Add more dangling markup tests to WPT

As part of formally adding dangling markup injection mitigation to
html spec[1], we need to add more tests to WPT. This change moves some
of the existing tests to WPT, and add more tests.

[1]: whatwg/html#10022

Change-Id: I7b03839adeb749c3206a4fb95a9dfa5785c634c4

fetch/security/dangling-markup/media.html

@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+  var resources = {"audio": "/media/sound_5.mp3", "video":"/media/test.mp4"};
+
+  for (const key in resources){
+    async_test(t => {
+      let elem = document.body.appendChild(document.createElement(key));
+      elem.onerror = t.unreached_func(`${key} should load`);
+      elem.oncanplay = t.step_func(() => {
+        t.done();
+      });
+      elem.src = resources[key];
+    }, `Should load ${key}`);
+
+    async_test(t => {
+      let elem = document.body.appendChild(document.createElement(key));
+      elem.onerror = t.step_func(() => {
+        t.done();
+      });
+      elem.oncanplay = t.unreached_func(`${key} should not load`);
+      elem.src = resources[key] + "?\n<";
+    }, `Should not load ${key} with dangling markup in URL`);
+  }
+</script>

fetch/security/dangling-markup/option.html

@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="./resources/helper.js"></script>
+<body>
+<script>
+
+  var tests = [
+    `
+      <form action="/resource-timing/resources/document-navigated.html" method="post">
+        <input type="submit">
+        <select name="dangling"><option>
+    `,
+    `
+      <div>
+        <form action="/resource-timing/resources/document-navigated.html" method="post">
+          <input type="submit">
+          <select name="dangling"><option>
+    `,
+    `
+      <form action="/resource-timing/resources/document-navigated.html" method="post" id="form">
+        <input type="submit">
+      </form>
+      <select name="dangling" form="form"><option>
+    `,
+    `
+      <form action="/resource-timing/resources/document-navigated.html" method="post">
+        <input type="submit">
+        <select name="dangling"><option label="yay">
+    `,
+    `
+      <div>
+        <form action="/resource-timing/resources/document-navigated.html" method="post">
+          <input type="submit">
+          <select name="dangling"><option label="yay">
+    `,
+    `
+      <form action="/resource-timing/resources/document-navigated.html" method="post" id="form">
+        <input type="submit">
+      </form>
+      <select name="dangling" form="form"><option label="yay">
+    `
+  ];
+
+  tests.forEach(markup => {
+    async_test(t => {
+      var i = createFrame(`${markup}sekrit<element attribute></element>`);
+      assert_no_submission(t, i);
+    }, markup.replace(/[\n\r]/g, ''));
+  });
+</script>

fetch/security/dangling-markup/resources/helper.js

@@ -0,0 +1,63 @@
+function assert_no_message_from_frame(test, frame) {
+  window.addEventListener("message", test.step_func(e => {
+    assert_not_equals(e.source, frame.contentWindow);
+  }));
+}
+
+function appendFrameAndGetElement(test, frame) {
+  return new Promise((resolve, reject) => {
+    frame.onload = test.step_func(_ => {
+      frame.onload = null;
+      resolve(frame.contentDocument.querySelector('#dangling'));
+    });
+    document.body.appendChild(frame);
+  });
+}
+
+function appendAndSubmit(test, frame) {
+  return new Promise((resolve, reject) => {
+    frame.onload = test.step_func(_ => {
+      frame.onload = null;
+      frame.contentDocument.querySelector('form').addEventListener("error", _ => {
+        resolve("error");
+      });
+      frame.contentDocument.querySelector('form').addEventListener("submit", _ => {
+        resolve("submit");
+      });
+      frame.contentDocument.querySelector('[type=submit]').click();
+    });
+    document.body.appendChild(frame);
+  });
+}
+
+function assert_no_submission(test, frame) {
+  assert_no_message_from_frame(test, frame);
+
+  appendAndSubmit(test, frame)
+    .then(test.step_func_done(result => {
+      assert_equals(result, "error");
+      frame.remove();
+    }));
+}
+
+function assert_img_loaded(test, frame) {
+  appendFrameAndGetElement(test, frame)
+    .then(test.step_func_done(img => {
+      assert_equals(img.naturalHeight, 103, "Height");
+      assert_equals(img.naturalWidth, 76, "Width");
+    }));
+}
+
+function assert_img_not_loaded(test, frame) {
+  appendFrameAndGetElement(test, frame)
+    .then(test.step_func_done(img => {
+      assert_equals(img.naturalHeight, 0, "Height");
+      assert_equals(img.naturalWidth, 0, "Width");
+    }));
+}
+
+function createFrame(markup) {
+  var i = document.createElement('iframe');
+  i.srcdoc = `${markup}sekrit`;
+  return i;
+}

fetch/security/dangling-markup/textarea.html

@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="./resources/helper.js"></script>
+<body>
+<script>
+
+  var tests = [
+    `
+      <form action="/resource-timing/resources/document-navigated.html" method="post">
+        <input type="submit">
+        <textarea name="dangling">
+    `,
+    `
+      <div>
+        <form action="/resource-timing/resources/document-navigated.html" method="post">
+          <input type="submit">
+          <textarea name="dangling">
+    `,
+    `
+      <form action="/resource-timing/resources/document-navigated.html" method="post" id="form">
+        <input type="submit">
+      </form>
+      <textarea name="dangling" form="form">
+    `
+  ];
+
+  tests.forEach(markup => {
+    async_test(t => {
+      var i = createFrame(`${markup}sekrit<element attribute></element>`);
+      assert_no_submission(t, i);
+    }, markup.replace(/[\n\r]/g, ''));
+  });
+</script>