WPT tests for security features applied to speculation rules ruleset fetch #43488
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
wpt-pr-bot
approved these changes
Dec 2, 2023
chromium-wpt-export-bot
force-pushed
the
chromium-export-cl-5078187
branch
2 times, most recently
from
f027f57 to
4d6f235
Compare
chromium-wpt-export-bot
force-pushed
the
chromium-export-cl-5078187
branch
2 times, most recently
from
d6e9eec to
355de66
Compare
chromium-wpt-export-bot
force-pushed
the
chromium-export-cl-5078187
branch
from
355de66 to
f649727
Compare
…fetch This adds WPT coverage for the fetch of the speculation rules themselves (via the `Speculation-Rules` header). These are fairly standard in how they work, but because these requests are currently triggered only via a response header, they don't mesh very well with the existing test harness for several reasons: 1. We need to make a new context to issue the request. A window works most naturally, since a UA might not bother fetching rules in a subframe). This has knock-on consequences, like the need to replicate the headers for the security features to this opened window, which is awkward because what these headers were isn't plumbed in yet and isn't easy to obtain from script. 2. Since this isn't requested via an element or script API, there is currently no explicit signal when this request has completed, successfully or otherwise. Instead, we poll the server to see when it has processed the request, timing out after some time if the request has not been seen (this is expected in the case that it is blocked). This has the potential to be flaky, though some steps are taken to mitigate this (and further ones could be, like using a longer or infinite timeout when the request should be allowed, but this requires plumbing the expected result deeper, which is awkward with the test generation machinery). 3. Since it is processed as a response header early in the lifecycle of the document, we can't rely on securitypolicyviolation events to be fired in that context with any determinism. In theory this could be worked around by having the server process violation reports but this has its own issues. Instead they're skipped here, but not in an elegant way. Bug: 1507833 Change-Id: I3e5de39191241ebee592c8e9ea85e38f462e1d7c
chromium-wpt-export-bot
changed the title
chromium-wpt-export-bot
force-pushed
the
chromium-export-cl-5078187
branch
from
f649727 to
dd77a1c
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds WPT coverage for the fetch of the speculation rules
themselves (via the
Speculation-Rulesheader). These are fairlystandard in how they work, but because these requests are currently
triggered only via a response header, they don't mesh very well with
the existing test harness for several reasons:
We need to make a new context to issue the request. A window
works most naturally, since a UA might not bother fetching rules
in a subframe).
This has knock-on consequences, like the need to replicate the
headers for the security features to this opened window, which
is awkward because what these headers were isn't plumbed in yet
and isn't easy to obtain from script.
Since this isn't requested via an element or script API, there
is currently no explicit signal when this request has completed,
successfully or otherwise. Instead, we poll the server to see
when it has processed the request, timing out after some time
if the request has not been seen (this is expected in the case
that it is blocked).
This has the potential to be flaky, though some steps are taken
to mitigate this (and further ones could be, like using a longer
or infinite timeout when the request should be allowed, but this
requires plumbing the expected result deeper, which is awkward
with the test generation machinery).
Since it is processed as a response header early in the
lifecycle of the document, we can't rely on
securitypolicyviolation events to be fired in that context with
any determinism. In theory this could be worked around by having
the server process violation reports but this has its own issues.
Instead they're skipped here, but not in an elegant way.
Bug: 1507833
Change-Id: I3e5de39191241ebee592c8e9ea85e38f462e1d7c
Reviewed-on: https://chromium-review.googlesource.com/5078187
WPT-Export-Revision: 1e86f21b18197551ab05937ef3d77c87fc2ce5ae