Update web-platform-tests to revision 10168e9a5d44efbc6e7d416d1d454eb9c9f1396c
This commit is contained in:
parent
c88dc51d03
commit
0e1caebaf4
791 changed files with 23381 additions and 5501 deletions
|
@ -50,7 +50,9 @@
|
|||
{ "name": "Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri present",
|
||||
"csp": "script-src 'unsafe-inline'; report-uri resources/dummy-report.php",
|
||||
"expected": null },
|
||||
// TODO(andypaicu): when `report-to` is implemented, add tests here.
|
||||
{ "name": "Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-to present",
|
||||
"csp": "script-src 'unsafe-inline'; report-to resources/dummy-report.php",
|
||||
"expected": null },
|
||||
];
|
||||
|
||||
tests.forEach(test => {
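Review bot: The TODO on the `// TODO(andypaicu): when report-to is implemented, add tests here.` line now sits directly above a case that already uses `report-to`, so it no longer says what is still missing; reword it to name the pending work, e.g. `// TODO(andypaicu): once report-to is implemented, add cases covering its interaction with Sec-Required-CSP.` The new case passes `report-to resources/dummy-report.php`, which is a path where the directive takes a reporting group name; presumably that is the "wrong value" the test relies on, and a short comment saying so would stop someone "fixing" it later. The `tests` array begins before this hunk and the `tests.forEach` callback continues past it.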
|
||||
|
|
|
@ -2,6 +2,6 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
|||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: reporting-api-doesnt-send-reports-without-violation={{$id:uuid()}}; Path=/content-security-policy/reporting
|
||||
Set-Cookie: reporting-api-doesnt-send-reports-without-violation={{$id:uuid()}}; Path=/content-security-policy/reporting-api
|
||||
Report-To: { "url": "https://{{host}}:{{ports[https][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}}", "group": "csp-group", "max-age": 10886400 }
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'self'; report-to csp-group
|
|
@ -2,6 +2,6 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
|||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: reporting-api-report-only-sends-reports-on-violation={{$id:uuid()}}; Path=/content-security-policy/reporting
|
||||
Set-Cookie: reporting-api-report-only-sends-reports-on-violation={{$id:uuid()}}; Path=/content-security-policy/reporting-api
|
||||
Report-To: { "url": "https://{{host}}:{{ports[https][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}}", "group": "csp-group", "max-age": 10886400 }
|
||||
Content-Security-Policy-Report-Only: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group
|
|
@ -2,6 +2,6 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
|||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: reporting-api-report-to-overrides-report-uri-1={{$id:uuid()}}; Path=/content-security-policy/reporting
|
||||
Set-Cookie: reporting-api-report-to-overrides-report-uri-1={{$id:uuid()}}; Path=/content-security-policy/reporting-api
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-uri "/content-security-policy/support/report.py?op=put&reportID={{$id}}"; report-to csp-group
|
||||
Report-To: { "url": "https://{{host}}:{{ports[https][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id:uuid()}}", "group": "csp-group", "max-age": 10886400 }
|
|
@ -2,6 +2,6 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
|||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: reporting-api-report-to-overrides-report-uri-2={{$id:uuid()}}; Path=/content-security-policy/reporting
|
||||
Set-Cookie: reporting-api-report-to-overrides-report-uri-2={{$id:uuid()}}; Path=/content-security-policy/reporting-api
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group; report-uri "/content-security-policy/support/report.py?op=put&reportID={{$id}}"
|
||||
Report-To: { "url": "https://{{host}}:{{ports[https][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id:uuid()}}", "group": "csp-group", "max-age": 10886400 }
|
|
@ -2,6 +2,6 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
|||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: reporting-api-sends-reports-on-violation={{$id:uuid()}}; Path=/content-security-policy/reporting
|
||||
Set-Cookie: reporting-api-sends-reports-on-violation={{$id:uuid()}}; Path=/content-security-policy/reporting-api
|
||||
Report-To: { "url": "https://{{host}}:{{ports[https][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}}", "group": "csp-group", "max-age": 10886400 }
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group
|
|
@ -0,0 +1,22 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Test that reports using the report-api service are sent when there's a violation</title>
|
||||
<script src='/resources/testharness.js'></script>
|
||||
<script src='/resources/testharnessreport.js'></script>
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
async_test(function(t2) {
|
||||
window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
|
||||
assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.html");
|
||||
assert_equals(e.violatedDirective, "frame-src");
|
||||
t2.done();
|
||||
}));
|
||||
}, "Event is fired");
|
||||
</script>
|
||||
<iframe src="../support/fail.html"></iframe>
|
||||
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-src%20%27none%27'></script>
|
||||
</body>
|
||||
</html>
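Review bot: The `<title>` says "report-api service", which matches neither the header name (`Report-To`) nor the feature name; suggest `<title>Test that reports sent through the Reporting API are delivered when there is a violation</title>`. The `securitypolicyviolation` listener registered on `window` is not tied to the iframe, so any other violation on the page would hit the `blockedURI` assertion first; that is fine for a single-iframe page, but a one-line comment above `window.addEventListener` stating that the iframe is the only expected violation would make the assumption visible.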
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Pragma: no-cache
|
||||
Set-Cookie: reporting-api-works-on-frame-src={{$id:uuid()}}; Path=/content-security-policy/reporting-api
|
||||
Report-To: { "url": "https://{{host}}:{{ports[https][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}}", "group": "csp-group", "max-age": 10886400 }
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; frame-src 'none'; report-to csp-group
|
|
@ -0,0 +1,19 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<title>When multiple report-uri endpoints for multiple policies are specified, each gets a report</title>
|
||||
<!-- CSP headers
|
||||
Content-Security-Policy-Report-Only: img-src http://* https://*; default-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
|
||||
Content-Security-Policy-Report-Only: img-src http://*; default-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
-->
|
||||
</head>
|
||||
<body>
|
||||
<img src="ftp://blah.test" />
|
||||
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20http%3A%2F%2F%2A%20https%3A%2F%2F%2A&testName=1-Violation%20report%20status%20OK'></script>
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20http%3A%2F%2F%2A&reportCookieName=multiple-report-policies-2&testName=2-Violation%20report%20status%20OK'></script>
|
||||
</body>
|
||||
</html>
|
|
@ -0,0 +1,8 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: multiple-report-policies={{$id:uuid()}}; Path=/content-security-policy/reporting/
|
||||
Content-Security-Policy-Report-Only: img-src http://* https://*; default-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
Set-Cookie: multiple-report-policies-2={{$id:uuid()}}; Path=/content-security-policy/reporting/
|
||||
Content-Security-Policy-Report-Only: img-src http://*; default-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,34 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<title>Reporting and enforcing policies can be different</title>
|
||||
<!-- CSP headers
|
||||
Content-Security-Policy: img-src 'none'; style-src *; script-src 'self' 'unsafe-inline'
|
||||
|
||||
Content-Security-Policy-Report-Only: img-src *; style-src 'none'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
-->
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
var img_test = async_test("The image should be blocked");
|
||||
var sheet_test = async_test("The stylesheet should load");
|
||||
<!-- This image should be blocked, but should not generate a report-->
|
||||
var i = document.createElement('img');
|
||||
i.onerror = img_test.step_func_done();
|
||||
i.onload = img_test.unreached_func("Should not have loaded the img");
|
||||
i.src = "../support/fail.png";
|
||||
document.body.appendChild(i);
|
||||
<!-- This font should be loaded but should generate a report-->
|
||||
var s = document.createElement('link');
|
||||
s.onerror = sheet_test.unreached_func("Should have loaded the font");
|
||||
s.onload = sheet_test.step_func_done();
|
||||
s.type = "text/css";
|
||||
s.rel="stylesheet";
|
||||
s.href = "../support/fonts.css";
|
||||
document.body.appendChild(s);
|
||||
</script>
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=style-src%20%27none%27'></script>
|
||||
</body>
|
||||
</html>
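Review bot: The comments on the `<!-- This image should be blocked, but should not generate a report-->` and `<!-- This font should be loaded but should generate a report-->` lines are inside a `<script>` block, where `<!--` is only tolerated by the Annex B HTML-like-comment grammar of classic scripts; it is a syntax error in a module script and breaks as soon as `-->` moves to another line. Use JavaScript comments: `// This image should be blocked, but should not generate a report` and `// This stylesheet should load but should generate a report` — the resource is `fonts.css` loaded through a `<link rel="stylesheet">`, so the "font" wording in the comment and in the `unreached_func("Should have loaded the font")` message reads wrong. The same `<!-- … -->`-inside-script pattern appears in the report-only-in-meta page at the `<!-- Set cookie for checking if the report exists` / `-->` lines and the `<!-- this needs to be done after setting the cookie so we do it here -->` line.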
|
|
@ -0,0 +1,7 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: report-and-enforce={{$id:uuid()}}; Path=/content-security-policy/reporting/
|
||||
Content-Security-Policy: img-src 'none'; style-src *; script-src 'self' 'unsafe-inline'
|
||||
Content-Security-Policy-Report-Only: img-src *; style-src 'none'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,15 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<title>Data-uri images are reported correctly</title>
|
||||
<!-- CSP headers
|
||||
Content-Security-Policy: img-src 'none'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
-->
|
||||
</head>
|
||||
<body>
|
||||
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==">
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27'></script>
|
||||
</body>
|
||||
</html>
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: report-blocked-data-uri={{$id:uuid()}}; Path=/content-security-policy/reporting/
|
||||
Content-Security-Policy: img-src 'none'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,16 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<title>Cross-origin images are reported correctly</title>
|
||||
<!-- CSP headers
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'
|
||||
Content-Security-Policy-Report-Only: img-src 'none'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID=$id
|
||||
-->
|
||||
</head>
|
||||
<body>
|
||||
<img src="http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/pass.png">
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27'></script>
|
||||
</body>
|
||||
</html>
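Review bot: The `<!-- CSP headers … -->` block documents the policy as `report-uri ../support/report.py?op=put&reportID=$id`, but the matching .headers section in this commit uses `{{$id}}`; a bare `$id` is not a wptserve substitution, so the comment misleads anyone copying it into a .headers file. Change the comment line to `Content-Security-Policy-Report-Only: img-src 'none'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}`. The same `reportID=$id` drift appears in the header comments of the report-cross-origin-no-cookies page and the report-original-url page.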
|
|
@ -0,0 +1,7 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: report-blocked-uri-cross-origin={{$id:uuid()}}; Path=/content-security-policy/reporting/
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'
|
||||
Content-Security-Policy-Report-Only: img-src 'none'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,16 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<title>Blocked relative images are reported correctly</title>
|
||||
<!-- CSP headers
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'
|
||||
Content-Security-Policy-Report-Only: img-src 'none'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
-->
|
||||
</head>
|
||||
<body>
|
||||
<img src="../support/pass.png">
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27'></script>
|
||||
</body>
|
||||
</html>
|
|
@ -0,0 +1,7 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: report-blocked-uri={{$id:uuid()}}; Path=/content-security-policy/reporting/
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'
|
||||
Content-Security-Policy-Report-Only: img-src 'none'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,30 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<title>Cookies are not sent on cross origin violation reports</title>
|
||||
<!-- CSP headers
|
||||
Content-Security-Policy: script-src 'unsafe-inline' 'self'; img-src 'none'; report-uri http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID=$id
|
||||
-->
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
var test = async_test("Image should not load");
|
||||
fetch(
|
||||
"/cookies/resources/set-cookie.py?name=cspViolationReportCookie1&path=" + encodeURIComponent("{{domains[www1]}}:{{ports[http][0]}}/"),
|
||||
{mode: 'no-cors', credentials: 'include'})
|
||||
.then(() => {
|
||||
// This image will generate a CSP violation report.
|
||||
const img = new Image();
|
||||
img.onerror = test.step_func_done();
|
||||
img.onload = test.unreached_func("Should not have loaded the image");
|
||||
|
||||
img.src = "../support/fail.png";
|
||||
document.body.appendChild(img);
|
||||
});
|
||||
</script>
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27&noCookies=true'></script>
|
||||
|
||||
</body>
|
||||
</html>
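Review bot: The `fetch("/cookies/resources/set-cookie.py?name=cspViolationReportCookie1&path=" + encodeURIComponent("{{domains[www1]}}:{{ports[http][0]}}/"), …)` call is a same-origin request, so the cookie lands on the document's own origin (with a `path` value that is a host:port rather than a path) and never on the `{{domains[www1]}}` origin that the report-uri points at. As far as the visible code shows, the `noCookies=true` check therefore cannot fail: the report endpoint's origin never had a cookie to send. If the intent is to prove that the cross-origin report request omits the receiving origin's cookies, set the cookie on that origin, e.g. `"http://{{domains[www1]}}:{{ports[http][0]}}/cookies/resources/set-cookie.py?name=cspViolationReportCookie1&path=" + encodeURIComponent("/")` with the same `{mode: 'no-cors', credentials: 'include'}` options, and confirm that set-cookie.py is served on that host.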
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: report-cross-origin-no-cookies={{$id:uuid()}}; Path=/content-security-policy/reporting/
|
||||
Content-Security-Policy: script-src 'unsafe-inline' 'self'; img-src 'none'; report-uri http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,16 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<title>Test multiple violations cause multiple reports</title>
|
||||
<!-- CSP headers
|
||||
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self'; img-src 'none'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
-->
|
||||
</head>
|
||||
<body>
|
||||
<img src="../support/pass.png">
|
||||
<img src="../support/pass2.png">
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27&reportCount=2'></script>
|
||||
</body>
|
||||
</html>
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: report-multiple-violations-01={{$id:uuid()}}; Path=/content-security-policy/reporting/
|
||||
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self'; img-src 'none'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,19 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<title>This tests that multiple violations on a page trigger multiple reports
|
||||
if and only if the violations are distinct.</title>
|
||||
<!-- CSP headers
|
||||
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
-->
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
for (var i = 0; i<5; i++)
|
||||
setTimeout("alert('PASS: setTimeout #" + i + " executed.');", 0);
|
||||
</script>
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27unsafe-inline%27%20%27self%27&reportCount=1'></script>
|
||||
</body>
|
||||
</html>
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: report-multiple-violations-02={{$id:uuid()}}; Path=/content-security-policy/reporting/
|
||||
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,39 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<title>Report-only policy not allowed in meta tag</title>
|
||||
<!-- CSP headers
|
||||
Content-Security-Policy: script-src 'unsafe-inline' 'self'
|
||||
-->
|
||||
<!-- since we try to set the report-uri in the meta tag, we have to set the cookie with the reportID in here instead of in the headers file -->
|
||||
<meta http-equiv="Content-Security-Policy-Report-Only" content="img-src 'none'; report-uri ../support/report.py?op=put&reportID={{$id:uuid()}}">
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
var test = async_test("Image should load");
|
||||
|
||||
<!-- Set cookie for checking if the report exists
|
||||
-->
|
||||
fetch(
|
||||
"support/set-cookie.py?name=report-only-in-meta&value={{$id}}&path=" + encodeURIComponent("/content-security-policy/reporting/"),
|
||||
{mode: 'no-cors', credentials: 'include'})
|
||||
.then(() => {
|
||||
const img = new Image();
|
||||
img.onload = test.step_func_done();
|
||||
img.onerror = test.unreached_func("Should have loaded the image");
|
||||
|
||||
img.src = "../support/pass.png";
|
||||
document.body.appendChild(img);
|
||||
|
||||
<!-- this needs to be done after setting the cookie so we do it here -->
|
||||
const script = document.createElement('script');
|
||||
script.async = true;
|
||||
script.defer = true;
|
||||
script.src = '../support/checkReport.sub.js?reportExists=false'
|
||||
document.body.appendChild(script);
|
||||
});
|
||||
</script>
|
||||
</body>
|
||||
</html>
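Review bot: The `fetch(…).then(() => { … })` chain that sets the `report-only-in-meta` cookie has no rejection handler, so if the set-cookie request fails the `async_test` never completes and the harness reports only a timeout; ending the chain with `.catch(test.unreached_func("setting the report cookie failed"))` turns that into an immediate, named failure. The `script.src = '../support/checkReport.sub.js?reportExists=false'` line is also missing its semicolon. The same unterminated chain shape appears in the report-cross-origin-no-cookies and report-same-origin-with-cookies pages.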
|
|
@ -0,0 +1,5 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Content-Security-Policy: script-src 'unsafe-inline' 'self'
|
|
@ -0,0 +1,51 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<!-- CSP headers
|
||||
Content-Security-Policy: img-src {{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}; script-src 'unsafe-inline' 'self'; report-uri ../support/report.py?op=put&reportID=$id
|
||||
-->
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
function createListener(expectedURL, test) {
|
||||
var listener = test.step_func(e => {
|
||||
if (e.blockedURI == expectedURL) {
|
||||
document.removeEventListener('securitypolicyviolation', listener);
|
||||
test.done();
|
||||
}
|
||||
});
|
||||
document.addEventListener('securitypolicyviolation', listener);
|
||||
}
|
||||
|
||||
async_test(t => {
|
||||
var i = document.createElement('img');
|
||||
createListener("{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png?t=1", t);
|
||||
i.src = "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png?t=1";
|
||||
}, "Direct block, same-origin = full URL in report");
|
||||
|
||||
async_test(t => {
|
||||
var i = document.createElement('img');
|
||||
createListener("{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/fail.png?t=2", t);
|
||||
i.src = "{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/fail.png?t=2";
|
||||
}, "Direct block, cross-origin = full URL in report");
|
||||
|
||||
async_test(t => {
|
||||
var i = document.createElement('img');
|
||||
var url = "{{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/common/redirect.py?location=" + encodeURIComponent("{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png?t=3");
|
||||
createListener("{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png?t=3", t);
|
||||
i.src = url;
|
||||
}, "Block after redirect, same-origin = original URL in report");
|
||||
|
||||
async_test(t => {
|
||||
var i = document.createElement('img');
|
||||
var url = "{{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/common/redirect.py?location=" + encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/fail.png?t=4");
|
||||
createListener("{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}", t);
|
||||
i.src = url;
|
||||
}, "Block after redirect, cross-origin = original URL in report");
|
||||
</script>
|
||||
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src {{location[scheme]}}%3A%2F%2F{{domains[www1]}}%3A{{ports[http][0]}}'></script>
|
||||
</body>
|
||||
</html>
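Review bot: The fourth test's description, `"Block after redirect, cross-origin = original URL in report"`, does not match what it asserts: `createListener("{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}", t)` expects only the origin, presumably because reports strip a post-redirect cross-origin URL down to its origin. Rename it to `"Block after redirect, cross-origin = origin only in report"` so a failure reads correctly. In `createListener` the comparison `if (e.blockedURI == expectedURL)` should be `===`; both sides are strings and strict equality is the intended check. A short comment noting that the `<img>` elements are deliberately never inserted, because assigning `src` alone triggers the fetch and the check, would help readers.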
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: report-original-url={{$id:uuid()}}; Path=/content-security-policy/reporting/
|
||||
Content-Security-Policy: img-src {{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}; script-src 'unsafe-inline' 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,30 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<title>Cookies are sent on same origin violation reports</title>
|
||||
<!-- CSP headers
|
||||
Content-Security-Policy: script-src 'unsafe-inline' 'self'; img-src 'none'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
-->
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
var test = async_test("Image should not load");
|
||||
fetch(
|
||||
"/cookies/resources/set-cookie.py?name=cspViolationReportCookie2&path=" + encodeURIComponent("/"),
|
||||
{mode: 'no-cors', credentials: 'include'})
|
||||
.then(() => {
|
||||
// This image will generate a CSP violation report.
|
||||
const img = new Image();
|
||||
img.onerror = test.step_func_done();
|
||||
img.onload = test.unreached_func("Should not have loaded the image");
|
||||
|
||||
img.src = "../support/fail.png";
|
||||
document.body.appendChild(img);
|
||||
});
|
||||
</script>
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27&cookiePresent=cspViolationReportCookie2'></script>
|
||||
|
||||
</body>
|
||||
</html>
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: report-same-origin-with-cookies={{$id:uuid()}}; Path=/content-security-policy/reporting/
|
||||
Content-Security-Policy: script-src 'unsafe-inline' 'self'; img-src 'none'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,23 @@
|
|||
<!DOCTYPE html>
|
||||
<head>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="/content-security-policy/support/testharness-helper.js"></script>
|
||||
<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
async_test(t => {
|
||||
waitUntilCSPEventForURL(t, "https://evil.com/img.png")
|
||||
.then(t.step_func_done(e => {
|
||||
var u = new URL(e.documentURI);
|
||||
assert_equals(u.hash, "");
|
||||
}));
|
||||
|
||||
window.location.hash = "should-not-appear-in-report";
|
||||
|
||||
var i = document.createElement("img");
|
||||
i.src = "https://evil.com/img.png#boo";
|
||||
}, "Reported document URI does not contain fragments.");
|
||||
</script>
|
||||
</body>
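Review bot: The image source `https://evil.com/img.png#boo` and the expected URL in `waitUntilCSPEventForURL(t, "https://evil.com/img.png")` name a real public domain. With `img-src 'none'` the request should be blocked before any connection is made, but if the policy fails to apply the test sends traffic to a third party instead of simply failing, and the outcome then depends on an external host. Prefer a host the test server controls, e.g. `https://{{domains[www1]}}:{{ports[https][0]}}/content-security-policy/support/fail.png` (this requires serving the page with wptserve substitution), and note in a comment that the image is never appended because assigning `src` is enough to trigger the check.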
|
|
@ -0,0 +1,18 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<title>Violation report is sent if violation occurs.</title>
|
||||
<!-- CSP headers
|
||||
Content-Security-Policy: default-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
-->
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
// This script block will trigger a violation report.
|
||||
alert('FAIL');
|
||||
</script>
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script>
|
||||
</body>
|
||||
</html>
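Review bot: The `<title>` "Violation report is sent if violation occurs." undersells what the page checks: the policy contains only `default-src 'self'`, yet the check expects `reportValue=script-src%20%27self%27`, i.e. that `violated-directive` carries the effective directive rather than the directive as written, which is also what the cookie name `report-uri-effective-directive` suggests. Suggest `<title>violated-directive reports the effective directive (script-src) when only default-src is set.</title>` so a failure is self-describing.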
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: report-uri-effective-directive={{$id:uuid()}}; Path=/content-security-policy/reporting/
|
||||
Content-Security-Policy: default-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,27 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<title>Reporting works in child iframes.</title>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc'">
|
||||
</head>
|
||||
<body>
|
||||
<script nonce="abc">
|
||||
var t1 = async_test("Check that we received a message from the child frame");
|
||||
|
||||
window.onmessage = function(e) {
|
||||
if (e.data == 'cookie set') {
|
||||
var s = document.createElement('script');
|
||||
s.async = true;
|
||||
s.defer = true;
|
||||
s.src = '../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27%20%27nonce-abc%27&reportCookieName=generate-csp-report';
|
||||
document.body.appendChild(s);
|
||||
|
||||
t1.done();
|
||||
}
|
||||
}
|
||||
</script>
|
||||
<iframe src="support/generate-csp-report.html"/>
|
||||
</body>
|
||||
</html>
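Review bot: `<iframe src="support/generate-csp-report.html"/>` is not self-closing in HTML; the `/>` is ignored and the parser treats everything up to end of file as the iframe's raw-text content, so the page works only because the iframe happens to be the last element. Write it as `<iframe src="support/generate-csp-report.html"></iframe>`. The `window.onmessage` handler accepts `'cookie set'` from any source; for a test page that is tolerable, but guarding with `if (e.source === frames[0] && e.data === 'cookie set')` makes the trigger explicit and replaces the loose `==`.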
|
|
@ -0,0 +1,20 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<title>Violation report is sent from inline javascript.</title>
|
||||
<!-- CSP headers
|
||||
Content-Security-Policy: img-src 'none'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
-->
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
// This script block will trigger a violation report.
|
||||
var i = document.createElement('img');
|
||||
i.src = '/security/resources/abe.png';
|
||||
document.body.appendChild(i);
|
||||
</script>
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27'></script>
|
||||
</body>
|
||||
</html>
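Review bot: `i.src = '/security/resources/abe.png';` points at a path that does not appear to exist in web-platform-tests (it looks carried over from a WebKit layout test); the violation still fires because `img-src 'none'` blocks before the fetch, but a reader cannot tell whether the resulting 404 is expected. The sibling pages in this commit use `../support/fail.png` for the same purpose, so `i.src = '../support/fail.png';` keeps the suite consistent. The preceding `// This script block will trigger a violation report.` comment should also say that it is the image load, not the script itself, that violates the policy.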
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: report-uri-from-inline-javascript={{$id:uuid()}}; Path=/content-security-policy/reporting/
|
||||
Content-Security-Policy: img-src 'none'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,15 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<title>Violation report is sent from javascript resource.</title>
|
||||
<!-- CSP headers
|
||||
Content-Security-Policy: img-src 'none'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
-->
|
||||
</head>
|
||||
<body>
|
||||
<script src="../support/inject-image.js"></script>
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27'></script>
|
||||
</body>
|
||||
</html>
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: report-uri-from-javascript={{$id:uuid()}}; Path=/content-security-policy/reporting/
|
||||
Content-Security-Policy: img-src 'none'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,16 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<title>Content-Security-Policy-Report-Only violation report is sent even when resource is blocked by actual policy.</title>
|
||||
<!-- CSP headers
|
||||
Content-Security-Policy-Report-Only: img-src http://*; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
Content-Security-Policy: img-src http://*
|
||||
-->
|
||||
</head>
|
||||
<body>
|
||||
<img src="ftp://blah.test" />
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20http%3A%2F%2F%2A'></script>
|
||||
</body>
|
||||
</html>
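Review bot: This page and the report-uri-multiple page added later in this commit carry the identical `<title>` "Content-Security-Policy-Report-Only violation report is sent even when resource is blocked by actual policy.", although they differ only in the order of the two policy headers, so their results are indistinguishable in a run. Add the distinguishing detail to each, e.g. `<title>Report-Only violation report is sent when the enforced policy also blocks the resource (Report-Only header listed first).</title>` here and the "listed second" wording on the other page.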
|
|
@ -0,0 +1,7 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: report-uri-multiple-reversed={{$id:uuid()}}; Path=/content-security-policy/reporting/
|
||||
Content-Security-Policy-Report-Only: img-src http://*; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
Content-Security-Policy: img-src http://*
|
|
@ -0,0 +1,16 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<title>Content-Security-Policy-Report-Only violation report is sent even when resource is blocked by actual policy.</title>
|
||||
<!-- CSP headers
|
||||
Content-Security-Policy: img-src http://*
|
||||
Content-Security-Policy-Report-Only: img-src http://*; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
-->
|
||||
</head>
|
||||
<body>
|
||||
<img src="ftp://blah.test" />
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20http%3A%2F%2F%2A'></script>
|
||||
</body>
|
||||
</html>
|
|
@ -0,0 +1,7 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: report-uri-multiple={{$id:uuid()}}; Path=/content-security-policy/reporting/
|
||||
Content-Security-Policy: img-src http://*
|
||||
Content-Security-Policy-Report-Only: img-src http://*; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,18 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<title>Relative scheme URIs are accepted as the report-uri.</title>
|
||||
<!-- CSP headers
|
||||
Content-Security-Policy: script-src 'self'; report-uri //{{location[host]}}/content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
-->
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
// This script block will trigger a violation report.
|
||||
alert('FAIL');
|
||||
</script>
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script>
|
||||
</body>
|
||||
</html>
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: report-uri-scheme-relative={{$id:uuid()}}; Path=/content-security-policy/reporting/
|
||||
Content-Security-Policy: script-src 'self'; report-uri //{{location[host]}}/content-security-policy/support/report.py?op=put&reportID={{$id}}
|
|
@ -1,61 +0,0 @@
|
|||
<!DOCTYPE html>
|
||||
<meta charset="utf-8">
|
||||
<title>SecurityPolicyViolationEvent IDL Tests</title>
|
||||
<link rel="author" title="Louay Bassbouss" href="http://www.fokus.fraunhofer.de">
|
||||
<link rel="help" href="http://w3c.github.io/presentation-api/#dfn-controlling-user-agent">
|
||||
|
||||
<script src=/resources/testharness.js></script>
|
||||
<script src=/resources/testharnessreport.js></script>
|
||||
<script src=/resources/WebIDLParser.js></script>
|
||||
<script src=/resources/idlharness.js></script>
|
||||
|
||||
<script id="idl" type="text/plain">
|
||||
[Constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict)]
|
||||
interface SecurityPolicyViolationEvent : Event {
|
||||
readonly attribute DOMString documentURI;
|
||||
readonly attribute DOMString referrer;
|
||||
readonly attribute DOMString blockedURI;
|
||||
readonly attribute DOMString violatedDirective;
|
||||
readonly attribute DOMString effectiveDirective;
|
||||
readonly attribute DOMString originalPolicy;
|
||||
readonly attribute DOMString disposition;
|
||||
readonly attribute DOMString sourceFile;
|
||||
readonly attribute unsigned short statusCode;
|
||||
readonly attribute long lineNumber;
|
||||
readonly attribute long columnNumber;
|
||||
};
|
||||
|
||||
dictionary SecurityPolicyViolationEventInit : EventInit {
|
||||
DOMString documentURI;
|
||||
DOMString referrer;
|
||||
DOMString blockedURI;
|
||||
DOMString violatedDirective;
|
||||
DOMString effectiveDirective;
|
||||
DOMString originalPolicy;
|
||||
DOMString disposition;
|
||||
DOMString sourceFile;
|
||||
unsigned short statusCode;
|
||||
long lineNumber;
|
||||
long columnNumber;
|
||||
};
|
||||
</script>
|
||||
<script>
|
||||
function do_test(dom_idl) {
|
||||
var idl_array = new IdlArray();
|
||||
idl_array.add_untested_idls(dom_idl);
|
||||
var idls = document.getElementById('idl').textContent;
|
||||
idl_array.add_idls(idls);
|
||||
|
||||
window.event_to_test = new SecurityPolicyViolationEvent({});
|
||||
|
||||
idl_array.add_objects({
|
||||
SecurityPolicyViolationEvent: ['event_to_test']
|
||||
});
|
||||
idl_array.test();
|
||||
}
|
||||
|
||||
promise_test(function() {
|
||||
return fetch("/interfaces/dom.idl").then(response => response.text())
|
||||
.then(do_test);
|
||||
}, "Test driver");
|
||||
</script>
|
|
@ -0,0 +1,12 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<body>
|
||||
<script nonce='abc'>
|
||||
top.postMessage('cookie set', '*');
|
||||
</script>
|
||||
<script>
|
||||
// This script block will trigger a violation report.
|
||||
alert('FAIL');
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: generate-csp-report={{$id:uuid()}}; Path=/content-security-policy/reporting/
|
||||
Content-Security-Policy: script-src 'self' 'nonce-abc'; report-uri ../../support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,28 @@
|
|||
import sys
|
||||
import urlparse
|
||||
|
||||
def main(request, response):
|
||||
"""
|
||||
Returns cookie name and path from query params in a Set-Cookie header.
|
||||
|
||||
e.g.
|
||||
|
||||
> GET /cookies/resources/set-cookie.py?name=match-slash&path=%2F HTTP/1.1
|
||||
> Host: localhost:8000
|
||||
> User-Agent: curl/7.43.0
|
||||
> Accept: */*
|
||||
>
|
||||
< HTTP/1.1 200 OK
|
||||
< Content-Type: application/json
|
||||
< Set-Cookie: match-slash=1; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT
|
||||
< Server: BaseHTTP/0.3 Python/2.7.12
|
||||
< Date: Tue, 04 Oct 2016 18:16:06 GMT
|
||||
< Content-Length: 80
|
||||
"""
|
||||
params = urlparse.parse_qs(request.url_parts.query)
|
||||
headers = [
|
||||
("Content-Type", "application/json"),
|
||||
("Set-Cookie", "{name[0]}={value[0]}; Path={path[0]}; Expires=Wed, 09 Jun 2021 10:18:14 GMT".format(**params))
|
||||
]
|
||||
body = "{}"
|
||||
return headers, body
|
|
@ -2,4 +2,3 @@
|
|||
var i = document.createElement('img');
|
||||
i.src = '/content-security-policy/support/fail.png';
|
||||
document.body.appendChild(i);
|
||||
log("TEST COMPLETE");
|