From b9251407378be4ed002c0b6661cece0788d287ef Mon Sep 17 00:00:00 2001
From: punithnayak <npunith125@gmail.com>
Date: Wed, 17 Jan 2024 19:26:40 -0800
Subject: [PATCH] Replace TAOResponse.py with CustomCorsResponse.py

*Deleted wpt/resource-timing/resources/TAOResponse.py
*Linked all the affecting tests to wpt/common/CustomCorsResponse.py

Bug: 1241646
Change-Id: I651cfc36afc8af76f8133ba113b6feb8ed11519b
---
 common/CustomCorsResponse.py                  |  5 ++
 .../TAO-port-mismatch-means-crossorigin.html  |  8 +--
 resource-timing/cross-origin-iframe.html      |  2 +-
 resource-timing/opaque-origin.html            | 20 +++---
 resource-timing/resources/TAOResponse.py      | 64 -------------------
 .../iframe-TAO-crossorigin-port.sub.html      | 40 ++++++------
 .../resources/iframe_TAO_match_origin.html    |  3 +-
 resource-timing/sizes-redirect-img.html       |  4 +-
 resource-timing/sizes-redirect.any.js         | 36 ++++++-----
 9 files changed, 66 insertions(+), 116 deletions(-)
 delete mode 100644 resource-timing/resources/TAOResponse.py

diff --git a/common/CustomCorsResponse.py b/common/CustomCorsResponse.py
index fc4d122f1b184b..f7d477aabf4836 100644
--- a/common/CustomCorsResponse.py
+++ b/common/CustomCorsResponse.py
@@ -20,6 +20,11 @@ def query_parameter_or_default(param, default):
   for k, v in headers.items():
     response.headers.set(k, v)
 
+  img = request.GET.first(b'img') if b'img' in request.GET else None
+  if img:
+    response.headers.set(b"Content-Type", b"image/png")
+    with open(request.doc_root + "/resource-timing/resources/blue.png", "rb") as f:
+      response.content = f.read()
   # Note that, in order to have out-of-the-box support for tests that don't call
   #   setup({'allow_uncaught_exception': true})
   # we return a no-op JS payload. This approach will avoid syntax errors in
diff --git a/resource-timing/TAO-port-mismatch-means-crossorigin.html b/resource-timing/TAO-port-mismatch-means-crossorigin.html
index f1218d17a0a44f..79a0b80366f8d5 100644
--- a/resource-timing/TAO-port-mismatch-means-crossorigin.html
+++ b/resource-timing/TAO-port-mismatch-means-crossorigin.html
@@ -18,8 +18,8 @@
 // have a Timing-Allow-Origin header value with the second port so this page's
 // origin should not be a match.
 const port_mismatch_url = `${location.protocol}//${ORIGINAL_HOST}:${PORT2}` +
-                          `/resource-timing/resources/TAOResponse.py?` +
-                          `tao=origin_port_${PORT2}`;
+                          `/common/CustomCorsResponse.py?` +
+                          `tao=origin_port_${PORT2}&headers=${encodeURIComponent('{"Access-Control-Allow-Origin":"*","Timing-Allow-Origin":"${PORT2}"}')}`;
 attribute_test(
   fetch, port_mismatch_url, invariants.assert_tao_failure_resource,
   "A port mismatch must fail the TAO check");
@@ -29,8 +29,8 @@
 // the Timing-Allow-Origin header's value. Therefore, the subresource's timings
 // must be exposed.
 const port_match_url = `${location.protocol}//${ORIGINAL_HOST}:${PORT2}` +
-                       `/resource-timing/resources/TAOResponse.py?` +
-                       `tao=origin_port_${PORT}`;
+                       `/common/CustomCorsResponse.py?` +
+                       `tao=origin_port_${PORT}&headers=${encodeURIComponent('{"Access-Control-Allow-Origin":"*","Timing-Allow-Origin":"*"}')}`;
 attribute_test(
   fetch, port_match_url, invariants.assert_tao_pass_no_redirect_http,
   "An identical port must pass the TAO check");
diff --git a/resource-timing/cross-origin-iframe.html b/resource-timing/cross-origin-iframe.html
index 69daebffaf2a24..dafe1d77b6a432 100644
--- a/resource-timing/cross-origin-iframe.html
+++ b/resource-timing/cross-origin-iframe.html
@@ -24,7 +24,7 @@
   promise_test(async t => {
     const iframe = document.createElement('iframe');
     t.add_cleanup(() => iframe.remove());
-    iframe.src = `${REMOTE_ORIGIN}/resource-timing/resources/TAOResponse.py?tao=wildcard`;
+    iframe.src = `${REMOTE_ORIGIN}/common/CustomCorsResponse.py?headers=${encodeURIComponent('{"Timing-Allow-Origin": "*"}')}`;
     document.body.appendChild(iframe);
     const entry = await observe_entry(iframe.src);
     invariants.assert_tao_pass_no_redirect_http(entry);
diff --git a/resource-timing/opaque-origin.html b/resource-timing/opaque-origin.html
index 598ee50a59278f..da0a077946c863 100644
--- a/resource-timing/opaque-origin.html
+++ b/resource-timing/opaque-origin.html
@@ -20,21 +20,21 @@ <h1>Description</h1>
 <iframe id="frameContext"></iframe>
 <script>
 const {ORIGIN} = get_host_info();
-const url = `${ORIGIN}/resource-timing/resources/TAOResponse.py`;
+const url = `${ORIGIN}/common/CustomCorsResponse.py`;
 const frame_content = `data:text/html;utf8,<body>
   <script src="${ORIGIN}/resources/testharness.js"></` + `script>
   <script src="${ORIGIN}/resource-timing/resources/entry-invariants.js">
   </` + `script>
   <script>
-    attribute_test(fetch, "${url}?tao=null",
-      invariants.assert_tao_pass_no_redirect_http,
-      "An opaque origin should be authorized to see resource timings when the" +
-      "TAO header is the string 'null'");
-    attribute_test(fetch, "${url}?tao=Null",
-      invariants.assert_tao_failure_resource,
-      "An opaque origin must not be authorized to see resource timings when " +
-      "the TAO header is the string 'Null'. (The check for 'null' must be " +
-      "case-sensitive)");
+attribute_test(fetch, "${url}?tao=null&headers=${encodeURIComponent('{%22Access-Control-Allow-Origin%22:%22null%22,%22Timing-Allow-Origin%22:%22null%22}')}",
+  invariants.assert_tao_pass_no_redirect_http,
+  "An opaque origin should be authorized to see resource timings when the" +
+  "TAO header is the string 'null'");
+attribute_test(fetch, "${url}?tao=Null&headers=${encodeURIComponent('{%22Access-Control-Allow-Origin%22:%22null%22,%22Timing-Allow-Origin%22:%22Null%22}')}",
+  invariants.assert_tao_failure_resource,
+  "An opaque origin must not be authorized to see resource timings when " +
+  "the TAO header is the string 'Null'. (The check for 'null' must be " +
+  "case-sensitive)");
   </` + `script>
 </body>`;
 
diff --git a/resource-timing/resources/TAOResponse.py b/resource-timing/resources/TAOResponse.py
deleted file mode 100644
index 60392b8e10ada4..00000000000000
--- a/resource-timing/resources/TAOResponse.py
+++ /dev/null
@@ -1,64 +0,0 @@
-import os
-
-def main(request, response):
-    if b'origin' in request.headers:
-      origin = request.headers[b'origin']
-      response.headers.set(b'Access-Control-Allow-Origin', origin)
-
-    tao = request.GET.first(b'tao')
-    img = request.GET.first(b'img') if b'img' in request.GET else None
-
-    if tao == b'zero':
-    # zero TAO value, fail
-        pass
-    elif tao == b'wildcard':
-    # wildcard, pass
-        response.headers.set(b'Timing-Allow-Origin', b'*')
-    elif tao == b'null':
-    # null, fail unless it's an opaque origin
-        response.headers.set(b'Timing-Allow-Origin', b'null')
-    elif tao == b'Null':
-    # case-insensitive null, fail
-        response.headers.set(b'Timing-Allow-Origin', b'Null')
-    elif tao == b'origin':
-    # case-sensitive match for origin, pass
-        response.headers.set(b'Timing-Allow-Origin', origin)
-    elif tao.startswith(b'origin_port'):
-    # case-sensitive match for origin and port, pass
-        origin_parts = origin.split(b':')
-        host = origin_parts[0] + b':' + origin_parts[1]
-        port = tao.split(b'origin_port_')[1]
-        response.headers.set(b'Timing-Allow-Origin', host + b':' + port)
-    elif tao == b'space':
-    # space separated list of origin and wildcard, fail
-        response.headers.set(b'Timing-Allow-Origin', (origin + b' *'))
-    elif tao == b'multi':
-    # more than one TAO values, separated by comma, pass
-        response.headers.set(b'Timing-Allow-Origin', origin)
-        response.headers.append(b'Timing-Allow-Origin', b'*')
-    elif tao == b'multi_wildcard':
-    # multiple wildcards, separated by comma, pass
-        response.headers.set(b'Timing-Allow-Origin', b'*')
-        response.headers.append(b'Timing-Allow-Origin', b'*')
-    elif tao == b'match_origin':
-    # contains a match of origin, separated by comma, pass
-        response.headers.set(b'Timing-Allow-Origin', origin)
-        response.headers.append(b'Timing-Allow-Origin', b"fake")
-    elif tao == b'match_wildcard':
-    # contains a wildcard, separated by comma, pass
-        response.headers.set(b'Timing-Allow-Origin', b"fake")
-        response.headers.append(b'Timing-Allow-Origin', b'*')
-    elif tao == b'uppercase':
-    # non-case-sensitive match for origin, fail
-        response.headers.set(b'Timing-Allow-Origin', origin.upper())
-    else:
-        pass
-    response.status = 200
-    if img:
-      response.headers.set(b"Content-Type", b"image/png")
-      with open(request.doc_root + "/resource-timing/resources/blue.png", "rb") as f:
-        response.content = f.read()
-        f.close()
-    else:
-      response.headers.set(b"Content-Type", b"text/plain")
-      response.content = "TEST"
diff --git a/resource-timing/resources/iframe-TAO-crossorigin-port.sub.html b/resource-timing/resources/iframe-TAO-crossorigin-port.sub.html
index 97d77fcc58a3bb..560cc2129279d9 100644
--- a/resource-timing/resources/iframe-TAO-crossorigin-port.sub.html
+++ b/resource-timing/resources/iframe-TAO-crossorigin-port.sub.html
@@ -1,31 +1,33 @@
 <!DOCTYPE html>
 <html>
-<body>
-<script>
-    const url = '{{location[scheme]}}://{{host}}:{{ports[http][1]}}/resource-timing/resources/TAOResponse.py?tao=origin_port_{{ports[http][1]}}';
-    const observe = (list, observer) => {
+  <body>
+    <script>
+      var origin = window.location.origin;
+      const url =
+        "{{location[scheme]}}://{{host}}:{{ports[http][1]}}/common/CustomCorsResponse.py?tao=origin_port_{{ports[http][1]}}&headers="+encodeURIComponent('{"Timing-Allow-Origin": "' + origin + '"}') ;
+      const observe = (list, observer) => {
         const entry = list.getEntries()[0];
         const sum = entry.redirectStart +
-                  entry.redirectEnd +
-                  entry.domainLookupStart +
-                  entry.domainLookupEnd +
-                  entry.connectStart +
-                  entry.connectEnd +
-                  entry.secureConnectionStart +
-                  entry.requestStart +
-                  entry.responseStart +
-                  entry.transferSize +
-                  entry.encodedBodySize +
-                  entry.decodedBodySize;
+          entry.redirectEnd +
+          entry.domainLookupStart +
+          entry.domainLookupEnd +
+          entry.connectStart +
+          entry.connectEnd +
+          entry.secureConnectionStart +
+          entry.requestStart +
+          entry.responseStart +
+          entry.transferSize +
+          entry.encodedBodySize +
+          entry.decodedBodySize;
 
         const result = sum == 0 ? 'PASS' : 'FAIL';
         window.top.postMessage(result, '*');
     }
-    let observer = new PerformanceObserver(observe);
-    observer.observe({ entryTypes: ["resource"] });
+      let observer = new PerformanceObserver(observe);
+      observer.observe({ entryTypes: ["resource"] });
     fetch(url).then(r => r.text());
-</script>
-</body>
+    </script>
+  </body>
 </html>
 
 
diff --git a/resource-timing/resources/iframe_TAO_match_origin.html b/resource-timing/resources/iframe_TAO_match_origin.html
index cf68aade7954e6..a411cf2bfd1518 100644
--- a/resource-timing/resources/iframe_TAO_match_origin.html
+++ b/resource-timing/resources/iframe_TAO_match_origin.html
@@ -8,7 +8,8 @@
   var dirName = dirname(location.href);
   var client = new XMLHttpRequest,
   // create a cross-origin request
-    url = dirName.replace('://', '://www.') + 'TAOResponse.py?tao=match_origin';
+    var origin = window.location.origin;
+    url = dirName.replace('://', '://www.') + `/common/CustomCorsResponse.py?tao=match_origin&headers=${encodeURIComponent('{"Timing-Allow-Origin": "' + origin + '"}')}`;
     client.open("GET", url, false);
     client.send(null);
 }
diff --git a/resource-timing/sizes-redirect-img.html b/resource-timing/sizes-redirect-img.html
index e440029782b5d5..21ec0b9010fada 100644
--- a/resource-timing/sizes-redirect-img.html
+++ b/resource-timing/sizes-redirect-img.html
@@ -10,9 +10,9 @@
 // don't, so this test covers extra code paths beyond those covered by
 // resource-timing-sizes-redirect.html.
 
-const baseUrl = new URL('/resource-timing/resources/TAOResponse.py?tao=wildcard&img=true', location.href).href;
+const baseUrl = new URL(`/common/CustomCorsResponse.py?img=true&headers=${encodeURIComponent('{"Timing-Allow-Origin":"*","Access-Control-Allow-Origin":"*"}')}`, location.href).href;
 
-const expectedSize = 1010;
+const expectedSize = 35;
 
 const hostInfo = get_host_info();
 
diff --git a/resource-timing/sizes-redirect.any.js b/resource-timing/sizes-redirect.any.js
index e483a4d409c6c2..ffd5b2ff68b906 100644
--- a/resource-timing/sizes-redirect.any.js
+++ b/resource-timing/sizes-redirect.any.js
@@ -3,8 +3,13 @@
 // META: script=/resource-timing/resources/sizes-helper.js
 
 const baseUrl =
-  new URL('/resource-timing/resources/TAOResponse.py?tao=wildcard', location.href).href;
-const expectedSize = 4;
+    new URL(
+        `/common/CustomCorsResponse.py?tao=wildcard&headers=${
+            encodeURIComponent(
+                '{"Timing-Allow-Origin":"*","Access-Control-Allow-Origin":"*"}')}`,
+        location.href)
+        .href;
+const expectedSize = 35;
 
 const hostInfo = get_host_info();
 performance.clearResourceTimings();
@@ -18,20 +23,21 @@ const accumulateEntry = () => {
   });
 };
 
-const checkResourceSizes = () => {
-  const entries = performance.getEntriesByType('resource');
-  for (let entry of entries) {
-    checkSizeFields(entry, expectedSize, expectedSize + headerSize);
-  }
-}
+const checkResourceSizes =
+    () => {
+      const entries = performance.getEntriesByType('resource');
+      for (let entry of entries) {
+        checkSizeFields(entry, expectedSize, expectedSize + headerSize);
+      }
+    }
 
-const redirectUrl = (redirectSourceOrigin, allowOrigin, targetUrl) => {
-  return redirectSourceOrigin +
-    '/resource-timing/resources/redirect-cors.py?allow_origin=' +
-    encodeURIComponent(allowOrigin) +
-    '&timing_allow_origin=*' +
-    '&location=' + encodeURIComponent(targetUrl);
-}
+const redirectUrl =
+    (redirectSourceOrigin, allowOrigin, targetUrl) => {
+      return redirectSourceOrigin +
+          '/resource-timing/resources/redirect-cors.py?allow_origin=*' +
+          '&timing_allow_origin=*' +
+          '&location=' + encodeURIComponent(targetUrl);
+    }
 
 promise_test(() => {
   // Use a different URL every time so that the cache behaviour does not