mirror of
https://github.com/servo/servo.git
synced 2025-07-16 20:03:39 +01:00
Update web-platform-tests to revision 71a0d51d14d8b0f1b53cda3a7d39ef8765164485
This commit is contained in:
Ms2ger
parent
d504015496
commit
163009575a
290 changed files with 2928 additions and 972 deletions
|
|
@ -1,3 +0,0 @@
|
|||
[canvas_transformations_reset_001.html]
|
||||
type: reftest
|
||||
expected: FAIL
|
||||
File diff suppressed because it is too large
Load diff
|
|
@ -1,8 +1,8 @@
|
|||
[status-basic.htm]
|
||||
type: testharness
|
||||
|
||||
[XMLHttpRequest: status/statusText - various responses 7 (GET 402)]
|
||||
expected: FAIL
|
||||
|
||||
[XMLHttpRequest: status/statusText - various responses 9 (CHICKEN 402)]
|
||||
expected: FAIL
|
||||
|
||||
|
|
|
|||
41
tests/wpt/metadata/encoding/big5-encoder.html.ini
Normal file
41
tests/wpt/metadata/encoding/big5-encoder.html.ini
Normal file
|
|
@ -0,0 +1,41 @@
|
|||
[big5-encoder.html]
|
||||
type: testharness
|
||||
[big5 encoder: very basic]
|
||||
expected: FAIL
|
||||
|
||||
[big5 encoder: Highest-pointer BMP character excluded from encoder]
|
||||
expected: FAIL
|
||||
|
||||
[big5 encoder: Highest-pointer character excluded from encoder]
|
||||
expected: FAIL
|
||||
|
||||
[big5 encoder: Lowest-pointer character included in encoder]
|
||||
expected: FAIL
|
||||
|
||||
[big5 encoder: Euro; the highest-pointer character before a range of 30 unmapped pointers]
|
||||
expected: FAIL
|
||||
|
||||
[big5 encoder: The lowest-pointer character after the range of 30 unmapped pointers]
|
||||
expected: FAIL
|
||||
|
||||
[big5 encoder: The highest-pointer character before a range of 41 unmapped pointers]
|
||||
expected: FAIL
|
||||
|
||||
[big5 encoder: The lowest-pointer character after the range of 41 unmapped pointers]
|
||||
expected: FAIL
|
||||
|
||||
[big5 encoder: The last character in the index]
|
||||
expected: FAIL
|
||||
|
||||
[big5 encoder: The canonical BMP test character that is not in the index]
|
||||
expected: FAIL
|
||||
|
||||
[big5 encoder: The canonical astral test character that is not in the index]
|
||||
expected: FAIL
|
||||
|
||||
[big5 encoder: A Plane 2 character whose low 16 bits match a BMP character that has a lower pointer]
|
||||
expected: FAIL
|
||||
|
||||
[big5 encoder: A duplicate-mapped code point that prefers the highest pointer in the encoder]
|
||||
expected: FAIL
|
||||
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
[document-all.html]
|
||||
type: testharness
|
||||
['unusual behaviors' of document.all]
|
||||
expected: FAIL
|
||||
|
||||
['unusual behaviors' of document.all with assignment]
|
||||
expected: FAIL
|
||||
|
||||
|
|
@ -66,3 +66,6 @@
|
|||
[Selection attributes should not apply to type reset]
|
||||
expected: FAIL
|
||||
|
||||
[Selection attributes should not apply to type email]
|
||||
expected: FAIL
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,8 @@
|
|||
[task_microtask_ordering.html]
|
||||
type: testharness
|
||||
[Basic task and microtask ordering]
|
||||
expected: FAIL
|
||||
|
||||
[Level 1 bossfight (synthetic click)]
|
||||
expected: FAIL
|
||||
|
||||
|
|
@ -1 +1 @@
|
|||
dbf549ea32d23cf96b7f49e3333c068aaf050bc3
|
||||
9e914ca0db2820b365c06deedb8b5325c63c007b
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
<!DOCTYPE html>
|
||||
<meta charset="utf-8">
|
||||
<link rel="match" href="canvas_transformations_reset_001-ref.htm">
|
||||
<link rel="match" href="canvas_transformations_reset_001-ref.html">
|
||||
<style>
|
||||
html, body {
|
||||
margin: 0;
|
||||
|
|
|
|||
|
|
@ -1,65 +0,0 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title> Calling stopPropagation() prior to dispatchEvent() </title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
</head>
|
||||
<body>
|
||||
<div id=log></div>
|
||||
|
||||
<table id="table" border="1" style="display: none">
|
||||
<tbody id="table-body">
|
||||
<tr id="table-row">
|
||||
<td id="table-cell">Shady Grove</td>
|
||||
<td>Aeolian</td>
|
||||
</tr>
|
||||
<tr id="parent">
|
||||
<td id="target">Over the river, Charlie</td>
|
||||
<td>Dorian</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<script>
|
||||
var EVENT = "foo";
|
||||
var TARGET = document.getElementById("target");
|
||||
var PARENT = document.getElementById("parent");
|
||||
var TBODY = document.getElementById("table-body");
|
||||
var TABLE = document.getElementById("table");
|
||||
var BODY = document.body;
|
||||
var HTML = document.documentElement;
|
||||
var CurrentTargets = [window, document, HTML, BODY, TABLE, TBODY, PARENT, TARGET];
|
||||
var ExpectResult = [];
|
||||
var ActualResult = [];
|
||||
var ExpectPhases = [];
|
||||
var ActualPhases = [];
|
||||
|
||||
var description = "Test Description: " +
|
||||
"If Event.stopPropagation() has been called prior to the dispatch, all phases must be skipped.";
|
||||
test(function()
|
||||
{
|
||||
for (var i=0; i < CurrentTargets.length; i++)
|
||||
{
|
||||
CurrentTargets[i].addEventListener(EVENT, TestEvent, true);
|
||||
CurrentTargets[i].addEventListener(EVENT, TestEvent, false);
|
||||
}
|
||||
|
||||
var evt = document.createEvent("Event");
|
||||
evt.initEvent(EVENT, true, true);
|
||||
evt.stopPropagation();
|
||||
TARGET.dispatchEvent(evt);
|
||||
|
||||
assert_array_equals(ActualResult, ExpectResult, "ActualResult");
|
||||
assert_array_equals(ActualPhases, ExpectPhases, "ActualPhases");
|
||||
|
||||
}, description);
|
||||
|
||||
function TestEvent(evt)
|
||||
{
|
||||
ActualResult.push(evt.currentTarget);
|
||||
ActualPhases.push(evt.eventPhase);
|
||||
}
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -1,66 +0,0 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title> Calling stopPropagation() prior to dispatchEvent() </title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
</head>
|
||||
<body>
|
||||
<div id=log></div>
|
||||
|
||||
<table id="table" border="1" style="display: none">
|
||||
<tbody id="table-body">
|
||||
<tr id="table-row">
|
||||
<td id="table-cell">Shady Grove</td>
|
||||
<td>Aeolian</td>
|
||||
</tr>
|
||||
<tr id="parent">
|
||||
<td id="target">Over the river, Charlie</td>
|
||||
<td>Dorian</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<script>
|
||||
|
||||
var EVENT = "foo";
|
||||
var TARGET = document.getElementById("target");
|
||||
var PARENT = document.getElementById("parent");
|
||||
var TBODY = document.getElementById("table-body");
|
||||
var TABLE = document.getElementById("table");
|
||||
var BODY = document.body;
|
||||
var HTML = document.documentElement;
|
||||
var CurrentTargets = [window, document, HTML, BODY, TABLE, TBODY, PARENT, TARGET];
|
||||
var ExpectResult = [];
|
||||
var ActualResult = [];
|
||||
var ExpectPhases = [];
|
||||
var ActualPhases = [];
|
||||
|
||||
var description = "Test Description: " +
|
||||
"If Event.stopPropagation() has been called prior to the dispatch, all phases must be skipped.";
|
||||
test(function()
|
||||
{
|
||||
for (var i=0; i < CurrentTargets.length; i++)
|
||||
{
|
||||
CurrentTargets[i].addEventListener(EVENT, TestEvent, true);
|
||||
CurrentTargets[i].addEventListener(EVENT, TestEvent, false);
|
||||
}
|
||||
|
||||
var evt = document.createEvent("Event");
|
||||
evt.initEvent(EVENT, true, true);
|
||||
evt.stopPropagation();
|
||||
TARGET.dispatchEvent(evt);
|
||||
|
||||
assert_array_equals(ActualResult, ExpectResult, "ActualResult");
|
||||
assert_array_equals(ActualPhases, ExpectPhases, "ActualPhases");
|
||||
|
||||
}, description);
|
||||
|
||||
function TestEvent(evt)
|
||||
{
|
||||
ActualResult.push(evt.currentTarget);
|
||||
ActualPhases.push(evt.eventPhase);
|
||||
}
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -14,7 +14,13 @@ base-uri http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inli
|
|||
<base href="http://www1.{{host}}:{{ports[http][0]}}/">
|
||||
<script>
|
||||
test(function() {
|
||||
assert_equals(document.baseURI, 'http://www1.{{host}}:{{ports[http][0]}}/');
|
||||
if ('{{ports[http][0]}}' == '80' ||
|
||||
'{{ports[http][0]}}' == '443') {
|
||||
assert_equals(document.baseURI, 'http://www1.{{host}}/');
|
||||
} else {
|
||||
assert_equals(document.baseURI, 'http://www1.{{host}}' + ':{{ports[http][0]}}/');
|
||||
}
|
||||
|
||||
log("TEST COMPLETE")
|
||||
});
|
||||
|
||||
|
|
|
|||
|
|
@ -6,12 +6,15 @@
|
|||
<title>form-action-src-allowed</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
|
||||
<script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
|
||||
<script src="../support/alertAssert.sub.js?alerts=[]"></script>
|
||||
<!-- enforcing policy:
|
||||
form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
<script>
|
||||
window.addEventListener("message", function(event) {
|
||||
log(event.data);
|
||||
}, false);
|
||||
window.addEventListener('load', function() {
|
||||
setTimeout(function() {
|
||||
document.getElementById('submit').click();
|
||||
|
|
@ -23,13 +26,15 @@ form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
|||
</head>
|
||||
|
||||
<body>
|
||||
<form action="../support/pass.png" id="theform" method="post" target="_blank">
|
||||
<iframe name="test_target" id="test_iframe"></iframe>
|
||||
|
||||
<form action="/common/redirect.py?location=/content-security-policy/blink-contrib/resources/postmessage-pass.html" id="theform" method="post" target="test_target">
|
||||
<input type="text" name="fieldname" value="fieldvalue">
|
||||
<input type="submit" id="submit" value="submit">
|
||||
</form>
|
||||
<p>Tests that allowed form actions work correctly. If this test passes, you will see a page indicating a form was POSTed.</p>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
|
||||
</body>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -12,25 +12,29 @@
|
|||
form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
<script>
|
||||
window.addEventListener("message", function(event) {
|
||||
alert_assert(event.data);
|
||||
}, false);
|
||||
window.addEventListener('load', function() {
|
||||
setTimeout(function() {
|
||||
document.getElementById('submit').click();
|
||||
log("TEST COMPLETE");
|
||||
}, 0);
|
||||
});
|
||||
setTimeout(function() {}, 1000);
|
||||
setTimeout(function() {log("TEST COMPLETE");}, 1);
|
||||
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<form action="../content-security-policy/support/fail.png" id="theform" method="post">
|
||||
<iframe name="test_target" id="test_iframe"></iframe>
|
||||
<form action="/common/redirect.py?location=/content-security-policy/blink-contrib/resources/postmessage-fail.html" id="theform" method="post" target="test_target">
|
||||
<input type="text" name="fieldname" value="fieldvalue">
|
||||
<input type="submit" id="submit" value="submit">
|
||||
</form>
|
||||
<p>Tests that blocking form actions works correctly. If this test passes, a CSP violation will be generated, and will not see a page indicating a form was POSTed.</p>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=form-action%20'none'"></script>
|
||||
</body>
|
||||
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -6,12 +6,15 @@
|
|||
<title>form-action-src-default-ignored</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
|
||||
<script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
|
||||
<script src="../support/alertAssert.sub.js?alerts=[]"></script>
|
||||
<!-- enforcing policy:
|
||||
default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
|
||||
default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; frame-src 'self';
|
||||
-->
|
||||
<script>
|
||||
window.addEventListener("message", function(event) {
|
||||
log(event.data);
|
||||
}, false);
|
||||
window.addEventListener('load', function() {
|
||||
setTimeout(function() {
|
||||
document.getElementById('submit').click();
|
||||
|
|
@ -23,11 +26,13 @@ default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-s
|
|||
</head>
|
||||
|
||||
<body>
|
||||
<form action="../support/pass.png" id="theform" method="post" target="_blank">
|
||||
<iframe name="test_target" id="test_iframe"></iframe>
|
||||
|
||||
<form action="/common/redirect.py?location=/content-security-policy/blink-contrib/resources/postmessage-pass.html" id="theform" method="post" target="test_target">
|
||||
<input type="text" name="fieldname" value="fieldvalue">
|
||||
<input type="submit" id="submit" value="submit">
|
||||
</form>
|
||||
<p>Tests that default-src does. If this test passes, you will see a page indicating a form was POSTed or a blocked pop-up warning.</p>
|
||||
<p>Tests that default-src does not cascade to form-action.</p>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
|
||||
</body>
|
||||
|
|
|
|||
|
|
@ -3,4 +3,4 @@ Cache-Control: no-store, no-cache, must-revalidate
|
|||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: form-action-src-default-ignored={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
|
||||
Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; style-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; frame-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
|
|||
|
|
@ -3,15 +3,18 @@
|
|||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<title>form-action-src-get-allowed</title>
|
||||
<title>form-action-src-allowed</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
|
||||
<script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
|
||||
<script src="../support/alertAssert.sub.js?alerts=[]"></script>
|
||||
<!-- enforcing policy:
|
||||
form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
<script>
|
||||
window.addEventListener("message", function(event) {
|
||||
log(event.data);
|
||||
}, false);
|
||||
window.addEventListener('load', function() {
|
||||
setTimeout(function() {
|
||||
document.getElementById('submit').click();
|
||||
|
|
@ -23,13 +26,16 @@ form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
|||
</head>
|
||||
|
||||
<body>
|
||||
<form action="../support/pass.png" id="theform" method="get" target="_blank">
|
||||
<iframe name="test_target" id="test_iframe"></iframe>
|
||||
|
||||
<form action="/common/redirect.py" id="theform" method="get" target="test_target">
|
||||
<input type="text" name="location" value="/content-security-policy/blink-contrib/resources/postmessage-pass.html">
|
||||
<input type="text" name="fieldname" value="fieldvalue">
|
||||
<input type="submit" id="submit" value="submit">
|
||||
</form>
|
||||
<p>Tests that allowed form actions work correctly. If this test passes, you will see a page indicating a form was POSTed or a blocked pop-up warning.</p>
|
||||
<p>Tests that allowed form actions work correctly. If this test passes, you will see a page indicating a form was POSTed.</p>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
|
||||
</body>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
</html>
|
||||
|
|
@ -3,7 +3,7 @@
|
|||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<title>form-action-src-get-blocked</title>
|
||||
<title>form-action-src-allowed</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
|
||||
|
|
@ -12,23 +12,31 @@
|
|||
form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
<script>
|
||||
window.addEventListener("message", function(event) {
|
||||
alert_assert(event.data);
|
||||
}, false);
|
||||
window.addEventListener('load', function() {
|
||||
setTimeout(function() {}, 1000);
|
||||
document.getElementById('submit').click();
|
||||
log("TEST COMPLETE");
|
||||
setTimeout(function() {
|
||||
document.getElementById('submit').click();
|
||||
log("TEST COMPLETE");
|
||||
}, 0);
|
||||
});
|
||||
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<form action="/navigation/resources/form-target.pl" id="theform" method="get">
|
||||
<iframe name="test_target" id="test_iframe"></iframe>
|
||||
|
||||
<form action="/common/redirect.py" id="theform" method="get" target="test_target">
|
||||
<input type="text" name="location" value="/content-security-policy/blink-contrib/resources/postmessage-fail.html">
|
||||
<input type="text" name="fieldname" value="fieldvalue">
|
||||
<input type="submit" id="submit" value="submit">
|
||||
</form>
|
||||
<p>Tests that blocking form actions works correctly. If this test passes, a CSP violation will be generated, and will not see a page indicating a form was POSTed.</p>
|
||||
<p>Tests that allowed form actions work correctly. If this test passes, you will see a page indicating a form was POSTed.</p>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=form-action%20'none'"></script>
|
||||
</body>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=form-action%20'none'
|
||||
"></script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -9,16 +9,15 @@
|
|||
<script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
|
||||
<script src="../support/alertAssert.sub.js?alerts=[]"></script>
|
||||
<!-- enforcing policy:
|
||||
form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
form-action 'none'; script-src 'self' 'nonce-noncynonce'; connect-src 'self';
|
||||
-->
|
||||
<script>
|
||||
<script nonce='noncynonce'>
|
||||
window.addEventListener('load', function() {
|
||||
setTimeout(function() {
|
||||
document.getElementById('submit').click();
|
||||
log("TEST COMPLETE");
|
||||
}, 0);
|
||||
});
|
||||
|
||||
</script>
|
||||
</head>
|
||||
|
||||
|
|
@ -29,7 +28,7 @@ form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
|||
</form>
|
||||
<p>Tests that blocking form actions works correctly. If this test passes, a CSP violation will be generated, and will not see a JavaScript alert.</p>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=form-action%20'none'"></script>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=true"></script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -3,4 +3,4 @@ Cache-Control: no-store, no-cache, must-revalidate
|
|||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: form-action-src-javascript-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
|
||||
Content-Security-Policy: form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
Content-Security-Policy: form-action 'none'; script-src 'self' 'nonce-noncynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
|
|||
|
|
@ -9,9 +9,12 @@
|
|||
<script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
|
||||
<script src="../support/alertAssert.sub.js?alerts=[]"></script>
|
||||
<!-- enforcing policy:
|
||||
form-action 127.0.0.1:8000; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
<script>
|
||||
window.addEventListener("message", function(event) {
|
||||
alert_assert(event.data);
|
||||
}, false);
|
||||
window.addEventListener('load', function() {
|
||||
setTimeout(function() {
|
||||
document.getElementById('submit').click();
|
||||
|
|
@ -24,13 +27,15 @@ form-action 127.0.0.1:8000; script-src 'self' 'unsafe-inline'; connect-src 'self
|
|||
</head>
|
||||
|
||||
<body>
|
||||
<form id="form1" action="/navigation/resources/redirection-response.php?host=localhost:8000&status=302&target=form-target.pl" method="post">
|
||||
<iframe name="test_target" id="test_iframe"></iframe>
|
||||
|
||||
<form id="form1" action="/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/postmessage-fail.html" method="post" target="test_target">
|
||||
<input type="text" name="fieldname" value="fieldvalue">
|
||||
<input type="submit" id="submit" value="submit">
|
||||
</form>
|
||||
<p>Tests that blocking form redirect works correctly. If this test passes, a CSP violation will be generated, and will not see a page indicating a form was POSTed.</p>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=form-action%20127.0.0.1:8000"></script>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=form-action%20'self'"></script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -3,4 +3,4 @@ Cache-Control: no-store, no-cache, must-revalidate
|
|||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: form-action-src-redirect-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
|
||||
Content-Security-Policy: form-action 127.0.0.1:8000; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
Content-Security-Policy: form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
|
|||
|
|
@ -3,4 +3,4 @@ Cache-Control: no-store, no-cache, must-revalidate
|
|||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: scripthash-basic-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
Content-Security-Policy: script-src 'self' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
|
|||
|
|
@ -3,4 +3,4 @@ Cache-Control: no-store, no-cache, must-revalidate
|
|||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: scripthash-ignore-unsafeinline={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo=' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
Content-Security-Policy: script-src 'self' unsafe-inline' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script src="../support/alertAssert.sub.js?alerts=[]"></script>
|
||||
<!-- enforcing policy:
|
||||
script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
script-src 'self' 'unsafe-inline'; connect-src 'self'; child-src 'self';
|
||||
-->
|
||||
</head>
|
||||
|
||||
|
|
|
|||
|
|
@ -3,4 +3,4 @@ Cache-Control: no-store, no-cache, must-revalidate
|
|||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: blob-urls-do-not-match-self={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline' '*'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; child-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
|
|||
|
|
@ -4,20 +4,21 @@
|
|||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
|
||||
<title>combine-multiple-policies</title>
|
||||
<title>combine-header-and-meta-policies</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
|
||||
<script src="../support/alertAssert.sub.js?alerts=[]"></script>
|
||||
<!-- enforcing multiple policies:
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; styls-src 'self'
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'
|
||||
Content-Security-Policy: img-src 'none'
|
||||
-->
|
||||
</head>
|
||||
|
||||
<body>
|
||||
This test checks that we enforce all the supplied policies. This test passe if it doesn't alert fail and if the style doesn't apply.
|
||||
Check that a SecurityPolicyViolationEvent is fired upon blocking an image.
|
||||
<p>Test passes if both style and image are blocked and a report is generated for the
|
||||
style block from the header-supplied policy.</p>
|
||||
|
||||
<script>
|
||||
var img = document.createElement('img');
|
||||
img.src = '../support/fail.png';
|
||||
|
|
@ -2,5 +2,5 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
|||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: combine-multiple-policies={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
Set-Cookie: combine-header-and-meta-policies={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
@ -0,0 +1,60 @@
|
|||
HTTP/1.1 200 OK
|
||||
Content-Type: text/html
|
||||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: combine-multiple-policies=d0140e7d-3800-4842-b66d-370840a4569a; Path=/content-security-policy/blink-contrib
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID=d0140e7d-3800-4842-b66d-370840a4569a
|
||||
Content-Security-Policy: img-src 'none'
|
||||
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
|
||||
<title>combine-multiple-policies</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
|
||||
<script src="../support/alertAssert.sub.js?alerts=[]"></script>
|
||||
<!-- enforcing multiple policies:
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; styls-src 'self'
|
||||
Content-Security-Policy: img-src 'none'
|
||||
-->
|
||||
</head>
|
||||
|
||||
<body>
|
||||
This test checks that we enforce all the supplied policies. This test passe if it doesn't alert fail and if the style doesn't apply.
|
||||
Check that a SecurityPolicyViolationEvent is fired upon blocking an image.
|
||||
<script>
|
||||
var img = document.createElement('img');
|
||||
img.src = '../support/fail.png';
|
||||
img.onerror = function() {
|
||||
log("TEST COMPLETE");
|
||||
};
|
||||
img.onload = function() {
|
||||
log("FAIL");
|
||||
};
|
||||
document.body.appendChild(img);
|
||||
|
||||
</script>
|
||||
<style>
|
||||
body {
|
||||
background-color: blue;
|
||||
}
|
||||
|
||||
</style>
|
||||
<script>
|
||||
var el = document.querySelector('body');
|
||||
test(function() {
|
||||
assert_equals(window.getComputedStyle(el).color, "rgb(0, 0, 0)")
|
||||
});
|
||||
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=style-src%20'self'"></script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
@ -17,7 +17,17 @@ connect-src 'self'; script-src 'self' 'unsafe-inline';
|
|||
<script>
|
||||
try {
|
||||
var es = new EventSource("http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/simple-event-stream");
|
||||
log("Fail");
|
||||
// Firefox doesn't throw an exception and takes some time to close async
|
||||
if (es.readyState == EventSource.CONNECTING) {
|
||||
setTimeout( function() {
|
||||
es.readyState != EventSource.CLOSED ? log("Fail") : log("Pass");
|
||||
}, 2);
|
||||
} else if (es.readyState == EventSource.CLOSED) {
|
||||
log("Pass");
|
||||
} else {
|
||||
log("Fail");
|
||||
}
|
||||
|
||||
} catch (e) {
|
||||
log("Pass");
|
||||
}
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
<title>connect-src-eventsource-redirect-to-blocked</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["PASS EventSource() did not follow the disallowed redirect.","PASS successfullyParsed is true","TEST COMPLETE"]'></script>
|
||||
<script src='../support/logTest.sub.js?logs=["PASS EventSource() did not follow the disallowed redirect.","TEST COMPLETE"]'></script>
|
||||
<script src="../support/alertAssert.sub.js?alerts=[]"></script>
|
||||
<!-- enforcing policy:
|
||||
connect-src 'self'; script-src 'self' 'unsafe-inline';
|
||||
|
|
@ -18,7 +18,7 @@ connect-src 'self'; script-src 'self' 'unsafe-inline';
|
|||
<script>
|
||||
var es;
|
||||
try {
|
||||
es = new EventSource("/common/redirect.py?location= http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/simple-event-stream");
|
||||
es = new EventSource("/common/redirect.py?location= http://www.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/simple-event-stream");
|
||||
} catch (e) {
|
||||
log("FAIL " + "EventSource() should not throw an exception.");
|
||||
}
|
||||
|
|
|
|||
|
|
@ -11,19 +11,24 @@
|
|||
<!-- enforcing policy:
|
||||
connect-src 'self'; script-src 'self' 'unsafe-inline';
|
||||
-->
|
||||
<script></script>
|
||||
<script id="inject_here"></script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<script>
|
||||
var xhr = new XMLHttpRequest;
|
||||
try {
|
||||
xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png", true);
|
||||
xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
|
||||
} catch (e) {
|
||||
log("FAIL " + "XMLHttpRequest.open() should not throw an exception.");
|
||||
}
|
||||
xhr.onload = function() {
|
||||
log("FAIL " + "XMLHttpRequest.send() should fail to follow the disallowed redirect.");
|
||||
//cons/**/ole.log(xhr.responseText);
|
||||
if(xhr.responseText == "FAIL") {
|
||||
log("FAIL " + "XMLHttpRequest.send() should fail to follow the disallowed redirect.");
|
||||
} else {
|
||||
log("PASS " + "XMLHttpRequest.send() did not follow the disallowed redirect.");
|
||||
}
|
||||
log("TEST COMPLETE");
|
||||
};
|
||||
xhr.onerror = function() {
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script src="../support/alertAssert.sub.js?alerts=[]"></script>
|
||||
<!-- enforcing policy:
|
||||
script-src 'self' 'unsafe-inline' 'unsafe-inline' 'self'; connect-src 'self';
|
||||
script-src 'self' 'unsafe-inline' 'self'; connect-src 'self';
|
||||
-->
|
||||
</head>
|
||||
|
||||
|
|
@ -18,31 +18,45 @@ script-src 'self' 'unsafe-inline' 'unsafe-inline' 'self'; connect-src 'self';
|
|||
filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the 'self' or '*' source in CSP directives because they are more akin to 'unsafe-inline' content..
|
||||
</p>
|
||||
<script>
|
||||
function fail() {
|
||||
alert_assert("FAIL!");
|
||||
}
|
||||
window.webkitRequestFileSystem(TEMPORARY, 1024 * 1024 /*1MB*/ , function(fs) {
|
||||
fs.root.getFile('fail.js', {
|
||||
create: true
|
||||
}, function(fileEntry) {
|
||||
fileEntry.createWriter(function(fileWriter) {
|
||||
fileWriter.onwriteend = function(e) {
|
||||
var script = document.createElement('script');
|
||||
script.src = fileEntry.toURL('application/javascript');
|
||||
document.body.appendChild(script);
|
||||
};
|
||||
// Create a new Blob and write it to pass.js.
|
||||
var b = new Blob(['fail();'], {
|
||||
type: 'application/javascript'
|
||||
if(!window.webkitRequestFileSystem) {
|
||||
t_log = async_test();
|
||||
t_log.set_status(t_log.NOTRUN, "No filesystem:// support, cannot run test.");
|
||||
t_log.phase = t_log.phases.HAS_RESULT;
|
||||
t_log.done();
|
||||
} else {
|
||||
function fail() {
|
||||
alert_assert("FAIL!");
|
||||
}
|
||||
window.webkitRequestFileSystem(
|
||||
TEMPORARY, 1024 * 1024 /*1MB*/ , function(fs) {
|
||||
fs.root.getFile('fail.js', {
|
||||
create: true
|
||||
}, function(fileEntry) {
|
||||
fileEntry.createWriter(function(fileWriter) {
|
||||
fileWriter.onwriteend = function(e) {
|
||||
var script = document.createElement('script');
|
||||
script.src = fileEntry.toURL('application/javascript');
|
||||
document.body.appendChild(script);
|
||||
};
|
||||
// Create a new Blob and write it to pass.js.
|
||||
var b = new Blob(['fail();'], {
|
||||
type: 'application/javascript'
|
||||
});
|
||||
fileWriter.write(b);
|
||||
});
|
||||
});
|
||||
fileWriter.write(b);
|
||||
});
|
||||
});
|
||||
});
|
||||
var s = document.createElement('script');
|
||||
s.async = true;
|
||||
s.defer = true;
|
||||
s.src = "../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'self'%20'unsafe-inline'%20'*'"
|
||||
document.lastChild.appendChild(s);
|
||||
}
|
||||
|
||||
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'self'%20'unsafe-inline'%20'*'"></script>
|
||||
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -3,4 +3,4 @@ Cache-Control: no-store, no-cache, must-revalidate
|
|||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: filesystem-urls-do-not-match-self={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline' '*'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
|
|||
|
|
@ -18,31 +18,42 @@ script-src 'self' 'unsafe-inline' 'unsafe-inline' 'self'; connect-src 'self';
|
|||
filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the 'self' or '*' source in CSP directives because they are more akin to 'unsafe-inline' content, but should match filesystem: source.
|
||||
</p>
|
||||
<script>
|
||||
function pass() {
|
||||
log("PASS (1/1)");
|
||||
}
|
||||
window.webkitRequestFileSystem(TEMPORARY, 1024 * 1024 /*1MB*/ , function(fs) {
|
||||
fs.root.getFile('pass.js', {
|
||||
create: true
|
||||
}, function(fileEntry) {
|
||||
fileEntry.createWriter(function(fileWriter) {
|
||||
fileWriter.onwriteend = function(e) {
|
||||
var script = document.createElement('script');
|
||||
script.src = fileEntry.toURL('application/javascript');
|
||||
document.body.appendChild(script);
|
||||
};
|
||||
// Create a new Blob and write it to pass.js.
|
||||
var b = new Blob(['pass();'], {
|
||||
type: 'application/javascript'
|
||||
if(!window.webkitRequestFileSystem) {
|
||||
t_log.set_status(t_log.NOTRUN, "No filesystem:// support, cannot run test.");
|
||||
t_log.phase = t_log.phases.HAS_RESULT;
|
||||
t_log.done();
|
||||
} else {
|
||||
function pass() {
|
||||
log("PASS (1/1)");
|
||||
}
|
||||
window.webkitRequestFileSystem(
|
||||
TEMPORARY, 1024 * 1024 /*1MB*/ , function(fs) {
|
||||
fs.root.getFile('pass.js', {
|
||||
create: true
|
||||
}, function(fileEntry) {
|
||||
fileEntry.createWriter(function(fileWriter) {
|
||||
fileWriter.onwriteend = function(e) {
|
||||
var script = document.createElement('script');
|
||||
script.src = fileEntry.toURL('application/javascript');
|
||||
document.body.appendChild(script);
|
||||
};
|
||||
// Create a new Blob and write it to pass.js.
|
||||
var b = new Blob(['pass();'], {
|
||||
type: 'application/javascript'
|
||||
});
|
||||
fileWriter.write(b);
|
||||
});
|
||||
});
|
||||
fileWriter.write(b);
|
||||
});
|
||||
});
|
||||
});
|
||||
var s = document.createElement('script');
|
||||
s.async = true;
|
||||
s.defer = true;
|
||||
s.src = "../support/checkReport.sub.js?reportExists=false"
|
||||
document.lastChild.appendChild(s);
|
||||
}
|
||||
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -1,4 +1,24 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
These frames should not be blocked by Content-Security-Policy. It's pointle to block about:blank iframes because blocking a frame just results in displaying about:blank anyway!
|
||||
<iframe src="about:blank"></iframe>
|
||||
<object type="text/html" data="about:blank"></object>
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<title>frame-src-about-blank-allowed-by-default</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
|
||||
<!-- enforcing policy:
|
||||
frame-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
<p>These frames should not be blocked by Content-Security-Policy.
|
||||
It's pointless to block about:blank iframes because
|
||||
blocking a frame just results in displaying about:blank anyway!
|
||||
</p>
|
||||
<iframe src="about:blank"></iframe>
|
||||
<object type="text/html" data="about:blank"></object>
|
||||
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
@ -1,3 +1,20 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
This iframe should not be blocked by Content-Security-Policy:
|
||||
<iframe src="about:blank"></iframe>
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<title>frame-src-about-blank-allowed-by-scheme</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
|
||||
<!-- enforcing policy:
|
||||
frame-src about:; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
<p>This frame should not be blocked by Content-Security-Policy.
|
||||
</p>
|
||||
<iframe src="about:blank"></iframe>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
@ -1 +1,63 @@
|
|||
<iframe src="resources/alert-pass.html"></iframe>
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<title>frame-src-allowed</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event."]'></script>
|
||||
<script>
|
||||
window.addEventListener("message", function(event) {
|
||||
alert_assert(event.data);
|
||||
}, false);
|
||||
|
||||
var t_alert = async_test('Expecting alerts: ["PASS"]');
|
||||
var expected_alerts = ["PASS"];
|
||||
|
||||
function alert_assert(msg) {
|
||||
t_alert.step(function() {
|
||||
if (msg.match(/^FAIL/i)) {
|
||||
assert_unreached(msg);
|
||||
t_alert.done();
|
||||
}
|
||||
for (var i = 0; i < expected_alerts.length; i++) {
|
||||
if (expected_alerts[i] == msg) {
|
||||
assert_true(expected_alerts[i] == msg);
|
||||
expected_alerts.splice(i, 1);
|
||||
if (expected_alerts.length == 0) {
|
||||
t_alert.done();
|
||||
}
|
||||
return;
|
||||
}
|
||||
}
|
||||
assert_unreached('unexpected alert: ' + msg);
|
||||
t_log.done();
|
||||
});
|
||||
}
|
||||
|
||||
</script>
|
||||
<!-- enforcing policy:
|
||||
Content-Security-Policy: frame-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
<p>
|
||||
This iframe should be allowed.
|
||||
</p>
|
||||
<script>
|
||||
window.wasPostTestScriptParsed = true;
|
||||
var loads = 0;
|
||||
|
||||
function loadEvent() {
|
||||
loads++;
|
||||
log("PASS " + "IFrame #" + loads + " generated a load event.");
|
||||
}
|
||||
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<iframe src="/content-security-policy/blink-contrib/resources/postmessage-pass.html" onload="loadEvent()"></iframe>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -1 +1,61 @@
|
|||
<iframe src="resources/alert-fail.html"></iframe>
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<title>frame-src-blocked</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event."]'></script>
|
||||
<script>
|
||||
window.addEventListener("message", function(event) {
|
||||
alert_assert(event.data);
|
||||
}, false);
|
||||
|
||||
function alert_assert(msg) {
|
||||
t_alert.step(function() {
|
||||
if (msg.match(/^FAIL/i)) {
|
||||
assert_unreached(msg);
|
||||
t_alert.done();
|
||||
}
|
||||
for (var i = 0; i < expected_alerts.length; i++) {
|
||||
if (expected_alerts[i] == msg) {
|
||||
assert_true(expected_alerts[i] == msg);
|
||||
expected_alerts.splice(i, 1);
|
||||
if (expected_alerts.length == 0) {
|
||||
t_alert.done();
|
||||
}
|
||||
return;
|
||||
}
|
||||
}
|
||||
assert_unreached('unexpected alert: ' + msg);
|
||||
t_log.done();
|
||||
});
|
||||
}
|
||||
|
||||
</script>
|
||||
<!-- enforcing policy:
|
||||
frame-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
<p>
|
||||
IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
|
||||
</p>
|
||||
<script>
|
||||
window.wasPostTestScriptParsed = true;
|
||||
var loads = 0;
|
||||
|
||||
function loadEvent() {
|
||||
loads++;
|
||||
log("PASS " + "IFrame #" + loads + " generated a load event.");
|
||||
}
|
||||
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<iframe src="/content-security-policy/blink-contrib/resources/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=frame-src%20'none'"></script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -32,16 +32,16 @@
|
|||
}
|
||||
}
|
||||
assert_unreached('unexpected alert: ' + msg);
|
||||
t_log.done();
|
||||
t_alert.done();
|
||||
});
|
||||
}
|
||||
|
||||
</script>
|
||||
<!-- enforcing policy:
|
||||
frame-src 'self' http://localhost:8080; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
frame-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
<p>
|
||||
IFrames blocked by CSP should generate a 'load' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
|
||||
IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
|
||||
</p>
|
||||
<script>
|
||||
window.wasPostTestScriptParsed = true;
|
||||
|
|
@ -50,8 +50,6 @@ frame-src 'self' http://localhost:8080; script-src 'self' 'unsafe-inline'; conne
|
|||
function loadEvent() {
|
||||
loads++;
|
||||
log("PASS " + "IFrame #" + loads + " generated a load event.");
|
||||
if (loads == 3)
|
||||
log("TEST COMPLETE");
|
||||
}
|
||||
|
||||
</script>
|
||||
|
|
@ -60,9 +58,9 @@ frame-src 'self' http://localhost:8080; script-src 'self' 'unsafe-inline'; conne
|
|||
<body>
|
||||
<iframe src="resources/postmessage-pass.html" onload="loadEvent()"></iframe>
|
||||
<iframe src="http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/postmessage-pass.html" onload="loadEvent()"></iframe>
|
||||
<iframe src="http://www2.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/postmessage-fail.html" onload="loadEvent()"></iframe>
|
||||
<iframe src="http://www2.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=frame-src%20'self'%20http://localhost:8080"></script>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=frame-src%20'self'http://www1.{{host}}:{{ports[http][0]}}"></script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -1,10 +0,0 @@
|
|||
onconnect = function(event) {
|
||||
var port = event.ports[0];
|
||||
try {
|
||||
var xhr = new XMLHttpRequest;
|
||||
xhr.open("GET", "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/blue.css", true);
|
||||
port.postMessage("xhr allowed");
|
||||
} catch (e) {
|
||||
port.postMessage("xhr blocked");
|
||||
}
|
||||
};
|
||||
|
|
@ -0,0 +1,23 @@
|
|||
onconnect = function (event) {
|
||||
var port = event.ports[0];
|
||||
var xhr = new XMLHttpRequest;
|
||||
xhr.onerror = function () {
|
||||
port.postMessage("xhr blocked");
|
||||
port.postMessage("TEST COMPLETE");
|
||||
};
|
||||
xhr.onload = function () {
|
||||
if (xhr.responseText == "FAIL") {
|
||||
port.postMessage("xhr allowed");
|
||||
} else {
|
||||
port.postMessage("xhr blocked");
|
||||
}
|
||||
port.postMessage("TEST COMPLETE");
|
||||
};
|
||||
try {
|
||||
xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
|
||||
xhr.send();
|
||||
} catch (e) {
|
||||
port.postMessage("xhr blocked");
|
||||
port.postMessage("TEST COMPLETE");
|
||||
}
|
||||
}
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
onconnect = function(event) {
|
||||
var port = event.ports[0];
|
||||
try {
|
||||
var xhr = new XMLHttpRequest;
|
||||
xhr.open("GET", "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/blue.css", true);
|
||||
port.postMessage("xhr allowed");
|
||||
} catch (e) {
|
||||
port.postMessage("xhr blocked");
|
||||
}
|
||||
};
|
||||
|
|
@ -0,0 +1,23 @@
|
|||
onconnect = function (event) {
|
||||
var port = event.ports[0];
|
||||
var xhr = new XMLHttpRequest;
|
||||
xhr.onerror = function () {
|
||||
port.postMessage("xhr blocked");
|
||||
port.postMessage("TEST COMPLETE");
|
||||
};
|
||||
xhr.onload = function () {
|
||||
if (xhr.responseText == "FAIL") {
|
||||
port.postMessage("xhr allowed");
|
||||
} else {
|
||||
port.postMessage("xhr blocked");
|
||||
}
|
||||
port.postMessage("TEST COMPLETE");
|
||||
};
|
||||
try {
|
||||
xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
|
||||
xhr.send();
|
||||
} catch (e) {
|
||||
port.postMessage("xhr blocked");
|
||||
port.postMessage("TEST COMPLETE");
|
||||
}
|
||||
}
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
try {
|
||||
var xhr = new XMLHttpRequest;
|
||||
xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/get.txt", true);
|
||||
postMessage("xhr allowed");
|
||||
} catch (e) {
|
||||
postMessage("xhr blocked");
|
||||
}
|
||||
|
|
@ -0,0 +1,21 @@
|
|||
var xhr = new XMLHttpRequest;
|
||||
xhr.onerror = function () {
|
||||
postMessage("xhr blocked");
|
||||
postMessage("TEST COMPLETE");
|
||||
};
|
||||
xhr.onload = function () {
|
||||
//cons/**/ole.log(xhr.responseText);
|
||||
if (xhr.responseText == "FAIL") {
|
||||
postMessage("xhr allowed");
|
||||
} else {
|
||||
postMessage("xhr blocked");
|
||||
}
|
||||
postMessage("TEST COMPLETE");
|
||||
};
|
||||
try {
|
||||
xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
|
||||
xhr.send();
|
||||
} catch (e) {
|
||||
postMessage("xhr blocked");
|
||||
postMessage("TEST COMPLETE");
|
||||
}
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
try {
|
||||
var xhr = new XMLHttpRequest;
|
||||
xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/get.txt", true);
|
||||
postMessage("xhr allowed");
|
||||
} catch (e) {
|
||||
postMessage("xhr blocked");
|
||||
}
|
||||
|
|
@ -0,0 +1,21 @@
|
|||
var xhr = new XMLHttpRequest;
|
||||
xhr.onerror = function () {
|
||||
postMessage("xhr blocked");
|
||||
postMessage("TEST COMPLETE");
|
||||
};
|
||||
xhr.onload = function () {
|
||||
//cons/**/ole.log(xhr.responseText);
|
||||
if (xhr.responseText == "FAIL") {
|
||||
postMessage("xhr allowed");
|
||||
} else {
|
||||
postMessage("xhr blocked");
|
||||
}
|
||||
postMessage("TEST COMPLETE");
|
||||
};
|
||||
try {
|
||||
xhr.open("GET", "/common/redirect.py?location=http://{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
|
||||
xhr.send();
|
||||
} catch (e) {
|
||||
postMessage("xhr blocked");
|
||||
postMessage("TEST COMPLETE");
|
||||
}
|
||||
|
|
@ -0,0 +1,45 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<title>worker-connect-src-blocked</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["TEST COMPLETE"]'></script>
|
||||
<!-- enforcing policy:
|
||||
connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src 'self';
|
||||
-->
|
||||
|
||||
</head>
|
||||
<p>This test loads a worker, from a guid.
|
||||
The worker should be blocked from loading with a child-src policy of 'self'
|
||||
as the blob: scheme must be specified explicitly.
|
||||
A report should be sent to the report-uri specified
|
||||
with this resource.</p>
|
||||
<body>
|
||||
<script>
|
||||
try {
|
||||
var blob = new Blob([
|
||||
"postMessage('FAIL');" +
|
||||
"postMessage('TEST COMPLETE');"
|
||||
],
|
||||
{type : 'application/javascript'});
|
||||
var url = URL.createObjectURL(blob);
|
||||
var worker = new Worker(url);
|
||||
worker.onmessage = function(event) {
|
||||
alert_assert(event.data);
|
||||
};
|
||||
} catch (e) {
|
||||
alert_assert('TEST COMPLETE');
|
||||
}
|
||||
function timeout() {
|
||||
alert_assert('TEST COMPLETE');
|
||||
}
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=child-src%20'self'"></script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: self-doesnt-match-blob={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
|
||||
Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
@ -7,7 +7,7 @@
|
|||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["xhr allowed"]'></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["xhr allowed","TEST COMPLETE"]'></script>
|
||||
<!-- enforcing policy:
|
||||
connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
|
||||
-->
|
||||
|
|
@ -17,7 +17,7 @@ connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe
|
|||
<body>
|
||||
<script>
|
||||
try {
|
||||
var worker = new SharedWorker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.js');
|
||||
var worker = new SharedWorker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js');
|
||||
worker.port.onmessage = function(event) {
|
||||
alert_assert(event.data);
|
||||
};
|
||||
|
|
|
|||
|
|
@ -7,17 +7,23 @@
|
|||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["xhr blocked"]'></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["xhr blocked","TEST COMPLETE"]'></script>
|
||||
<!-- enforcing policy:
|
||||
connect-src 'self' 'none'; script-src 'self' 'unsafe-inline';
|
||||
connect-src *; script-src 'self' 'unsafe-inline';
|
||||
-->
|
||||
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<p>This test loads a shared worker, delivered with its own
|
||||
policy. The worker should be blocked from making an XHR
|
||||
as that policy specifies a connect-src 'none', though
|
||||
this resource's policy is connect-src *. No report
|
||||
should be sent since the worker's policy doesn't specify
|
||||
a report-uri.</p>
|
||||
<script>
|
||||
try {
|
||||
var worker = new SharedWorker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.js');
|
||||
var worker = new SharedWorker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js');
|
||||
worker.port.onmessage = function(event) {
|
||||
alert_assert(event.data);
|
||||
};
|
||||
|
|
|
|||
|
|
@ -3,4 +3,4 @@ Cache-Control: no-store, no-cache, must-revalidate
|
|||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: shared-worker-connect-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
|
||||
Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
Content-Security-Policy: connect-src *; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,45 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<title>worker-connect-src-blocked</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["TEST COMPLETE"]'></script>
|
||||
<!-- enforcing policy:
|
||||
connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src *;
|
||||
-->
|
||||
|
||||
</head>
|
||||
<p>This test loads a worker, from a guid.
|
||||
The worker should be blocked from loading with a child-src policy of *
|
||||
as the blob: scheme must be specified explicitly.
|
||||
A report should be sent to the report-uri specified
|
||||
with this resource.</p>
|
||||
<body>
|
||||
<script>
|
||||
try {
|
||||
var blob = new Blob([
|
||||
"postMessage('FAIL');" +
|
||||
"postMessage('TEST COMPLETE');"
|
||||
],
|
||||
{type : 'application/javascript'});
|
||||
var url = URL.createObjectURL(blob);
|
||||
var worker = new Worker(url);
|
||||
worker.onmessage = function(event) {
|
||||
alert_assert(event.data);
|
||||
};
|
||||
} catch (e) {
|
||||
alert_assert('TEST COMPLETE');
|
||||
}
|
||||
function timeout() {
|
||||
alert_assert('TEST COMPLETE');
|
||||
}
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=child-src%20'self'"></script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: star-doesnt-match-blob={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
|
||||
Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src *; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
@ -17,7 +17,7 @@ connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe
|
|||
<body>
|
||||
<script>
|
||||
try {
|
||||
var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-make-xhr.js');
|
||||
var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js');
|
||||
worker.onmessage = function(event) {
|
||||
alert_assert(event.data);
|
||||
};
|
||||
|
|
|
|||
|
|
@ -7,17 +7,22 @@
|
|||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["xhr blocked"]'></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["xhr blocked","TEST COMPLETE"]'></script>
|
||||
<!-- enforcing policy:
|
||||
connect-src 'self' 'none'; script-src 'self' 'unsafe-inline';
|
||||
connect-src *; script-src 'self' 'unsafe-inline';
|
||||
-->
|
||||
|
||||
</head>
|
||||
|
||||
<p>This test loads a worker, which is delivered with its own
|
||||
policy. The worker should be blocked from making an XHR
|
||||
as that policy specifies a connect-src 'none', though
|
||||
this resource's policy is connect-src *. No report
|
||||
should be sent since the worker's policy doesn't specify
|
||||
a report-uri.</p>
|
||||
<body>
|
||||
<script>
|
||||
try {
|
||||
var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.js');
|
||||
var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js');
|
||||
worker.onmessage = function(event) {
|
||||
alert_assert(event.data);
|
||||
};
|
||||
|
|
|
|||
|
|
@ -3,4 +3,4 @@ Cache-Control: no-store, no-cache, must-revalidate
|
|||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: worker-connect-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
|
||||
Content-Security-Policy: connect-src 'self' 'none'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
Content-Security-Policy: connect-src *; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
|
|||
|
|
@ -14,6 +14,11 @@ script-src 'self' 'unsafe-inline' 'self'; connect-src 'self';
|
|||
</head>
|
||||
|
||||
<body>
|
||||
<p>This test loads a worker, delivered with its own policy.
|
||||
The eval() call in the worker should be forbidden by that
|
||||
policy. No report should be generated because the worker
|
||||
policy does not set a report-uri (although this parent
|
||||
resource does).</p>
|
||||
<script>
|
||||
try {
|
||||
var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-eval.js');
|
||||
|
|
|
|||
|
|
@ -3,4 +3,4 @@ Cache-Control: no-store, no-cache, must-revalidate
|
|||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: worker-eval-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,65 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<title>worker-connect-src-blocked</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["xhr blocked","TEST COMPLETE"]'></script>
|
||||
<!-- enforcing policy:
|
||||
connect-src 'self'; script-src 'self' 'unsafe-inline' blob:;
|
||||
-->
|
||||
|
||||
</head>
|
||||
<p>This test loads a worker, from a guid.
|
||||
The worker should be blocked from making an XHR
|
||||
to www1 as this resource's policy is connect-src 'self
|
||||
and a guid Worker should inherit is parent's policy.
|
||||
A report should be sent to the report-uri specified
|
||||
with this resource.</p>
|
||||
<body>
|
||||
<script>
|
||||
try {
|
||||
var blob = new Blob([
|
||||
"var xhr = new XMLHttpRequest;" +
|
||||
"xhr.onerror = function () {" +
|
||||
" postMessage('xhr blocked');" +
|
||||
" postMessage('TEST COMPLETE');" +
|
||||
"};" +
|
||||
"xhr.onload = function () {" +
|
||||
" if (xhr.responseText == 'FAIL') {" +
|
||||
" postMessage('xhr allowed');" +
|
||||
" } else {" +
|
||||
" postMessage('xhr blocked');" +
|
||||
" }" +
|
||||
" postMessage('TEST COMPLETE');" +
|
||||
"};" +
|
||||
"try { " +
|
||||
" xhr.open(" +
|
||||
" 'GET'," +
|
||||
" 'http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis'," +
|
||||
" true" +
|
||||
" );" +
|
||||
" xhr.send();" +
|
||||
"} catch (e) {" +
|
||||
" postMessage('xhr blocked');" +
|
||||
" postMessage('TEST COMPLETE');" +
|
||||
"}"],
|
||||
{type : 'application/javascript'});
|
||||
var url = URL.createObjectURL(blob);
|
||||
var worker = new Worker(url);
|
||||
worker.onmessage = function(event) {
|
||||
alert_assert(event.data);
|
||||
};
|
||||
} catch (e) {
|
||||
alert_assert(e);
|
||||
}
|
||||
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=connect-src%20'self'"></script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: worker-from-guid={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
|
||||
Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline' blob:; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
@ -15,6 +15,11 @@ script-src 'self' 'unsafe-inline' 'self' 'unsafe-inline'; connect-src 'self';
|
|||
</head>
|
||||
|
||||
<body>
|
||||
<p>This test loads a worker, delivered with its own policy.
|
||||
The Function constructor should be forbidden by that
|
||||
policy. No report should be generated because the worker
|
||||
policy does not set a report-uri (although this parent
|
||||
resource does).</p>
|
||||
<script>
|
||||
try {
|
||||
var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-function-function.js');
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
|
||||
<!-- enforcing policy:
|
||||
script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
|
||||
script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
|
||||
</head>
|
||||
|
|
|
|||
|
|
@ -0,0 +1,24 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<title>child-src-about-blank-allowed-by-default</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
|
||||
<!-- enforcing policy:
|
||||
child-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
<p>These frames should not be blocked by Content-Security-Policy.
|
||||
It's pointless to block about:blank iframes because
|
||||
blocking a frame just results in displaying about:blank anyway!
|
||||
</p>
|
||||
<iframe src="about:blank"></iframe>
|
||||
<object type="text/html" data="about:blank"></object>
|
||||
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: child-src-about-blank-allowed-by-default={{$id:uuid()}}; Path=/content-security-policy/child-src
|
||||
Content-Security-Policy: child-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<title>child-src-about-blank-allowed-by-scheme</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
|
||||
<!-- enforcing policy:
|
||||
child-src about:; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
<p>This frame should not be blocked by Content-Security-Policy.
|
||||
</p>
|
||||
<iframe src="about:blank"></iframe>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: child-src-about-blank-allowed-by-scheme={{$id:uuid()}}; Path=/content-security-policy/child-src
|
||||
Content-Security-Policy: child-src about:; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
@ -0,0 +1,63 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<title>child-src-allowed</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event."]'></script>
|
||||
<script>
|
||||
window.addEventListener("message", function(event) {
|
||||
alert_assert(event.data);
|
||||
}, false);
|
||||
|
||||
var t_alert = async_test('Expecting alerts: ["PASS"]');
|
||||
var expected_alerts = ["PASS"];
|
||||
|
||||
function alert_assert(msg) {
|
||||
t_alert.step(function() {
|
||||
if (msg.match(/^FAIL/i)) {
|
||||
assert_unreached(msg);
|
||||
t_alert.done();
|
||||
}
|
||||
for (var i = 0; i < expected_alerts.length; i++) {
|
||||
if (expected_alerts[i] == msg) {
|
||||
assert_true(expected_alerts[i] == msg);
|
||||
expected_alerts.splice(i, 1);
|
||||
if (expected_alerts.length == 0) {
|
||||
t_alert.done();
|
||||
}
|
||||
return;
|
||||
}
|
||||
}
|
||||
assert_unreached('unexpected alert: ' + msg);
|
||||
t_alert.done();
|
||||
});
|
||||
}
|
||||
|
||||
</script>
|
||||
<!-- enforcing policy:
|
||||
Content-Security-Policy: child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
<p>
|
||||
This iframe should be allowed.
|
||||
</p>
|
||||
<script>
|
||||
window.wasPostTestScriptParsed = true;
|
||||
var loads = 0;
|
||||
|
||||
function loadEvent() {
|
||||
loads++;
|
||||
log("PASS " + "IFrame #" + loads + " generated a load event.");
|
||||
}
|
||||
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<iframe src="/content-security-policy/blink-contrib/resources/postmessage-pass.html" onload="loadEvent()"></iframe>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: child-src-allowed={{$id:uuid()}}; Path=/content-security-policy/child-src
|
||||
Content-Security-Policy: child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
@ -0,0 +1,61 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<title>child-src-blocked</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event."]'></script>
|
||||
<script>
|
||||
window.addEventListener("message", function(event) {
|
||||
alert_assert(event.data);
|
||||
}, false);
|
||||
|
||||
function alert_assert(msg) {
|
||||
t_log.step(function() {
|
||||
if (msg.match(/^FAIL/i)) {
|
||||
assert_unreached(msg);
|
||||
t_log.done();
|
||||
}
|
||||
for (var i = 0; i < expected_alerts.length; i++) {
|
||||
if (expected_alerts[i] == msg) {
|
||||
assert_true(expected_alerts[i] == msg);
|
||||
expected_alerts.splice(i, 1);
|
||||
if (expected_alerts.length == 0) {
|
||||
t_log.done();
|
||||
}
|
||||
return;
|
||||
}
|
||||
}
|
||||
assert_unreached('unexpected alert: ' + msg);
|
||||
t_log.done();
|
||||
});
|
||||
}
|
||||
|
||||
</script>
|
||||
<!-- enforcing policy:
|
||||
child-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
<p>
|
||||
IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
|
||||
</p>
|
||||
<script>
|
||||
window.wasPostTestScriptParsed = true;
|
||||
var loads = 0;
|
||||
|
||||
function loadEvent() {
|
||||
loads++;
|
||||
log("PASS " + "IFrame #" + loads + " generated a load event.");
|
||||
}
|
||||
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<iframe src="/content-security-policy/blink-contrib/resources/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=child-src%20'none'"></script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: child-src-blocked={{$id:uuid()}}; Path=/content-security-policy/child-src
|
||||
Content-Security-Policy: child-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
@ -0,0 +1,61 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>child-src-blocked</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event."]'></script>
|
||||
<script>
|
||||
window.addEventListener("message", function(event) {
|
||||
alert_assert(event.data);
|
||||
}, false);
|
||||
|
||||
function alert_assert(msg) {
|
||||
t_log.step(function() {
|
||||
if (msg.match(/^FAIL/i)) {
|
||||
assert_unreached(msg);
|
||||
t_log.done();
|
||||
}
|
||||
for (var i = 0; i < expected_alerts.length; i++) {
|
||||
if (expected_alerts[i] == msg) {
|
||||
assert_true(expected_alerts[i] == msg);
|
||||
expected_alerts.splice(i, 1);
|
||||
if (expected_alerts.length == 0) {
|
||||
t_log.done();
|
||||
}
|
||||
return;
|
||||
}
|
||||
}
|
||||
assert_unreached('unexpected alert: ' + msg);
|
||||
t_log.done();
|
||||
});
|
||||
}
|
||||
|
||||
</script>
|
||||
<!-- enforcing policy:
|
||||
frame-src 'none'; child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
<p>
|
||||
A more permissive child-src should not relax restrictions from a less-
|
||||
permissive frame-src. Directives still combine for least privilege, even when
|
||||
one obsoletes another.
|
||||
</p>
|
||||
<script>
|
||||
window.wasPostTestScriptParsed = true;
|
||||
var loads = 0;
|
||||
|
||||
function loadEvent() {
|
||||
loads++;
|
||||
log("PASS " + "IFrame #" + loads + " generated a load event.");
|
||||
}
|
||||
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<iframe src="/content-security-policy/blink-contrib/resources/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=frame-src%20'none'"></script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: child-src-conflicting-frame-src={{$id:uuid()}}; Path=/content-security-policy/child-src
|
||||
Content-Security-Policy: frame-src 'none'; child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
@ -0,0 +1,68 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<title>child-src-cross-origin-load</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event.","PASS IFrame %232 generated a load event.","PASS IFrame %233 generated a load event."]'></script>
|
||||
<script>
|
||||
window.addEventListener("message", function(event) {
|
||||
alert_assert(event.data);
|
||||
}, false);
|
||||
|
||||
var t_alert = async_test('Expecting alerts: ["PASS","PASS"]');
|
||||
var expected_alerts = ["PASS", "PASS"];
|
||||
|
||||
function alert_assert(msg) {
|
||||
t_alert.step(function() {
|
||||
if (msg.match(/^FAIL/i)) {
|
||||
assert_unreached(msg);
|
||||
t_alert.done();
|
||||
}
|
||||
for (var i = 0; i < expected_alerts.length; i++) {
|
||||
if (expected_alerts[i] == msg) {
|
||||
assert_true(expected_alerts[i] == msg);
|
||||
expected_alerts.splice(i, 1);
|
||||
if (expected_alerts.length == 0) {
|
||||
t_alert.done();
|
||||
}
|
||||
return;
|
||||
}
|
||||
}
|
||||
assert_unreached('unexpected alert: ' + msg);
|
||||
t_alert.done();
|
||||
});
|
||||
}
|
||||
|
||||
</script>
|
||||
<!-- enforcing policy:
|
||||
child-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
<p>
|
||||
IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
|
||||
</p>
|
||||
<script>
|
||||
window.wasPostTestScriptParsed = true;
|
||||
var loads = 0;
|
||||
|
||||
function loadEvent() {
|
||||
loads++;
|
||||
log("PASS " + "IFrame #" + loads + " generated a load event.");
|
||||
if (loads == 3)
|
||||
log("TEST COMPLETE");
|
||||
}
|
||||
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<iframe src="/content-security-policy/blink-contrib/resources/postmessage-pass.html" onload="loadEvent()"></iframe>
|
||||
<iframe src="http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/postmessage-pass.html" onload="loadEvent()"></iframe>
|
||||
<iframe src="http://www2.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=child-src%20'self'"></script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: child-src-cross-origin-load={{$id:uuid()}}; Path=/content-security-policy/child-src
|
||||
Content-Security-Policy: child-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
@ -0,0 +1,32 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<title>child-src-worker-allowed</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
|
||||
<!-- enforcing policy:
|
||||
child-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<script>
|
||||
try {
|
||||
var foo = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/post-message.js');
|
||||
foo.onmessage = function(event) {
|
||||
alert_assert("PASS");
|
||||
};
|
||||
} catch (e) {
|
||||
alert_assert(e);
|
||||
}
|
||||
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: child-src-worker-allowed={{$id:uuid()}}; Path=/content-security-policy/child-src
|
||||
Content-Security-Policy: child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<title>child-src-worker-blocked</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
|
||||
<!-- enforcing policy:
|
||||
child-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<script>
|
||||
try {
|
||||
var foo = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/post-message.js');
|
||||
foo.onmessage = function(event) {
|
||||
alert_assert("FAIL");
|
||||
};
|
||||
} catch (e) {
|
||||
alert_assert("PASS");
|
||||
}
|
||||
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
<script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=child-src%20'none'"></script>
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: child-src-worker-blocked={{$id:uuid()}}; Path=/content-security-policy/child-src
|
||||
Content-Security-Policy: child-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>single-frame-self-allowed</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
|
||||
<!-- enforcing policy:
|
||||
connect-src 'self' 'none'; script-src 'self' 'unsafe-inline'; frame-src 'self';
|
||||
-->
|
||||
<script>
|
||||
function onMessage(event) {
|
||||
if(event.data == "start test") {
|
||||
startTest();
|
||||
} else {
|
||||
alert_assert(event.data);
|
||||
}
|
||||
}
|
||||
|
||||
window.addEventListener(
|
||||
"message",
|
||||
onMessage,
|
||||
false);
|
||||
|
||||
function startTest() {
|
||||
window.frames['frame1'].frames['deepframe'].postMessage("hello deep frame", "*");
|
||||
}
|
||||
function done() { alert_assert("PASS"); }
|
||||
setTimeout(done(), 1);
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
<iframe src='http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html?subframe=http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-none.html' name="frame1"></iframe>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -0,0 +1,21 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<body>
|
||||
<p>Reporting Frame...</p>
|
||||
<script>
|
||||
function onMessage(event) {
|
||||
var p = document.createElement(p);
|
||||
p.textContent = event.data;
|
||||
document.body.appendChild(p);
|
||||
window.parent.postMessage(event.data, "*");
|
||||
}
|
||||
|
||||
window.addEventListener(
|
||||
"message",
|
||||
onMessage,
|
||||
false
|
||||
);
|
||||
</script>
|
||||
<iframe src='{{GET[subframe]}}' name="deepframe"></iframe>
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Content-Security-Policy: frame-ancestors 'self'
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<body>
|
||||
<p>Reporting Frame...</p>
|
||||
<script>
|
||||
function onMessage(event) {
|
||||
var p = document.createElement(p);
|
||||
p.textContent = event.data;
|
||||
document.body.appendChild(p);
|
||||
window.parent.postMessage(event.data, "*");
|
||||
}
|
||||
window.addEventListener(
|
||||
"message",
|
||||
onMessage,
|
||||
false
|
||||
);
|
||||
</script>
|
||||
<iframe src='{{GET[subframe]}}' name="deepframe"></iframe>
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Content-Security-Policy: frame-ancestors *
|
||||
|
|
@ -0,0 +1,41 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>multiple-frames-self-allowed</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["hello frame1","hello frame2"]'></script>
|
||||
<!-- enforcing policy:
|
||||
connect-src 'self' 'none'; script-src 'self' 'unsafe-inline'; frame-src 'self';
|
||||
-->
|
||||
<script>
|
||||
var startTestCtr = 0;
|
||||
function onMessage(event) {
|
||||
if(event.data == "start test") {
|
||||
startTestCtr++;
|
||||
if(startTestCtr == 2) {
|
||||
startTest();
|
||||
}
|
||||
} else {
|
||||
alert_assert(event.data);
|
||||
}
|
||||
}
|
||||
|
||||
window.addEventListener(
|
||||
"message",
|
||||
onMessage,
|
||||
false);
|
||||
|
||||
function startTest() {
|
||||
window.frames['frame1'].postMessage("hello frame1", "*");
|
||||
window.frames['frame2'].postMessage("hello frame2", "*");
|
||||
}
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
<iframe src='http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-self.html' name="frame1"></iframe>
|
||||
<iframe src='http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-none-meta.html' name="frame2"></iframe>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>multiple-frames-self-allowed</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["hello frame2"]'></script>
|
||||
<!-- enforcing policy:
|
||||
connect-src 'self' 'none'; script-src 'self' 'unsafe-inline'; frame-src 'self';
|
||||
-->
|
||||
<script>
|
||||
function onMessage(event) {
|
||||
if(event.data == "start test") {
|
||||
startTest();
|
||||
} else {
|
||||
alert_assert(event.data);
|
||||
}
|
||||
}
|
||||
|
||||
window.addEventListener(
|
||||
"message",
|
||||
onMessage,
|
||||
false);
|
||||
|
||||
function startTest() {
|
||||
window.frames['frame1'].postMessage("hello frame1", "*");
|
||||
window.frames['frame2'].postMessage("hello frame2", "*");
|
||||
}
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
<iframe src='http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-none.html' name="frame1"></iframe>
|
||||
<iframe src='http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-self.html' name="frame2"></iframe>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -0,0 +1,39 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>multiple-frames-self-allowed</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["hello frame1","hello frame2"]'></script>
|
||||
<!-- enforcing policy:
|
||||
connect-src 'self' 'none'; script-src 'self' 'unsafe-inline'; frame-src 'self';
|
||||
-->
|
||||
<script>
|
||||
var startTestCtr = 0;
|
||||
function onMessage(event) {
|
||||
if(event.data == "start test") {
|
||||
startTestCtr++;
|
||||
if(startTestCtr == 2) {
|
||||
startTest();
|
||||
}
|
||||
} else {
|
||||
alert_assert(event.data);
|
||||
}
|
||||
}
|
||||
window.addEventListener(
|
||||
"message",
|
||||
onMessage,
|
||||
false);
|
||||
function startTest() {
|
||||
window.frames['frame1'].postMessage("hello frame1", "*");
|
||||
window.frames['frame2'].postMessage("hello frame2", "*");
|
||||
}
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
<iframe src='http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-self.html' name="frame1"></iframe>
|
||||
<iframe src='http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-self.html' name="frame2"></iframe>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -0,0 +1,33 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>single-frame-self-allowed</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["hello deep frame"]'></script>
|
||||
<!-- enforcing policy:
|
||||
connect-src 'self' 'none'; script-src 'self' 'unsafe-inline'; frame-src 'self';
|
||||
-->
|
||||
<script>
|
||||
function onMessage(event) {
|
||||
if(event.data == "start test") {
|
||||
startTest();
|
||||
} else {
|
||||
alert_assert(event.data);
|
||||
}
|
||||
}
|
||||
window.addEventListener(
|
||||
"message",
|
||||
onMessage,
|
||||
false);
|
||||
function startTest() {
|
||||
window.frames['frame1'].frames['deepframe'].postMessage("hello deep frame", "*");
|
||||
}
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
<iframe src='http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html?subframe=http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-self.html' name="frame1"></iframe>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>single-frame-self-allowed</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
|
||||
<!-- enforcing policy:
|
||||
connect-src 'self' 'none'; script-src 'self' 'unsafe-inline'; frame-src 'self';
|
||||
-->
|
||||
<script>
|
||||
function onMessage(event) {
|
||||
if(event.data == "start test") {
|
||||
startTest();
|
||||
} else {
|
||||
alert_assert(event.data);
|
||||
}
|
||||
}
|
||||
window.addEventListener(
|
||||
"message",
|
||||
onMessage,
|
||||
false);
|
||||
function startTest() {
|
||||
window.frames['frame1'].frames['deepframe'].postMessage("hello deep frame", "*");
|
||||
}
|
||||
function done() { alert_assert("PASS"); }
|
||||
setTimeout(done(), 1);
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
<iframe src='http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-star.sub.html?subframe=http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-self.html' name="frame1"></iframe>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>single-frame-self-allowed</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
|
||||
<!-- enforcing policy:
|
||||
connect-src 'self' 'none'; script-src 'self' 'unsafe-inline'; frame-src 'self';
|
||||
-->
|
||||
<script>
|
||||
function onMessage(event) {
|
||||
if(event.data == "start test") {
|
||||
startTest();
|
||||
} else {
|
||||
alert_assert(event.data);
|
||||
}
|
||||
}
|
||||
|
||||
window.addEventListener(
|
||||
"message",
|
||||
onMessage,
|
||||
false);
|
||||
|
||||
function startTest() {
|
||||
window.frames['frame1'].frames['deepframe'].postMessage("hello deep frame", "*");
|
||||
}
|
||||
function done() { alert_assert("PASS"); }
|
||||
setTimeout(done(), 1);
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
<iframe src='http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html?subframe=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-self.html' name="frame1"></iframe>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -0,0 +1,23 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'none'">
|
||||
</head>
|
||||
<body>
|
||||
<p>Reporting Frame...</p>
|
||||
<script>
|
||||
function onMessage(event) {
|
||||
var p = document.createElement(p);
|
||||
p.textContent = event.data;
|
||||
document.body.appendChild(p);
|
||||
window.parent.postMessage(event.data, "*");
|
||||
}
|
||||
window.addEventListener(
|
||||
"message",
|
||||
onMessage,
|
||||
false
|
||||
);
|
||||
window.parent.postMessage("start test", "*");
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<body>
|
||||
<p>Reporting Frame...</p>
|
||||
<script>
|
||||
function onMessage(event) {
|
||||
var p = document.createElement(p);
|
||||
p.textContent = event.data;
|
||||
document.body.appendChild(p);
|
||||
window.parent.postMessage(event.data, "*");
|
||||
}
|
||||
|
||||
window.addEventListener(
|
||||
"message",
|
||||
onMessage,
|
||||
false
|
||||
);
|
||||
|
||||
window.parent.postMessage("start test", "*");
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Content-Security-Policy: frame-ancestors 'none'
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<body>
|
||||
<p>Reporting Frame...</p>
|
||||
<script>
|
||||
function onMessage(event) {
|
||||
var p = document.createElement(p);
|
||||
p.textContent = event.data;
|
||||
document.body.appendChild(p);
|
||||
window.parent.postMessage(event.data, "*");
|
||||
}
|
||||
|
||||
window.addEventListener(
|
||||
"message",
|
||||
onMessage,
|
||||
false
|
||||
);
|
||||
|
||||
window.parent.postMessage("start test", "*");
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Content-Security-Policy: frame-ancestors 'self'
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>single-frame-self-allowed</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["hello frame1"]'></script>
|
||||
<!-- enforcing policy:
|
||||
connect-src 'self' 'none'; script-src 'self' 'unsafe-inline'; frame-src 'self';
|
||||
-->
|
||||
<script>
|
||||
function onMessage(event) {
|
||||
if(event.data == "start test") {
|
||||
startTest();
|
||||
} else {
|
||||
alert_assert(event.data);
|
||||
}
|
||||
}
|
||||
|
||||
window.addEventListener(
|
||||
"message",
|
||||
onMessage,
|
||||
false);
|
||||
|
||||
function startTest() {
|
||||
window.frames['frame1'].postMessage("hello frame1", "*");
|
||||
}
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
<iframe src='http://{{host}}:{{ports[http][0]}}/content-security-policy/frame-ancestors/reporting-frame-allows-self.html' name="frame1"></iframe>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -0,0 +1,33 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta id="meta_csp" http-equiv="Content-Security-Policy" content="img-src 'none'">
|
||||
<title>meta-img-src</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<p>Test passes if the image is blocked.</p>
|
||||
|
||||
<script>
|
||||
function testImgSrc() {
|
||||
var img = document.createElement('img');
|
||||
img.src = '../support/fail.png';
|
||||
img.onerror = function() {
|
||||
log("PASS");
|
||||
};
|
||||
img.onload = function() {
|
||||
log("FAIL");
|
||||
};
|
||||
document.body.appendChild(img);
|
||||
}
|
||||
testImgSrc();
|
||||
log("TEST COMPLETE");
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
Some files were not shown because too many files have changed in this diff Show more
Loading…
Add table
Add a link
Reference in a new issue