Update web-platform-tests to revision be5419e845d39089ba6dc338c1bd0fa279108317
parent
aa199307c8
commit
2b6f573eb5
3440 changed files with 109438 additions and 41750 deletions
|
@ -0,0 +1,27 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Test that base does not affect report-uri</title>
|
||||
<script src='/resources/testharness.js'></script>
|
||||
<script src='/resources/testharnessreport.js'></script>
|
||||
<!-- if base is used for resolving the URL to report to then we will not get a report -->
|
||||
<base href="http://nonexistent-origin.web-platform.test">
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
var t1 = async_test("Test that image does not load");
|
||||
async_test(function(t2) {
|
||||
window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
|
||||
assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png");
|
||||
assert_equals(e.violatedDirective, "img-src");
|
||||
t2.done();
|
||||
}));
|
||||
}, "Event is fired");
|
||||
</script>
|
||||
<img src='{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png'
|
||||
onload='t1.unreached_func("The image should not have loaded");'
|
||||
onerror='t1.done();'>
|
||||
|
||||
<script async defer src='{{location[scheme]}}://{{location[host]}}/content-security-policy/support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27'></script>
|
||||
</body>
|
||||
</html>
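Review bot: The `onload` attribute on the `<img>` builds the failure callback but never calls it, because `t1.unreached_func("The image should not have loaded");` only returns a function. If the image loaded despite `img-src 'none'`, t1 would stay pending until the harness times out instead of failing with its message. Invoke the returned function, `onload='t1.unreached_func("The image should not have loaded")();'`, as the un-nonced script blocks elsewhere in this commit do with `t.unreached_func(...)()`.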
|
|
@ -0,0 +1,5 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Pragma: no-cache
|
||||
Set-Cookie: report-uri-does-not-respect-base-uri={{$id:uuid()}}; Path=/content-security-policy/base-uri
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,39 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<!-- This tests a bug that can occur when content layer CSP is not told
|
||||
about the CSP inherited from the parent document which leads to it not
|
||||
applying it to content layer CSP checks (such as frame-src with
|
||||
PlzNavigate on).
|
||||
Also see crbug.com/778658. -->
|
||||
<script src='/resources/testharness.js'></script>
|
||||
<script src='/resources/testharnessreport.js'></script>
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
var t = async_test("iframe still inherits correct CSP");
|
||||
</script>
|
||||
|
||||
<iframe id="x" srcdoc="<a href='about:blank'>123</a>"></iframe>
|
||||
|
||||
<script>
|
||||
window.onmessage = t.step_func_done(function(e) {
|
||||
assert_equals(e.data, "frame-src");
|
||||
});
|
||||
|
||||
x = document.getElementById('x');
|
||||
x.location = "";
|
||||
|
||||
// While document.write is deprecated I did not find another way to reproduce
|
||||
// the original exploit.
|
||||
x.contentDocument.write(
|
||||
'<script>window.addEventListener("securitypolicyviolation", function(e) {' +
|
||||
' window.top.postMessage(e.violatedDirective, "*");' +
|
||||
'});</scr' + 'ipt>' +
|
||||
'<iframe src="../support/fail.html"></iframe>'
|
||||
);
|
||||
x.contentDocument.close();
|
||||
</script>
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-src%20%27none%27''></script>
|
||||
</body>
|
||||
</html>
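Review bot: The `src` attribute of the final `checkReport.sub.js` script tag ends in two single quotes (`...frame-src%20%27none%27''>`), which leaves a stray `'` after the closed attribute value. A parser will most likely recover by treating it as a junk attribute, but the markup is invalid and the tag should end `%27none%27'></script>`. Separately, `x.location = "";` has no comment of its own. If it is needed for the crbug.com/778658 reproduction that the neighbouring comment mentions, a short `// required for the reproduction, do not simplify` would stop a later cleanup from removing it.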
|
|
@ -0,0 +1,5 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Pragma: no-cache
|
||||
Set-Cookie: policy-inherited-correctly-by-plznavigate={{$id:uuid()}}; Path=/content-security-policy/generic/
|
||||
Content-Security-Policy: frame-src 'none'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -0,0 +1,49 @@
|
|||
<!DOCTYPE html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'self'">
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<!-- Tests that mutations inside a context that inherits a copy of the CSP list
|
||||
does not affect the parent context -->
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
var t1 = async_test("Test that parent document image loads");
|
||||
var t2 = async_test("Test that embedded iframe document image does not load");
|
||||
var t3 = async_test("Test that spv event is fired");
|
||||
|
||||
window.onmessage = function(e) {
|
||||
if (e.data.type == 'spv') {
|
||||
t3.step(function() {
|
||||
assert_equals(e.data.violatedDirective, "img-src");
|
||||
t3.done();
|
||||
});
|
||||
} else if (e.data.type == 'imgload') {
|
||||
var img = document.createElement('img');
|
||||
img.src = "../support/pass.png";
|
||||
img.onload = function() { t1.done(); };
|
||||
img.onerror = t1.unreached_func('Should have loaded the image');
|
||||
document.body.appendChild(img);
|
||||
|
||||
t2.step(function() {
|
||||
assert_false(e.data.loaded, "Should not have loaded image inside the frame because of its CSP");
|
||||
t2.done();
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
var srcdoc = ['<meta http-equiv="Content-Security-Policy" content="img-src \'none\'">',
|
||||
'<script>',
|
||||
' window.addEventListener("securitypolicyviolation", function(e) {',
|
||||
' window.top.postMessage({type: "spv", violatedDirective: e.violatedDirective}, "*");',
|
||||
' });',
|
||||
'</scr' + 'ipt>',
|
||||
'<img src="../support/fail.png"',
|
||||
' onload="window.top.postMessage({type: \'imgload\', loaded: true}, \'*\')"',
|
||||
' onerror="window.top.postMessage({type: \'imgload\', loaded: false}, \'*\')">'].join('\n');
|
||||
var i = document.createElement('iframe');
|
||||
i.srcdoc = srcdoc;
|
||||
document.body.appendChild(i);
|
||||
</script>
|
||||
</body>
|
||||
</html>
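Review bot: The `window.onmessage` handler acts on every message it receives: it reads `e.data.type` without checking that the sender is the srcdoc frame, and the frame posts with a `"*"` target origin. Any other window in the harness that posts an object with a matching `type` would complete t2 or t3. A guard at the top of the handler, `if (e.source !== i.contentWindow) return;`, ties the assertions to the frame under test (`i` is assigned before the frame can post). The handler in the earlier test that asserts `e.data` equals `"frame-src"` has the same shape.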
|
|
@ -114,6 +114,46 @@
|
|||
}, "createElement.setAttribute.");
|
||||
</script>
|
||||
|
||||
<!-- Custom Element -->
|
||||
<script nonce="abc">
|
||||
var eventList = [];
|
||||
class NonceElement extends HTMLElement {
|
||||
static get observedAttributes() {
|
||||
return ['nonce'];
|
||||
}
|
||||
|
||||
constructor() {
|
||||
super();
|
||||
}
|
||||
|
||||
attributeChangedCallback(name, oldValue, newValue) {
|
||||
eventList.push({
|
||||
type: "AttributeChanged",
|
||||
name: name,
|
||||
oldValue: oldValue,
|
||||
newValue: newValue
|
||||
});
|
||||
}
|
||||
|
||||
connectedCallback() {
|
||||
eventList.push({
|
||||
type: "Connected",
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
customElements.define("nonce-element", NonceElement);
|
||||
</script>
|
||||
<nonce-element nonce="abc"></nonce-element>
|
||||
<script nonce="abc">
|
||||
test(t => {
|
||||
assert_equals(eventList.length, 3);
|
||||
assert_object_equals(eventList[0], { type: "AttributeChanged", name: "nonce", oldValue: null, newValue: "abc" });
|
||||
assert_object_equals(eventList[1], { type: "Connected" });
|
||||
assert_object_equals(eventList[2], { type: "AttributeChanged", name: "nonce", oldValue: "abc", newValue: "" });
|
||||
}, "Custom elements expose the correct events.");
|
||||
</script>
|
||||
|
||||
<!-- CSS Leakage -->
|
||||
<style>
|
||||
#cssTest { display: block; }
|
||||
|
|
|
@ -38,68 +38,24 @@ dictionary SecurityPolicyViolationEventInit : EventInit {
|
|||
long lineNumber;
|
||||
long columnNumber;
|
||||
};
|
||||
|
||||
[
|
||||
Constructor(DOMString type, optional EventInit eventInitDict),
|
||||
Exposed=(Window,Worker)
|
||||
] interface Event {
|
||||
readonly attribute DOMString type;
|
||||
readonly attribute EventTarget? target;
|
||||
readonly attribute EventTarget? currentTarget;
|
||||
[MeasureAs=EventComposedPath, CallWith=ScriptState] sequence<EventTarget> composedPath();
|
||||
|
||||
const unsigned short NONE = 0;
|
||||
const unsigned short CAPTURING_PHASE = 1;
|
||||
const unsigned short AT_TARGET = 2;
|
||||
const unsigned short BUBBLING_PHASE = 3;
|
||||
readonly attribute unsigned short eventPhase;
|
||||
|
||||
[Measure] void stopPropagation();
|
||||
[Measure] void stopImmediatePropagation();
|
||||
|
||||
readonly attribute boolean bubbles;
|
||||
readonly attribute boolean cancelable;
|
||||
void preventDefault();
|
||||
readonly attribute boolean defaultPrevented;
|
||||
|
||||
[MeasureAs=EventComposed] readonly attribute boolean composed;
|
||||
|
||||
[Unforgeable] readonly attribute boolean isTrusted;
|
||||
|
||||
[CallWith=ScriptState] readonly attribute DOMHighResTimeStamp timeStamp;
|
||||
|
||||
[Measure] void initEvent(DOMString type, optional boolean bubbles = false, optional boolean cancelable = false);
|
||||
|
||||
// Non-standard APIs
|
||||
[MeasureAs=EventSrcElement] readonly attribute EventTarget srcElement;
|
||||
[MeasureAs=EventReturnValue, CallWith=ScriptState, ImplementedAs=legacyReturnValue] attribute boolean returnValue;
|
||||
[MeasureAs=EventCancelBubble, CallWith=ScriptState] attribute boolean cancelBubble;
|
||||
[MeasureAs=EventPath, CallWith=ScriptState] readonly attribute EventTarget[] path;
|
||||
};
|
||||
|
||||
[
|
||||
Constructor(),
|
||||
CheckSecurity=Receiver,
|
||||
Exposed=(Window,Worker),
|
||||
ImmutablePrototype
|
||||
] interface EventTarget {
|
||||
[Custom=(CallPrologue,CallEpilogue)] void addEventListener(DOMString type, EventListener? listener, optional (AddEventListenerOptions or boolean) options);
|
||||
[Custom=(CallPrologue,CallEpilogue)] void removeEventListener(DOMString type, EventListener? listener, optional (EventListenerOptions or boolean) options);
|
||||
[ImplementedAs=dispatchEventForBindings, RaisesException] boolean dispatchEvent(Event event);
|
||||
};
|
||||
|
||||
</script>
|
||||
<script>
|
||||
(function() {
|
||||
var idl_array = new IdlArray();
|
||||
var idls = document.getElementById('idl').textContent;
|
||||
idl_array.add_idls(idls);
|
||||
function do_test(dom_idl) {
|
||||
var idl_array = new IdlArray();
|
||||
idl_array.add_untested_idls(dom_idl);
|
||||
var idls = document.getElementById('idl').textContent;
|
||||
idl_array.add_idls(idls);
|
||||
|
||||
window.event_to_test = new SecurityPolicyViolationEvent({});
|
||||
window.event_to_test = new SecurityPolicyViolationEvent({});
|
||||
|
||||
idl_array.add_objects({
|
||||
SecurityPolicyViolationEvent: ['event_to_test']
|
||||
});
|
||||
idl_array.test();
|
||||
})();
|
||||
idl_array.add_objects({
|
||||
SecurityPolicyViolationEvent: ['event_to_test']
|
||||
});
|
||||
idl_array.test();
|
||||
}
|
||||
|
||||
promise_test(function() {
|
||||
return fetch("/interfaces/dom.idl").then(response => response.text())
|
||||
.then(do_test);
|
||||
}, "Test driver");
|
||||
</script>
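Review bot: On what appears to be the new side, the `promise_test` hands the body of `/interfaces/dom.idl` to `do_test` without checking the response status. A 404 or error page would then be parsed as IDL and fail with a misleading parse error. Check the status before reading the text: `.then(response => { if (!response.ok) throw new Error("dom.idl: " + response.status); return response.text(); })`. The rendered page has lost its `+`/`-` markers, so which of the duplicated `idl_array` lines survive is inferred rather than certain.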
|
||||
|
|
|
@ -0,0 +1,63 @@
|
|||
<!DOCTYPE html>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'">
|
||||
<script src="/resources/testharness.js" nonce="abc"></script>
|
||||
<script src="/resources/testharnessreport.js" nonce="abc"></script>
|
||||
<script nonce="abc">
|
||||
var t = async_test("Unnonced scripts generate reports.");
|
||||
var events = 0;
|
||||
var firstLine = 38;
|
||||
var expectations = {}
|
||||
expectations[firstLine] = true;
|
||||
expectations[firstLine + 3] = true;
|
||||
expectations[firstLine + 6] = true;
|
||||
expectations[firstLine + 9] = true;
|
||||
expectations[firstLine + 12] = true;
|
||||
expectations[firstLine + 15] = true;
|
||||
expectations[firstLine + 18] = true;
|
||||
expectations["/content-security-policy/support/nonce-should-be-blocked.js?1"] = true;
|
||||
expectations["/content-security-policy/support/nonce-should-be-blocked.js?2"] = true;
|
||||
expectations["/content-security-policy/support/nonce-should-be-blocked.js?3"] = true;
|
||||
expectations["/content-security-policy/support/nonce-should-be-blocked.js?4"] = true;
|
||||
expectations["/content-security-policy/support/nonce-should-be-blocked.js?5"] = true;
|
||||
|
||||
document.addEventListener('securitypolicyviolation', t.step_func(e => {
|
||||
if (e.lineNumber) {
|
||||
// Verify that the line is expected, then clear the expectation:
|
||||
assert_true(expectations[e.lineNumber], "Line number: " + e.lineNumber);
|
||||
assert_equals(e.blockedURI, "inline");
|
||||
} else {
|
||||
// Otherwise, verify that the URL is expected, then clear the expectation:
|
||||
var url = new URL(e.blockedURI);
|
||||
assert_true(expectations[url.pathname + url.search], "URL: " + e.blockedURI);
|
||||
}
|
||||
events++;
|
||||
if (events == 12)
|
||||
t.done();
|
||||
}));
|
||||
</script>
|
||||
<script>
|
||||
t.unreached_func("No nonce, no execution.")();
|
||||
</script>
|
||||
<script nonce="xyz">
|
||||
t.unreached_func("Bad nonce, no execution.")();
|
||||
</script>
|
||||
<script <script nonce="abc">
|
||||
t.unreached_func("'<script' attribute, no execution.")();
|
||||
</script>
|
||||
<script attribute<script nonce="abc">
|
||||
t.unreached_func("'attribute<script', no execution.")();
|
||||
</script>
|
||||
<script attribute=<script nonce="abc">
|
||||
t.unreached_func("'<script' value, no execution.")();
|
||||
</script>
|
||||
<script attribute=value<script nonce="abc">
|
||||
t.unreached_func("'value<script', no execution.")();
|
||||
</script>
|
||||
<script attribute="" attribute=<style nonce="abc">
|
||||
t.unreached_func("Duplicate attribute, no execution.")();
|
||||
</script>
|
||||
<script src="../support/nonce-should-be-blocked.js?1" <script nonce="abc"></script>
|
||||
<script src="../support/nonce-should-be-blocked.js?2" attribute=<script nonce="abc"></script>
|
||||
<script src="../support/nonce-should-be-blocked.js?3" <style nonce="abc"></script>
|
||||
<script src="../support/nonce-should-be-blocked.js?4" attribute=<style nonce="abc"></script>
|
||||
<script src="../support/nonce-should-be-blocked.js?5" attribute=<style nonce="abc"></script>
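Review bot: Both comments in the `securitypolicyviolation` listener say "then clear the expectation", but nothing is ever cleared. The same line or URL reported twice therefore still counts toward `events == 12`, and a duplicate can mask a missing report. Add `expectations[e.lineNumber] = false;` after the inline assertions and `expectations[url.pathname + url.search] = false;` after the URL assertion. `var firstLine = 38;` also depends on the physical layout of the file, so a comment stating that it is the line of the first un-nonced `<script>` would help anyone who edits the header above it.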
|
|
@ -21,6 +21,9 @@
|
|||
long lineNumber;
|
||||
long columnNumber;
|
||||
};
|
||||
|
||||
interface Event {
|
||||
};
|
||||
</script>
|
||||
<script type="text/plain" id="tested">
|
||||
[Constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict)]
|
||||
|
|
|
@ -12,8 +12,13 @@
|
|||
document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals("style-src", e.violatedDirective);
|
||||
}));
|
||||
|
||||
var l = document.createElement("link");
|
||||
l.setAttribute("href", "/content-security-policy/style-src/resources/style-src-import.sub.css");
|
||||
l.setAttribute("rel", "stylesheet");
|
||||
l.setAttribute("type", "text/css");
|
||||
document.head.appendChild(l);
|
||||
</script>
|
||||
<link href="/content-security-policy/style-src/resources/style-src-import.sub.css" rel=stylesheet type=text/css>
|
||||
</head>
|
||||
<body>
|
||||
<div id='log'></div>
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
<script>
|
||||
test(function() { assert_unreached("FAIL")});
|
||||
</script>
|
|
@ -0,0 +1 @@
|
|||
t.unreached_func(document.currentScript.getAttribute('src') + " should not execute.")();
|
|
@ -2,7 +2,8 @@
|
|||
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
|
||||
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
||||
<svg width="6cm" height="5cm" viewBox="0 0 600 500"
|
||||
xmlns="http://www.w3.org/2000/svg" version="1.1">
|
||||
xmlns="http://www.w3.org/2000/svg" version="1.1"
|
||||
xmlns:xlink="http://www.w3.org/1999/xlink">
|
||||
<desc>using SVG as a resource doc should apply this doc's CSP</desc>
|
||||
|
||||
<use xlink:href="scripted.svg#postmessagescript" />
|
||||
|
|
Before Width: | Height: | Size: 566 B After Width: | Height: | Size: 614 B |