Allow range headers to pass through a service worker

fetch/range/general.any.js

@@ -0,0 +1,54 @@
+// Helpers that return headers objects with a particular guard
+function headersGuardNone(fill) {
+  if (fill) return new Headers(fill);
+  return new Headers();
+}
+
+function headersGuardResponse(fill) {
+  const opts = {};
+  if (fill) opts.headers = fill;
+  return new Response('', opts).headers;
+}
+
+function headersGuardRequest(fill) {
+  const opts = {};
+  if (fill) opts.headers = fill;
+  return new Request('./', opts).headers;
+}
+
+function headersGuardRequestNoCors(fill) {
+  const opts = { mode: 'no-cors' };
+  if (fill) opts.headers = fill;
+  return new Request('./', opts).headers;
+}
+
+test(() => {
+  // Setting range should work for these guards
+  for (const createHeaders of [headersGuardNone, headersGuardResponse, headersGuardRequest]) {
+    // There are three ways to set headers.
+    // Filling, appending, and setting. Test each:
+    let headers = createHeaders({ Range: 'foo' });
+    assert_equals(headers.get('Range'), 'foo');
+
+    headers = createHeaders();
+    headers.append('Range', 'foo');
+    assert_equals(headers.get('Range'), 'foo');
+
+    headers = createHeaders();
+    headers.set('Range', 'foo');
+    assert_equals(headers.get('Range'), 'foo');
+  }
+
+  // It shouldn't work for the request-no-cors guard
+  let headers = headersGuardRequestNoCors({ Range: 'foo' });
+  assert_false(headers.has('Range'));
+
+  headers = headersGuardRequestNoCors();
+  headers.append('Range', 'foo');
+  assert_false(headers.has('Range'));
+
+  headers = headersGuardRequestNoCors();
+  headers.set('Range', 'foo');
+  assert_false(headers.has('Range'));
+}, `Privileged header is allowed unless guard is request-no-cors`);
+

fetch/range/partial-script.window.js

@@ -0,0 +1,7 @@
+// META: script=resources/utils.js
+
+// It's weird that browsers do this, but it should continue to work.
+promise_test(async t => {
+  await loadScript('resources/partial-script.py?pretend-offset=90000');
+  assert_true(self.scriptExecuted);
+}, `Script executed from partial response`);

fetch/range/resources/basic.html

@@ -0,0 +1 @@
+<!DOCTYPE html>

fetch/range/resources/long-wav.py

@@ -0,0 +1,111 @@
+"""
+This generates a 30 minute silent wav, and is capable of
+responding to Range requests.
+"""
+import time
+import re
+import struct
+
+
+def create_wav_header(sample_rate, bit_depth, channels, duration):
+    bytes_per_sample = bit_depth / 8
+    block_align = bytes_per_sample * channels
+    byte_rate = sample_rate * block_align
+    sub_chunk_2_size = duration * byte_rate
+
+    data = b''
+    # ChunkID
+    data += b'RIFF'
+    # ChunkSize
+    data += struct.pack('<L', 36 + sub_chunk_2_size)
+    # Format
+    data += b'WAVE'
+    # Subchunk1ID
+    data += b'fmt '
+    # Subchunk1Size
+    data += struct.pack('<L', 16)
+    # AudioFormat
+    data += struct.pack('<H', 1)
+    # NumChannels
+    data += struct.pack('<H', channels)
+    # SampleRate
+    data += struct.pack('<L', sample_rate)
+    # ByteRate
+    data += struct.pack('<L', byte_rate)
+    # BlockAlign
+    data += struct.pack('<H', block_align)
+    # BitsPerSample
+    data += struct.pack('<H', bit_depth)
+    # Subchunk2ID
+    data += b'data'
+    # Subchunk2Size
+    data += struct.pack('<L', sub_chunk_2_size)
+
+    return data
+
+
+def main(request, response):
+    response.headers.set("Content-Type", "audio/wav")
+    response.headers.set("Accept-Ranges", "bytes")
+    response.headers.set("Cache-Control", "no-cache")
+
+    range_header = request.headers.get('Range', '')
+    range_received_key = request.GET.first('range-received-key', '')
+
+    if range_received_key and range_header:
+        # This is later collected using stash-take.py
+        request.stash.put(range_received_key, 'range-header-received', '/fetch/privileged-headers/')
+
+    # Audio details
+    sample_rate = 8000
+    bit_depth = 8
+    channels = 1
+    duration = 60 * 5
+
+    total_length = (sample_rate * bit_depth * channels * duration) / 8
+    bytes_remaining_to_send = total_length
+    initial_write = ''
+
+    if range_header:
+        response.status = 206
+        start, end = re.search(r'^bytes=(\d*)-(\d*)$', range_header).groups()
+
+        start = int(start)
+        end = int(end) if end else 0
+
+        if end:
+            bytes_remaining_to_send = (end + 1) - start
+        else:
+            bytes_remaining_to_send = total_length - start
+
+        wav_header = create_wav_header(sample_rate, bit_depth, channels, duration)
+
+        if start < len(wav_header):
+            initial_write = wav_header[start:]
+
+            if bytes_remaining_to_send < len(initial_write):
+                initial_write = initial_write[0:bytes_remaining_to_send]
+
+        content_range = "bytes {}-{}/{}".format(start, end or total_length - 1, total_length)
+
+        response.headers.set("Content-Range", content_range)
+    else:
+        initial_write = create_wav_header(sample_rate, bit_depth, channels, duration)
+
+    response.headers.set("Content-Length", bytes_remaining_to_send)
+
+    response.write_status_headers()
+    response.writer.write(initial_write)
+
+    bytes_remaining_to_send -= len(initial_write)
+
+    while bytes_remaining_to_send > 0:
+        if not response.writer.flush():
+            break
+
+        to_send = b'\x00' * min(bytes_remaining_to_send, sample_rate)
+        bytes_remaining_to_send -= len(to_send)
+
+        response.writer.write(to_send)
+        # Throttle the stream
+        time.sleep(0.5)

fetch/range/resources/partial-script.py

@@ -0,0 +1,30 @@
+"""
+This generates a partial response containing valid JavaScript.
+"""
+
+
+def main(request, response):
+    require_range = request.GET.first('require-range', '')
+    pretend_offset = int(request.GET.first('pretend-offset', '0'))
+    range_header = request.headers.get('Range', '')
+
+    if require_range and not range_header:
+        response.set_error(412, "Range header required")
+        response.write()
+        return
+
+    response.headers.set("Content-Type", "text/plain")
+    response.headers.set("Accept-Ranges", "bytes")
+    response.headers.set("Cache-Control", "no-cache")
+    response.status = 206
+
+    to_send = 'self.scriptExecuted = true;'
+    length = len(to_send)
+
+    content_range = "bytes {}-{}/{}".format(
+        pretend_offset, pretend_offset + length - 1, pretend_offset + length)
+
+    response.headers.set("Content-Range", content_range)
+    response.headers.set("Content-Length", length)
+
+    response.content = to_send

fetch/range/resources/range-sw.js

@@ -0,0 +1,142 @@
+importScripts('/resources/testharness.js');
+
+setup({ explicit_done: true });
+
+function assert_range_request(request, expectedRangeHeader, name) {
+  assert_equals(request.headers.get('Range'), expectedRangeHeader, name);
+}
+
+async function broadcast(msg) {
+  for (const client of await clients.matchAll()) {
+    client.postMessage(msg);
+  }
+}
+
+addEventListener('fetch', event => {
+  /** @type Request */
+  const request = event.request;
+  const url = new URL(request.url);
+  const action = url.searchParams.get('action');
+
+  switch (action) {
+    case 'range-header-filter-test':
+      rangeHeaderFilterTest(request);
+      return;
+    case 'range-header-passthrough-test':
+      rangeHeaderPassthroughTest(event);
+      return;
+    case 'store-ranged-response':
+      storeRangedResponse(event);
+      return;
+    case 'use-stored-ranged-response':
+      useStoredRangeResponse(event);
+      return;
+  }
+});
+
+/**
+ * @param {Request} request
+ */
+function rangeHeaderFilterTest(request) {
+  const rangeValue = request.headers.get('Range');
+
+  test(() => {
+    assert_range_request(new Request(request), rangeValue, `Untampered`);
+    assert_range_request(new Request(request, {}), rangeValue, `Untampered (no init props set)`);
+    assert_range_request(new Request(request, { __foo: 'bar' }), rangeValue, `Untampered (only invalid props set)`);
+    assert_range_request(new Request(request, { mode: 'cors' }), rangeValue, `More permissive mode`);
+    assert_range_request(request.clone(), rangeValue, `Clone`);
+  }, "Range headers correctly preserved");
+
+  test(() => {
+    assert_range_request(new Request(request, { headers: { Range: 'foo' } }), null, `Tampered - range header set`);
+    assert_range_request(new Request(request, { headers: {} }), null, `Tampered - empty headers set`);
+    assert_range_request(new Request(request, { mode: 'no-cors' }), null, `Tampered – mode set`);
+    assert_range_request(new Request(request, { cache: 'no-cache' }), null, `Tampered – cache mode set`);
+  }, "Range headers correctly removed");
+
+  test(() => {
+    let headers;
+
+    headers = new Request(request).headers;
+    headers.delete('does-not-exist');
+    assert_equals(headers.get('Range'), rangeValue, `Preserved if no header actually removed`);
+
+    headers = new Request(request).headers;
+    headers.append('foo', 'bar');
+    assert_equals(headers.get('Range'), rangeValue, `Preserved if silent-failure on append (due to request-no-cors guard)`);
+
+    headers = new Request(request).headers;
+    headers.set('foo', 'bar');
+    assert_equals(headers.get('Range'), rangeValue, `Preserved if silent-failure on set (due to request-no-cors guard)`);
+
+    headers = new Request(request).headers;
+    headers.append('Range', 'foo');
+    assert_equals(headers.get('Range'), rangeValue, `Preserved if silent-failure on append (due to request-no-cors guard)`);
+
+    headers = new Request(request).headers;
+    headers.set('Range', 'foo');
+    assert_equals(headers.get('Range'), rangeValue, `Preserved if silent-failure on set (due to request-no-cors guard)`);
+
+    headers = new Request(request).headers;
+    headers.append('Accept', 'whatever');
+    assert_equals(headers.get('Range'), null, `Stripped if header successfully appended`);
+
+    headers = new Request(request).headers;
+    headers.set('Accept', 'whatever');
+    assert_equals(headers.get('Range'), null, `Stripped if header successfully set`);
+
+    headers = new Request(request).headers;
+    headers.delete('Accept');
+    assert_equals(headers.get('Range'), null, `Stripped if header successfully deleted`);
+
+    headers = new Request(request).headers;
+    headers.delete('Range');
+    assert_equals(headers.get('Range'), null, `Stripped if range header successfully deleted`);
+  }, "Headers correctly filtered");
+
+  done();
+}
+
+function rangeHeaderPassthroughTest(event) {
+  /** @type Request */
+  const request = event.request;
+  const url = new URL(request.url);
+  const key = url.searchParams.get('range-received-key');
+
+  event.waitUntil(new Promise(resolve => {
+    promise_test(async () => {
+      await fetch(event.request);
+      const response = await fetch('stash-take.py?key=' + key);
+      assert_equals(await response.json(), 'range-header-received');
+      resolve();
+    }, `Include range header in network request`);
+
+    done();
+  }));
+
+  // Just send back any response, it isn't important for the test.
+  event.respondWith(new Response(''));
+}
+
+let storedRangeResponseP;
+
+function storeRangedResponse(event) {
+  /** @type Request */
+  const request = event.request;
+  const id = new URL(request.url).searchParams.get('id');
+
+  storedRangeResponseP = fetch(event.request);
+  broadcast({ id });
+
+  // Just send back any response, it isn't important for the test.
+  event.respondWith(new Response(''));
+}
+
+function useStoredRangeResponse(event) {
+  event.respondWith(async function() {
+    const response = await storedRangeResponseP;
+    if (!response) throw Error("Expected stored range response");
+    return response.clone();
+  }());
+}

fetch/range/resources/stash-take.py

@@ -0,0 +1,7 @@
+from wptserve.handlers import json_handler
+
+
+@json_handler
+def main(request, response):
+    key = request.GET.first("key")
+    return request.server.stash.take(key, '/fetch/privileged-headers/')

fetch/range/resources/utils.js

@@ -0,0 +1,9 @@
+function loadScript(url, { doc = document }={}) {
+  return new Promise((resolve, reject) => {
+    const script = doc.createElement('script');
+    script.onload = () => resolve();
+    script.onerror = () => reject(Error("Script load failed"));
+    script.src = url;
+    doc.body.appendChild(script);
+  })
+}