mirror of
https://github.com/servo/servo.git
synced 2025-08-06 14:10:11 +01:00
Check CSP for inline event handlers (#36510)
This also ensures that document now reports all violations and we set the correct directive. With these changes, all `script-src-attr-elem` WPT tests pass.

Part of #36437

Requires servo/rust-content-security-policy#3 to land first

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
This commit is contained in:
parent
70b3e24816
commit
2a81987590
64 changed files with 58 additions and 569 deletions
2
tests/wpt/include.ini
vendored
|
@ -13,6 +13,8 @@ skip: true
|
|||
skip: true
|
||||
[content-security-policy]
|
||||
skip: false
|
||||
[embedded-enforcement]
|
||||
skip: true
|
||||
[cors]
|
||||
skip: false
|
||||
[css]
|
||||
|
|
|
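Review bot: the `[embedded-enforcement]` / `skip: true` block added directly under `[content-security-policy]` / `skip: false` switches that whole subdirectory off, so the expectation files deleted further down for the Allow-CSP-From, Sec-Required-CSP and subsumption_algorithm tests are going away because those tests no longer run, not because they now pass. Worth stating that in the commit message (ideally with a tracking issue for embedded enforcement) and adding a short comment next to `skip: true`, so the deletions are not later read as fixes.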
@ -1,6 +1,3 @@
|
|||
[report-uri-does-not-respect-base-uri.sub.html]
|
||||
[Event is fired]
|
||||
expected: FAIL
|
||||
|
||||
[Violation report status OK.]
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
[default-src-inline-blocked.sub.html]
|
||||
[Expecting logs: ["violated-directive=script-src-elem","violated-directive=script-src-elem"\]]
|
||||
expected: FAIL
|
|
@ -1,4 +0,0 @@
|
|||
[default-src-strict_dynamic_and_unsafe_inline.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire a security policy violation for the inline block]
|
||||
expected: NOTRUN
|
|
@ -1,25 +0,0 @@
|
|||
[allow_csp_from-header.html]
|
||||
expected: TIMEOUT
|
||||
[Same origin iframes with an empty Allow-CSP-From header get blocked.]
|
||||
expected: FAIL
|
||||
|
||||
[Same origin iframes without Allow-CSP-From header gets blocked.]
|
||||
expected: FAIL
|
||||
|
||||
[Same origin iframes are blocked if Allow-CSP-From does not match origin.]
|
||||
expected: FAIL
|
||||
|
||||
[Cross origin iframe with an empty Allow-CSP-From header gets blocked.]
|
||||
expected: FAIL
|
||||
|
||||
[Cross origin iframe without Allow-CSP-From header gets blocked.]
|
||||
expected: FAIL
|
||||
|
||||
[Iframe with improper Allow-CSP-From header gets blocked.]
|
||||
expected: FAIL
|
||||
|
||||
[Star Allow-CSP-From header enforces EmbeddingCSP.]
|
||||
expected: TIMEOUT
|
||||
|
||||
[Allow-CSP-From header enforces EmbeddingCSP.]
|
||||
expected: TIMEOUT
|
|
@ -1,6 +0,0 @@
|
|||
[blocked-iframe-are-cross-origin.html]
|
||||
[Document blocked by embedded enforcement and its parent are cross-origin]
|
||||
expected: FAIL
|
||||
|
||||
[Two same-origin iframes must appear as cross-origin when one is blocked]
|
||||
expected: FAIL
|
|
@ -1,6 +0,0 @@
|
|||
[change-csp-attribute-and-history-navigation.html]
|
||||
[Iframe csp attribute changed before history navigation of local scheme.]
|
||||
expected: FAIL
|
||||
|
||||
[Iframe csp attribute changed before history navigation of network scheme.]
|
||||
expected: FAIL
|
|
@ -1,6 +0,0 @@
|
|||
[idlharness.window.html]
|
||||
[HTMLIFrameElement interface: attribute csp]
|
||||
expected: FAIL
|
||||
|
||||
[HTMLIFrameElement interface: document.createElement("iframe") must inherit property "csp" with the proper type]
|
||||
expected: FAIL
|
|
@ -1,12 +0,0 @@
|
|||
[iframe-csp-attribute.html]
|
||||
[<iframe> has a 'csp' attibute which is an empty string if undefined.]
|
||||
expected: FAIL
|
||||
|
||||
[<iframe>'s csp attribute is always a string.]
|
||||
expected: FAIL
|
||||
|
||||
[<iframe>'s 'csp content attribute reflects the IDL attribute.]
|
||||
expected: FAIL
|
||||
|
||||
[<iframe>'s IDL attribute reflects the DOM attribute.]
|
||||
expected: FAIL
|
|
@ -1,27 +0,0 @@
|
|||
[required-csp-header-cascade.html]
|
||||
[Test same origin: Test same policy for both iframes]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Test more restrictive policy on second iframe]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Test less restrictive policy on second iframe]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Test no policy on second iframe]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Test no policy on first iframe]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Test invalid policy on first iframe (bad directive name)]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Test invalid policy on first iframe (report directive)]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Test invalid policy on second iframe (bad directive name)]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Test invalid policy on second iframe (report directive)]
|
||||
expected: FAIL
|
|
@ -1,141 +0,0 @@
|
|||
[required_csp-header.html]
|
||||
[Test Required-CSP value on `csp` change: Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>.]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin redirect: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin redirect: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none']
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none']
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none']
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none']
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none']
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon]
|
||||
expected: FAIL
|
||||
|
||||
[Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon]
|
||||
expected: FAIL
|
||||
|
||||
[Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - comma separated]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - invalid characters in directive names]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - invalid character in directive name]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri present]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - report-to present]
|
||||
expected: FAIL
|
||||
|
||||
[Test Required-CSP value on `csp` change: Sec-Required-CSP is not sent if `csp` attribute is longer than 4096 bytes]
|
||||
expected: FAIL
|
|
@ -1,21 +0,0 @@
|
|||
[subsumption_algorithm-general.html]
|
||||
[Iframe with empty returned CSP should be blocked.]
|
||||
expected: FAIL
|
||||
|
||||
[Iframe with less restricting CSP should be blocked.]
|
||||
expected: FAIL
|
||||
|
||||
[Iframe with a different CSP should be blocked.]
|
||||
expected: FAIL
|
||||
|
||||
[Host wildcard *.a.com does not match a.com]
|
||||
expected: FAIL
|
||||
|
||||
[Iframe should block if intersection allows sources which are not in required_csp.]
|
||||
expected: FAIL
|
||||
|
||||
[Iframe should block if intersection allows sources which are not in required_csp (other ordering).]
|
||||
expected: FAIL
|
||||
|
||||
[Removed plugin-types directive should be ignored 3.]
|
||||
expected: FAIL
|
|
@ -1,18 +0,0 @@
|
|||
[subsumption_algorithm-hashes.html]
|
||||
[Returned should not include hashes not present in required csp.]
|
||||
expected: FAIL
|
||||
|
||||
[Hashes do not have to be present in returned csp but must not allow all inline behavior.]
|
||||
expected: FAIL
|
||||
|
||||
[Other expressions have to be subsumed.]
|
||||
expected: FAIL
|
||||
|
||||
[Required csp must allow 'sha256-abc123'.]
|
||||
expected: FAIL
|
||||
|
||||
[Effective policy is properly found where 'sha256-abc123' is not subsumed.]
|
||||
expected: FAIL
|
||||
|
||||
['sha256-abc123' is not subsumed by 'sha256-abc456'.]
|
||||
expected: FAIL
|
|
@ -1,12 +0,0 @@
|
|||
[subsumption_algorithm-host_sources-hosts.html]
|
||||
[Host must match.]
|
||||
expected: FAIL
|
||||
|
||||
[Hosts without wildcards must match.]
|
||||
expected: FAIL
|
||||
|
||||
[More specific subdomain should not match.]
|
||||
expected: FAIL
|
||||
|
||||
[Specified host should not match a wildcard host.]
|
||||
expected: FAIL
|
|
@ -1,9 +0,0 @@
|
|||
[subsumption_algorithm-host_sources-paths.html]
|
||||
[Returned CSP must specify a path.]
|
||||
expected: FAIL
|
||||
|
||||
[Empty path is not subsumed by specified paths.]
|
||||
expected: FAIL
|
||||
|
||||
[That should not be true when required csp specifies a specific page.]
|
||||
expected: FAIL
|
|
@ -1,12 +0,0 @@
|
|||
[subsumption_algorithm-host_sources-ports.html]
|
||||
[Specified ports must match.]
|
||||
expected: FAIL
|
||||
|
||||
[Returned CSP should be subsumed if the port is specified but is not default for a more secure scheme.]
|
||||
expected: FAIL
|
||||
|
||||
[Wildcard port should not be subsumed by a default port.]
|
||||
expected: FAIL
|
||||
|
||||
[Wildcard port should not be subsumed by a spcified port.]
|
||||
expected: FAIL
|
|
@ -1,12 +0,0 @@
|
|||
[subsumption_algorithm-host_sources-protocols.html]
|
||||
[`https` is more restrictive than `http`.]
|
||||
expected: FAIL
|
||||
|
||||
[`http:` does not subsume other protocols.]
|
||||
expected: FAIL
|
||||
|
||||
[If scheme source is present in returned csp, it must be specified in required csp too.]
|
||||
expected: FAIL
|
||||
|
||||
[All scheme sources must be subsumed.]
|
||||
expected: FAIL
|
|
@ -1,9 +0,0 @@
|
|||
[subsumption_algorithm-nonces.html]
|
||||
[A nonce has to be returned if required by the embedder.]
|
||||
expected: FAIL
|
||||
|
||||
[Nonce intersection is still done on exact match - matching nonces.]
|
||||
expected: FAIL
|
||||
|
||||
[Other expressions still have to be subsumed - negative test]
|
||||
expected: FAIL
|
|
@ -1,21 +0,0 @@
|
|||
[subsumption_algorithm-none.html]
|
||||
[Required policy that allows `none` does not subsume empty list of policies.]
|
||||
expected: FAIL
|
||||
|
||||
[Required csp with effective `none` does not subsume a host source expression.]
|
||||
expected: FAIL
|
||||
|
||||
[Required csp with `none` does not subsume a host source expression.]
|
||||
expected: FAIL
|
||||
|
||||
[Required csp with effective `none` does not subsume `none` of another directive.]
|
||||
expected: FAIL
|
||||
|
||||
[Required csp with `none` does not subsume `none` of another directive.]
|
||||
expected: FAIL
|
||||
|
||||
[Required csp with `none` does not subsume `none` of different directives.]
|
||||
expected: FAIL
|
||||
|
||||
[Both required and returned csp are `none` for only one directive.]
|
||||
expected: FAIL
|
|
@ -1,6 +0,0 @@
|
|||
[subsumption_algorithm-self.html]
|
||||
[Returned CSP must not allow 'self' if required CSP does not.]
|
||||
expected: FAIL
|
||||
|
||||
[Returned 'self' should not be subsumed by a more secure version of origin's url.]
|
||||
expected: FAIL
|
|
@ -1,45 +0,0 @@
|
|||
[subsumption_algorithm-source_list-wildcards.html]
|
||||
[Wildcard does not subsume empty list.]
|
||||
expected: FAIL
|
||||
|
||||
[Empty source list does not subsume a wildcard source list.]
|
||||
expected: FAIL
|
||||
|
||||
['none' does not subsume a wildcard source list.]
|
||||
expected: FAIL
|
||||
|
||||
[Wildcard source list does not subsume `data:` scheme source expression.]
|
||||
expected: FAIL
|
||||
|
||||
[Wildcard source list does not subsume `blob:` scheme source expression.]
|
||||
expected: FAIL
|
||||
|
||||
[Source expressions do not subsume effective nonce expressions.]
|
||||
expected: FAIL
|
||||
|
||||
[Wildcard source list is not subsumed by a host expression.]
|
||||
expected: FAIL
|
||||
|
||||
[Wildcard list with keywords is not subsumed by a wildcard list.]
|
||||
expected: FAIL
|
||||
|
||||
[Wildcard list with 'unsafe-hashes' is not subsumed by a wildcard list.]
|
||||
expected: FAIL
|
||||
|
||||
[Wildcard list with 'unsafe-inline' is not subsumed by a wildcard list.]
|
||||
expected: FAIL
|
||||
|
||||
[Wildcard list with 'unsafe-eval' is not subsumed by a wildcard list.]
|
||||
expected: FAIL
|
||||
|
||||
[Wildcard list with 'unsafe-eval' is not subsumed by list with a single expression.]
|
||||
expected: FAIL
|
||||
|
||||
[The same as above but for 'unsafe-inline'.]
|
||||
expected: FAIL
|
||||
|
||||
[`data:` is not subsumed by a wildcard list.]
|
||||
expected: FAIL
|
||||
|
||||
[`blob:` is not subsumed by a wildcard list.]
|
||||
expected: FAIL
|
|
@ -1,9 +0,0 @@
|
|||
[subsumption_algorithm-strict_dynamic.html]
|
||||
['strict-dynamic' is effective only for `script-src`.]
|
||||
expected: FAIL
|
||||
|
||||
['strict-dynamic' is properly handled for finding effective policy.]
|
||||
expected: FAIL
|
||||
|
||||
['strict-dynamic' has to be allowed by required csp if it is present in returned csp.]
|
||||
expected: FAIL
|
|
@ -1,12 +0,0 @@
|
|||
[subsumption_algorithm-unsafe_eval.html]
|
||||
[No other keyword has the same effect as 'unsafe-eval'.]
|
||||
expected: FAIL
|
||||
|
||||
[Other expressions have to be subsumed.]
|
||||
expected: FAIL
|
||||
|
||||
[Required csp must allow 'unsafe-eval'.]
|
||||
expected: FAIL
|
||||
|
||||
[Effective policy is properly found where 'unsafe-eval' is not subsumed.]
|
||||
expected: FAIL
|
|
@ -1,12 +0,0 @@
|
|||
[subsumption_algorithm-unsafe_hashes.html]
|
||||
[No other keyword has the same effect as 'unsafe-hashes'.]
|
||||
expected: FAIL
|
||||
|
||||
[Other expressions have to be subsumed.]
|
||||
expected: FAIL
|
||||
|
||||
[Required csp must allow 'unsafe-hashes'.]
|
||||
expected: FAIL
|
||||
|
||||
[Effective policy is properly found where 'unsafe-hashes' is not subsumed.]
|
||||
expected: FAIL
|
|
@ -1,18 +0,0 @@
|
|||
[subsumption_algorithm-unsafe_inline.html?9-last]
|
||||
[Required csp allows `strict-dynamic`, but retuned csp does.]
|
||||
expected: FAIL
|
||||
|
||||
[Required csp does not allow `unsafe-inline`, but retuned csp does.]
|
||||
expected: FAIL
|
||||
|
||||
[Returned csp allows a nonce.]
|
||||
expected: FAIL
|
||||
|
||||
[Returned csp allows a hash.]
|
||||
expected: FAIL
|
||||
|
||||
[Effective returned csp allows 'unsafe-inline']
|
||||
expected: FAIL
|
||||
|
||||
|
||||
[subsumption_algorithm-unsafe_inline.html?1-8]
|
|
@ -0,0 +1,3 @@
|
|||
[frame-ancestors-path-ignored.window.html]
|
||||
[A 'frame-ancestors' CSP directive with a URL that includes a path should be ignored.]
|
||||
expected: FAIL
|
|
@ -1,3 +1,4 @@
|
|||
[frame-src-cross-origin-same-document-navigation.window.html]
|
||||
expected: OK
|
||||
[frame-src-cross-origin-same-document-navigation]
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
[304-response-should-update-csp.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Test that the first frame does not use nonce def]
|
||||
expected: NOTRUN
|
||||
expected: FAIL
|
||||
|
||||
[Test that the second frame does not use nonce abc]
|
||||
expected: NOTRUN
|
||||
expected: FAIL
|
||||
|
|
|
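Review bot: both subtests here move from NOTRUN to FAIL and the top-level TIMEOUT is dropped, so the page no longer hangs, but "Test that the first frame does not use nonce def" and "Test that the second frame does not use nonce abc" still fail, which suggests a 304 revalidation does not yet replace the nonces of the cached policy. That is a policy-enforcement gap rather than a cosmetic failure, so it deserves an issue reference alongside the expectation.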
@ -1,3 +0,0 @@
|
|||
[directive-name-case-insensitive.sub.html]
|
||||
[Test that the www2 image throws a violation event]
|
||||
expected: FAIL
|
|
@ -1,3 +1,4 @@
|
|||
[media-src-7_1_2.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Test that securitypolicyviolation events are fired]
|
||||
expected: FAIL
|
||||
expected: TIMEOUT
|
||||
|
|
|
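Review bot: if I read this hunk right, the subtest "Test that securitypolicyviolation events are fired" moves from FAIL to TIMEOUT and the file gains a top-level `expected: TIMEOUT`. A timeout means the page waits for a violation event that never arrives, which costs a full harness timeout on every run and hides the failure mode behind a generic stall; worth checking whether the new violation-reporting path skips media-src elements, or at least noting the regression in the commit message.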
@ -2,6 +2,3 @@
|
|||
expected: TIMEOUT
|
||||
[Disallowed audio source element]
|
||||
expected: NOTRUN
|
||||
|
||||
[Test that securitypolicyviolation events are fired]
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,8 +1,5 @@
|
|||
[media-src-blocked.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Disallowed async video src]
|
||||
expected: FAIL
|
||||
|
||||
[Disallowed async video source element]
|
||||
expected: TIMEOUT
|
||||
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
[invalid-directive.html]
|
||||
expected: TIMEOUT
|
||||
[Even if an unknown directive is specified, img-src is honored.]
|
||||
expected: TIMEOUT
|
|
@ -1,7 +1,4 @@
|
|||
[report-to-directive-allowed-in-meta.https.sub.html]
|
||||
[Event is fired]
|
||||
expected: FAIL
|
||||
|
||||
[Report is observable to ReportingObserver]
|
||||
expected: FAIL
|
||||
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
[reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html]
|
||||
[Event is fired]
|
||||
expected: FAIL
|
|
@ -1,3 +0,0 @@
|
|||
[reporting-api-report-to-overrides-report-uri-1.https.sub.html]
|
||||
[Event is fired]
|
||||
expected: FAIL
|
|
@ -1,3 +0,0 @@
|
|||
[reporting-api-report-to-overrides-report-uri-2.https.sub.html]
|
||||
[Event is fired]
|
||||
expected: FAIL
|
|
@ -1,7 +1,4 @@
|
|||
[reporting-api-sends-reports-on-violation.https.sub.html]
|
||||
[Event is fired]
|
||||
expected: FAIL
|
||||
|
||||
[Report is observable to ReportingObserver]
|
||||
expected: FAIL
|
||||
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
[script-src-attr-blocked-src-allowed.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire a security policy violation event]
|
||||
expected: NOTRUN
|
|
@ -1,4 +0,0 @@
|
|||
[script-src-elem-allowed-attr-blocked.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire a security policy violation for the attribute]
|
||||
expected: NOTRUN
|
|
@ -1,4 +0,0 @@
|
|||
[script-src-elem-blocked-attr-allowed.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire a security policy violation for the attribute]
|
||||
expected: NOTRUN
|
|
@ -1,4 +0,0 @@
|
|||
[script-src-elem-blocked-src-allowed.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire a spv event]
|
||||
expected: NOTRUN
|
|
@ -1,3 +0,0 @@
|
|||
[strict-dynamic-elem-blocked-src-allowed.sub.html]
|
||||
[Should fire a security policy violation event]
|
||||
expected: FAIL
|
|
@ -1,3 +0,0 @@
|
|||
[injected-inline-script-blocked.sub.html]
|
||||
[Expecting logs: ["violated-directive=script-src-elem","blocked-uri=inline"\]]
|
||||
expected: FAIL
|
|
@ -1,7 +0,0 @@
|
|||
[script-src-1_1.html]
|
||||
expected: TIMEOUT
|
||||
[Inline event handler]
|
||||
expected: FAIL
|
||||
|
||||
[Should fire policy violation events]
|
||||
expected: NOTRUN
|
|
@ -1,7 +0,0 @@
|
|||
[script-src-1_2.html]
|
||||
expected: TIMEOUT
|
||||
[Inline event handler]
|
||||
expected: FAIL
|
||||
|
||||
[Should fire policy violation events]
|
||||
expected: NOTRUN
|
|
@ -1,4 +0,0 @@
|
|||
[script-src-1_2_1.html]
|
||||
expected: TIMEOUT
|
||||
[Test that securitypolicyviolation event is fired]
|
||||
expected: NOTRUN
|
|
@ -1,4 +1,3 @@
|
|||
[script-src-strict_dynamic_double_policy_different_nonce.html]
|
||||
expected: TIMEOUT
|
||||
[Unnonced script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce-only double policy.]
|
||||
expected: TIMEOUT
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
[script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Non-allowed script injected via `appendChild` is not permitted with `strict-dynamic` + a nonce+allowed double policy.]
|
||||
expected: TIMEOUT
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
[script-src-strict_dynamic_meta_tag.html]
|
||||
expected: TIMEOUT
|
||||
expected: ERROR
|
||||
[Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`.]
|
||||
expected: TIMEOUT
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
[script-src-strict_dynamic_non_parser_inserted.html]
|
||||
expected: TIMEOUT
|
||||
expected: ERROR
|
||||
[Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`.]
|
||||
expected: TIMEOUT
|
||||
|
||||
|
|
|
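Review bot: in this hunk and the preceding `script-src-strict_dynamic_meta_tag.html` one, the top-level expectation moves from TIMEOUT to ERROR while the `appendChild` / `textContent` subtest stays TIMEOUT. A harness-level ERROR means the test page threw before the harness finished, which is a different failure from the previous timeout and may be a side effect of the new inline-handler check; a one-line explanation in the commit message or a follow-up issue would stop it being read as unchanged behaviour.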
@ -1,4 +0,0 @@
|
|||
[script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html]
|
||||
expected: TIMEOUT
|
||||
[All the expected CSP violation reports have been fired.]
|
||||
expected: TIMEOUT
|
|
@ -1,4 +0,0 @@
|
|||
[scripthash-unicode-normalization.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire securitypolicyviolation]
|
||||
expected: NOTRUN
|
|
@ -1,4 +0,0 @@
|
|||
[scriptnonce-and-scripthash.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"\]]
|
||||
expected: TIMEOUT
|
|
@ -1,4 +0,0 @@
|
|||
[scriptnonce-ignore-unsafeinline.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src-elem"\]]
|
||||
expected: TIMEOUT
|
|
@ -1,5 +1,5 @@
|
|||
[script-sample-no-opt-in.html]
|
||||
expected: ERROR
|
||||
expected: TIMEOUT
|
||||
[Inline script should not have a sample.]
|
||||
expected: TIMEOUT
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
[script-sample.html]
|
||||
expected: ERROR
|
||||
expected: TIMEOUT
|
||||
[Inline script should have a sample.]
|
||||
expected: TIMEOUT
|
||||
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
[script_event_handlers_denied_missing_unsafe_hashes.html]
|
||||
expected: TIMEOUT
|
||||
[Test that the inline event handler is not allowed to run]
|
||||
expected: NOTRUN
|
|
@ -1,4 +0,0 @@
|
|||
[script_event_handlers_denied_wrong_hash.html]
|
||||
expected: TIMEOUT
|
||||
[Test that the inline event handler is not allowed to run]
|
||||
expected: NOTRUN
|