Fetch: X-Content-Type-Options: nosniff parsing

For whatwg/fetch#818.

Author: annevk

fetch/nosniff/parsing-nosniff.html

@@ -0,0 +1,24 @@
+promise_test(() => fetch("resources/x-content-type-options.json").then(res => res.json()).then(runTests), "Loading JSON…");
+
+function runTests(allTestData) {
+  for (let i = 0; i < allTestData.length; i++) {
+    const testData = allTestData[i],
+          input = encodeURIComponent(testData.input);
+    async_test(t => {
+      const script = document.createElement("script");
+      t.add_cleanup(() => script.remove());
+      // A <script> element loading a classic script does not care about the MIME type, unless
+      // X-Content-Type-Options: nosniff is specified, in which case a JavaScript MIME type is
+      // enforced, which x/x is not.
+      if (testData.nosniff) {
+        script.onerror = t.step_func_done();
+        script.onload = t.unreached_func("Script should not have loaded");
+      } else {
+        script.onerror = t.unreached_func("Script should have loaded");
+        script.onload = t.step_func_done();
+      }
+      script.src = "resources/nosniff.py?nosniff=" + input;
+      document.body.appendChild(script);
+    }, input);
+  }
+}

fetch/nosniff/parsing-nosniff.window.js

@@ -0,0 +1,10 @@
+def main(request, response):
+    response.add_required_headers = False
+    output =  "HTTP/1.1 220 YOU HAVE NO POWER HERE\r\n"
+    output += "Content-Length: 22\r\n"
+    output += "Content-Type: x/x\r\n"
+    output += request.GET.first("nosniff") + "\r\n"
+    output += "\r\n"
+    output += "// nothing to see here"
+    response.writer.write(output)
+    response.close_connection = True

fetch/nosniff/resources/nosniff-first.asis

@@ -0,0 +1,58 @@
+[
+  {
+    "input": "X-Content-Type-Options: NOSNIFF",
+    "nosniff": true
+  },
+  {
+    "input": "x-content-type-OPTIONS: nosniff",
+    "nosniff": true
+  },
+  {
+    "input": "X-Content-Type-Options: nosniff,,@#$#%%&^&^*()()11!",
+    "nosniff": true
+  },
+  {
+    "input": "X-Content-Type-Options: @#$#%%&^&^*()()11!,nosniff",
+    "nosniff": false
+  },
+  {
+    "input": "X-Content-Type-Options: nosniff\r\nX-Content-Type-Options: no",
+    "nosniff": true
+  },
+  {
+    "input": "X-Content-Type-Options: no\r\nX-Content-Type-Options: nosniff",
+    "nosniff": false
+  },
+  {
+    "input": "X-Content-Type-Options:\r\nX-Content-Type-Options: nosniff",
+    "nosniff": false
+  },
+  {
+    "input": "X-Content-Type-Options: ,nosniff",
+    "nosniff": false
+  },
+  {
+    "input": "X-Content-Type-Options: nosniff\u000C",
+    "nosniff": false
+  },
+  {
+    "input": "X-Content-Type-Options: nosniff\u000B",
+    "nosniff": false
+  },
+  {
+    "input": "X-Content-Type-Options: nosniff\u000B,nosniff",
+    "nosniff": false
+  },
+  {
+    "input": "X-Content-Type-Options: 'NosniFF'",
+    "nosniff": false
+  },
+  {
+    "input": "X-Content-Type-Options: \"nosniFF\"",
+    "nosniff": false
+  },
+  {
+    "input": "Content-Type-Options: nosniff",
+    "nosniff": false
+  }
+]