Update web-platform-tests to revision 8a2ceb5f18911302b7a5c1cd2791f4ab50ad4326
This commit is contained in:
parent
462c272380
commit
1f531f66ea
5377 changed files with 174916 additions and 84369 deletions
|
@ -1,9 +0,0 @@
|
|||
<link rel="manifest" href="manifest.test/manifest.json">
|
||||
<script>
|
||||
{
|
||||
testRunner.getManifestThen(function() {
|
||||
alert_assert("Pass");
|
||||
});
|
||||
}
|
||||
|
||||
</script>
|
|
@ -1,9 +0,0 @@
|
|||
<link rel="manifest" href="manifest.test/manifest.json">
|
||||
<script>
|
||||
{
|
||||
testRunner.getManifestThen(function() {
|
||||
alert_assert("Pass");
|
||||
});
|
||||
}
|
||||
|
||||
</script>
|
|
@ -1,41 +0,0 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<title>object-src-applet-archive-codebase</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["PASS"]'></script>
|
||||
<script src="../support/alertAssert.sub.js?alerts=[]"></script>
|
||||
<!-- enforcing policy:
|
||||
object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<script>
|
||||
var len = navigator.mimeTypes.length;
|
||||
var allTypes = "";
|
||||
var appletMimeType = "application/x-java-applet";
|
||||
for (var i = 0; i < len; i++) {
|
||||
allTypes += navigator.mimeTypes[i].type + ';';
|
||||
}
|
||||
if (allTypes.indexOf(appletMimeType) == -1) {
|
||||
t_log.set_status(t_log.NOTRUN, "No Java Plugin, cannot run test.");
|
||||
t_log.phase = t_log.phases.HAS_RESULT;
|
||||
t_log.done();
|
||||
} else {
|
||||
var s = document.createElement('script');
|
||||
s.src = "../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=object-src%20'none'";
|
||||
document.body.appendChild(s);
|
||||
}
|
||||
|
||||
</script>
|
||||
This test passes if there is a CSP violation saying the plugin was blocked.
|
||||
<applet code="TestThingie" archive="archive.jar" codebase="/plugins/codebase/" id="appletObject" onload="log('FAIL')" onerror="log('PASS')"></applet>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -1,6 +0,0 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: object-src-applet-archive-codebase={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
|
||||
Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
|
@ -1,41 +0,0 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<title>object-src-applet-archive</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["PASS"]'></script>
|
||||
<script src="../support/alertAssert.sub.js?alerts=[]"></script>
|
||||
<!-- enforcing policy:
|
||||
object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<script>
|
||||
var len = navigator.mimeTypes.length;
|
||||
var allTypes = "";
|
||||
var appletMimeType = "application/x-java-applet";
|
||||
for (var i = 0; i < len; i++) {
|
||||
allTypes += navigator.mimeTypes[i].type + ';';
|
||||
}
|
||||
if (allTypes.indexOf(appletMimeType) == -1) {
|
||||
t_log.set_status(t_log.NOTRUN, "No Java Plugin, cannot run test.");
|
||||
t_log.phase = t_log.phases.HAS_RESULT;
|
||||
t_log.done();
|
||||
} else {
|
||||
var s = document.createElement('script');
|
||||
s.src = "../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=object-src%20'none'";
|
||||
document.body.appendChild(s);
|
||||
}
|
||||
|
||||
</script>
|
||||
This test passes if there is a CSP violation saying the plugin was blocked.
|
||||
<applet code="TestThingie" archive="/plugins/archive.jar" id="appletObject" onload="log('FAIL')" onerror="log('PASS')"></applet>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -1,6 +0,0 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: object-src-applet-archive={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
|
||||
Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
|
@ -1,41 +0,0 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<title>object-src-applet-archive-code-codebase</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["PASS"]'></script>
|
||||
<script src="../support/alertAssert.sub.js?alerts=[]"></script>
|
||||
<!-- enforcing policy:
|
||||
object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<script>
|
||||
var len = navigator.mimeTypes.length;
|
||||
var allTypes = "";
|
||||
var appletMimeType = "application/x-java-applet";
|
||||
for (var i = 0; i < len; i++) {
|
||||
allTypes += navigator.mimeTypes[i].type + ';';
|
||||
}
|
||||
if (allTypes.indexOf(appletMimeType) == -1) {
|
||||
t_log.set_status(t_log.NOTRUN, "No Java Plugin, cannot run test.");
|
||||
t_log.phase = t_log.phases.HAS_RESULT;
|
||||
t_log.done();
|
||||
} else {
|
||||
var s = document.createElement('script');
|
||||
s.src = "../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=object-src%20'none'";
|
||||
document.body.appendChild(s);
|
||||
}
|
||||
|
||||
</script>
|
||||
This test passes if there is a CSP violation saying the plugin was blocked.
|
||||
<applet code="code.class" codebase="/plugins/codebase/"></applet>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -1,6 +0,0 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: object-src-applet-code-codebase={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
|
||||
Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
|
@ -1,41 +0,0 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<title>object-src-applet-code</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["PASS"]'></script>
|
||||
<script src="../support/alertAssert.sub.js?alerts=[]"></script>
|
||||
<!-- enforcing policy:
|
||||
object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<script>
|
||||
var len = navigator.mimeTypes.length;
|
||||
var allTypes = "";
|
||||
var appletMimeType = "application/x-java-applet";
|
||||
for (var i = 0; i < len; i++) {
|
||||
allTypes += navigator.mimeTypes[i].type + ';';
|
||||
}
|
||||
if (allTypes.indexOf(appletMimeType) == -1) {
|
||||
t_log.set_status(t_log.NOTRUN, "No Java Plugin, cannot run test.");
|
||||
t_log.phase = t_log.phases.HAS_RESULT;
|
||||
t_log.done();
|
||||
} else {
|
||||
var s = document.createElement('script');
|
||||
s.src = "../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=object-src%20'none'";
|
||||
document.body.appendChild(s);
|
||||
}
|
||||
|
||||
</script>
|
||||
This test passes if there is a CSP violation saying the plugin was blocked.
|
||||
<applet code="/plugins/code.class"></applet>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -1,6 +0,0 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: object-src-applet-code={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
|
||||
Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
|
|
@ -1,8 +1,3 @@
|
|||
if (window.testRunner) {
|
||||
testRunner.dumpAsText();
|
||||
testRunner.waitUntilDone();
|
||||
}
|
||||
|
||||
window.onload = function() {
|
||||
var test = window.location.pathname.replace(/^.+\//, '');
|
||||
var match = window.location.search.match(/^\?test=([^&]+)/);
|
||||
|
|
|
@ -13,4 +13,15 @@
|
|||
|
||||
assert_true(navigator.sendBeacon("http://{{domains[www]}}:{{ports[http][0]}}/common/text-plain.txt"));
|
||||
}, "sendBeacon should not throw.");
|
||||
|
||||
async_test(t => {
|
||||
document.addEventListener("securitypolicyviolation", t.step_func_done(e => {
|
||||
if (e.blockedURI != "http://{{domains[www]}}:{{ports[http][0]}}/common/text-plain.txt")
|
||||
return;
|
||||
|
||||
assert_equals(e.violatedDirective, "connect-src");
|
||||
}));
|
||||
|
||||
assert_true(navigator.sendBeacon("common/redirect-opt-in.py?status=307&location=http://{{domains[www]}}:{{ports[http][0]}}/common/text-plain.txt"));
|
||||
}, "redirect case");
|
||||
</script>
|
||||
|
|
|
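Review bot: The listener added for the redirect case (L683-L697) cannot tell a violation for the redirected request apart from one raised by the direct beacon to the same URL in the preceding test (L672), because both would carry the identical `blockedURI`; if the policy in force blocks the direct request as well, the redirect case passes without the 307 ever being followed. Give the redirect target a distinguishing query string and filter on it: `const target = "http://{{domains[www]}}:{{ports[http][0]}}/common/text-plain.txt?via-redirect";`, `if (e.blockedURI != target) return;`, and `"common/redirect-opt-in.py?status=307&location=" + encodeURIComponent(target)`. The enclosing `<script>` and the policy it runs under begin before this hunk, so whether the direct request is actually blocked is not visible here.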
@ -14,7 +14,7 @@
|
|||
var link = document.createElement('link');
|
||||
link.rel="preload";
|
||||
link.as="font";
|
||||
link.href="http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/Ahem.ttf";
|
||||
link.href="http://{{domains[www1]}}:{{ports[http][0]}}/fonts/Ahem.ttf?font-match-allowed";
|
||||
link.onload = t.step_func_done();
|
||||
link.onerror = t.unreached_func("Should have loaded the font.");
|
||||
document.getElementsByTagName('head')[0].appendChild(link);
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
var link = document.createElement('link');
|
||||
link.rel="preload";
|
||||
link.as="font";
|
||||
link.href="http://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/Ahem.ttf";
|
||||
link.href="http://{{domains[www2]}}:{{ports[http][0]}}/fonts/Ahem.ttf?font-mismatch-blocked";
|
||||
link.onload = t.unreached_func("Should not have loaded the font.");
|
||||
link.onerror = t.step_func_done();
|
||||
document.getElementsByTagName('head')[0].appendChild(link);
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
var link = document.createElement('link');
|
||||
link.rel="preload";
|
||||
link.as="font";
|
||||
link.href="http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/Ahem.ttf";
|
||||
link.href="http://{{domains[www]}}:{{ports[http][0]}}/fonts/Ahem.ttf?font-none-blocked";
|
||||
link.onload = t.unreached_func("Should not have loaded the font.");
|
||||
link.onerror = t.step_func_done();
|
||||
document.getElementsByTagName('head')[0].appendChild(link);
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
var link = document.createElement('link');
|
||||
link.rel="preload";
|
||||
link.as="font";
|
||||
link.href="/content-security-policy/support/Ahem.ttf";
|
||||
link.href="/fonts/Ahem.ttf?font-self-allowed";
|
||||
link.onload = t.step_func_done();
|
||||
link.onerror = t.unreached_func("Should have loaded the font.");
|
||||
document.getElementsByTagName('head')[0].appendChild(link);
|
||||
|
|
|
@ -0,0 +1,84 @@
|
|||
<!DOCTYPE html>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
|
||||
<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
|
||||
|
||||
<body>
|
||||
|
||||
<script>
|
||||
function wait_for_error_from_frame(frame, test) {
|
||||
window.addEventListener('message', test.step_func(e => {
|
||||
if (e.source != frame.contentWindow)
|
||||
return;
|
||||
assert_equals(e.data, "error");
|
||||
frame.remove();
|
||||
test.done();
|
||||
}));
|
||||
}
|
||||
|
||||
async_test(t => {
|
||||
var i = document.createElement('iframe');
|
||||
document.body.appendChild(i);
|
||||
|
||||
var img = document.createElement('img');
|
||||
img.onerror = t.step_func_done(_ => i.remove());
|
||||
img.onload = t.unreached_func();
|
||||
i.contentDocument.body.appendChild(img);
|
||||
img.src = "/images/red-16x16.png";
|
||||
}, "<iframe>'s about:blank inherits policy.");
|
||||
|
||||
async_test(t => {
|
||||
var i = document.createElement('iframe');
|
||||
i.srcdoc = `
|
||||
<img src='/images/red-16x16.png'
|
||||
onload='window.top.postMessage("load", "*");'
|
||||
onerror='window.top.postMessage("error", "*");'
|
||||
>
|
||||
`;
|
||||
|
||||
wait_for_error_from_frame(i, t);
|
||||
|
||||
document.body.appendChild(i);
|
||||
}, "<iframe srcdoc>'s inherits policy.");
|
||||
|
||||
async_test(t => {
|
||||
var i = document.createElement('iframe');
|
||||
var b = new Blob(
|
||||
[`
|
||||
<img src='${window.origin}/images/red-16x16.png'
|
||||
onload='window.top.postMessage("load", "*");'
|
||||
onerror='window.top.postMessage("error", "*");'
|
||||
>
|
||||
`], {type:"text/html"});
|
||||
i.src = URL.createObjectURL(b);
|
||||
|
||||
wait_for_error_from_frame(i, t);
|
||||
|
||||
document.body.appendChild(i);
|
||||
}, "<iframe src='blob:...'>'s inherits policy.");
|
||||
|
||||
async_test(t => {
|
||||
var i = document.createElement('iframe');
|
||||
i.src = `data:text/html,<img src='${window.origin}/images/red-16x16.png'
|
||||
onload='window.top.postMessage("load", "*");'
|
||||
onerror='window.top.postMessage("error", "*");'
|
||||
>`;
|
||||
|
||||
wait_for_error_from_frame(i, t);
|
||||
|
||||
document.body.appendChild(i);
|
||||
}, "<iframe src='data:...'>'s inherits policy.");
|
||||
|
||||
async_test(t => {
|
||||
var i = document.createElement('iframe');
|
||||
i.src = `javascript:"<img src='${window.origin}/images/red-16x16.png'
|
||||
onload='window.top.postMessage(\\"load\\", \\"*\\");'
|
||||
onerror='window.top.postMessage(\\"error\\", \\"*\\");'
|
||||
>"`;
|
||||
|
||||
wait_for_error_from_frame(i, t);
|
||||
|
||||
document.body.appendChild(i);
|
||||
}, "<iframe src='javascript:...'>'s inherits policy.");
|
||||
</script>
|
|
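Review bot: The blob:, data: and javascript: variants (L972, L1011, L1044) interpolate `${window.origin}` into the image URL while the about:blank and srcdoc variants use a root-relative path, and nothing says why, so a reader may "simplify" them back to `/images/red-16x16.png`; presumably a root-relative reference cannot be resolved against a blob: or data: base URL, which would turn a policy test into a resolution failure. Add a comment above the first Blob test: `// blob:/data:/javascript: documents have no HTTP base URL to resolve a root-relative path against, so the image URL is made absolute here; the about:blank and srcdoc cases inherit the parent's base.` Separately, `wait_for_error_from_frame` removes the iframe only on the expected "error" message; on "load" the `assert_equals` fails the test but leaves the frame attached, which is harmless for the harness but worth a one-line note so nobody "fixes" the ordering blindly.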
@ -0,0 +1,66 @@
|
|||
<!DOCTYPE html>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
|
||||
<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
|
||||
|
||||
<body>
|
||||
|
||||
<script>
|
||||
function wait_for_error_from_window(w, test) {
|
||||
window.addEventListener('message', test.step_func(e => {
|
||||
if (e.source != w)
|
||||
return;
|
||||
assert_equals(e.data, "error");
|
||||
w.close();
|
||||
test.done();
|
||||
}));
|
||||
}
|
||||
|
||||
async_test(t => {
|
||||
var w = window.open();
|
||||
|
||||
var img = document.createElement('img');
|
||||
img.onerror = t.step_func_done(_ => w.close());
|
||||
img.onload = t.unreached_func();
|
||||
w.document.body.appendChild(img);
|
||||
img.src = "/images/red-16x16.png";
|
||||
}, "window.open() inherits policy.");
|
||||
|
||||
async_test(t => {
|
||||
var w = window.open();
|
||||
|
||||
wait_for_error_from_window(w, t);
|
||||
|
||||
w.document.write(`
|
||||
<img src='/images/red-16x16.png'
|
||||
onload='window.opener.postMessage("load", "*");'
|
||||
onerror='window.opener.postMessage("error", "*");'
|
||||
>
|
||||
`);
|
||||
}, "`document.write` into `window.open()` inherits policy.");
|
||||
|
||||
async_test(t => {
|
||||
var b = new Blob(
|
||||
[`
|
||||
<img src='${window.origin}/images/red-16x16.png'
|
||||
onload='window.opener.postMessage("load", "*");'
|
||||
onerror='window.opener.postMessage("error", "*");'
|
||||
>
|
||||
`], {type:"text/html"});
|
||||
|
||||
wait_for_error_from_window(window.open(URL.createObjectURL(b)), t);
|
||||
}, "window.open('blob:...') inherits policy.");
|
||||
|
||||
// Navigation to top-level `data:` is blocked.
|
||||
|
||||
async_test(t => {
|
||||
var url =
|
||||
`javascript:"<img src='${window.origin}/images/red-16x16.png'
|
||||
onload='window.opener.postMessage(\\"load\\", \\"*\\");'
|
||||
onerror='window.opener.postMessage(\\"error\\", \\"*\\");'
|
||||
>"`;
|
||||
|
||||
wait_for_error_from_window(window.open(url), t);
|
||||
}, "window.open('javascript:...') inherits policy.");
|
||||
</script>
|
|
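Review bot: `wait_for_error_from_window` (L1099-L1123) closes the popup only on the expected "error" message; when "load" arrives instead, `assert_equals` throws first and the window opened at L1159, L1218 or L1251 stays open for the rest of the run. Close before asserting: `w.close(); assert_equals(e.data, "error"); test.done();`. The first test has the same gap, since `img.onload = t.unreached_func()` at L1142 never closes `w`. The comment at L1226 explaining why there is no top-level data: case is useful; a matching one-liner explaining why the blob: and javascript: bodies need `${window.origin}` while the `document.write` body can use a root-relative path would complete the picture.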
@ -0,0 +1,16 @@
|
|||
<!DOCTYPE html>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
|
||||
<script>
|
||||
var window_url = encodeURIComponent("javascript:'<iframe src=/content-security-policy/support/fail.js />'");
|
||||
var report_cookie_name = encodeURIComponent("javascript-url-navigation-inherits-csp");
|
||||
window.open("support/test_csp_self_window.sub.html?window_url=" + window_url + "&report_cookie_name=" + report_cookie_name);
|
||||
setTimeout(function() {
|
||||
var s = document.createElement('script');
|
||||
s.async = true;
|
||||
s.defer = true;
|
||||
s.src = "../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-src%20%27none%27";
|
||||
document.body.appendChild(s);
|
||||
}, 2000);
|
||||
</script>
|
|
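Review bot: The fixed `setTimeout(..., 2000)` at L1286-L1304 makes the result timing-dependent: if the popup's navigation to the javascript: URL and delivery of the frame-src report take longer than two seconds, `checkReport` finds nothing and the test fails spuriously, while on fast runs the wait is pure dead time. Prefer a signal from the opened window (a `postMessage` once it has navigated) or polling `checkReport`, and if the delay must stay, say why: `// Give the popup time to navigate to the javascript: URL and for the frame-src violation report to reach report.py before checkReport reads it back via the report cookie.` The popup returned by `window.open` at L1283 is also never closed. `s.async = true; s.defer = true` at L1292-L1295 are no-ops for a script inserted with `appendChild` (dynamically inserted scripts are already async and ignore `defer`) and can be dropped.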
@ -0,0 +1,8 @@
|
|||
<!DOCTYPE html>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
|
||||
<script>
|
||||
var window_url = decodeURIComponent("{{GET[window_url]}}").replace('<', '<').replace('>', '>');
|
||||
window.open(window_url, "_self");
|
||||
</script>
|
|
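Review bot: `.replace('<', '<').replace('>', '>')` at L1327 is a no-op as rendered here; most likely the source reads `.replace('&lt;', '<').replace('&gt;', '>')` and the entities were decoded when this page was rendered, so confirm against the raw file. Even in that form, `String.prototype.replace` with a string pattern rewrites only the first occurrence, so a `window_url` containing more than one `<` (two iframes, for instance) would be half-decoded; a regex with the `g` flag, `.replace(/&lt;/g, '<').replace(/&gt;/g, '>')`, removes that limit. A comment stating the encoding contract would help the next caller: `// window_url arrives encodeURIComponent'd from the opener; wptserve presumably decodes the query once before substitution, so this is the second decode.` Note that this fixture navigates itself to whatever URL the query string supplies (`window.open(window_url, "_self")` at L1330), which is acceptable for a page served only by wptserve but must not be copied into anything reachable from a real site.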
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: {{GET[report_cookie_name]}}={{$id:uuid()}}; Path=/content-security-policy/navigation/
|
||||
Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline'; report-uri ../../support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,22 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Window.open should not open javascript url if not allowed.</title>
|
||||
<script nonce='abc' src='/resources/testharness.js'></script>
|
||||
<script nonce='abc' src='/resources/testharnessreport.js'></script>
|
||||
</head>
|
||||
<body>
|
||||
<script nonce='abc'>
|
||||
var t = async_test("Check that a securitypolicyviolation event is fired");
|
||||
window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
|
||||
assert_equals(e.blockedURI, "inline");
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
}));
|
||||
|
||||
window.open('javascript:test(function() { assert_unreached("FAIL")});', 'new');
|
||||
</script>
|
||||
|
||||
<script nonce='abc' async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
|
||||
|
||||
</body>
|
||||
</html>
|
|
@ -0,0 +1,6 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: javascript-window-open-blocked={{$id:uuid()}}; Path=/content-security-policy/script-src/
|
||||
Content-Security-Policy: script-src 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,28 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Multiple policies with different hashing algorithms still work.</title>
|
||||
<!-- nonces are here just to let all of our scripts run -->
|
||||
<script nonce="abc" src='/resources/testharness.js'></script>
|
||||
<script nonce="abc" src='/resources/testharnessreport.js'></script>
|
||||
</head>
|
||||
<body>
|
||||
<script nonce="abc">
|
||||
var t = async_test("Test that script executes if allowed by proper hash values");
|
||||
document.addEventListener("securitypolicyviolation", t.unreached_func("Should not have triggered a security event"));
|
||||
var executed = false;
|
||||
</script>
|
||||
|
||||
<!-- test will fail if this script is not allowed to run -->
|
||||
<script>executed = true;</script>
|
||||
|
||||
<script nonce="abc">
|
||||
t.step(function() {
|
||||
assert_true(executed);
|
||||
t.done();
|
||||
});
|
||||
</script>
|
||||
|
||||
<script nonce="abc" async defer src='../support/checkReport.sub.js?reportExists=false'></script>
|
||||
</body>
|
||||
</html>
|
|
@ -0,0 +1,7 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: script-src-multiple-policies-multiple-hashing-algorithms={{$id:uuid()}}; Path=/content-security-policy/script-src/
|
||||
Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
Content-Security-Policy: script-src 'sha384-skw7BVxHbmE2umPGMd1kX+ye6qBeHAb875erPoD8ilKv1LkjKR+WFi7N85ORMdhS' 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,28 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Multiple policies some using hashes some not using hashes still work.</title>
|
||||
<!-- nonces are here just to let all of our scripts run -->
|
||||
<script nonce="abc" src='/resources/testharness.js'></script>
|
||||
<script nonce="abc" src='/resources/testharnessreport.js'></script>
|
||||
</head>
|
||||
<body>
|
||||
<script nonce="abc">
|
||||
var t = async_test("Test that script executes if allowed by proper hash values");
|
||||
document.addEventListener("securitypolicyviolation", t.unreached_func("Should not have triggered a security event"));
|
||||
var executed = false;
|
||||
</script>
|
||||
|
||||
<!-- test will fail if this script is not allowed to run -->
|
||||
<script>executed = true;</script>
|
||||
|
||||
<script nonce="abc">
|
||||
t.step(function() {
|
||||
assert_true(executed);
|
||||
t.done();
|
||||
});
|
||||
</script>
|
||||
|
||||
<script nonce="abc" async defer src='../support/checkReport.sub.js?reportExists=false'></script>
|
||||
</body>
|
||||
</html>
|
|
@ -0,0 +1,7 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: script-src-multiple-policies-multiple-hashing-algorithms-work={{$id:uuid()}}; Path=/content-security-policy/script-src/
|
||||
Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,23 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>A report-only policy that does not allow a script should not affect an enforcing policy using hashes.</title>
|
||||
<!-- nonces are here just to let all of our scripts run -->
|
||||
<script nonce="abc" src='/resources/testharness.js'></script>
|
||||
<script nonce="abc" src='/resources/testharnessreport.js'></script>
|
||||
</head>
|
||||
<body>
|
||||
<script nonce="abc">
|
||||
var externalRan = false;
|
||||
</script>
|
||||
<script src='./externalScript.js'
|
||||
integrity="sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0="></script>
|
||||
<script nonce="abc">
|
||||
test(function() {
|
||||
assert_true(externalRan, 'External script ran.');
|
||||
}, 'External script in a script tag with matching SRI hash should run.');
|
||||
</script>
|
||||
|
||||
<script nonce="abc" async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
|
||||
</body>
|
||||
</html>
|
|
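Review bot: This test never observes the `securitypolicyviolation` event, so it proves only that the SRI-hashed external script ran (L1708-L1714) and that some report arrived via `checkReport` at L1722; it does not check that the report-only policy's violation was delivered with `disposition == "report"`, which is exactly what its sibling `script-src-report-only-policy-works-with-hash-policy` in this same commit asserts. Add, before the external `<script>` at L1699, a listener mirroring the sibling: `var t_spv = async_test("Report-only violation fires with report disposition");` `document.addEventListener("securitypolicyviolation", t_spv.step_func_done(e => { assert_equals(e.violatedDirective, "script-src"); assert_equals(e.disposition, "report"); }));`. The `<title>` at L1672 is copied verbatim from that sibling; name the difference, e.g. "...using an SRI hash on an external script", so the two are distinguishable in results.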
@ -0,0 +1,7 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: script-src-report-only-policy-works-with-external-hash-policy={{$id:uuid()}}; Path=/content-security-policy/script-src/
|
||||
Content-Security-Policy: script-src 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'nonce-abc'
|
||||
Content-Security-Policy-Report-Only: script-src 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,33 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>A report-only policy that does not allow a script should not affect an enforcing policy using hashes.</title>
|
||||
<!-- nonces are here just to let all of our scripts run -->
|
||||
<script nonce="abc" src='/resources/testharness.js'></script>
|
||||
<script nonce="abc" src='/resources/testharnessreport.js'></script>
|
||||
</head>
|
||||
<body>
|
||||
<script nonce="abc">
|
||||
var t = async_test("Test that script executes if allowed by proper hash values");
|
||||
var t_spv = async_test("Test that the securitypolicyviolation event is fired");
|
||||
document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
assert_equals(e.disposition, "report");
|
||||
assert_equals(e.blockedURI, "inline");
|
||||
}));
|
||||
var executed = false;
|
||||
</script>
|
||||
|
||||
<!-- test will fail if this script is not allowed to run -->
|
||||
<script>executed = true;</script>
|
||||
|
||||
<script nonce="abc">
|
||||
t.step(function() {
|
||||
assert_true(executed);
|
||||
t.done();
|
||||
});
|
||||
</script>
|
||||
|
||||
<script nonce="abc" async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
|
||||
</body>
|
||||
</html>
|
|
@ -0,0 +1,7 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: script-src-report-only-policy-works-with-hash-policy={{$id:uuid()}}; Path=/content-security-policy/script-src/
|
||||
Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc'
|
||||
Content-Security-Policy-Report-Only: script-src 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,18 @@
|
|||
<!DOCTYPE html>
|
||||
<script src='/resources/testharness.js'></script>
|
||||
<script src='/resources/testharnessreport.js'></script>
|
||||
<script src='../support/testharness-helper.js'></script>
|
||||
|
||||
<meta http-equiv="content-security-policy" content="script-src 'nonce-abc' 'strict-dynamic'">
|
||||
|
||||
<script nonce="abc">
|
||||
async_test(t => {
|
||||
assert_no_csp_event_for_url(t, "../support/import-scripts.js");
|
||||
var w = new Worker("../support/import-scripts.js");
|
||||
assert_no_event(t, w, "error");
|
||||
waitUntilEvent(w, "message")
|
||||
.then(t.step_func_done(e => {
|
||||
assert_true(e.data.executed);
|
||||
}));
|
||||
}, "`importScripts(...)` is allowed by 'strict-dynamic'");
|
||||
</script>
|
|
@ -51,17 +51,30 @@
|
|||
}, "JavaScript URLs in iframes should not have a sample.");
|
||||
|
||||
async_test(t => {
|
||||
var violations = 0;
|
||||
document.addEventListener('securitypolicyviolation', t.step_func(e => {
|
||||
if (e.blockedURI != "eval")
|
||||
return;
|
||||
|
||||
assert_equals(e.sample, "");
|
||||
t.done();
|
||||
violations++
|
||||
if (violations == 3)
|
||||
t.done();
|
||||
}));
|
||||
try {
|
||||
eval("assert_unreached('eval')");
|
||||
assert_unreached('eval');
|
||||
} catch (e) {
|
||||
}
|
||||
}, "eval() should not have a sample.");
|
||||
try {
|
||||
setInterval("assert_unreached('interval')", 1000);
|
||||
assert_unreached('interval');
|
||||
} catch (e) {
|
||||
}
|
||||
try {
|
||||
setTimeout("assert_unreached('timeout')", 1000);
|
||||
assert_unreached('timeout');
|
||||
} catch (e) {
|
||||
}
|
||||
}, "eval()-alikes should not have a sample.");
|
||||
</script>
|
||||
|
|
|
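Review bot: The empty `catch (e) {}` blocks at L1985, L2003 and L2018 also swallow the `assert_unreached(...)` that follows each call, so if any of `eval`, `setInterval` or `setTimeout` is *not* blocked the test does not fail; it just waits for a third violation until the harness times out. Narrow the catch so a harness assertion propagates, e.g. `} catch (e) { if (e.name !== "EvalError") throw e; }` — the exact exception type raised for a CSP-refused string compilation should be confirmed against the implementation under test. Counting to three at L1967 also assumes nothing else on the page raises an `eval` violation; the `blockedURI == "eval"` filter cannot distinguish the three sources because every sample is empty by design, which is worth a comment next to the counter. The enclosing `<script>` starts before this hunk.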
@ -52,16 +52,43 @@
|
|||
|
||||
async_test(t => {
|
||||
document.addEventListener('securitypolicyviolation', t.step_func(e => {
|
||||
if (e.blockedURI != "eval")
|
||||
return;
|
||||
|
||||
assert_equals(e.sample, "");
|
||||
t.done();
|
||||
if (e.blockedURI == "eval" &&
|
||||
e.sample == "assert_unreached('eval')") {
|
||||
t.done();
|
||||
}
|
||||
}));
|
||||
try {
|
||||
eval("assert_unreached('eval')");
|
||||
assert_unreached('eval');
|
||||
} catch (e) {
|
||||
}
|
||||
}, "eval() should not have a sample.");
|
||||
}, "eval() should have a sample.");
|
||||
|
||||
async_test(t => {
|
||||
document.addEventListener('securitypolicyviolation', t.step_func(e => {
|
||||
if (e.blockedURI == "eval" &&
|
||||
e.sample == "assert_unreached('interval')") {
|
||||
t.done();
|
||||
}
|
||||
}));
|
||||
try {
|
||||
setInterval("assert_unreached('interval')", 1000);
|
||||
assert_unreached('interval');
|
||||
} catch (e) {
|
||||
}
|
||||
}, "setInterval() should have a sample.");
|
||||
|
||||
async_test(t => {
|
||||
document.addEventListener('securitypolicyviolation', t.step_func(e => {
|
||||
if (e.blockedURI == "eval" &&
|
||||
e.sample == "assert_unreached('timeout')") {
|
||||
t.done();
|
||||
}
|
||||
}));
|
||||
try {
|
||||
setTimeout("assert_unreached('timeout')", 1000);
|
||||
assert_unreached('timeout');
|
||||
} catch (e) {
|
||||
}
|
||||
}, "setTimeout() should have a sample.");
|
||||
</script>
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Multiple policies with different hashing algorithms still work.</title>
|
||||
<script src='/resources/testharness.js'></script>
|
||||
<script src='/resources/testharnessreport.js'></script>
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
var t = async_test("Test that style loads if allowed by proper hash values");
|
||||
document.addEventListener("securitypolicyviolation", t.unreached_func("Should not have triggered a security event"));
|
||||
</script>
|
||||
|
||||
<!-- test will time out if this style is not allowed to load -->
|
||||
<style onload="t.done();" onerror="t.unreached_func('Should have loaded the style');">p {color:blue;}</style>
|
||||
|
||||
<script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
|
||||
</body>
|
||||
</html>
|
|
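Review bot: The `onerror` handler at L2226, `t.unreached_func('Should have loaded the style')`, only *creates* the failing function and never calls it, so a blocked style produces no failure and the test merely times out, as the comment at L2223 concedes. Invoke it — `onerror="t.unreached_func('Should have loaded the style')();"` — and reword the comment to `<!-- fails immediately if the style is blocked -->`. Changing the attribute text is safe for this test because the hashes in the companion headers cover the `<style>` body (`p {color:blue;}`), not the attribute; it is `script-src 'unsafe-inline'` in those headers that lets the inline handlers run at all, which deserves a one-line note since the file is otherwise about hashes.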
@ -0,0 +1,7 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: style-src-multiple-policies-multiple-hashing-algorithms={{$id:uuid()}}; Path=/content-security-policy/style-src/
|
||||
Content-Security-Policy: style-src 'sha256-rB6kiow2O3eFUeTNyyLeK3wV0+l7vNB90J1aqllKvjg='; script-src 'unsafe-inline' 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
Content-Security-Policy: style-src 'sha384-DAShdG5sejEaOdWfT+TQMRP5mHssKiUNjFggNnElIvIoj048XQlacVRs+za2AM1a'; script-src 'unsafe-inline' 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
Binary file not shown.
|
@ -1,6 +1,6 @@
|
|||
@font-face {
|
||||
font-family: 'Ahem';
|
||||
src: url('/content-security-policy/support/Ahem.ttf');
|
||||
src: url('/fonts/Ahem.ttf');
|
||||
}
|
||||
|
||||
body {
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
self.a = false;
|
||||
importScripts('/content-security-policy/support/var-a.js');
|
||||
postMessage({ 'executed': self.a });
|
|
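Review bot: If `importScripts` at L2297 is refused by the worker's policy it throws and the `postMessage` at L2300 never runs, so a consumer listening only for `message` learns nothing and must rely on the worker's `error` event instead. If the intent is to report the outcome either way, wrap the import — `try { importScripts('/content-security-policy/support/var-a.js'); } catch (e) {}` — ahead of the unchanged `postMessage`, and state the contract in a header comment: `// Posts { executed: true } iff the imported script ran and set self.a; otherwise { executed: false }.` Confirm first that no caller (the 'strict-dynamic' worker test in this commit uses `assert_no_event(t, w, "error")`) depends on the `error` event firing in the blocked case.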
@ -0,0 +1,22 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashed-attributes' 'nonce-abc' 'sha256-wmuLCpoj8EMqfQlPnt5NIMgKkCK62CxAkAiewI0zZps='; img-src *;">
|
||||
<title>Event handlers should be allowed if a matching hash and 'unsafe-hashed-attributes' are present</title>
|
||||
<script src='/resources/testharness.js' nonce='abc'></script>
|
||||
<script src='/resources/testharnessreport.js' nonce='abc'></script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<div id='log'></div>
|
||||
<script nonce='abc'>
|
||||
var t1 = async_test("Test that the inline event handler is allowed to run");
|
||||
|
||||
window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event"));
|
||||
</script>
|
||||
<img src='../support/pass.png'
|
||||
onload='t1.done();'>
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -0,0 +1,26 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' 'sha256-Cb9N8BP42Neca22vQ9VaXlPU8oPF8HPxZHxRVcnLZJ4='; img-src *;">
|
||||
<title>Event handlers should not be allowed if a matching hash is present without 'unsafe-hashed-attributes'</title>
|
||||
<script src='/resources/testharness.js' nonce='abc'></script>
|
||||
<script src='/resources/testharnessreport.js' nonce='abc'></script>
|
||||
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<div id='log'></div>
|
||||
<script nonce='abc'>
|
||||
var t1 = async_test("Test that the inline event handler is not allowed to run");
|
||||
|
||||
window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, 'script-src');
|
||||
assert_equals(e.blockedURI, 'inline');
|
||||
}));
|
||||
</script>
|
||||
<img src='../support/pass.png'
|
||||
onload='t1.unreached_func("Should not have executed handler");'>
|
||||
</body>
|
||||
|
||||
</html>
|
|
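Review bot: The `onload` handler at L2433, `t1.unreached_func("Should not have executed handler");`, never invokes the function it creates, so if the handler *did* execute (policy not enforced) the test would not fail immediately but only time out waiting for the violation event. Invoking it, `onload='t1.unreached_func("Should not have executed handler")();'`, would fail fast — but the policy at L2382 carries a hash that presumably matches the current handler text, so the hash must be recomputed if the text changes. Add a comment next to the `<img>`: `<!-- the sha256 in the meta CSP is the digest of this onload attribute; keep them in sync -->`, so a later edit does not silently turn this into a "mismatched hash" test.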
@ -0,0 +1,25 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashed-attributes' 'nonce-abc' 'sha256-thisdoesnotmatch'; img-src *;">
|
||||
<title>Event handlers should be not allowed if a matching hash is not present</title>
|
||||
<script src='/resources/testharness.js' nonce='abc'></script>
|
||||
<script src='/resources/testharnessreport.js' nonce='abc'></script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<div id='log'></div>
|
||||
<script nonce='abc'>
|
||||
var t1 = async_test("Test that the inline event handler is not allowed to run");
|
||||
|
||||
window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, 'script-src');
|
||||
assert_equals(e.blockedURI, 'inline');
|
||||
}));
|
||||
</script>
|
||||
<img src='../support/pass.png'
|
||||
onload='t1.unreached_func("Should not have executed handler");'>
|
||||
</body>
|
||||
|
||||
</html>
|
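Review bot: The `onload` handler at L2507 builds `t1.unreached_func("Should not have executed handler")` without calling it, so an executed handler cannot fail the test directly; it can only time out. Here the hash at L2458 is deliberately non-matching, so the attribute text is free to change: use `onload='t1.unreached_func("Should not have executed handler")();'`. A short comment at L2458 saying whether `'sha256-thisdoesnotmatch'` is meant as a syntactically valid hash-source with the wrong digest, rather than a malformed one, would tell readers which of the two cases this test covers.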