Update web-platform-tests to revision a806d658df3bcc3f05675ad8d08a6e109177c6b0
parent
af777fcf15
commit
23dfe7c81e
155 changed files with 2487 additions and 546 deletions
|
@ -7,7 +7,7 @@
|
|||
<title>blob-urls-do-not-match-self</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["violated-directive=script-src"]'></script>
|
||||
<script src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem"]'></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=[]'></script>
|
||||
</head>
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
<title>default-src-inline-blocked</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["violated-directive=script-src","violated-directive=script-src"]'></script>
|
||||
<script src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem","violated-directive=script-src-elem"]'></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=[]'></script>
|
||||
</head>
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
<title>filesystem-urls-do-not-match-self</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["violated-directive=script-src"]'></script>
|
||||
<script src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem"]'></script>
|
||||
<script src="../support/alertAssert.sub.js?alerts=[]"></script>
|
||||
</head>
|
||||
|
||||
|
@ -19,7 +19,7 @@
|
|||
window.addEventListener('securitypolicyviolation', function(e) {
|
||||
log("violated-directive=" + e.violatedDirective);
|
||||
});
|
||||
|
||||
|
||||
if(!window.webkitRequestFileSystem) {
|
||||
t_log = async_test();
|
||||
t_log.set_status(t_log.NOTRUN, "No filesystem:// support, cannot run test.");
|
||||
|
|
|
@ -16,9 +16,9 @@
|
|||
var scriptsrc2 = async_test("Verify cascading of default-src to script-src policy: allow");
|
||||
var allowedScriptRan = false;
|
||||
var t_spv = async_test("Should fire violation events for every failed violation");
|
||||
|
||||
|
||||
window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
assert_equals(e.violatedDirective, "script-src-elem");
|
||||
}));
|
||||
</script>
|
||||
|
||||
|
|
|
@ -2,16 +2,16 @@
|
|||
<html>
|
||||
<head>
|
||||
<title>implicit port number matching fails with a different port</title>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' www.{{host}} 'unsafe-inline';">
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' www.{{host}} 'unsafe-inline';">
|
||||
<script src='/resources/testharness.js'></script>
|
||||
<script src='/resources/testharnessreport.js'></script>
|
||||
<script src='negativeTests.js'></script>
|
||||
<script>
|
||||
var t_spv = async_test("Should fire violation events for every failed violation");
|
||||
window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
assert_equals(e.violatedDirective, "script-src-elem");
|
||||
}));
|
||||
|
||||
|
||||
var head = document.getElementsByTagName('head')[0];
|
||||
var script = document.createElement('script');
|
||||
script.type = 'text/javascript';
|
||||
|
|
|
@ -9,9 +9,9 @@
|
|||
<script>
|
||||
var t_spv = async_test("Should fire violation events for every failed violation");
|
||||
window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
assert_equals(e.violatedDirective, "script-src-elem");
|
||||
}));
|
||||
|
||||
|
||||
var head = document.getElementsByTagName('head')[0];
|
||||
var script = document.createElement('script');
|
||||
script.type = 'text/javascript';
|
||||
|
|
|
@ -9,9 +9,9 @@
|
|||
<script>
|
||||
var t_spv = async_test("Should fire violation events for every failed violation");
|
||||
window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
assert_equals(e.violatedDirective, "script-src-elem");
|
||||
}));
|
||||
|
||||
|
||||
var head = document.getElementsByTagName('head')[0];
|
||||
var script = document.createElement('script');
|
||||
script.type = 'text/javascript';
|
||||
|
|
|
@ -9,9 +9,9 @@
|
|||
<script>
|
||||
var t_spv = async_test("Should fire violation events for every failed violation");
|
||||
window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
assert_equals(e.violatedDirective, "script-src-elem");
|
||||
}));
|
||||
|
||||
|
||||
var head = document.getElementsByTagName('head')[0];
|
||||
var script = document.createElement('script');
|
||||
script.type = 'text/javascript';
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
<title>combine-header-and-meta-policies</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["TEST COMPLETE", "violated-directive=img-src", "violated-directive=style-src"]'></script>
|
||||
<script src='../support/logTest.sub.js?logs=["TEST COMPLETE", "violated-directive=img-src", "violated-directive=style-src-elem"]'></script>
|
||||
<script src="../support/alertAssert.sub.js?alerts=[]"></script>
|
||||
<!-- enforcing multiple policies:
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'
|
||||
|
@ -23,7 +23,7 @@ Content-Security-Policy: img-src 'none'
|
|||
window.addEventListener('securitypolicyviolation', function(e) {
|
||||
log("violated-directive=" + e.violatedDirective);
|
||||
});
|
||||
|
||||
|
||||
var img = document.createElement('img');
|
||||
img.src = '../support/fail.png';
|
||||
img.onerror = function() {
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
if (e.target != element)
|
||||
return;
|
||||
assert_equals(e.blockedURI, "inline");
|
||||
assert_equals(e.effectiveDirective, "script-src");
|
||||
assert_equals(e.effectiveDirective, "script-src-elem");
|
||||
assert_equals(element.contentDocument.body.innerText, "", "Ensure that 'Fail' doesn't appear in the child document.");
|
||||
element.remove();
|
||||
test.done();
|
||||
|
@ -36,7 +36,7 @@
|
|||
var i = document.createElement("iframe");
|
||||
i.src = "javascript:'Fail.'";
|
||||
|
||||
assert_csp_event_for_element(t, i);
|
||||
assert_csp_event_for_element(t, i);
|
||||
|
||||
document.body.appendChild(i);
|
||||
}, "<iframe src='javascript:'> blocked without 'unsafe-inline'.");
|
||||
|
@ -44,7 +44,7 @@
|
|||
async_test(t => {
|
||||
var i = document.createElement("iframe");
|
||||
|
||||
assert_csp_event_for_element(t, i);
|
||||
assert_csp_event_for_element(t, i);
|
||||
navigate_to_javascript_onload(t, i);
|
||||
|
||||
document.body.appendChild(i);
|
||||
|
@ -54,17 +54,17 @@
|
|||
var i = document.createElement("iframe");
|
||||
i.src = "../support/echo-policy.py?policy=" + encodeURIComponent("script-src 'unsafe-inline'");
|
||||
|
||||
assert_csp_event_for_element(t, i);
|
||||
assert_csp_event_for_element(t, i);
|
||||
navigate_to_javascript_onload(t, i);
|
||||
|
||||
document.body.appendChild(i);
|
||||
}, "<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document");
|
||||
|
||||
|
||||
async_test(t => {
|
||||
var i = document.createElement("iframe");
|
||||
i.src = "../support/echo-policy.py?policy=" + encodeURIComponent("script-src 'none'");
|
||||
|
||||
assert_csp_event_for_element(t, i);
|
||||
assert_csp_event_for_element(t, i);
|
||||
navigate_to_javascript_onload(t, i);
|
||||
|
||||
document.body.appendChild(i);
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src-attr 'unsafe-inline';
|
||||
script-src 'nonce-abc';">
|
||||
<script nonce='abc' src="/resources/testharness.js"></script>
|
||||
<script nonce='abc' src="/resources/testharnessreport.js"></script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<script nonce='abc'>
|
||||
var t = async_test("Should not fire a security policy violation event");
|
||||
window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have fired a spv event"));
|
||||
</script>
|
||||
|
||||
<img src="../support/pass.png" onload="t.done()">
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -0,0 +1,23 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src-attr 'none';
|
||||
script-src 'unsafe-inline' 'self';">
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<script>
|
||||
var t = async_test("Should fire a security policy violation event");
|
||||
window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, 'script-src-attr');
|
||||
assert_equals(e.blockedURI, 'inline');
|
||||
}));
|
||||
</script>
|
||||
|
||||
<img src="../support/pass.png" onload="t.unreached_func('Should not have executed the inline handler')">
|
||||
</body>
|
||||
|
||||
</html>
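Review bot: The `onload` attribute on the `<img>` only evaluates `t.unreached_func('Should not have executed the inline handler')`, which builds a failing function and discards it, so the handler can run without failing anything. As written, a browser that ignores `script-src-attr 'none'` is caught only because the violation listener never fires, which is a timeout rather than an explicit failure. Calling the returned function makes the guard effective: `onload="t.unreached_func('Should not have executed the inline handler')()"`. The `<img onload>` in the following new file (policy `script-src-elem 'self' 'unsafe-inline'; script-src-attr 'none'`) has the same pattern.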
|
|
@ -0,0 +1,29 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src-elem 'self' 'unsafe-inline';
|
||||
script-src-attr 'none';">
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<script>
|
||||
var t = async_test("Should fire a security policy violation for the attribute");
|
||||
window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, 'script-src-attr');
|
||||
assert_equals(e.blockedURI, 'inline');
|
||||
}));
|
||||
|
||||
var t1 = async_test("Should execute the inline script block");
|
||||
</script>
|
||||
|
||||
<script>
|
||||
t1.done();
|
||||
</script>
|
||||
|
||||
<img src="../support/pass.png" onload="t.unreached_func('should not have run this event handler')">
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -0,0 +1,22 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src-elem 'nonce-abc' 'nonce-def';
|
||||
script-src 'nonce-abc';">
|
||||
<script nonce='abc' src="/resources/testharness.js"></script>
|
||||
<script nonce='abc' src="/resources/testharnessreport.js"></script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<script nonce='abc'>
|
||||
var t = async_test("Should not fire a security policy violation event");
|
||||
window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have fired a spv event"));
|
||||
</script>
|
||||
|
||||
<script nonce='def'>
|
||||
t.done();
|
||||
</script>
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -0,0 +1,31 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src-elem 'nonce-abc' 'self';
|
||||
script-src-attr 'unsafe-inline'">
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<script nonce='abc'>
|
||||
var t = async_test("Should fire a security policy violation for the attribute");
|
||||
window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, 'script-src-elem');
|
||||
assert_equals(e.blockedURI, 'inline');
|
||||
}));
|
||||
|
||||
var t1 = async_test("Should execute the inline script attribute");
|
||||
</script>
|
||||
|
||||
<script>
|
||||
t.step_func(function() {
|
||||
assert_unreached("Should not have executed the inline script block");
|
||||
})
|
||||
</script>
|
||||
|
||||
<img src="../support/pass.png" onload="t1.done()">
|
||||
</body>
|
||||
|
||||
</html>
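Review bot: In the un-nonced `<script>` block, `t.step_func(function() { assert_unreached(...) })` only returns a wrapped function and never calls it, so the block cannot fail the test even if the policy lets it execute. `t.step(function() { assert_unreached("Should not have executed the inline script block"); });` runs the assertion immediately. The new file with policy `script-src-elem 'nonce-abc'; script-src 'nonce-abc' 'nonce-def'` repeats this in its `nonce='def'` block. Separately, the first test is titled "Should fire a security policy violation for the attribute" while it asserts `script-src-elem` for the inline block; a title naming the inline block would match what is checked.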
|
|
@ -0,0 +1,28 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src-elem 'nonce-abc';
|
||||
script-src 'nonce-abc' 'nonce-def';">
|
||||
<script nonce='abc' src="/resources/testharness.js"></script>
|
||||
<script nonce='abc' src="/resources/testharnessreport.js"></script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<script nonce='abc'>
|
||||
var t = async_test("Should fire a spv event");
|
||||
window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, 'script-src-elem');
|
||||
assert_equals(e.blockedURI, 'inline');
|
||||
}));
|
||||
|
||||
</script>
|
||||
|
||||
<script nonce='def'>
|
||||
t.step_func(function() {
|
||||
assert_unreached("Should not have executed the inline block");
|
||||
});
|
||||
</script>
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -0,0 +1,22 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src-elem 'strict-dynamic' 'nonce-abc';
|
||||
script-src 'nonce-abc';">
|
||||
<script nonce='abc' src="/resources/testharness.js"></script>
|
||||
<script nonce='abc' src="/resources/testharnessreport.js"></script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<script nonce='abc'>
|
||||
var t = async_test("Should not fire a security policy violation event");
|
||||
window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have fired a spv event"));
|
||||
|
||||
var s = document.createElement('script');
|
||||
s.src = 'support/t_done.js';
|
||||
document.head.appendChild(s);
|
||||
</script>
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -0,0 +1,25 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'strict-dynamic' 'nonce-abc';
|
||||
script-src-elem 'nonce-abc';">
|
||||
<script nonce='abc' src="/resources/testharness.js"></script>
|
||||
<script nonce='abc' src="/resources/testharnessreport.js"></script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<script nonce='abc'>
|
||||
var t = async_test("Should fire a security policy violation event");
|
||||
window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, "script-src-elem");
|
||||
assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/script-src-attr-elem/support/t_fail.js");
|
||||
}));
|
||||
|
||||
var s = document.createElement('script');
|
||||
s.src = 'support/t_fail.js';
|
||||
document.head.appendChild(s);
|
||||
</script>
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -0,0 +1 @@
|
|||
t.done();
|
|
@ -0,0 +1,3 @@
|
|||
t.step(function() {
|
||||
assert_unreached("Should not loaded the script");
|
||||
});
|
|
@ -3,7 +3,7 @@
|
|||
var test_count = 2;
|
||||
|
||||
window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
assert_equals(e.violatedDirective, "script-src-elem");
|
||||
if (--test_count <= 0) {
|
||||
t_spv.done();
|
||||
}
|
||||
|
@ -25,4 +25,4 @@
|
|||
document.writeln('<script>dmTest.step(function() {assert_unreached("Unsafe inline script ran - document.writeln")});</script>');
|
||||
|
||||
dmTest.done();
|
||||
})();
|
||||
})();
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
<title>injected-inline-script-blocked</title>
|
||||
<script nonce='abc' src="/resources/testharness.js"></script>
|
||||
<script nonce='abc' src="/resources/testharnessreport.js"></script>
|
||||
<script nonce='abc' src='../support/logTest.sub.js?logs=["violated-directive=script-src",]'></script>
|
||||
<script nonce='abc' src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem",]'></script>
|
||||
<script nonce='abc' src='../support/alertAssert.sub.js?alerts=[]'></script>
|
||||
</head>
|
||||
|
||||
|
|
|
@ -1,13 +1,22 @@
|
|||
var t1 = async_test("Inline script block");
|
||||
var t2 = async_test("Inline event handler");
|
||||
|
||||
onload = function() {t1.done(); t2.done()}
|
||||
onload = function() {t1.done(); t2.done();};
|
||||
|
||||
var t_spv = async_test("Should not fire policy violation events");
|
||||
var test_count = 2;
|
||||
var t_spv = async_test("Should fire policy violation events");
|
||||
var block_event_fired = false;
|
||||
var handler_event_fired = false;
|
||||
window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
if (--test_count <= 0) {
|
||||
t_spv.done();
|
||||
if (e.violatedDirective == "script-src-elem") {
|
||||
assert_false(block_event_fired);
|
||||
block_event_fired = true;
|
||||
} else if (e.violatedDirective == "script-src-attr") {
|
||||
assert_false(handler_event_fired);
|
||||
handler_event_fired = true;
|
||||
} else {
|
||||
assert_unreached("Unexpected directive broken");
|
||||
}
|
||||
if (block_event_fired && handler_event_fired) {
|
||||
t_spv.done();
|
||||
}
|
||||
}));
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
var t = async_test("Check that a securitypolicyviolation event is fired");
|
||||
window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
|
||||
assert_equals(e.blockedURI, "inline");
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
assert_equals(e.violatedDirective, "script-src-elem");
|
||||
}));
|
||||
|
||||
window.open('javascript:test(function() { assert_unreached("FAIL")});', 'new');
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
<script nonce="abc">
|
||||
var t_spv = async_test("Should fire securitypolicyviolation event");
|
||||
window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
assert_equals(e.violatedDirective, "script-src-elem");
|
||||
assert_equals(e.disposition, "report");
|
||||
}));
|
||||
var externalRan = false;
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
var t = async_test("Test that script executes if allowed by proper hash values");
|
||||
var t_spv = async_test("Test that the securitypolicyviolation event is fired");
|
||||
document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
assert_equals(e.violatedDirective, "script-src-elem");
|
||||
assert_equals(e.disposition, "report");
|
||||
assert_equals(e.blockedURI, "inline");
|
||||
}));
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
}
|
||||
}));
|
||||
window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
|
||||
assert_equals(e.effectiveDirective, 'script-src');
|
||||
assert_equals(e.effectiveDirective, 'script-src-elem');
|
||||
}));
|
||||
}, 'Whitelisted script without a correct nonce is not allowed with `strict-dynamic`.');
|
||||
</script>
|
||||
|
@ -29,4 +29,4 @@
|
|||
|
||||
</body>
|
||||
|
||||
</html>
|
||||
</html>
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
if (violation.blockedURI.split('?')[1] !== 'unNonced-appendChild') {
|
||||
return;
|
||||
}
|
||||
assert_equals(violation.effectiveDirective, 'script-src');
|
||||
assert_equals(violation.effectiveDirective, 'script-src-elem');
|
||||
t.done();
|
||||
}));
|
||||
|
||||
|
@ -65,4 +65,4 @@
|
|||
</script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
</html>
|
||||
|
|
|
@ -44,7 +44,7 @@
|
|||
if (violation.blockedURI.split('?')[1] !== 'nonWhitelisted-appendChild') {
|
||||
return;
|
||||
}
|
||||
assert_equals(violation.effectiveDirective, 'script-src');
|
||||
assert_equals(violation.effectiveDirective, 'script-src-elem');
|
||||
assert_equals(violation.originalPolicy, "script-src 'self' 'nonce-dummy'");
|
||||
t.done();
|
||||
}));
|
||||
|
@ -58,4 +58,4 @@
|
|||
</script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
</html>
|
||||
|
|
|
@ -27,7 +27,7 @@
|
|||
if (violation.blockedURI.split('?')[1] !== 'appendChild-reportOnly') {
|
||||
return;
|
||||
}
|
||||
assert_equals(violation.effectiveDirective, 'script-src');
|
||||
assert_equals(violation.effectiveDirective, 'script-src-elem');
|
||||
// Check that the violation comes from the Report-Only policy.
|
||||
assert_equals(violation.originalPolicy, "script-src 'none'");
|
||||
t.done();
|
||||
|
@ -41,4 +41,4 @@
|
|||
</script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
</html>
|
||||
|
|
|
@ -20,7 +20,7 @@
|
|||
async_test(function(t) {
|
||||
window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
|
||||
assert_false(javascriptUriScriptRan);
|
||||
assert_equals(e.effectiveDirective, 'script-src');
|
||||
assert_equals(e.effectiveDirective, 'script-src-elem');
|
||||
}));
|
||||
|
||||
document.getElementById('javascriptUri').click();
|
||||
|
|
|
@ -16,7 +16,7 @@
|
|||
<script nonce='dummy'>
|
||||
async_test(function(t) {
|
||||
window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
|
||||
assert_equals(e.effectiveDirective, 'script-src');
|
||||
assert_equals(e.effectiveDirective, 'script-src-elem');
|
||||
}));
|
||||
}, 'All the expected CSP violation reports have been fired.');
|
||||
</script>
|
||||
|
@ -26,4 +26,4 @@
|
|||
</script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
</html>
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
if (violation.blockedURI.split('?')[1] !== 'documentWrite') {
|
||||
return;
|
||||
}
|
||||
assert_equals(violation.effectiveDirective, 'script-src');
|
||||
assert_equals(violation.effectiveDirective, 'script-src-elem');
|
||||
t.done();
|
||||
}));
|
||||
|
||||
|
@ -43,7 +43,7 @@
|
|||
if (violation.blockedURI.split('?')[1] !== 'documentWriteln') {
|
||||
return;
|
||||
}
|
||||
assert_equals(violation.effectiveDirective, 'script-src');
|
||||
assert_equals(violation.effectiveDirective, 'script-src-elem');
|
||||
t.done();
|
||||
}));
|
||||
|
||||
|
@ -62,7 +62,7 @@
|
|||
if (violation.blockedURI.split('?')[1] !== 'documentWrite-deferred') {
|
||||
return;
|
||||
}
|
||||
assert_equals(violation.effectiveDirective, 'script-src');
|
||||
assert_equals(violation.effectiveDirective, 'script-src-elem');
|
||||
t.done();
|
||||
}));
|
||||
|
||||
|
@ -81,7 +81,7 @@
|
|||
if (violation.blockedURI.split('?')[1] !== 'documentWriteln-deferred') {
|
||||
return;
|
||||
}
|
||||
assert_equals(violation.effectiveDirective, 'script-src');
|
||||
assert_equals(violation.effectiveDirective, 'script-src-elem');
|
||||
t.done();
|
||||
}));
|
||||
|
||||
|
@ -100,7 +100,7 @@
|
|||
if (violation.blockedURI.split('?')[1] !== 'documentWrite-async') {
|
||||
return;
|
||||
}
|
||||
assert_equals(violation.effectiveDirective, 'script-src');
|
||||
assert_equals(violation.effectiveDirective, 'script-src-elem');
|
||||
t.done();
|
||||
}));
|
||||
|
||||
|
@ -119,7 +119,7 @@
|
|||
if (violation.blockedURI.split('?')[1] !== 'documentWriteln-async') {
|
||||
return;
|
||||
}
|
||||
assert_equals(violation.effectiveDirective, 'script-src');
|
||||
assert_equals(violation.effectiveDirective, 'script-src-elem');
|
||||
t.done();
|
||||
}));
|
||||
|
||||
|
@ -138,7 +138,7 @@
|
|||
if (violation.blockedURI.split('?')[1] !== 'documentWrite-deferred-async') {
|
||||
return;
|
||||
}
|
||||
assert_equals(violation.effectiveDirective, 'script-src');
|
||||
assert_equals(violation.effectiveDirective, 'script-src-elem');
|
||||
t.done();
|
||||
}));
|
||||
|
||||
|
@ -157,7 +157,7 @@
|
|||
if (violation.blockedURI.split('?')[1] !== 'documentWriteln-deferred-async') {
|
||||
return;
|
||||
}
|
||||
assert_equals(violation.effectiveDirective, 'script-src');
|
||||
assert_equals(violation.effectiveDirective, 'script-src-elem');
|
||||
t.done();
|
||||
}));
|
||||
|
||||
|
@ -173,7 +173,7 @@
|
|||
return;
|
||||
}
|
||||
assert_false(innerHTMLScriptRan);
|
||||
assert_equals(violation.effectiveDirective, 'script-src');
|
||||
assert_equals(violation.effectiveDirective, 'script-src-attr');
|
||||
t.done();
|
||||
}));
|
||||
|
||||
|
@ -191,7 +191,7 @@
|
|||
return;
|
||||
}
|
||||
assert_false(insertAdjacentHTMLScriptRan);
|
||||
assert_equals(violation.effectiveDirective, 'script-src');
|
||||
assert_equals(violation.effectiveDirective, 'script-src-attr');
|
||||
t.done();
|
||||
}));
|
||||
|
||||
|
@ -202,4 +202,4 @@
|
|||
</script>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
</html>
|
||||
|
|
|
@ -20,9 +20,9 @@
|
|||
<script nonce="nonceynonce">
|
||||
var t_spv = async_test("Should fire securitypolicyviolation");
|
||||
window.addEventListener('securitypolicyviolation', t_spv.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
assert_equals(e.violatedDirective, "script-src-elem");
|
||||
}));
|
||||
|
||||
|
||||
var matchingContent = 'Å';
|
||||
var nonMatchingContent = 'Å';
|
||||
|
||||
|
|
|
@ -18,9 +18,9 @@
|
|||
window.addEventListener('securitypolicyviolation', function(e) {
|
||||
alert_assert("violated-directive=" + e.violatedDirective);
|
||||
});
|
||||
|
||||
|
||||
var t_alert = async_test('Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"]');
|
||||
var expected_alerts = ["PASS (1/3)", "PASS (2/3)", "PASS (3/3)", "violated-directive=script-src", "violated-directive=script-src"];
|
||||
var expected_alerts = ["PASS (1/3)", "PASS (2/3)", "PASS (3/3)", "violated-directive=script-src-elem", "violated-directive=script-src-elem"];
|
||||
|
||||
function alert_assert(msg) {
|
||||
t_alert.step(function() {
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
<title>scriptnonce-basic-blocked</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)", "violated-directive=script-src", "violated-directive=script-src", "violated-directive=script-src"]'></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)", "violated-directive=script-src-elem", "violated-directive=script-src-elem", "violated-directive=script-src-elem"]'></script>
|
||||
<script nonce="noncynonce">
|
||||
alert_assert('PASS (closely-quoted nonce)');
|
||||
|
||||
|
|
|
@ -19,8 +19,8 @@
|
|||
});
|
||||
</script>
|
||||
<script nonce='noncynonce'>
|
||||
var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src"]');
|
||||
var expected_alerts = ["PASS (1/2)", "PASS (2/2)", "violated-directive=script-src"];
|
||||
var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src-elem"]');
|
||||
var expected_alerts = ["PASS (1/2)", "PASS (2/2)", "violated-directive=script-src-elem"];
|
||||
|
||||
function alert_assert(msg) {
|
||||
t_alert.step(function() {
|
||||
|
|
|
@ -7,25 +7,25 @@
|
|||
<title>srcdoc-doesnt-bypass-script-src</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["violated-directive=script-src"]'></script>
|
||||
<script src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem"]'></script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
|
||||
<script nonce='abc'>
|
||||
window.onmessage = function(e) {
|
||||
log(e.data);
|
||||
}
|
||||
|
||||
|
||||
var i = document.createElement('iframe');
|
||||
i.addEventListener('securitypolicyviolation', function(e) {
|
||||
log("violated-directive=" + e.violatedDirective);
|
||||
});
|
||||
|
||||
i.srcdoc = "<sc" + "ript nonce='abc'>" +
|
||||
"window.addEventListener('securitypolicyviolation', function(e) {" +
|
||||
|
||||
i.srcdoc = "<sc" + "ript nonce='abc'>" +
|
||||
"window.addEventListener('securitypolicyviolation', function(e) {" +
|
||||
"window.parent.postMessage('violated-directive=' + e.violatedDirective, '*');});" +
|
||||
"</scr" + "ipt>" +
|
||||
"</scr" + "ipt>" +
|
||||
"<scr" + "ipt>window.parent.log('FAIL')</scr" + "ipt>";
|
||||
document.body.appendChild(i);
|
||||
</script>
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Security-Policy" content="style-src-attr 'unsafe-inline';
|
||||
style-src 'none';">
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script>
|
||||
var t = async_test("Should apply the style attribute");
|
||||
window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have fired a spv event"));
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body style="background: green">
|
||||
<script>
|
||||
t.step(function() {
|
||||
assert_true(document.body.style.length > 0);
|
||||
t.done();
|
||||
});
|
||||
</script>
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -0,0 +1,27 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Security-Policy" content="style-src-attr 'none';
|
||||
style-src 'unsafe-inline';">
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script>
|
||||
var t = async_test("Should fire a security policy violation event");
|
||||
window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, 'style-src-attr');
|
||||
assert_equals(e.blockedURI, 'inline');
|
||||
}));
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body style="background: green">
|
||||
<script>
|
||||
async_test(function(test) {
|
||||
assert_equals(document.body.style.length, 0);
|
||||
test.done();
|
||||
}, "The attribute style should not be applied");
|
||||
</script>
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -0,0 +1,33 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Security-Policy" content="style-src-elem 'unsafe-inline';
|
||||
style-src-attr 'none';">
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script>
|
||||
var t = async_test("Should fire a security policy violation for the attribute");
|
||||
window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, 'style-src-attr');
|
||||
assert_equals(e.blockedURI, 'inline');
|
||||
}));
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body style="background: green">
|
||||
<style>
|
||||
body {background: blue;}
|
||||
</style>
|
||||
|
||||
<script>
|
||||
async_test(function(test) {
|
||||
assert_equals(document.body.style.length, 0);
|
||||
assert_equals(document.styleSheets.length, 1);
|
||||
test.done();
|
||||
}, "The attribute style should not be applied and the inline style should be applied");
|
||||
</script>
|
||||
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -0,0 +1,27 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Security-Policy" content="style-src-elem 'unsafe-inline';
|
||||
style-src 'none';">
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script>
|
||||
var t = async_test("Inline style should be applied");
|
||||
window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have fired a spv event"));
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<style>
|
||||
body {background: green;}
|
||||
</style>
|
||||
<script>
|
||||
t.step(function() {
|
||||
assert_equals(document.styleSheets.length, 1);
|
||||
t.done();
|
||||
});
|
||||
</script>
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -0,0 +1,33 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Security-Policy" content="style-src-elem 'none';
|
||||
script-src-attr 'unsafe-inline'">
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script>
|
||||
var t = async_test("Should fire a security policy violation for the inline block");
|
||||
window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, 'style-src-elem');
|
||||
assert_equals(e.blockedURI, 'inline');
|
||||
}));
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body style="background: green">
|
||||
<style>
|
||||
body {background: blue;}
|
||||
</style>
|
||||
|
||||
<script>
|
||||
async_test(function(test) {
|
||||
assert_true(document.body.style.length > 0);
|
||||
assert_equals(document.styleSheets.length, 0);
|
||||
test.done();
|
||||
}, "The inline style should not be applied and the attribute style should be applied");
|
||||
</script>
|
||||
|
||||
</body>
|
||||
|
||||
</html>
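Review bot: The policy in the `<meta>` tag reads `script-src-attr 'unsafe-inline'`, which looks like a typo for `style-src-attr 'unsafe-inline'`; the companion test added earlier in this commit pairs `style-src-elem` with `style-src-attr 'none'`. With the policy as written, no directive governs style attributes, so `document.body.style.length > 0` holds by default. The test therefore does not show that an explicit `style-src-attr` allowance is honoured while `style-src-elem 'none'` blocks the `<style>` block. Suggested content value: `style-src-elem 'none'; style-src-attr 'unsafe-inline'`. The file comes from the upstream web-platform-tests sync, so this is best raised upstream.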
|
|
@ -0,0 +1,30 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Security-Policy" content="style-src-elem 'none';
|
||||
style-src 'unsafe-inline';">
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script>
|
||||
var t = async_test("Should fire a security policy violation event");
|
||||
window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, 'style-src-elem');
|
||||
assert_equals(e.blockedURI, 'inline');
|
||||
}));
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<style>
|
||||
body {background: green;}
|
||||
</style>
|
||||
<script>
|
||||
async_test(function(test) {
|
||||
assert_equals(document.styleSheets.length, 0);
|
||||
test.done();
|
||||
}, "The inline style should not be applied");
|
||||
</script>
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -7,7 +7,7 @@
|
|||
<title>injected-inline-style-blocked</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["violated-directive=style-src","PASS"]'></script>
|
||||
<script src='../support/logTest.sub.js?logs=["violated-directive=style-src-elem","PASS"]'></script>
|
||||
<script src="../support/alertAssert.sub.js?alerts=[]"></script>
|
||||
</head>
|
||||
|
||||
|
@ -17,14 +17,14 @@
|
|||
log("violated-directive=" + e.violatedDirective);
|
||||
});
|
||||
</script>
|
||||
|
||||
|
||||
<div id="test1">
|
||||
PASS 1/2
|
||||
</div>
|
||||
<div id="test2">
|
||||
PASS 2/2
|
||||
</div>
|
||||
|
||||
|
||||
<script src="support/inject-style.js"></script>
|
||||
<script>
|
||||
log(document.styleSheets.length == 0 ? "PASS" : "FAIL");
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
<title>inline-style-attribute-blocked</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["violated-directive=style-src","PASS"]'></script>
|
||||
<script src='../support/logTest.sub.js?logs=["violated-directive=style-src-attr","PASS"]'></script>
|
||||
<script src="../support/alertAssert.sub.js?alerts=[]"></script>
|
||||
<script>
|
||||
window.addEventListener('securitypolicyviolation', function(e) {
|
||||
|
@ -16,7 +16,7 @@
|
|||
</script>
|
||||
</head>
|
||||
<body style="background-color: blue;">
|
||||
|
||||
|
||||
<script>
|
||||
log(document.body.style.length > 0 ? 'FAIL' : 'PASS');
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
var t_spv = async_test("Should fire a securitypolicyviolation event");
|
||||
|
||||
document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals("style-src", e.violatedDirective);
|
||||
assert_equals("style-src-elem", e.violatedDirective);
|
||||
}));
|
||||
</script>
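Review bot: The new assertion `assert_equals("style-src-elem", e.violatedDirective)` passes the expected literal first, but testharness.js takes `assert_equals(actual, expected)`, so a failure message would report the two values swapped. Writing it as `assert_equals(e.violatedDirective, "style-src-elem");` matches the order used by the other updated tests on this page, such as the `script-src-elem` checks. The same reversed order is kept in the following hunks that change `"style-src"` to `"style-src-elem"` or `"style-src-attr"` inside a `document.addEventListener("securitypolicyviolation", ...)` handler. The enclosing script starts outside this hunk.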
|
||||
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
var t_spv = async_test("Should fire a securitypolicyviolation event");
|
||||
|
||||
document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals("style-src", e.violatedDirective);
|
||||
assert_equals("style-src-elem", e.violatedDirective);
|
||||
}));
|
||||
|
||||
var l = document.createElement("link");
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
var t_spv = async_test("Should fire a securitypolicyviolation event");
|
||||
|
||||
document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals("style-src", e.violatedDirective);
|
||||
assert_equals("style-src-elem", e.violatedDirective);
|
||||
}));
|
||||
</script>
|
||||
</head>
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
var t_spv = async_test("Should fire a securitypolicyviolation event");
|
||||
|
||||
document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals("style-src", e.violatedDirective);
|
||||
assert_equals("style-src-elem", e.violatedDirective);
|
||||
}));
|
||||
</script>
|
||||
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
var t_spv = async_test("Should fire a securitypolicyviolation event");
|
||||
|
||||
document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals("style-src", e.violatedDirective);
|
||||
assert_equals("style-src-attr", e.violatedDirective);
|
||||
}));
|
||||
onload = t.step_func_done(function(e) {
|
||||
var contentEl = document.getElementById("content");
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
var t_spv = async_test("Should fire a securitypolicyviolation event");
|
||||
|
||||
document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals("style-src", e.violatedDirective);
|
||||
assert_equals("style-src-elem", e.violatedDirective);
|
||||
}));
|
||||
</script>
|
||||
<style>
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
var t_spv = async_test("Should fire a securitypolicyviolation event");
|
||||
|
||||
document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals("style-src", e.violatedDirective);
|
||||
assert_equals("style-src-elem", e.violatedDirective);
|
||||
}));
|
||||
</script>
|
||||
<style id="style1" nonce="not-nonceynonce"
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
var t_spv = async_test("Should fire a securitypolicyviolation event");
|
||||
|
||||
document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals("style-src", e.violatedDirective);
|
||||
assert_equals("style-src-elem", e.violatedDirective);
|
||||
}));
|
||||
</script>
|
||||
<style nonce="not-nonceynonce">
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
var t_spv = async_test("Should fire a securitypolicyviolation event");
|
||||
|
||||
document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals("style-src", e.violatedDirective);
|
||||
assert_equals("style-src-elem", e.violatedDirective);
|
||||
}));
|
||||
</script>
|
||||
<link href="/content-security-policy/style-src/resources/style-src.css" rel=stylesheet type=text/css>
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
var t_spv = async_test("Should fire a securitypolicyviolation event");
|
||||
|
||||
document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals("style-src", e.violatedDirective);
|
||||
assert_equals("style-src-elem", e.violatedDirective);
|
||||
}));
|
||||
</script>
|
||||
<link nonce="not-nonceynonce" href="/content-security-policy/style-src/resources/style-src.css?pipe=sub" rel=stylesheet type=text/css>
|
||||
|
|
|
@ -12,9 +12,9 @@
|
|||
window.addEventListener('securitypolicyviolation', function(e) {
|
||||
alert_assert("violated-directive=" + e.violatedDirective);
|
||||
});
|
||||
|
||||
var t_alert = async_test('Expecting alerts: ["PASS: The \'p\' element\'s text is green, which means the style was correctly applied.", "violated-directive=style-src"]');
|
||||
var expected_alerts = ["PASS: The 'p' element's text is green, which means the style was correctly applied.", "violated-directive=style-src"];
|
||||
|
||||
var t_alert = async_test('Expecting alerts: ["PASS: The \'p\' element\'s text is green, which means the style was correctly applied.", "violated-directive=style-src-elem"]');
|
||||
var expected_alerts = ["PASS: The 'p' element's text is green, which means the style was correctly applied.", "violated-directive=style-src-elem"];
|
||||
|
||||
function alert_assert(msg) {
|
||||
t_alert.step(function() {
|
||||
|
|
|
@ -12,11 +12,11 @@
|
|||
<script>
|
||||
var t_spv = async_test("Should fire securitypolicyviolation");
|
||||
window.addEventListener('securitypolicyviolation', t_spv.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, "style-src");
|
||||
assert_equals(e.violatedDirective, "style-src-elem");
|
||||
}));
|
||||
|
||||
|
||||
</script>
|
||||
|
||||
|
||||
<style nonce="noncynonce">
|
||||
#test1 {
|
||||
color: green;
|
||||
|
|
|
@ -13,8 +13,8 @@
|
|||
<script>
|
||||
var t_spv = async_test("Should fire securitypolicyviolation");
|
||||
window.addEventListener('securitypolicyviolation', t_spv.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, "style-src");
|
||||
}));
|
||||
assert_equals(e.violatedDirective, "style-src-elem");
|
||||
}));
|
||||
</script>
|
||||
<style nonce="noncynonce">
|
||||
#test {
|
||||
|
|
|
@ -8,10 +8,10 @@
|
|||
<script>
|
||||
var t_spv = async_test("Should fire violation event");
|
||||
window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
}));
|
||||
assert_equals(e.violatedDirective, "script-src-elem");
|
||||
}));
|
||||
</script>
|
||||
|
||||
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
@ -20,7 +20,7 @@
|
|||
not redirect to a different resource.</p>
|
||||
<div id="log"></div>
|
||||
<?xml version="1.0" standalone="no"?>
|
||||
|
||||
|
||||
<svg width="6cm" height="5cm" viewBox="0 0 600 500"
|
||||
xmlns="http://www.w3.org/2000/svg" version="1.1">
|
||||
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
var t1 = async_test("Test that the javascript: src is not allowed to run");
|
||||
|
||||
window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, 'script-src');
|
||||
assert_equals(e.violatedDirective, 'script-src-elem');
|
||||
assert_equals(e.blockedURI, 'inline');
|
||||
}));
|
||||
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
var t1 = async_test("Test that the javascript: src is not allowed to run");
|
||||
|
||||
window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, 'script-src');
|
||||
assert_equals(e.violatedDirective, 'script-src-elem');
|
||||
assert_equals(e.blockedURI, 'inline');
|
||||
}));
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
window.onmessage = t1.unreached_func("Should have not received any message");
|
||||
|
||||
window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, 'script-src');
|
||||
assert_equals(e.violatedDirective, 'script-src-elem');
|
||||
assert_equals(e.blockedURI, 'inline');
|
||||
}));
|
||||
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
var t1 = async_test("Test that the javascript: src is not allowed to run");
|
||||
|
||||
window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, 'script-src');
|
||||
assert_equals(e.violatedDirective, 'script-src-elem');
|
||||
assert_equals(e.blockedURI, 'inline');
|
||||
}));
|
||||
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
var t1 = async_test("Test that the javascript: src is not allowed to run");
|
||||
|
||||
window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, 'script-src');
|
||||
assert_equals(e.violatedDirective, 'script-src-elem');
|
||||
assert_equals(e.blockedURI, 'inline');
|
||||
}));
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
window.onmessage = t1.unreached_func("Should have not received any message");
|
||||
|
||||
window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, 'script-src');
|
||||
assert_equals(e.violatedDirective, 'script-src-elem');
|
||||
assert_equals(e.blockedURI, 'inline');
|
||||
}));
|
||||
|
||||
|
|
|
@ -6,16 +6,16 @@
|
|||
<title>Event handlers should not be allowed if a matching hash is present without 'unsafe-hashes'</title>
|
||||
<script src='/resources/testharness.js' nonce='abc'></script>
|
||||
<script src='/resources/testharnessreport.js' nonce='abc'></script>
|
||||
|
||||
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<div id='log'></div>
|
||||
<script nonce='abc'>
|
||||
var t1 = async_test("Test that the inline event handler is not allowed to run");
|
||||
|
||||
|
||||
window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, 'script-src');
|
||||
assert_equals(e.violatedDirective, 'script-src-attr');
|
||||
assert_equals(e.blockedURI, 'inline');
|
||||
}));
|
||||
</script>
|
||||
|
|
|
@ -12,9 +12,9 @@
|
|||
<div id='log'></div>
|
||||
<script nonce='abc'>
|
||||
var t1 = async_test("Test that the inline event handler is not allowed to run");
|
||||
|
||||
|
||||
window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, 'script-src');
|
||||
assert_equals(e.violatedDirective, 'script-src-attr');
|
||||
assert_equals(e.blockedURI, 'inline');
|
||||
}));
|
||||
</script>
|
||||
|
|
|
@ -16,9 +16,9 @@
|
|||
<div id='log'></div>
|
||||
<script>
|
||||
var t1 = async_test("Test that the inline style attribute is blocked");
|
||||
|
||||
|
||||
window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, 'style-src');
|
||||
assert_equals(e.violatedDirective, 'style-src-attr');
|
||||
assert_equals(e.blockedURI, 'inline');
|
||||
}));
|
||||
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
var t1 = async_test("Test that the inline style attribute is blocked");
|
||||
|
||||
window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, 'style-src');
|
||||
assert_equals(e.violatedDirective, 'style-src-attr');
|
||||
assert_equals(e.blockedURI, 'inline');
|
||||
}));
|
||||
|
||||
|
|