html tests assume data: URLs are treated as same-origin #1999

Closed
inexorabletash opened this issue Jul 13, 2015 · 6 comments
Closed

Many html tests assume data: URLs are treated as same-origin #1999

inexorabletash opened this issue Jul 13, 2015 · 6 comments
Labels
html

Comments

@inexorabletash
Copy link
Member

We're working on switching how Blink runs web-platform-tests for CI from our default mechanism as file:-based to using wptserve. This has turned up that many tests create subresources (iframes, vtt) using data: URLs then treat them as same-origin.

Per https://bugzilla.mozilla.org/show_bug.cgi?id=255107 only FF has the same-origin behavior. Opera/Chrome/Safari/IE all treat data: URLs as cross-origin and intentionally disagree with what is written in the spec, and therefore fail.

A handful of the tests for reference:
html/browsers/browsing-the-web/read-media/pageload-image.html
html/browsers/browsing-the-web/read-media/pageload-video.html
html/semantics/embedded-content/media-elements/interfaces/TextTrack/addCue.html
(and many others in TextTrack/)
html/syntax/parsing/html5lib_adoption01.html
(and many others in parsing/)
html/webappapis/scripting/processing-model-2/compile-error-data-url.html
... and probably others in directories we're not importing yet.

Since the browser behavior differences are long-standing (and perhaps unlikely to be resolved soon), and since these tests aren't testing data: URLs directly, it seems like we should update the tests to not depend on data: URLs.
@jgraham
Copy link
Contributor

jgraham commented Jul 13, 2015

Historically Opera — i.e. Presto — matched the spec here and many of these tests were written by Opera engineers to match the spec. Given the disagreement about the model here I welcome PRs to change these tests to not use data: URIs (but in at least some cases I expect that to be difficult e.g. the html5lib tests are based around loading a document generated in content using the regular HTML parser; I'm not sure how else to do that).

@sideshowbarker
Copy link
Contributor

@jgraham

I welcome PRs to change these tests to not use data: URIs (but in at least some cases I expect that to be difficult e.g. the html5lib tests are based around loading a document generated in content using the regular HTML parser; I'm not sure how else to do that)

Is using <iframe srcdoc> instead for those a possible solution?

Given the discussion in https://bugzilla.mozilla.org/show_bug.cgi?id=1018872 it might be useful to also get feedback from @annevk, @bzbarsky, and @mikewest here on how we should deal with this in the test suite. And maybe also from @hillbrad—especially if he @mikewest got any new ideas on what if anything might be possible as far as dealing with the underlying issue.

@annevk
Copy link
Member

annevk commented Jul 14, 2015

Mozilla would appreciate the tests being updated. That would make it easier for us to migrate to a stricter data URL world. It's not especially high priority for us at the moment though.

@inexorabletash inexorabletash mentioned this issue Jul 15, 2015
Closed
@inexorabletash inexorabletash mentioned this issue Dec 11, 2015
Closed
@inexorabletash
Copy link
Member Author

An attempt at <iframe srcdoc> over in #2429 - seems to work but perhaps it's not capturing all of the semantics.

@bzbarsky
Copy link
Contributor

<iframe srcdoc> is always in standards mode. Are any of these tests testing quirks mode?

mikewest added a commit that referenced this issue Dec 11, 2015
@mikewest
Stop using data: URLs in html/syntax/parsing
7cdc05e 
We can generate equivalent test results by using `blob:` URLs rather
than `data:` URLs for parsing tests. The former has the advantage of
working correctly in Chrome, due to unrelated choices about the behavior
of `data:` URLs.

h/t to @inexorabletash who showed me exactly where I needed to make this
change. :)

Partially addresses #1999
@mikewest mikewest mentioned this issue Dec 11, 2015
Merged
@snyk-bot snyk-bot mentioned this issue Aug 18, 2021
Open
@snyk-bot snyk-bot mentioned this issue Sep 4, 2021
Open
This was referenced Sep 12, 2021
Open
Open
This was referenced Oct 21, 2022
Open
Open
@annevk
Copy link
Member

annevk commented Mar 28, 2023

First two are fixed by d6e6530.

<track> pointing to a data: URL seems okay and not cross-origin per se.

Not sure I see the problem in https://github.com/web-platform-tests/wpt/blame/master/html/syntax/parsing/html5lib_adoption01.html and generally those tests seem to run fine in all browsers?

https://github.com/web-platform-tests/wpt/blame/master/html/webappapis/scripting/processing-model-2/compile-error-data-url.html also seems fine and passes in all browsers.

Going to close this but feel free to reopen or shout if I missed something.

@annevk annevk closed this as completed Mar 28, 2023
@snyk-bot snyk-bot mentioned this issue Apr 27, 2023
Merged
@MaxMood96 MaxMood96 mentioned this issue Jun 22, 2023
Open
@Woodpile37 Woodpile37 mentioned this issue Aug 21, 2023
Merged
This was referenced Nov 27, 2023
Open
Open
This was referenced Apr 15, 2024
Open
Open
This was referenced May 14, 2024
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
html
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@sideshowbarker @jgraham @inexorabletash @bzbarsky @annevk