This directory contains tests related to the Cross-Origin Resource Blocking (CORB) algorithm.
The tests in this directory interact with various, random features, but the tests have been grouped together into the fetch/corb
directory, because all of these tests verify behavior that is important to the CORB algorithm.
Note that CORB is currently in very early stages of standardization path. At the same time, some tests in this directory (e.g. css-with-json-parser-breaker
) cover behavior spec-ed outside of CORB (making sure that CORB doesn‘t change the existing web behavior) and therefore are valuable independently from CORB’s standardization efforts.
Tests that cover behavior that is changed by CORB have to be marked as tentative (using .tentative
substring in their filename) until CORB is included in the official Fetch spec. Such tests may fail unless CORB is enabled. In practice this means that:
CORB is a defense-in-depth and in general should not cause changes in behavior that can be observed by web features or by end users. This makes CORB difficult or even impossible to test via WPT.
WPT tests can cover the following:
img-html-correctly-labeled.sub.html
img-png-mislabeled-as-html.sub.html
img-png-mislabeled-as-html-nosniff.tentative.sub.html
script-html-via-cross-origin-blob-url.tentative.sub.html
Examples of aspects that WPT tests cannot cover (these aspects have to be covered in other, browser-specific tests):