Check CSP for inline event handlers (#36510)
This also ensures that the document now reports all violations and that we set the correct directive. With these changes, all `script-src-attr-elem` WPT tests pass. Part of #36437 Requires servo/rust-content-security-policy#3 to land first Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
This commit is contained in:
parent
70b3e24816
commit
2a81987590
64 changed files with 58 additions and 569 deletions
|
@ -4017,13 +4017,18 @@ impl Document {
|
|||
.get_attribute(&ns!(), &local_name!("nonce"))
|
||||
.map(|attr| Cow::Owned(attr.value().to_string())),
|
||||
};
|
||||
// TODO: Instead of ignoring violations, report them.
|
||||
self.get_csp_list()
|
||||
.map(|c| {
|
||||
c.should_elements_inline_type_behavior_be_blocked(&element, type_, source)
|
||||
.0
|
||||
})
|
||||
.unwrap_or(csp::CheckResult::Allowed)
|
||||
let (result, violations) = match self.get_csp_list() {
|
||||
None => {
|
||||
return csp::CheckResult::Allowed;
|
||||
},
|
||||
Some(csp_list) => {
|
||||
csp_list.should_elements_inline_type_behavior_be_blocked(&element, type_, source)
|
||||
},
|
||||
};
|
||||
|
||||
self.global().report_csp_violations(violations);
|
||||
|
||||
result
|
||||
}
|
||||
|
||||
/// Prevent any JS or layout from running until the corresponding call to
|
||||
|
|
|
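Review bot: The `None` arm of the new match at `let (result, violations) = match self.get_csp_list()` exists only to return early, which reads more directly as a guard clause: `let Some(csp_list) = self.get_csp_list() else { return csp::CheckResult::Allowed; };` followed by `let (result, violations) = csp_list.should_elements_inline_type_behavior_be_blocked(&element, type_, source);`. Calling `report_csp_violations` before returning `result` is the right order, and a one-line comment would make the intent explicit, e.g. `// Report every violation first; the check result alone decides whether the behavior is blocked.` The function's signature and the `element`/`type_`/`source` bindings are above the hunk.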
@ -11,6 +11,7 @@ use std::mem;
|
|||
use std::ops::{Deref, DerefMut};
|
||||
use std::rc::Rc;
|
||||
|
||||
use content_security_policy as csp;
|
||||
use deny_public_fields::DenyPublicFields;
|
||||
use dom_struct::dom_struct;
|
||||
use fnv::FnvHasher;
|
||||
|
@ -551,9 +552,25 @@ impl EventTarget {
|
|||
url: ServoUrl,
|
||||
line: usize,
|
||||
ty: &str,
|
||||
source: DOMString,
|
||||
source: &str,
|
||||
) {
|
||||
let handler = InternalRawUncompiledHandler { source, line, url };
|
||||
if let Some(element) = self.downcast::<Element>() {
|
||||
let doc = element.owner_document();
|
||||
if doc.should_elements_inline_type_behavior_be_blocked(
|
||||
element.upcast(),
|
||||
csp::InlineCheckType::ScriptAttribute,
|
||||
source,
|
||||
) == csp::CheckResult::Blocked
|
||||
{
|
||||
return;
|
||||
}
|
||||
};
|
||||
|
||||
let handler = InternalRawUncompiledHandler {
|
||||
source: DOMString::from(source),
|
||||
line,
|
||||
url,
|
||||
};
|
||||
self.set_inline_event_listener(
|
||||
Atom::from(ty),
|
||||
Some(InlineEventListener::Uncompiled(handler)),
|
||||
|
|
|
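Review bot: The CSP check at `if let Some(element) = self.downcast::<Element>()` only runs when the event target is itself an Element, so handlers forwarded to the Window — as `htmlbodyelement.rs` does in this same commit with `window.upcast::<EventTarget>()` for `onload`/`onresize`/`onunload`/`onerror` — skip the `script-src-attr` check entirely unless that path is covered elsewhere, which this diff does not show. The check needs the originating element (the body element in that case) rather than the target, so consider having callers pass it in (for instance an `Option<&Element>` parameter) or having the body/frameset path call `should_elements_inline_type_behavior_be_blocked` itself before `set_event_handler_uncompiled`. Minor: the `};` closing the `if let` block is a stray semicolon; `}` suffices. The function's signature starts above the hunk.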
@ -3450,12 +3450,15 @@ impl GlobalScope {
|
|||
|
||||
pub(crate) fn report_csp_violations(&self, violations: Vec<Violation>) {
|
||||
for violation in violations {
|
||||
let sample = match violation.resource {
|
||||
ViolationResource::Inline { .. } | ViolationResource::Url(_) => None,
|
||||
ViolationResource::TrustedTypePolicy { sample } => Some(sample),
|
||||
let (sample, resource) = match violation.resource {
|
||||
ViolationResource::Inline { .. } => (None, "inline".to_owned()),
|
||||
ViolationResource::Url(url) => (None, url.into()),
|
||||
ViolationResource::TrustedTypePolicy { sample } => {
|
||||
(Some(sample), "trusted-types-policy".to_owned())
|
||||
},
|
||||
};
|
||||
let report = CSPViolationReportBuilder::default()
|
||||
.resource("eval".to_owned())
|
||||
.resource(resource)
|
||||
.sample(sample)
|
||||
.effective_directive(violation.directive.name)
|
||||
.build(self);
|
||||
|
|
|
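Review bot: `ViolationResource::Url(url) => (None, url.into())` places the URL into the report's blocked-uri as-is; CSP expects the blocked URL to be stripped for reports (fragment removed, credentials cleared, non-HTTP(S) schemes reduced to the bare scheme) so that fragments or embedded credentials do not reach report endpoints or `securitypolicyviolation` listeners. If the `csp` crate already performs that stripping before it yields `Url`, a comment on this arm saying so would save the next reader from re-checking; otherwise the stripping belongs here. Also, `ViolationResource::Inline { .. }` discards whatever that variant carries and always reports `sample: None`, so if it holds a sample, `'report-sample'` for inline violations would need it surfaced — worth confirming against the crate. The rest of `report_csp_violations` continues below the hunk.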
@ -201,13 +201,14 @@ impl VirtualMethods for HTMLBodyElement {
|
|||
&local_name!("onresize") |
|
||||
&local_name!("onunload") |
|
||||
&local_name!("onerror") => {
|
||||
let source = &**attr.value();
|
||||
let evtarget = window.upcast::<EventTarget>(); // forwarded event
|
||||
let source_line = 1; //TODO(#9604) obtain current JS execution line
|
||||
evtarget.set_event_handler_uncompiled(
|
||||
window.get_url(),
|
||||
source_line,
|
||||
&name[2..],
|
||||
DOMString::from((**attr.value()).to_owned()),
|
||||
source,
|
||||
);
|
||||
false
|
||||
},
|
||||
|
|
|
@ -1084,14 +1084,14 @@ impl VirtualMethods for HTMLElement {
|
|||
let element = self.as_element();
|
||||
match (attr.local_name(), mutation) {
|
||||
(name, AttributeMutation::Set(_)) if name.starts_with("on") => {
|
||||
let source = &**attr.value();
|
||||
let evtarget = self.upcast::<EventTarget>();
|
||||
let source_line = 1; //TODO(#9604) get current JS execution line
|
||||
evtarget.set_event_handler_uncompiled(
|
||||
self.owner_window().get_url(),
|
||||
source_line,
|
||||
&name[2..],
|
||||
// FIXME(ajeffrey): Convert directly from AttrValue to DOMString
|
||||
DOMString::from(&**attr.value()),
|
||||
source,
|
||||
);
|
||||
},
|
||||
(&local_name!("form"), mutation) if self.is_form_associated_custom_element() => {
|
||||
|
|
2
tests/wpt/include.ini
|
@ -13,6 +13,8 @@ skip: true
|
|||
skip: true
|
||||
[content-security-policy]
|
||||
skip: false
|
||||
[embedded-enforcement]
|
||||
skip: true
|
||||
[cors]
|
||||
skip: false
|
||||
[css]
|
||||
|
|
|
@ -1,6 +1,3 @@
|
|||
[report-uri-does-not-respect-base-uri.sub.html]
|
||||
[Event is fired]
|
||||
expected: FAIL
|
||||
|
||||
[Violation report status OK.]
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
[default-src-inline-blocked.sub.html]
|
||||
[Expecting logs: ["violated-directive=script-src-elem","violated-directive=script-src-elem"\]]
|
||||
expected: FAIL
|
|
@ -1,4 +0,0 @@
|
|||
[default-src-strict_dynamic_and_unsafe_inline.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire a security policy violation for the inline block]
|
||||
expected: NOTRUN
|
|
@ -1,25 +0,0 @@
|
|||
[allow_csp_from-header.html]
|
||||
expected: TIMEOUT
|
||||
[Same origin iframes with an empty Allow-CSP-From header get blocked.]
|
||||
expected: FAIL
|
||||
|
||||
[Same origin iframes without Allow-CSP-From header gets blocked.]
|
||||
expected: FAIL
|
||||
|
||||
[Same origin iframes are blocked if Allow-CSP-From does not match origin.]
|
||||
expected: FAIL
|
||||
|
||||
[Cross origin iframe with an empty Allow-CSP-From header gets blocked.]
|
||||
expected: FAIL
|
||||
|
||||
[Cross origin iframe without Allow-CSP-From header gets blocked.]
|
||||
expected: FAIL
|
||||
|
||||
[Iframe with improper Allow-CSP-From header gets blocked.]
|
||||
expected: FAIL
|
||||
|
||||
[Star Allow-CSP-From header enforces EmbeddingCSP.]
|
||||
expected: TIMEOUT
|
||||
|
||||
[Allow-CSP-From header enforces EmbeddingCSP.]
|
||||
expected: TIMEOUT
|
|
@ -1,6 +0,0 @@
|
|||
[blocked-iframe-are-cross-origin.html]
|
||||
[Document blocked by embedded enforcement and its parent are cross-origin]
|
||||
expected: FAIL
|
||||
|
||||
[Two same-origin iframes must appear as cross-origin when one is blocked]
|
||||
expected: FAIL
|
|
@ -1,6 +0,0 @@
|
|||
[change-csp-attribute-and-history-navigation.html]
|
||||
[Iframe csp attribute changed before history navigation of local scheme.]
|
||||
expected: FAIL
|
||||
|
||||
[Iframe csp attribute changed before history navigation of network scheme.]
|
||||
expected: FAIL
|
|
@ -1,6 +0,0 @@
|
|||
[idlharness.window.html]
|
||||
[HTMLIFrameElement interface: attribute csp]
|
||||
expected: FAIL
|
||||
|
||||
[HTMLIFrameElement interface: document.createElement("iframe") must inherit property "csp" with the proper type]
|
||||
expected: FAIL
|
|
@ -1,12 +0,0 @@
|
|||
[iframe-csp-attribute.html]
|
||||
[<iframe> has a 'csp' attibute which is an empty string if undefined.]
|
||||
expected: FAIL
|
||||
|
||||
[<iframe>'s csp attribute is always a string.]
|
||||
expected: FAIL
|
||||
|
||||
[<iframe>'s 'csp content attribute reflects the IDL attribute.]
|
||||
expected: FAIL
|
||||
|
||||
[<iframe>'s IDL attribute reflects the DOM attribute.]
|
||||
expected: FAIL
|
|
@ -1,27 +0,0 @@
|
|||
[required-csp-header-cascade.html]
|
||||
[Test same origin: Test same policy for both iframes]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Test more restrictive policy on second iframe]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Test less restrictive policy on second iframe]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Test no policy on second iframe]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Test no policy on first iframe]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Test invalid policy on first iframe (bad directive name)]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Test invalid policy on first iframe (report directive)]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Test invalid policy on second iframe (bad directive name)]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Test invalid policy on second iframe (report directive)]
|
||||
expected: FAIL
|
|
@ -1,141 +0,0 @@
|
|||
[required_csp-header.html]
|
||||
[Test Required-CSP value on `csp` change: Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>.]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin redirect: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin redirect: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none']
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none']
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none']
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none']
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none']
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - comma separated]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - invalid characters in directive names]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - invalid character in directive name]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri present]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - report-to present]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Sec-Required-CSP is not sent if `csp` attribute is longer than 4096 bytes]
|
||||
expected: FAIL
|
|
@ -1,21 +0,0 @@
|
|||
[subsumption_algorithm-general.html]
|
||||
[Iframe with empty returned CSP should be blocked.]
|
||||
expected: FAIL
|
||||
|
||||
[Iframe with less restricting CSP should be blocked.]
|
||||
expected: FAIL
|
||||
|
||||
[Iframe with a different CSP should be blocked.]
|
||||
expected: FAIL
|
||||
|
||||
[Host wildcard *.a.com does not match a.com]
|
||||
expected: FAIL
|
||||
|
||||
[Iframe should block if intersection allows sources which are not in required_csp.]
|
||||
expected: FAIL
|
||||
|
||||
[Iframe should block if intersection allows sources which are not in required_csp (other ordering).]
|
||||
expected: FAIL
|
||||
|
||||
[Removed plugin-types directive should be ignored 3.]
|
||||
expected: FAIL
|
|
@ -1,18 +0,0 @@
|
|||
[subsumption_algorithm-hashes.html]
|
||||
[Returned should not include hashes not present in required csp.]
|
||||
expected: FAIL
|
||||
|
||||
[Hashes do not have to be present in returned csp but must not allow all inline behavior.]
|
||||
expected: FAIL
|
||||
|
||||
[Other expressions have to be subsumed.]
|
||||
expected: FAIL
|
||||
|
||||
[Required csp must allow 'sha256-abc123'.]
|
||||
expected: FAIL
|
||||
|
||||
[Effective policy is properly found where 'sha256-abc123' is not subsumed.]
|
||||
expected: FAIL
|
||||
|
||||
['sha256-abc123' is not subsumed by 'sha256-abc456'.]
|
||||
expected: FAIL
|
|
@ -1,12 +0,0 @@
|
|||
[subsumption_algorithm-host_sources-hosts.html]
|
||||
[Host must match.]
|
||||
expected: FAIL
|
||||
|
||||
[Hosts without wildcards must match.]
|
||||
expected: FAIL
|
||||
|
||||
[More specific subdomain should not match.]
|
||||
expected: FAIL
|
||||
|
||||
[Specified host should not match a wildcard host.]
|
||||
expected: FAIL
|
|
@ -1,9 +0,0 @@
|
|||
[subsumption_algorithm-host_sources-paths.html]
|
||||
[Returned CSP must specify a path.]
|
||||
expected: FAIL
|
||||
|
||||
[Empty path is not subsumed by specified paths.]
|
||||
expected: FAIL
|
||||
|
||||
[That should not be true when required csp specifies a specific page.]
|
||||
expected: FAIL
|
|
@ -1,12 +0,0 @@
|
|||
[subsumption_algorithm-host_sources-ports.html]
|
||||
[Specified ports must match.]
|
||||
expected: FAIL
|
||||
|
||||
[Returned CSP should be subsumed if the port is specified but is not default for a more secure scheme.]
|
||||
expected: FAIL
|
||||
|
||||
[Wildcard port should not be subsumed by a default port.]
|
||||
expected: FAIL
|
||||
|
||||
[Wildcard port should not be subsumed by a spcified port.]
|
||||
expected: FAIL
|
|
@ -1,12 +0,0 @@
|
|||
[subsumption_algorithm-host_sources-protocols.html]
|
||||
[`https` is more restrictive than `http`.]
|
||||
expected: FAIL
|
||||
|
||||
[`http:` does not subsume other protocols.]
|
||||
expected: FAIL
|
||||
|
||||
[If scheme source is present in returned csp, it must be specified in required csp too.]
|
||||
expected: FAIL
|
||||
|
||||
[All scheme sources must be subsumed.]
|
||||
expected: FAIL
|
|
@ -1,9 +0,0 @@
|
|||
[subsumption_algorithm-nonces.html]
|
||||
[A nonce has to be returned if required by the embedder.]
|
||||
expected: FAIL
|
||||
|
||||
[Nonce intersection is still done on exact match - matching nonces.]
|
||||
expected: FAIL
|
||||
|
||||
[Other expressions still have to be subsumed - negative test]
|
||||
expected: FAIL
|
|
@ -1,21 +0,0 @@
|
|||
[subsumption_algorithm-none.html]
|
||||
[Required policy that allows `none` does not subsume empty list of policies.]
|
||||
expected: FAIL
|
||||
|
||||
[Required csp with effective `none` does not subsume a host source expression.]
|
||||
expected: FAIL
|
||||
|
||||
[Required csp with `none` does not subsume a host source expression.]
|
||||
expected: FAIL
|
||||
|
||||
[Required csp with effective `none` does not subsume `none` of another directive.]
|
||||
expected: FAIL
|
||||
|
||||
[Required csp with `none` does not subsume `none` of another directive.]
|
||||
expected: FAIL
|
||||
|
||||
[Required csp with `none` does not subsume `none` of different directives.]
|
||||
expected: FAIL
|
||||
|
||||
[Both required and returned csp are `none` for only one directive.]
|
||||
expected: FAIL
|
|
@ -1,6 +0,0 @@
|
|||
[subsumption_algorithm-self.html]
|
||||
[Returned CSP must not allow 'self' if required CSP does not.]
|
||||
expected: FAIL
|
||||
|
||||
[Returned 'self' should not be subsumed by a more secure version of origin's url.]
|
||||
expected: FAIL
|
|
@ -1,45 +0,0 @@
|
|||
[subsumption_algorithm-source_list-wildcards.html]
|
||||
[Wildcard does not subsume empty list.]
|
||||
expected: FAIL
|
||||
|
||||
[Empty source list does not subsume a wildcard source list.]
|
||||
expected: FAIL
|
||||
|
||||
['none' does not subsume a wildcard source list.]
|
||||
expected: FAIL
|
||||
|
||||
[Wildcard source list does not subsume `data:` scheme source expression.]
|
||||
expected: FAIL
|
||||
|
||||
[Wildcard source list does not subsume `blob:` scheme source expression.]
|
||||
expected: FAIL
|
||||
|
||||
[Source expressions do not subsume effective nonce expressions.]
|
||||
expected: FAIL
|
||||
|
||||
[Wildcard source list is not subsumed by a host expression.]
|
||||
expected: FAIL
|
||||
|
||||
[Wildcard list with keywords is not subsumed by a wildcard list.]
|
||||
expected: FAIL
|
||||
|
||||
[Wildcard list with 'unsafe-hashes' is not subsumed by a wildcard list.]
|
||||
expected: FAIL
|
||||
|
||||
[Wildcard list with 'unsafe-inline' is not subsumed by a wildcard list.]
|
||||
expected: FAIL
|
||||
|
||||
[Wildcard list with 'unsafe-eval' is not subsumed by a wildcard list.]
|
||||
expected: FAIL
|
||||
|
||||
[Wildcard list with 'unsafe-eval' is not subsumed by list with a single expression.]
|
||||
expected: FAIL
|
||||
|
||||
[The same as above but for 'unsafe-inline'.]
|
||||
expected: FAIL
|
||||
|
||||
[`data:` is not subsumed by a wildcard list.]
|
||||
expected: FAIL
|
||||
|
||||
[`blob:` is not subsumed by a wildcard list.]
|
||||
expected: FAIL
|
|
@ -1,9 +0,0 @@
|
|||
[subsumption_algorithm-strict_dynamic.html]
|
||||
['strict-dynamic' is effective only for `script-src`.]
|
||||
expected: FAIL
|
||||
|
||||
['strict-dynamic' is properly handled for finding effective policy.]
|
||||
expected: FAIL
|
||||
|
||||
['strict-dynamic' has to be allowed by required csp if it is present in returned csp.]
|
||||
expected: FAIL
|
|
@ -1,12 +0,0 @@
|
|||
[subsumption_algorithm-unsafe_eval.html]
|
||||
[No other keyword has the same effect as 'unsafe-eval'.]
|
||||
expected: FAIL
|
||||
|
||||
[Other expressions have to be subsumed.]
|
||||
expected: FAIL
|
||||
|
||||
[Required csp must allow 'unsafe-eval'.]
|
||||
expected: FAIL
|
||||
|
||||
[Effective policy is properly found where 'unsafe-eval' is not subsumed.]
|
||||
expected: FAIL
|
|
@ -1,12 +0,0 @@
|
|||
[subsumption_algorithm-unsafe_hashes.html]
|
||||
[No other keyword has the same effect as 'unsafe-hashes'.]
|
||||
expected: FAIL
|
||||
|
||||
[Other expressions have to be subsumed.]
|
||||
expected: FAIL
|
||||
|
||||
[Required csp must allow 'unsafe-hashes'.]
|
||||
expected: FAIL
|
||||
|
||||
[Effective policy is properly found where 'unsafe-hashes' is not subsumed.]
|
||||
expected: FAIL
|
|
@ -1,18 +0,0 @@
|
|||
[subsumption_algorithm-unsafe_inline.html?9-last]
|
||||
[Required csp allows `strict-dynamic`, but retuned csp does.]
|
||||
expected: FAIL
|
||||
|
||||
[Required csp does not allow `unsafe-inline`, but retuned csp does.]
|
||||
expected: FAIL
|
||||
|
||||
[Returned csp allows a nonce.]
|
||||
expected: FAIL
|
||||
|
||||
[Returned csp allows a hash.]
|
||||
expected: FAIL
|
||||
|
||||
[Effective returned csp allows 'unsafe-inline']
|
||||
expected: FAIL
|
||||
|
||||
|
||||
[subsumption_algorithm-unsafe_inline.html?1-8]
|
|
@ -0,0 +1,3 @@
|
|||
[frame-ancestors-path-ignored.window.html]
|
||||
[A 'frame-ancestors' CSP directive with a URL that includes a path should be ignored.]
|
||||
expected: FAIL
|
|
@ -1,3 +1,4 @@
|
|||
[frame-src-cross-origin-same-document-navigation.window.html]
|
||||
expected: OK
|
||||
[frame-src-cross-origin-same-document-navigation]
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
[304-response-should-update-csp.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Test that the first frame does not use nonce def]
|
||||
expected: NOTRUN
|
||||
expected: FAIL
|
||||
|
||||
[Test that the second frame does not use nonce abc]
|
||||
expected: NOTRUN
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
[directive-name-case-insensitive.sub.html]
|
||||
[Test that the www2 image throws a violation event]
|
||||
expected: FAIL
|
|
@ -1,3 +1,4 @@
|
|||
[media-src-7_1_2.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Test that securitypolicyviolation events are fired]
|
||||
expected: FAIL
|
||||
expected: TIMEOUT
|
||||
|
|
|
@ -2,6 +2,3 @@
|
|||
expected: TIMEOUT
|
||||
[Disallowed audio source element]
|
||||
expected: NOTRUN
|
||||
|
||||
[Test that securitypolicyviolation events are fired]
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,8 +1,5 @@
|
|||
[media-src-blocked.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Disallowed async video src]
|
||||
expected: FAIL
|
||||
|
||||
[Disallowed async video source element]
|
||||
expected: TIMEOUT
|
||||
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
[invalid-directive.html]
|
||||
expected: TIMEOUT
|
||||
[Even if an unknown directive is specified, img-src is honored.]
|
||||
expected: TIMEOUT
|
|
@ -1,7 +1,4 @@
|
|||
[report-to-directive-allowed-in-meta.https.sub.html]
|
||||
[Event is fired]
|
||||
expected: FAIL
|
||||
|
||||
[Report is observable to ReportingObserver]
|
||||
expected: FAIL
|
||||
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
[reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html]
|
||||
[Event is fired]
|
||||
expected: FAIL
|
|
@ -1,3 +0,0 @@
|
|||
[reporting-api-report-to-overrides-report-uri-1.https.sub.html]
|
||||
[Event is fired]
|
||||
expected: FAIL
|
|
@ -1,3 +0,0 @@
|
|||
[reporting-api-report-to-overrides-report-uri-2.https.sub.html]
|
||||
[Event is fired]
|
||||
expected: FAIL
|
|
@ -1,7 +1,4 @@
|
|||
[reporting-api-sends-reports-on-violation.https.sub.html]
|
||||
[Event is fired]
|
||||
expected: FAIL
|
||||
|
||||
[Report is observable to ReportingObserver]
|
||||
expected: FAIL
|
||||
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
[script-src-attr-blocked-src-allowed.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire a security policy violation event]
|
||||
expected: NOTRUN
|
|
@ -1,4 +0,0 @@
|
|||
[script-src-elem-allowed-attr-blocked.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire a security policy violation for the attribute]
|
||||
expected: NOTRUN
|
|
@ -1,4 +0,0 @@
|
|||
[script-src-elem-blocked-attr-allowed.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire a security policy violation for the attribute]
|
||||
expected: NOTRUN
|
|
@ -1,4 +0,0 @@
|
|||
[script-src-elem-blocked-src-allowed.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire a spv event]
|
||||
expected: NOTRUN
|
|
@ -1,3 +0,0 @@
|
|||
[strict-dynamic-elem-blocked-src-allowed.sub.html]
|
||||
[Should fire a security policy violation event]
|
||||
expected: FAIL
|
|
@ -1,3 +0,0 @@
|
|||
[injected-inline-script-blocked.sub.html]
|
||||
[Expecting logs: ["violated-directive=script-src-elem","blocked-uri=inline"\]]
|
||||
expected: FAIL
|
|
@ -1,7 +0,0 @@
|
|||
[script-src-1_1.html]
|
||||
expected: TIMEOUT
|
||||
[Inline event handler]
|
||||
expected: FAIL
|
||||
|
||||
[Should fire policy violation events]
|
||||
expected: NOTRUN
|
|
@ -1,7 +0,0 @@
|
|||
[script-src-1_2.html]
|
||||
expected: TIMEOUT
|
||||
[Inline event handler]
|
||||
expected: FAIL
|
||||
|
||||
[Should fire policy violation events]
|
||||
expected: NOTRUN
|
|
@ -1,4 +0,0 @@
|
|||
[script-src-1_2_1.html]
|
||||
expected: TIMEOUT
|
||||
[Test that securitypolicyviolation event is fired]
|
||||
expected: NOTRUN
|
|
@ -1,4 +1,3 @@
|
|||
[script-src-strict_dynamic_double_policy_different_nonce.html]
|
||||
expected: TIMEOUT
|
||||
[Unnonced script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce-only double policy.]
|
||||
expected: TIMEOUT
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
[script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Non-allowed script injected via `appendChild` is not permitted with `strict-dynamic` + a nonce+allowed double policy.]
|
||||
expected: TIMEOUT
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
[script-src-strict_dynamic_meta_tag.html]
|
||||
expected: TIMEOUT
|
||||
expected: ERROR
|
||||
[Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`.]
|
||||
expected: TIMEOUT
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
[script-src-strict_dynamic_non_parser_inserted.html]
|
||||
expected: TIMEOUT
|
||||
expected: ERROR
|
||||
[Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`.]
|
||||
expected: TIMEOUT
|
||||
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
[script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html]
|
||||
expected: TIMEOUT
|
||||
[All the expected CSP violation reports have been fired.]
|
||||
expected: TIMEOUT
|
|
@ -1,4 +0,0 @@
|
|||
[scripthash-unicode-normalization.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire securitypolicyviolation]
|
||||
expected: NOTRUN
|
|
@ -1,4 +0,0 @@
|
|||
[scriptnonce-and-scripthash.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"\]]
|
||||
expected: TIMEOUT
|
|
@ -1,4 +0,0 @@
|
|||
[scriptnonce-ignore-unsafeinline.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src-elem"\]]
|
||||
expected: TIMEOUT
|
|
@ -1,5 +1,5 @@
|
|||
[script-sample-no-opt-in.html]
|
||||
expected: ERROR
|
||||
expected: TIMEOUT
|
||||
[Inline script should not have a sample.]
|
||||
expected: TIMEOUT
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
[script-sample.html]
|
||||
expected: ERROR
|
||||
expected: TIMEOUT
|
||||
[Inline script should have a sample.]
|
||||
expected: TIMEOUT
|
||||
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
[script_event_handlers_denied_missing_unsafe_hashes.html]
|
||||
expected: TIMEOUT
|
||||
[Test that the inline event handler is not allowed to run]
|
||||
expected: NOTRUN
|
|
@ -1,4 +0,0 @@
|
|||
[script_event_handlers_denied_wrong_hash.html]
|
||||
expected: TIMEOUT
|
||||
[Test that the inline event handler is not allowed to run]
|
||||
expected: NOTRUN
|