Replace TAOResponse.py with CustomCorsResponse.py

common/CustomCorsResponse.py

@@ -20,11 +20,16 @@ def query_parameter_or_default(param, default):
   for k, v in headers.items():
     response.headers.set(k, v)
 
+  img = request.GET.first(b'img') if b'img' in request.GET else None
+  if img:
+    response.headers.set(b"Content-Type", b"image/png")
+    with open(request.doc_root + "/resource-timing/resources/blue.png", "rb") as f:
+      response.content = f.read()
   # Note that, in order to have out-of-the-box support for tests that don't call
   #   setup({'allow_uncaught_exception': true})
   # we return a no-op JS payload. This approach will avoid syntax errors in
   # script resources that would otherwise cause the test harness to fail.
   response.content = json.loads(query_parameter_or_default(b'content',
     b'"/* CustomCorsResponse.py content */"'))
   response.status_code = json.loads(query_parameter_or_default(b'status',
-    b'200'))
+    b'200'))

resource-timing/TAO-port-mismatch-means-crossorigin.html

@@ -18,8 +18,8 @@
 // have a Timing-Allow-Origin header value with the second port so this page's
 // origin should not be a match.
 const port_mismatch_url = `${location.protocol}//${ORIGINAL_HOST}:${PORT2}` +
-                          `/resource-timing/resources/TAOResponse.py?` +
-                          `tao=origin_port_${PORT2}`;
+                          `/common/CustomCorsResponse.py?` +
+                          `headers=${encodeURIComponent('{"Access-Control-Allow-Origin":"*","Timing-Allow-Origin":"${PORT2}"}')}`;
 attribute_test(
   fetch, port_mismatch_url, invariants.assert_tao_failure_resource,
   "A port mismatch must fail the TAO check");
@@ -29,8 +29,8 @@
 // the Timing-Allow-Origin header's value. Therefore, the subresource's timings
 // must be exposed.
 const port_match_url = `${location.protocol}//${ORIGINAL_HOST}:${PORT2}` +
-                       `/resource-timing/resources/TAOResponse.py?` +
-                       `tao=origin_port_${PORT}`;
+                       `/common/CustomCorsResponse.py?` +
+                       `headers=${encodeURIComponent('{"Access-Control-Allow-Origin":"*","Timing-Allow-Origin":"*"}')}`;
 attribute_test(
   fetch, port_match_url, invariants.assert_tao_pass_no_redirect_http,
   "An identical port must pass the TAO check");

resource-timing/cross-origin-iframe.html

@@ -24,7 +24,7 @@
   promise_test(async t => {
     const iframe = document.createElement('iframe');
     t.add_cleanup(() => iframe.remove());
-    iframe.src = `${REMOTE_ORIGIN}/resource-timing/resources/TAOResponse.py?tao=wildcard`;
+    iframe.src = `${REMOTE_ORIGIN}/common/CustomCorsResponse.py?headers=${encodeURIComponent('{"Timing-Allow-Origin": "*"}')}`;
     document.body.appendChild(iframe);
     const entry = await observe_entry(iframe.src);
     invariants.assert_tao_pass_no_redirect_http(entry);

resource-timing/opaque-origin.html

@@ -20,21 +20,21 @@ <h1>Description</h1>
 <iframe id="frameContext"></iframe>
 <script>
 const {ORIGIN} = get_host_info();
-const url = `${ORIGIN}/resource-timing/resources/TAOResponse.py`;
+const url = `${ORIGIN}/common/CustomCorsResponse.py`;
 const frame_content = `data:text/html;utf8,<body>
   <script src="${ORIGIN}/resources/testharness.js"></` + `script>
   <script src="${ORIGIN}/resource-timing/resources/entry-invariants.js">
   </` + `script>
   <script>
-    attribute_test(fetch, "${url}?tao=null",
-      invariants.assert_tao_pass_no_redirect_http,
-      "An opaque origin should be authorized to see resource timings when the" +
-      "TAO header is the string 'null'");
-    attribute_test(fetch, "${url}?tao=Null",
-      invariants.assert_tao_failure_resource,
-      "An opaque origin must not be authorized to see resource timings when " +
-      "the TAO header is the string 'Null'. (The check for 'null' must be " +
-      "case-sensitive)");
+attribute_test(fetch, "${url}?headers=${encodeURIComponent('{%22Access-Control-Allow-Origin%22:%22null%22,%22Timing-Allow-Origin%22:%22null%22}')}",
+  invariants.assert_tao_pass_no_redirect_http,
+  "An opaque origin should be authorized to see resource timings when the" +
+  "TAO header is the string 'null'");
+attribute_test(fetch, "${url}?headers=${encodeURIComponent('{%22Access-Control-Allow-Origin%22:%22null%22,%22Timing-Allow-Origin%22:%22Null%22}')}",
+  invariants.assert_tao_failure_resource,
+  "An opaque origin must not be authorized to see resource timings when " +
+  "the TAO header is the string 'Null'. (The check for 'null' must be " +
+  "case-sensitive)");
   </` + `script>
 </body>`;
 

resource-timing/resources/iframe-TAO-crossorigin-port.sub.html

@@ -1,31 +1,33 @@
 <!DOCTYPE html>
 <html>
-<body>
-<script>
-    const url = '{{location[scheme]}}://{{host}}:{{ports[http][1]}}/resource-timing/resources/TAOResponse.py?tao=origin_port_{{ports[http][1]}}';
-    const observe = (list, observer) => {
+  <body>
+    <script>
+      var origin = window.location.origin;
+      const url =
+        "{{location[scheme]}}://{{host}}:{{ports[http][1]}}/common/CustomCorsResponse.py?headers="+encodeURIComponent('{"Timing-Allow-Origin": "' + origin + '"}') ;
+      const observe = (list, observer) => {
         const entry = list.getEntries()[0];
         const sum = entry.redirectStart +
-                  entry.redirectEnd +
-                  entry.domainLookupStart +
-                  entry.domainLookupEnd +
-                  entry.connectStart +
-                  entry.connectEnd +
-                  entry.secureConnectionStart +
-                  entry.requestStart +
-                  entry.responseStart +
-                  entry.transferSize +
-                  entry.encodedBodySize +
-                  entry.decodedBodySize;
+          entry.redirectEnd +
+          entry.domainLookupStart +
+          entry.domainLookupEnd +
+          entry.connectStart +
+          entry.connectEnd +
+          entry.secureConnectionStart +
+          entry.requestStart +
+          entry.responseStart +
+          entry.transferSize +
+          entry.encodedBodySize +
+          entry.decodedBodySize;
 
         const result = sum == 0 ? 'PASS' : 'FAIL';
         window.top.postMessage(result, '*');
     }
-    let observer = new PerformanceObserver(observe);
-    observer.observe({ entryTypes: ["resource"] });
+      let observer = new PerformanceObserver(observe);
+      observer.observe({ entryTypes: ["resource"] });
     fetch(url).then(r => r.text());
-</script>
-</body>
+    </script>
+  </body>
 </html>
 
 

resource-timing/resources/iframe_TAO_match_origin.html

@@ -8,7 +8,8 @@
   var dirName = dirname(location.href);
   var client = new XMLHttpRequest,
   // create a cross-origin request
-    url = dirName.replace('://', '://www.') + 'TAOResponse.py?tao=match_origin';
+    var origin = window.location.origin;
+    url = dirName.replace('://', '://www.') + `/common/CustomCorsResponse.py?headers=${encodeURIComponent('{"Timing-Allow-Origin": "' + origin + '"}')}`;
     client.open("GET", url, false);
     client.send(null);
 }

resource-timing/sizes-redirect-img.html

@@ -10,9 +10,9 @@
 // don't, so this test covers extra code paths beyond those covered by
 // resource-timing-sizes-redirect.html.
 
-const baseUrl = new URL('/resource-timing/resources/TAOResponse.py?tao=wildcard&img=true', location.href).href;
+const baseUrl = new URL(`/common/CustomCorsResponse.py?img=true&headers=${encodeURIComponent('{"Timing-Allow-Origin":"*","Access-Control-Allow-Origin":"*"}')}`, location.href).href;
 
-const expectedSize = 1010;
+const expectedSize = 35;
 
 const hostInfo = get_host_info();
 

resource-timing/sizes-redirect.any.js

@@ -3,8 +3,13 @@
 // META: script=/resource-timing/resources/sizes-helper.js
 
 const baseUrl =
-  new URL('/resource-timing/resources/TAOResponse.py?tao=wildcard', location.href).href;
-const expectedSize = 4;
+    new URL(
+        `/common/CustomCorsResponse.py?headers=${
+            encodeURIComponent(
+                '{"Timing-Allow-Origin":"*","Access-Control-Allow-Origin":"*"}')}`,
+        location.href)
+        .href;
+const expectedSize = 35;
 
 const hostInfo = get_host_info();
 performance.clearResourceTimings();
@@ -18,20 +23,21 @@ const accumulateEntry = () => {
   });
 };
 
-const checkResourceSizes = () => {
-  const entries = performance.getEntriesByType('resource');
-  for (let entry of entries) {
-    checkSizeFields(entry, expectedSize, expectedSize + headerSize);
-  }
-}
+const checkResourceSizes =
+    () => {
+      const entries = performance.getEntriesByType('resource');
+      for (let entry of entries) {
+        checkSizeFields(entry, expectedSize, expectedSize + headerSize);
+      }
+    }
 
-const redirectUrl = (redirectSourceOrigin, allowOrigin, targetUrl) => {
-  return redirectSourceOrigin +
-    '/resource-timing/resources/redirect-cors.py?allow_origin=' +
-    encodeURIComponent(allowOrigin) +
-    '&timing_allow_origin=*' +
-    '&location=' + encodeURIComponent(targetUrl);
-}
+const redirectUrl =
+    (redirectSourceOrigin, allowOrigin, targetUrl) => {
+      return redirectSourceOrigin +
+          '/resource-timing/resources/redirect-cors.py?allow_origin=*' +
+          '&timing_allow_origin=*' +
+          '&location=' + encodeURIComponent(targetUrl);
+    }
 
 promise_test(() => {
   // Use a different URL every time so that the cache behaviour does not