Update web-platform-tests to revision 615bb572c95add74ca4fb9fed4af5269a49cf4ef

tests/wpt/web-platform-tests/content-security-policy/generic/cspro-not-enforced-in-worker.html

@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <!-- This tests that a report only policy is not treated as enforcing when
+         inherited by a worker. This manifests in particular for `unsafe-eval`
+         in this bug crbug.com/777076  -->
+    <script nonce="abc">
+      var t1 = async_test("Check that inline is allowed since the inherited policy is report only");
+      var t2 = async_test("Check that eval is allowed since the inherited policy is report only");
+
+      var w = new Worker("support/eval.js");
+      w.onmessage = function(e) {
+        if (e.data == "unsafe-inline allowed") t1.done();
+        else if (e.data == "unsafe-eval allowed") t2.done();
+      }
+    </script>
+</body>
+</html>

tests/wpt/web-platform-tests/content-security-policy/generic/cspro-not-enforced-in-worker.html.sub.headers

@@ -0,0 +1 @@
+Content-Security-Policy-Report-Only: script-src 'self' 'nonce-abc';

tests/wpt/web-platform-tests/content-security-policy/generic/support/eval.js

@@ -0,0 +1,2 @@
+postMessage('unsafe-inline allowed');
+eval("postMessage('unsafe-eval allowed')");

tests/wpt/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-allows.sub.html

@@ -12,5 +12,5 @@
     assert_equals(e.data.result, 'success');
   });
 </script>
-<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27%3B%20form-action%20%27self%27%3B&action=post_message_to_frame_owner.html&report_id=dummy">
+<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27%3B%20form-action%20%27self%27%3B&action=post_message_to_frame_owner.html&report_id={{uuid()}}">
 </body>

tests/wpt/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-blocks.sub.html

@@ -12,5 +12,5 @@
     assert_equals(e.data.result, 'success');
   });
 </script>
-<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27none%27%3B%20form-action%20%27self%27%3B&action=post_message_to_frame_owner.html&report_id=dummy">
+<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27none%27%3B%20form-action%20%27self%27%3B&action=post_message_to_frame_owner.html&report_id={{uuid()}}">
 </body>

tests/wpt/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.sub.html

@@ -13,5 +13,5 @@
     assert_equals(e.data.violatedDirective, 'form-action');
   });
 </script>
-<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27%3B%20form-action%20%27none%27%3B&action=post_message_to_frame_owner.html&report_id=dummy">
-</body>
+<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27%3B%20form-action%20%27none%27%3B&action=post_message_to_frame_owner.html&report_id={{uuid()}}"">
+</body>

tests/wpt/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.sub.html

@@ -13,5 +13,5 @@
     assert_equals(e.data.violatedDirective, 'form-action');
   });
 </script>
-<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27none%27%3B%20form-action%20%27none%27%3B&action=post_message_to_frame_owner.html&report_id=dummy">
+<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27none%27%3B%20form-action%20%27none%27%3B&action=post_message_to_frame_owner.html&report_id={{uuid()}}">
 </body>

tests/wpt/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html

@@ -0,0 +1,19 @@
+<html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <!-- Content-Security-Policy-Report-Only: script-src 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} -->
+</head>
+<body>
+  <script>
+    var t = async_test("Eval is allowed because the CSP is report-only");
+    try {
+      eval("t.done()");
+    } catch {
+      t.step(function() { assert_true(false, "The eval should have execute succesfully"); })
+    }
+  </script>
+
+  <script async defer src="../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27unsafe-inline%27"></script>
+</body>
+</html>

tests/wpt/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.sub.headers

@@ -0,0 +1,2 @@
+Set-Cookie: eval-allowed-in-report-only-mode-and-sends-report={{$id:uuid()}}; Path=/content-security-policy/script-src
+Content-Security-Policy-Report-Only: script-src 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}

tests/wpt/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode.html

@@ -0,0 +1,17 @@
+<html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <!-- Content-Security-Policy-Report-Only: script-src 'unsafe-inline' -->
+</head>
+<body>
+  <script>
+    var t = async_test("Eval is allowed because the CSP is report-only");
+    try {
+      eval("t.done()");
+    } catch {
+      t.step(function() { assert_true(false, "The eval should have execute succesfully"); })
+    }
+  </script>
+</body>
+</html>

tests/wpt/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode.html.sub.headers

@@ -0,0 +1 @@
+Content-Security-Policy-Report-Only: script-src 'unsafe-inline'

tests/wpt/web-platform-tests/content-security-policy/securitypolicyviolation/constructor-required-fields.html

@@ -0,0 +1,239 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+    // basic tests.
+    test(function() {
+      assert_throws(TypeError(),
+                    function() { new SecurityPolicyViolationEvent(); });
+    }, "SecurityPolicyViolationEvent constructor should throw with no parameters");
+
+    test(function() {
+      assert_not_equals(new SecurityPolicyViolationEvent("securitypolicyviolation", {
+        documentURI: "http://example.com",
+        referrer: "http://example.com",
+        blockedURI: "http://example.com",
+        violatedDirective: "default-src",
+        effectiveDirective: "default-src",
+        originalPolicy: "default-src 'none'",
+        sourceFile: "example.js",
+        sample: "<script>alert('1');</scr" + "ipt>",
+        disposition: "enforce",
+        statusCode: 200,
+        lineNumber: 1,
+        columnNumber: 1,
+      }), undefined);
+    }, "SecurityPolicyViolationEvent constructor works with an init dict");
+
+    // missing required members
+    test(function() {
+      assert_throws(TypeError(),
+        function() { new SecurityPolicyViolationEvent("securitypolicyviolation", {
+          // documentURI: "http://example.com",
+          referrer: "http://example.com",
+          blockedURI: "http://example.com",
+          violatedDirective: "default-src",
+          effectiveDirective: "default-src",
+          originalPolicy: "default-src 'none'",
+          sourceFile: "example.js",
+          sample: "<script>alert('1');</scr" + "ipt>",
+          disposition: "enforce",
+          statusCode: 200,
+          lineNumber: 1,
+          columnNumber: 1,
+      })});
+    }, "SecurityPolicyViolationEvent constructor requires documentURI");
+
+    test(function() {
+      assert_throws(TypeError(),
+        function() { new SecurityPolicyViolationEvent("securitypolicyviolation", {
+          documentURI: "http://example.com",
+          referrer: "http://example.com",
+          blockedURI: "http://example.com",
+          // violatedDirective: "default-src",
+          effectiveDirective: "default-src",
+          originalPolicy: "default-src 'none'",
+          sourceFile: "example.js",
+          sample: "<script>alert('1');</scr" + "ipt>",
+          disposition: "enforce",
+          statusCode: 200,
+          lineNumber: 1,
+          columnNumber: 1,
+      })});
+    }, "SecurityPolicyViolationEvent constructor requires violatedDirective");
+
+    test(function() {
+      assert_throws(TypeError(),
+        function() { new SecurityPolicyViolationEvent("securitypolicyviolation", {
+          documentURI: "http://example.com",
+          referrer: "http://example.com",
+          blockedURI: "http://example.com",
+          violatedDirective: "default-src",
+          // effectiveDirective: "default-src",
+          originalPolicy: "default-src 'none'",
+          sourceFile: "example.js",
+          sample: "<script>alert('1');</scr" + "ipt>",
+          disposition: "enforce",
+          statusCode: 200,
+          lineNumber: 1,
+          columnNumber: 1,
+      })});
+    }, "SecurityPolicyViolationEvent constructor requires effectiveDirective");
+
+    test(function() {
+      assert_throws(TypeError(),
+        function() { new SecurityPolicyViolationEvent("securitypolicyviolation", {
+          documentURI: "http://example.com",
+          referrer: "http://example.com",
+          blockedURI: "http://example.com",
+          violatedDirective: "default-src",
+          effectiveDirective: "default-src",
+          // originalPolicy: "default-src 'none'",
+          sourceFile: "example.js",
+          sample: "<script>alert('1');</scr" + "ipt>",
+          disposition: "enforce",
+          statusCode: 200,
+          lineNumber: 1,
+          columnNumber: 1,
+      })});
+    }, "SecurityPolicyViolationEvent constructor requires originalPolicy");
+
+    test(function() {
+      assert_throws(TypeError(),
+        function() { new SecurityPolicyViolationEvent("securitypolicyviolation", {
+          documentURI: "http://example.com",
+          referrer: "http://example.com",
+          blockedURI: "http://example.com",
+          violatedDirective: "default-src",
+          effectiveDirective: "default-src",
+          originalPolicy: "default-src 'none'",
+          sourceFile: "example.js",
+          sample: "<script>alert('1');</scr" + "ipt>",
+          // disposition: "enforce",
+          statusCode: 200,
+          lineNumber: 1,
+          columnNumber: 1,
+      })});
+    }, "SecurityPolicyViolationEvent constructor requires disposition");
+
+    test(function() {
+      assert_throws(TypeError(),
+        function() { new SecurityPolicyViolationEvent("securitypolicyviolation", {
+          documentURI: "http://example.com",
+          referrer: "http://example.com",
+          blockedURI: "http://example.com",
+          violatedDirective: "default-src",
+          effectiveDirective: "default-src",
+          originalPolicy: "default-src 'none'",
+          sourceFile: "example.js",
+          sample: "<script>alert('1');</scr" + "ipt>",
+          disposition: "enforce",
+          // statusCode: 200,
+          lineNumber: 1,
+          columnNumber: 1,
+      })});
+    }, "SecurityPolicyViolationEvent constructor requires statusCode");
+
+    // missing optional members
+    test(function() {
+      assert_not_equals(new SecurityPolicyViolationEvent("securitypolicyviolation", {
+        documentURI: "http://example.com",
+        // referrer: "http://example.com",
+        blockedURI: "http://example.com",
+        violatedDirective: "default-src",
+        effectiveDirective: "default-src",
+        originalPolicy: "default-src 'none'",
+        sourceFile: "example.js",
+        sample: "<script>alert('1');</scr" + "ipt>",
+        disposition: "enforce",
+        statusCode: 200,
+        lineNumber: 1,
+        columnNumber: 1,
+      }), undefined);
+    }, "SecurityPolicyViolationEvent constructor does not require referrer");
+
+    test(function() {
+      assert_not_equals(new SecurityPolicyViolationEvent("securitypolicyviolation", {
+        documentURI: "http://example.com",
+        referrer: "http://example.com",
+        // blockedURI: "http://example.com",
+        violatedDirective: "default-src",
+        effectiveDirective: "default-src",
+        originalPolicy: "default-src 'none'",
+        sourceFile: "example.js",
+        sample: "<script>alert('1');</scr" + "ipt>",
+        disposition: "enforce",
+        statusCode: 200,
+        lineNumber: 1,
+        columnNumber: 1,
+      }), undefined);
+    }, "SecurityPolicyViolationEvent constructor does not require blockedURI");
+
+    test(function() {
+      assert_not_equals(new SecurityPolicyViolationEvent("securitypolicyviolation", {
+        documentURI: "http://example.com",
+        referrer: "http://example.com",
+        blockedURI: "http://example.com",
+        violatedDirective: "default-src",
+        effectiveDirective: "default-src",
+        originalPolicy: "default-src 'none'",
+        // sourceFile: "example.js",
+        sample: "<script>alert('1');</scr" + "ipt>",
+        disposition: "enforce",
+        statusCode: 200,
+        lineNumber: 1,
+        columnNumber: 1,
+      }), undefined);
+    }, "SecurityPolicyViolationEvent constructor does not require sourceFile");
+
+    test(function() {
+      assert_not_equals(new SecurityPolicyViolationEvent("securitypolicyviolation", {
+        documentURI: "http://example.com",
+        referrer: "http://example.com",
+        blockedURI: "http://example.com",
+        violatedDirective: "default-src",
+        effectiveDirective: "default-src",
+        originalPolicy: "default-src 'none'",
+        sourceFile: "example.js",
+        // sample: "<script>alert('1');</scr" + "ipt>",
+        disposition: "enforce",
+        statusCode: 200,
+        lineNumber: 1,
+        columnNumber: 1,
+      }), undefined);
+    }, "SecurityPolicyViolationEvent constructor does not require sample");
+
+    test(function() {
+      assert_not_equals(new SecurityPolicyViolationEvent("securitypolicyviolation", {
+        documentURI: "http://example.com",
+        referrer: "http://example.com",
+        blockedURI: "http://example.com",
+        violatedDirective: "default-src",
+        effectiveDirective: "default-src",
+        originalPolicy: "default-src 'none'",
+        sourceFile: "example.js",
+        sample: "<script>alert('1');</scr" + "ipt>",
+        disposition: "enforce",
+        statusCode: 200,
+        // lineNumber: 1,
+        columnNumber: 1,
+      }), undefined);
+    }, "SecurityPolicyViolationEvent constructor does not require lineNumber");
+
+    test(function() {
+      assert_not_equals(new SecurityPolicyViolationEvent("securitypolicyviolation", {
+        documentURI: "http://example.com",
+        referrer: "http://example.com",
+        blockedURI: "http://example.com",
+        violatedDirective: "default-src",
+        effectiveDirective: "default-src",
+        originalPolicy: "default-src 'none'",
+        sourceFile: "example.js",
+        sample: "<script>alert('1');</scr" + "ipt>",
+        disposition: "enforce",
+        statusCode: 200,
+        lineNumber: 1,
+        // columnNumber: 1,
+      }), undefined);
+    }, "SecurityPolicyViolationEvent constructor does not require columnNumber");
+</script>