Update web-platform-tests to revision 14cfa4d648cc1c853b4153268df672d21425f8c1
parent
1b73cf3352
commit
75736751d9
1213 changed files with 19434 additions and 12344 deletions
|
@ -1 +1,4 @@
|
|||
var dataScriptRan = false;
|
||||
var dataScriptRan = false;
|
||||
|
||||
var t_spv = async_test("Test that no report violation event was raised");
|
||||
window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have raised any securitypolicyviolation event"));
|
|
@ -1,3 +1,5 @@
|
|||
test(function () {
|
||||
assert_true(dataScriptRan, "data script ran");
|
||||
}, "Verify that data: as script src runs with this policy");
|
||||
}, "Verify that data: as script src runs with this policy");
|
||||
|
||||
t_spv.done();
|
|
@ -1,4 +1,14 @@
|
|||
(function () {
|
||||
var t_spv = async_test("Test that securitypolicyviolation event is fired");
|
||||
var test_count = 2;
|
||||
|
||||
window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
if (--test_count <= 0) {
|
||||
t_spv.done();
|
||||
}
|
||||
}));
|
||||
|
||||
|
||||
var dmTest = async_test("DOM manipulation inline tests");
|
||||
var attachPoint = document.getElementById('attachHere');
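Review bot: `t_spv.step_func_done(function(e) {` ends the test after the first securitypolicyviolation event, so the `test_count` countdown on the lines below it never reaches zero and the second expected violation is never verified. The inlineTests.js hunk in this same commit pairs the counter with `t_spv.step_func(function(e) {`, which is the form that waits for both events; changing this line to match fixes it. The same step_func_done-plus-counter combination appears in the setTimeout/setInterval hunk (`@ -12,15 +13,21 @@`). The enclosing `(function () {` IIFE continues past the end of this hunk.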
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'">
|
||||
<title>injected-inline-script-allowed</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["Pass 1 of 2","Pass 2 of 2"]'></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=[]'></script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<script>
|
||||
window.addEventListener('securitypolicyviolation', function(e) {
|
||||
log("Fail");
|
||||
});
|
||||
</script>
|
||||
<script src="support/inject-script.js"></script>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -0,0 +1,24 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc'; connect-src 'self';">
|
||||
<title>injected-inline-script-blocked</title>
|
||||
<script nonce='abc' src="/resources/testharness.js"></script>
|
||||
<script nonce='abc' src="/resources/testharnessreport.js"></script>
|
||||
<script nonce='abc' src='../support/logTest.sub.js?logs=["violated-directive=script-src",]'></script>
|
||||
<script nonce='abc' src='../support/alertAssert.sub.js?alerts=[]'></script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<script nonce='abc'>
|
||||
window.addEventListener('securitypolicyviolation', function(e) {
|
||||
log("violated-directive=" + e.violatedDirective);
|
||||
});
|
||||
</script>
|
||||
<script src="support/inject-script.js"></script>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
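Review bot: The `logs` query value on the logTest.sub.js line carries a trailing comma inside the array, `logs=["violated-directive=script-src",]`, which is not valid JSON; if the helper parses it with JSON.parse the expected-log list is empty or the page errors before the test starts. The other new files in this commit write the list without it, e.g. `logs=["Pass 1 of 2","Pass 2 of 2"]`, so this line should read `?logs=["violated-directive=script-src"]`. Whether the helper tolerates the comma cannot be confirmed from this page.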
|
|
@ -1,3 +1,6 @@
|
|||
var t_spv = async_test("Should not fire policy violation events");
|
||||
window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should have not fired any securitypolicyviolation event"));
|
||||
|
||||
var inlineRan = false;
|
||||
|
||||
onload = function() {
|
||||
|
@ -5,4 +8,5 @@ onload = function() {
|
|||
assert_true(inlineRan, 'Unsafe inline script ran.')},
|
||||
'Inline script in a script tag should run with an unsafe-inline directive'
|
||||
);
|
||||
t_spv.done();
|
||||
}
|
|
@ -1,4 +1,13 @@
|
|||
var t1 = async_test("Inline script block");
|
||||
var t2 = async_test("Inline event handler");
|
||||
|
||||
onload = function() {t1.done(); t2.done()}
|
||||
onload = function() {t1.done(); t2.done()}
|
||||
|
||||
var t_spv = async_test("Should not fire policy violation events");
|
||||
var test_count = 2;
|
||||
window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
if (--test_count <= 0) {
|
||||
t_spv.done();
|
||||
}
|
||||
}));
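Review bot: The test name `"Should not fire policy violation events"` contradicts the listener registered right below it, which asserts `e.violatedDirective` on two events and only finishes once `test_count` reaches zero — this test requires the violations to fire. The string looks copied from the inlineSuccessTest.js hunk, where it is accurate. A name that states the real expectation, e.g. `var t_spv = async_test("Should fire policy violation events for both inline scripts");`, stops the result from reading as inverted.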
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
<html>
|
||||
<head>
|
||||
<title>Window.open should not open javascript url if not allowed.</title>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc';">
|
||||
<script nonce='abc' src='/resources/testharness.js'></script>
|
||||
<script nonce='abc' src='/resources/testharnessreport.js'></script>
|
||||
</head>
|
||||
|
@ -15,8 +16,5 @@
|
|||
|
||||
window.open('javascript:test(function() { assert_unreached("FAIL")});', 'new');
|
||||
</script>
|
||||
|
||||
<script nonce='abc' async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
|
||||
|
||||
</body>
|
||||
</html>
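Review bot: This hunk drops the checkReport.sub.js line that verified the blocked `javascript:` URL produced a `script-src 'nonce-abc'` violation, but unlike the other files in this commit no securitypolicyviolation listener is added in its place, so the test now only fails if the URL executes and no longer confirms that the policy actually blocked it (unless the unchanged top of the file already registers one, which is not visible here). The same removal without a replacement appears in the report-only hash-policy hunk `@ -27,7 +27,5 @@`. A nonced listener in the style the commit uses elsewhere, placed before the script element that calls `window.open`, restores the check:
```html
<script nonce='abc'>
  var t_spv = async_test("Test that securitypolicyviolation event is fired");
  window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
    assert_equals(e.violatedDirective, "script-src");
  }));
</script>
```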
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
<html>
|
||||
<head>
|
||||
<title>Inline script should not run without 'unsafe-inline' script-src directive.</title>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self';">
|
||||
<script src='/resources/testharness.js'></script>
|
||||
<script src='/resources/testharnessreport.js'></script>
|
||||
<script src='inlineTests.js'></script>
|
||||
|
@ -15,8 +16,5 @@
|
|||
</script>
|
||||
|
||||
<img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'>
|
||||
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script>
|
||||
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -1,6 +0,0 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: script-src-1_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
|
||||
Content-Security-Policy: script-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -2,6 +2,7 @@
|
|||
<html>
|
||||
<head>
|
||||
<title>data: as script src should not run with a policy that doesn't specify data: as an allowed source</title>
|
||||
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline';">
|
||||
<script src='/resources/testharness.js'></script>
|
||||
<script src='/resources/testharnessreport.js'></script>
|
||||
</head>
|
||||
|
@ -11,6 +12,11 @@
|
|||
|
||||
<script>
|
||||
var dataScriptRan = false;
|
||||
var t_spv = async_test("Test that securitypolicyviolation event is fired");
|
||||
|
||||
window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
}));
|
||||
</script>
|
||||
|
||||
<!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
|
||||
|
@ -21,7 +27,5 @@
|
|||
assert_false(dataScriptRan, "data script ran");
|
||||
}, "Verify that data: as script src doesn't run with this policy");
|
||||
</script>
|
||||
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=default-src%20%27self%27+%27unsafe-inline%27'></script>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -1,6 +0,0 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: script-src-1_10={{$id:uuid()}}; Path=/content-security-policy/script-src/
|
||||
Content-Security-Policy: default-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -2,6 +2,7 @@
|
|||
<html>
|
||||
<head>
|
||||
<title>data: as script src should run with a policy that specifies data: as an allowed source but not 'unsafe-inline'</title>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' data:;">
|
||||
<script src='/resources/testharness.js'></script>
|
||||
<script src='/resources/testharnessreport.js'></script>
|
||||
</head>
|
||||
|
@ -14,7 +15,5 @@
|
|||
<script src="data:text/javascript;charset=utf-8;base64,ZGF0YVNjcmlwdFJhbiA9IHRydWU7"></script>
|
||||
|
||||
<script src="10_1_support_2.js"></script>
|
||||
|
||||
<script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
|
||||
</body>
|
||||
</html>
|
|
@ -1,6 +0,0 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: script-src-1_10_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
|
||||
Content-Security-Policy: script-src 'self' data:; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -2,6 +2,7 @@
|
|||
<html>
|
||||
<head>
|
||||
<title>Inline script should not run without 'unsafe-inline' script-src directive.</title>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src *;">
|
||||
<script src='/resources/testharness.js'></script>
|
||||
<script src='/resources/testharnessreport.js'></script>
|
||||
<script src='inlineTests.js'></script>
|
||||
|
@ -15,8 +16,5 @@
|
|||
</script>
|
||||
|
||||
<img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'>
|
||||
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script>
|
||||
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -1,6 +0,0 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: script-src-1_2={{$id:uuid()}}; Path=/content-security-policy/script-src/
|
||||
Content-Security-Policy: script-src *; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -2,6 +2,7 @@
|
|||
<html>
|
||||
<head>
|
||||
<title>Inline script attached by DOM manipulation should not run without an 'unsafe-inline' script-src policy, even with default-src *</title>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src *;">
|
||||
<script src='/resources/testharness.js'></script>
|
||||
<script src='/resources/testharnessreport.js'></script>
|
||||
</head>
|
||||
|
@ -16,8 +17,5 @@
|
|||
<div id=emptyDiv></div>
|
||||
|
||||
<script src="addInlineTestsWithDOMManipulation.js"></script>
|
||||
|
||||
<script async defer src="../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20*"></script>
|
||||
|
||||
</body>
|
||||
</html>
|
|
@ -1,6 +0,0 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: script-src-1_2_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
|
||||
Content-Security-Policy: script-src *; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -2,6 +2,7 @@
|
|||
<html>
|
||||
<head>
|
||||
<title>Positive test case: Inline script should run 'unsafe-inline' script-src directive.</title>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
|
||||
<script src='/resources/testharness.js'></script>
|
||||
<script src='/resources/testharnessreport.js'></script>
|
||||
<script src='inlineSuccessTest.js'></script>
|
||||
|
@ -13,8 +14,5 @@
|
|||
<script>
|
||||
inlineRan = true;
|
||||
</script>
|
||||
|
||||
<script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
|
||||
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -1,6 +0,0 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: script-src-1_3={{$id:uuid()}}; Path=/content-security-policy/script-src/
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -2,6 +2,7 @@
|
|||
<html>
|
||||
<head>
|
||||
<title>eval() should not run without 'unsafe-eval' script-src directive.</title>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
|
||||
<script src='/resources/testharness.js'></script>
|
||||
<script src='/resources/testharnessreport.js'></script>
|
||||
</head>
|
||||
|
@ -10,6 +11,11 @@
|
|||
<div id='log'></div>
|
||||
|
||||
<script>
|
||||
var t_spv = async_test("Test that securitypolicyviolation event is fired");
|
||||
|
||||
window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
}));
|
||||
|
||||
var evalRan = false;
|
||||
|
||||
|
@ -18,8 +24,5 @@
|
|||
test(function() {assert_false(evalRan);})
|
||||
|
||||
</script>
|
||||
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-inline%27'></script>
|
||||
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -1,6 +0,0 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: script-src-1_4={{$id:uuid()}}; Path=/content-security-policy/script-src/
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -2,6 +2,7 @@
|
|||
<html>
|
||||
<head>
|
||||
<title>setTimeout() and setInterval() should not run without 'unsafe-eval' script-src directive.</title>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
|
||||
<script src='/resources/testharness.js'></script>
|
||||
<script src='/resources/testharnessreport.js'></script>
|
||||
</head>
|
||||
|
@ -12,15 +13,21 @@
|
|||
<script>
|
||||
var t1 = async_test("window.setTimeout()");
|
||||
var t2 = async_test("window.setInterval()");
|
||||
var t_spv = async_test("Test that securitypolicyviolation event is fired");
|
||||
var test_count = 2;
|
||||
|
||||
window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
if (--test_count <= 0) {
|
||||
t_spv.done();
|
||||
}
|
||||
}));
|
||||
|
||||
|
||||
onload = function() {t1.done(); t2.done()}
|
||||
|
||||
window.setTimeout('t1.step(function() {assert_unreached("window.setTimeout() ran without unsafe-eval.")})',0);
|
||||
window.setInterval('t2.step(function() {assert_unreached("window.setInterval() ran without unsafe-eval.")})',0);
|
||||
|
||||
</script>
|
||||
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-eval%27'></script>
|
||||
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -1,6 +0,0 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: script-src-1_4_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -2,6 +2,7 @@
|
|||
<html>
|
||||
<head>
|
||||
<title>Function() called as a constructor should throw without 'unsafe-eval' script-src directive.</title>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
|
||||
<script src='/resources/testharness.js'></script>
|
||||
<script src='/resources/testharnessreport.js'></script>
|
||||
</head>
|
||||
|
@ -10,6 +11,12 @@
|
|||
<div id='log'></div>
|
||||
|
||||
<script>
|
||||
var t_spv = async_test("Test that securitypolicyviolation event is fired");
|
||||
|
||||
window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
}));
|
||||
|
||||
|
||||
test(function() {
|
||||
assert_throws(
|
||||
|
@ -20,8 +27,5 @@
|
|||
})}, "Unsafe eval ran in Function() constructor.");
|
||||
|
||||
</script>
|
||||
|
||||
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-inline%27'></script>
|
||||
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -1,6 +0,0 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: script-src-1_4_2={{$id:uuid()}}; Path=/content-security-policy/script-src/
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
|
@ -22,7 +22,5 @@
|
|||
t.done();
|
||||
});
|
||||
</script>
|
||||
|
||||
<script nonce="abc" async defer src='../support/checkReport.sub.js?reportExists=false'></script>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -2,6 +2,5 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
|||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: script-src-multiple-policies-multiple-hashing-algorithms={{$id:uuid()}}; Path=/content-security-policy/script-src/
|
||||
Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
Content-Security-Policy: script-src 'sha384-skw7BVxHbmE2umPGMd1kX+ye6qBeHAb875erPoD8ilKv1LkjKR+WFi7N85ORMdhS' 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc';
|
||||
Content-Security-Policy: script-src 'sha384-skw7BVxHbmE2umPGMd1kX+ye6qBeHAb875erPoD8ilKv1LkjKR+WFi7N85ORMdhS' 'nonce-abc';
|
|
@ -22,7 +22,5 @@
|
|||
t.done();
|
||||
});
|
||||
</script>
|
||||
|
||||
<script nonce="abc" async defer src='../support/checkReport.sub.js?reportExists=false'></script>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -2,6 +2,5 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
|||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: script-src-multiple-policies-multiple-hashing-algorithms-work={{$id:uuid()}}; Path=/content-security-policy/script-src/
|
||||
Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc';
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline';
|
|
@ -0,0 +1,27 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<meta http-equiv="Content-Security-Policy" content="default-src about:; script-src 'self' 'unsafe-inline'; style-src 'self'; connect-src 'self';">
|
||||
<title>script-src-overrides-default-src</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["PASS 1 of 2","PASS 2 of 2"]'></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=[]'></script>
|
||||
<script>
|
||||
window.addEventListener('securitypolicyviolation', function(e) {
|
||||
log("Fail");
|
||||
});
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body onload="log('PASS 2 of 2')">
|
||||
<script>
|
||||
log('PASS 1 of 2');
|
||||
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -8,6 +8,11 @@
|
|||
</head>
|
||||
<body>
|
||||
<script nonce="abc">
|
||||
var t_spv = async_test("Should fire securitypolicyviolation event");
|
||||
window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
assert_equals(e.disposition, "report");
|
||||
}));
|
||||
var externalRan = false;
|
||||
</script>
|
||||
<script src='./externalScript.js'
|
||||
|
@ -16,8 +21,5 @@
|
|||
test(function() {
|
||||
assert_true(externalRan, 'External script ran.');
|
||||
}, 'External script in a script tag with matching SRI hash should run.');
|
||||
</script>
|
||||
|
||||
<script nonce="abc" async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
|
||||
</body>
|
||||
</script></body>
|
||||
</html>
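Review bot: The new closing line `</script></body>` collapses two closing tags onto one line, while every other file in this commit keeps `</script>` and `</body>` on separate lines; since the old `</script>` appears to be removed in the same hunk, this reads as an accidental merge rather than a deliberate choice. Keeping `</script>` and `</body>` as two lines matches the rest of the commit. The `test(function() {` call at the top of the hunk starts inside it, but the file's head is outside.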
|
||||
|
|
|
@ -2,6 +2,5 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
|||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: script-src-report-only-policy-works-with-external-hash-policy={{$id:uuid()}}; Path=/content-security-policy/script-src/
|
||||
Content-Security-Policy: script-src 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'nonce-abc'
|
||||
Content-Security-Policy-Report-Only: script-src 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
Content-Security-Policy-Report-Only: script-src 'nonce-abc';
|
|
@ -27,7 +27,5 @@
|
|||
t.done();
|
||||
});
|
||||
</script>
|
||||
|
||||
<script nonce="abc" async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -2,6 +2,5 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
|||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: script-src-report-only-policy-works-with-hash-policy={{$id:uuid()}}; Path=/content-security-policy/script-src/
|
||||
Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc'
|
||||
Content-Security-Policy-Report-Only: script-src 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
|
||||
Content-Security-Policy-Report-Only: script-src 'nonce-abc';
|
|
@ -0,0 +1,63 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-nonce' *; connect-src 'self';">
|
||||
<title>script-src disallowed wildcard use</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
</head>
|
||||
<body>
|
||||
<script nonce="nonce">
|
||||
var t1 = async_test('data: URIs should not match *');
|
||||
t1.step(function() {
|
||||
var script = document.createElement("script");
|
||||
script.src = 'data:application/javascript,';
|
||||
script.addEventListener('load', t1.step_func(function() {
|
||||
assert_unreached('Should not successfully load data URI.');
|
||||
}));
|
||||
script.addEventListener('error', t1.step_func(function() {
|
||||
t1.done();
|
||||
}));
|
||||
document.head.appendChild(script);
|
||||
});
|
||||
|
||||
var t2 = async_test('blob: URIs should not match *');
|
||||
t2.step(function() {
|
||||
var b = new Blob([''], { type: 'application/javascript' });
|
||||
var script = document.createElement('script');
|
||||
script.addEventListener('load', t2.step_func(function() {
|
||||
assert_unreached('Should not successfully load blob URI.');
|
||||
}));
|
||||
script.addEventListener('error', t2.step_func(function() {
|
||||
t2.done();
|
||||
}));
|
||||
|
||||
script.src = URL.createObjectURL(b);
|
||||
document.head.appendChild(script);
|
||||
});
|
||||
|
||||
var t3 = async_test('filesystem URIs should not match *');
|
||||
if (window.webkitRequestFileSystem) {
|
||||
window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs) {
|
||||
fs.root.getFile('fail.js', {create: true}, function(fileEntry) {
|
||||
fileEntry.createWriter(function(fileWriter) {
|
||||
var script = document.createElement('script');
|
||||
|
||||
script.addEventListener('load', t3.step_func(function() {
|
||||
assert_unreached('Should not successfully load filesystem URI.');
|
||||
}));
|
||||
script.addEventListener('error', t3.step_func(function() {
|
||||
t3.done();
|
||||
}));
|
||||
|
||||
script.src = fileEntry.toURL('application/javascript');
|
||||
document.body.appendChild(script);
|
||||
});
|
||||
});
|
||||
});
|
||||
} else {
|
||||
t3.done();
|
||||
}
|
||||
</script>
|
||||
</body>
|
||||
</html>
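Review bot: The `t3` branch passes vacuously: when `window.webkitRequestFileSystem` is absent, as it is in any engine without that prefixed API, the `else` arm calls `t3.done()` and 'filesystem URIs should not match *' is reported as passing although nothing was exercised. A comment on the `else` line, `// no filesystem API to exercise: t3 finishes without testing anything`, would at least make the result readable to whoever triages it; whether the harness offers a better way to record the skip cannot be told from this page.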
|
|
@ -0,0 +1,42 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-IFmozo9WnnsMXVl/Ka8XzJ3Nd8yzS2zA2ME0mwtd+Ck=' 'sha256-jSpTmJKcrnHttKdYM/wCCDJoQY5tdSxNf7zd2prwFfI=' 'sha256-qbgA2XjB2EZKjn/UmK7v/K77t+fvfxA89QT/K9qPNyE=' 'sha256-K+7X5Ip3msvRvyQzf6fkrWZziuhaUIee1aLnlP5nX10='; connect-src 'self';">
|
||||
<title>scripthash-allowed</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="/content-security-policy/support/alertAssert.sub.js?alerts=%5B%22PASS%20(1%2F4)%22%2C%22PASS%20(2%2F4)%22%2C%22PASS%20(3%2F4)%22%2C%22PASS%20(4%2F4)%22%5D">
|
||||
<script>
|
||||
window.addEventListener('securitypolicyviolation', function(e) {
|
||||
alert_assert("Fail");
|
||||
});
|
||||
</script>
|
||||
|
||||
<script>
|
||||
alert_assert('PASS (1/4)');
|
||||
|
||||
</script>
|
||||
<script>
|
||||
alert_assert('PASS (2/4)');
|
||||
|
||||
</script>
|
||||
<script>
|
||||
alert_assert('PASS (3/4)');
|
||||
|
||||
</script>
|
||||
<script>
|
||||
alert_assert('PASS (4/4)');
|
||||
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<p>
|
||||
This tests the effect of a valid script-hash value. It passes if no CSP violation is generated, and the alert_assert() is executed.
|
||||
</p>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
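Review bot: The `<script src="/content-security-policy/support/alertAssert.sub.js?alerts=…">` element in the head is never closed, so the parser treats the following `window.addEventListener('securitypolicyviolation', …)` block as the text content of that external-script element, which is ignored; the violation listener is never registered and a violation would not reach the intended `alert_assert("Fail")`. The fix is to terminate the element on that line, `…alerts=%5B…%5D"></script>`, as the other new files in this commit do for their helper scripts.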
|
|
@ -0,0 +1,72 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4='; connect-src 'self';">
|
||||
<title>scripthash-basic-blocked</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script>
|
||||
window.addEventListener('securitypolicyviolation', function(e) {
|
||||
alert_assert("Fail");
|
||||
});
|
||||
</script>
|
||||
|
||||
<script>
|
||||
var t_alert = async_test('Expecting alerts: ["PASS (1/1)"]');
|
||||
var expected_alerts = ["PASS (1/1)"];
|
||||
|
||||
function alert_assert(msg) {
|
||||
t_alert.step(function() {
|
||||
if (msg.match(/^FAIL/i)) {
|
||||
assert_unreached(msg);
|
||||
t_alert.done();
|
||||
}
|
||||
for (var i = 0; i < expected_alerts.length; i++) {
|
||||
if (expected_alerts[i] == msg) {
|
||||
assert_true(expected_alerts[i] == msg);
|
||||
expected_alerts.splice(i, 1);
|
||||
if (expected_alerts.length == 0) {
|
||||
t_alert.done();
|
||||
}
|
||||
return;
|
||||
}
|
||||
}
|
||||
assert_unreached('unexpected alert: ' + msg);
|
||||
t_log.done();
|
||||
});
|
||||
}
|
||||
|
||||
</script>
|
||||
<script>
|
||||
alert_assert('PASS (1/1)');
|
||||
|
||||
</script>
|
||||
<script>
|
||||
alert_assert('FAIL (1/4)');
|
||||
|
||||
</script>
|
||||
<script>
|
||||
alert_assert('FAIL (2/4)');
|
||||
|
||||
</script>
|
||||
<script>
|
||||
alert_assert('FAIL (3/4)');
|
||||
|
||||
</script>
|
||||
<script>
|
||||
alert_assert('FAIL (4/4)');
|
||||
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<p>
|
||||
This tests the effect of a valid script-hash value, with one valid script and several invalid ones. It passes if one alert is executed and a CSP violation is reported.
|
||||
</p>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
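Review bot: `t_log.done();` at the end of `alert_assert` references a `t_log` that this file never declares — the only test object here is `t_alert`. It sits after `assert_unreached('unexpected alert: ' + msg)`, which throws, so it is unreachable today, but it would raise a ReferenceError as soon as that assert is relaxed; it should be `t_alert.done();` or dropped. The `t_alert.done();` after the first `assert_unreached(msg)` inside the `/^FAIL/i` branch is dead for the same reason. The identical helper in the scripthash-ignore-unsafeinline hunk (`@ -0,0 +1,56 @@`) has the same two lines.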
|
|
@ -0,0 +1,20 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'nonce-abc' 'sha256-sc3CeiHrlck5tH2tTC4MnBYFnI9D5zp8f9odqnmGQjE='; connect-src 'self';">
|
||||
<title>script-hash allowed from default-src</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script nonce='abc'>
|
||||
window.addEventListener('securitypolicyviolation', function(e) {
|
||||
test(function() { assert_unreached("Should not have fired event")});
|
||||
});
|
||||
</script>
|
||||
|
||||
<script>done();</script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
</html>
|
|
@ -0,0 +1,56 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4=' 'sha256-lxHfHAe5I15v8qaArcZ5WiKmLU4CjV+3tJeQUqSIWBk='; connect-src 'self';">
|
||||
|
||||
<title>scripthash-ignore-unsafeinline</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script>window.addEventListener('securitypolicyviolation', function(e) { alert_assert("Fail"); })</script>
|
||||
<script>
|
||||
var t_alert = async_test('Expecting alerts: ["PASS (1/1)"]');
|
||||
var expected_alerts = ["PASS (1/1)"];
|
||||
|
||||
function alert_assert(msg) {
|
||||
t_alert.step(function() {
|
||||
if (msg.match(/^FAIL/i)) {
|
||||
assert_unreached(msg);
|
||||
t_alert.done();
|
||||
}
|
||||
for (var i = 0; i < expected_alerts.length; i++) {
|
||||
if (expected_alerts[i] == msg) {
|
||||
assert_true(expected_alerts[i] == msg);
|
||||
expected_alerts.splice(i, 1);
|
||||
if (expected_alerts.length == 0) {
|
||||
t_alert.done();
|
||||
}
|
||||
return;
|
||||
}
|
||||
}
|
||||
assert_unreached('unexpected alert: ' + msg);
|
||||
t_log.done();
|
||||
});
|
||||
}
|
||||
|
||||
</script>
|
||||
<script>
|
||||
alert_assert('PASS (1/1)');
|
||||
|
||||
</script>
|
||||
<script>
|
||||
alert_assert('FAIL (1/1)');
|
||||
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<p>
|
||||
This tests that a valid hash value disables inline JavaScript, even if 'unsafe-inline' is present.
|
||||
</p>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -0,0 +1,72 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-nonceynonce' 'sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c='; connect-src 'self';">
|
||||
<title>scripthash-unicode-normalization</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<!-- The following two scripts contain two separate code points (U+00C5
|
||||
and U+212B, respectively) which, depending on your text editor, might be
|
||||
rendered the same.However, their difference is important because, under
|
||||
NFC normalization, they would become the same code point, which would be
|
||||
against the spec. This test, therefore, validates that the scripts have
|
||||
*different* hash values. -->
|
||||
<script nonce="nonceynonce">
|
||||
var t_spv = async_test("Should fire securitypolicyviolation");
|
||||
window.addEventListener('securitypolicyviolation', t_spv.step_func_done(function(e) {
|
||||
assert_equals(e.violatedDirective, "script-src");
|
||||
}));
|
||||
|
||||
var matchingContent = 'Å';
|
||||
var nonMatchingContent = 'Å';
|
||||
|
||||
// This script should have a hash value of
|
||||
// sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c=
|
||||
var scriptContent1 = "window.finish('" + matchingContent + "');";
|
||||
|
||||
// This script should have a hash value of
|
||||
// sha256-iNjjXUXds31FFvkAmbC74Sxnvreug3PzGtu16udQyqM=
|
||||
var scriptContent2 = "window.finish('" + nonMatchingContent + "');";
|
||||
|
||||
var script1 = document.createElement('script');
|
||||
var script2 = document.createElement('script');
|
||||
|
||||
script1.test = async_test("Only matching content runs even with NFC normalization.");
|
||||
|
||||
var failure = function() {
|
||||
assert_unreached();
|
||||
}
|
||||
|
||||
window.finish = function(content) {
|
||||
if (content == matchingContent) {
|
||||
script1.test.step(function() {
|
||||
script1.test.done();
|
||||
});
|
||||
} else {
|
||||
script1.test.step(function() {
|
||||
assert_unreached("nonMatchingContent script ran");
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
script1.onerror = failure;
|
||||
|
||||
document.body.appendChild(script2);
|
||||
script2.textContent = scriptContent2;
|
||||
document.body.appendChild(script1);
|
||||
script1.textContent = scriptContent1;
|
||||
</script>
|
||||
|
||||
<p>
|
||||
This tests Unicode normalization. While appearing the same, the strings in the scripts are different Unicode points, but through normalization, should be the same when the hash is taken.
|
||||
</p>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
|
|
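Review bot: `var failure = function() { assert_unreached(); }` runs outside any test step, so if script1's onerror fires the assertion surfaces as an uncaught exception instead of being recorded against `script1.test`; use `script1.onerror = script1.test.step_func(function() { assert_unreached("script1 failed to load"); });`. The body paragraph says the two strings "through normalization, should be the same when the hash is taken", which contradicts the head comment stating the scripts must have *different* hash values and the policy, which whitelists only the hash computed for scriptContent1; the paragraph should say that hashing must not normalize the two strings to the same value. The two literals `'Å'` render identically in this view, so whether the file really contains U+00C5 and U+212B can only be confirmed at the byte level.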
@ -0,0 +1,68 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-noncynonce' 'nonce-noncy+/nonce='; connect-src 'self';">
|
||||
<title>scriptnonce-allowed</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script nonce="noncynonce">
|
||||
function log(msg) {
|
||||
test(function() {
|
||||
assert_unreached(msg)
|
||||
});
|
||||
}
|
||||
|
||||
</script>
|
||||
<script nonce="noncynonce">
|
||||
window.addEventListener('securitypolicyviolation', function(e) {
|
||||
alert_assert("Fail");
|
||||
});
|
||||
|
||||
var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)"]');
|
||||
var expected_alerts = ["PASS (1/2)", "PASS (2/2)"];
|
||||
|
||||
function alert_assert(msg) {
|
||||
t_alert.step(function() {
|
||||
if (msg.match(/^FAIL/i)) {
|
||||
assert_unreached(msg);
|
||||
t_alert.done();
|
||||
}
|
||||
for (var i = 0; i < expected_alerts.length; i++) {
|
||||
if (expected_alerts[i] == msg) {
|
||||
assert_true(expected_alerts[i] == msg);
|
||||
expected_alerts.splice(i, 1);
|
||||
if (expected_alerts.length == 0) {
|
||||
t_alert.done();
|
||||
}
|
||||
return;
|
||||
}
|
||||
}
|
||||
assert_unreached('unexpected alert: ' + msg);
|
||||
t_log.done();
|
||||
});
|
||||
}
|
||||
|
||||
</script>
|
||||
<!-- enforcing policy:
|
||||
script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/nonce='; connect-src 'self';
|
||||
-->
|
||||
<script nonce="noncynonce">
|
||||
alert_assert('PASS (1/2)');
|
||||
|
||||
</script>
|
||||
<script nonce="noncy+/nonce=">
|
||||
alert_assert('PASS (2/2)');
|
||||
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<p>
|
||||
This tests the effect of a valid script-nonce value. It passes if no CSP violation is generated and the alerts are executed.
|
||||
</p>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
|
|
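Review bot: The `<!-- enforcing policy: ... -->` comment before the nonce'd scripts lists `'unsafe-inline'`, but the meta policy at the top of the head is `script-src 'self' 'nonce-noncynonce' 'nonce-noncy+/nonce='; connect-src 'self';` with no 'unsafe-inline'; the comment should match the actual policy, otherwise a reader may conclude the PASS scripts run because of unsafe-inline rather than their nonces. The `log` helper defined in the first script appears not to be referenced anywhere in this file and could be dropped.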
@ -0,0 +1,79 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self';">
|
||||
<title>scriptnonce-and-scripthash</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script nonce="nonceynonce">
|
||||
function log(msg) {
|
||||
test(function() {
|
||||
assert_unreached(msg)
|
||||
});
|
||||
}
|
||||
</script>
|
||||
<script nonce="nonceynonce">
|
||||
window.addEventListener('securitypolicyviolation', function(e) {
|
||||
alert_assert("violated-directive=" + e.violatedDirective);
|
||||
});
|
||||
|
||||
var t_alert = async_test('Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"]');
|
||||
var expected_alerts = ["PASS (1/3)", "PASS (2/3)", "PASS (3/3)", "violated-directive=script-src", "violated-directive=script-src"];
|
||||
|
||||
function alert_assert(msg) {
|
||||
t_alert.step(function() {
|
||||
if (msg.match(/^FAIL/i)) {
|
||||
assert_unreached(msg);
|
||||
t_alert.done();
|
||||
}
|
||||
for (var i = 0; i < expected_alerts.length; i++) {
|
||||
if (expected_alerts[i] == msg) {
|
||||
assert_true(expected_alerts[i] == msg);
|
||||
expected_alerts.splice(i, 1);
|
||||
if (expected_alerts.length == 0) {
|
||||
t_alert.done();
|
||||
}
|
||||
return;
|
||||
}
|
||||
}
|
||||
assert_unreached('unexpected alert: ' + msg);
|
||||
t_log.done();
|
||||
});
|
||||
}
|
||||
|
||||
</script>
|
||||
<!-- enforcing policy:
|
||||
script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self';
|
||||
-->
|
||||
<script nonce="nonceynonce">
|
||||
alert_assert('PASS (1/3)');
|
||||
|
||||
</script>
|
||||
<script>
|
||||
alert_assert('PASS (2/3)');
|
||||
|
||||
</script>
|
||||
<script nonce="nonceynonce">
|
||||
alert_assert('PASS (3/3)');
|
||||
|
||||
</script>
|
||||
<script>
|
||||
alert_assert('FAIL (1/2)');
|
||||
|
||||
</script>
|
||||
<script nonce="notanonce">
|
||||
alert_assert('FAIL (2/2)');
|
||||
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<p>
|
||||
This tests the combined use of script hash and script nonce. It passes if a CSP violation is generated and the three alerts show PASS.
|
||||
</p>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
|
|
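Review bot: The async_test description `'Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"]'` names three alerts while `expected_alerts` holds five (two `"violated-directive=script-src"` entries for the two FAIL scripts), so a timeout or failure message understates what the test is waiting for; include both violation entries in the description. The `PASS (2/3)` script carries no nonce and is presumably expected to run via the sha256 source in the policy, which deserves a one-line comment above it since every neighbouring script relies on the nonce. The `log` helper in the first script appears unused in this file.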
@ -0,0 +1,43 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-noncynonce'; connect-src 'self';">
|
||||
<title>scriptnonce-basic-blocked</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)", "violated-directive=script-src", "violated-directive=script-src", "violated-directive=script-src"]'></script>
|
||||
<script nonce="noncynonce">
|
||||
alert_assert('PASS (closely-quoted nonce)');
|
||||
|
||||
</script>
|
||||
<script nonce=" noncynonce ">
|
||||
alert_assert('PASS (nonce w/whitespace)');
|
||||
|
||||
window.addEventListener('securitypolicyviolation', function(e) {
|
||||
alert_assert("violated-directive=" + e.violatedDirective);
|
||||
});
|
||||
</script>
|
||||
<script nonce="noncynonce noncynonce">
|
||||
alert_assert('FAIL (1/3)');
|
||||
|
||||
</script>
|
||||
<script>
|
||||
alert_assert('FAIL (2/3)');
|
||||
|
||||
</script>
|
||||
<script nonce="noncynonceno?">
|
||||
alert_assert('FAIL (3/3)');
|
||||
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<p>
|
||||
This tests the effect of a valid script-nonce value. It passes if a CSP violation is generated, and the two PASS alerts are executed.
|
||||
</p>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
|
|
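Review bot: The securitypolicyviolation listener is registered inside the `<script nonce=" noncynonce ">` block, so if a browser rejects the whitespace-padded nonce that script is itself blocked, no listener exists, and the three `violated-directive=script-src` alerts never arrive — the test then times out instead of failing with a useful message. Move the `window.addEventListener('securitypolicyviolation', ...)` registration into the first `<script nonce="noncynonce">` block (or a script of its own with the exact nonce) so violations are observed regardless of how the padded nonce is treated.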
@ -0,0 +1,74 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/nonce=' 'unsafe-inline'; connect-src 'self';">
|
||||
<title>scriptnonce-ignore-unsafeinline</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script nonce='noncynonce'>
|
||||
function log(msg) {
|
||||
test(function() {
|
||||
assert_unreached(msg)
|
||||
});
|
||||
}
|
||||
|
||||
window.addEventListener('securitypolicyviolation', function(e) {
|
||||
alert_assert("violated-directive=" + e.violatedDirective);
|
||||
});
|
||||
</script>
|
||||
<script nonce='noncynonce'>
|
||||
var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src"]');
|
||||
var expected_alerts = ["PASS (1/2)", "PASS (2/2)", "violated-directive=script-src"];
|
||||
|
||||
function alert_assert(msg) {
|
||||
t_alert.step(function() {
|
||||
if (msg.match(/^FAIL/i)) {
|
||||
assert_unreached(msg);
|
||||
t_alert.done();
|
||||
}
|
||||
for (var i = 0; i < expected_alerts.length; i++) {
|
||||
if (expected_alerts[i] == msg) {
|
||||
assert_true(expected_alerts[i] == msg);
|
||||
expected_alerts.splice(i, 1);
|
||||
if (expected_alerts.length == 0) {
|
||||
t_alert.done();
|
||||
}
|
||||
return;
|
||||
}
|
||||
}
|
||||
assert_unreached('unexpected alert: ' + msg);
|
||||
t_log.done();
|
||||
});
|
||||
}
|
||||
|
||||
</script>
|
||||
<!-- enforcing policy:
|
||||
script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/nonce=' 'unsafe-inline'; connect-src 'self';
|
||||
-->
|
||||
<script nonce="noncynonce">
|
||||
|
||||
|
||||
</script>
|
||||
<script nonce="noncynonce">
|
||||
alert_assert('PASS (1/2)');
|
||||
</script>
|
||||
<script nonce="noncy+/nonce=">
|
||||
alert_assert('PASS (2/2)');
|
||||
|
||||
</script>
|
||||
<script>
|
||||
alert_assert('FAIL (1/1)');
|
||||
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<p>
|
||||
This tests that a valid nonce disables inline JavaScript, even if 'unsafe-inline' is present.
|
||||
</p>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -0,0 +1,62 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self';">
|
||||
<title>scriptnonce-redirect</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script nonce="noncynonce">
|
||||
function log(msg) {
|
||||
test(function() {
|
||||
assert_unreached(msg)
|
||||
});
|
||||
}
|
||||
|
||||
window.addEventListener('securitypolicyviolation', function(e) {
|
||||
alert_assert("Fail");
|
||||
});
|
||||
</script>
|
||||
<script nonce="noncynonce">
|
||||
var t_alert = async_test('Expecting alerts: ["PASS"]');
|
||||
var expected_alerts = ["PASS"];
|
||||
|
||||
function alert_assert(msg) {
|
||||
t_alert.step(function() {
|
||||
if (msg.match(/^FAIL/i)) {
|
||||
assert_unreached(msg);
|
||||
t_alert.done();
|
||||
}
|
||||
for (var i = 0; i < expected_alerts.length; i++) {
|
||||
if (expected_alerts[i] == msg) {
|
||||
assert_true(expected_alerts[i] == msg);
|
||||
expected_alerts.splice(i, 1);
|
||||
if (expected_alerts.length == 0) {
|
||||
t_alert.done();
|
||||
}
|
||||
return;
|
||||
}
|
||||
}
|
||||
assert_unreached('unexpected alert: ' + msg);
|
||||
t_log.done();
|
||||
});
|
||||
}
|
||||
|
||||
</script>
|
||||
<!-- enforcing policy:
|
||||
script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self';
|
||||
-->
|
||||
</head>
|
||||
|
||||
<body>
|
||||
This tests whether a deferred script load caused by a redirect is properly allowed by a nonce.
|
||||
<script nonce="noncynonce" src="/common/redirect.py?location=http://{{host}}:{{ports[http][0]}}/content-security-policy/support/alert-pass.js"></script>
|
||||
<script nonce="noncynonce">
|
||||
|
||||
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -0,0 +1,35 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc'; connect-src 'self';">
|
||||
<title>srcdoc-doesnt-bypass-script-src</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["violated-directive=script-src"]'></script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<script nonce='abc'>
|
||||
window.onmessage = function(e) {
|
||||
log(e.data);
|
||||
}
|
||||
|
||||
var i = document.createElement('iframe');
|
||||
i.addEventListener('securitypolicyviolation', function(e) {
|
||||
log("violated-directive=" + e.violatedDirective);
|
||||
});
|
||||
|
||||
i.srcdoc = "<sc" + "ript nonce='abc'>" +
|
||||
"window.addEventListener('securitypolicyviolation', function(e) {" +
|
||||
"window.parent.postMessage('violated-directive=' + e.violatedDirective, '*');});" +
|
||||
"</scr" + "ipt>" +
|
||||
"<scr" + "ipt>window.parent.log('FAIL')</scr" + "ipt>";
|
||||
document.body.appendChild(i);
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
|
|
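Review bot: The `i.addEventListener('securitypolicyviolation', ...)` listener on the iframe element in the parent cannot observe violations inside the srcdoc document: that event is dispatched on the blocked element within the child document and bubbles to the child's window, not to the parent's `<iframe>` element, so this listener is dead code and the single expected log can only arrive through the srcdoc's own listener and postMessage. Either drop it or comment that the parent-side listener is intentionally expected never to fire. The `window.onmessage` handler logs `e.data` from any sender; checking `e.source === i.contentWindow` would keep an unrelated message from being recorded as a result.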
@ -0,0 +1,5 @@
|
|||
document.write("<script>log('Pass 1 of 2');</script>");
|
||||
|
||||
var s = document.createElement('script');
|
||||
s.textContent = "log('Pass 2 of 2');";
|
||||
document.body.appendChild(s);
|
|
@ -0,0 +1 @@
|
|||
postMessage("importScripts allowed");
|
|
@ -0,0 +1,5 @@
|
|||
var id = 0;
|
||||
try {
|
||||
id = eval("1 + 2 + 3");
|
||||
} catch (e) {}
|
||||
postMessage(id === 0 ? "eval blocked" : "eval allowed");
|
|
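Review bot: `catch (e) {}` swallows every exception, so any error other than a CSP block (for instance a SyntaxError from a typo in the evaluated string) also leaves `id` at 0 and is reported as "eval blocked"; CSP rejects string compilation with an EvalError, so the catch should rethrow anything else, `catch (e) { if (!(e instanceof EvalError)) throw e; }`. The same blanket catch is used in worker-function-function.js (`new Function(...)`) and worker-set-timeout.js (string `setTimeout`), where the same narrowing applies for implementations that throw on a blocked compilation.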
@ -0,0 +1 @@
|
|||
Content-Security-Policy: script-src 'unsafe-inline'
|
|
@ -0,0 +1,7 @@
|
|||
var fn = function() {
|
||||
postMessage('Function() function blocked');
|
||||
}
|
||||
try {
|
||||
fn = new Function("", "postMessage('Function() function allowed');");
|
||||
} catch (e) {}
|
||||
fn();
|
|
@ -0,0 +1 @@
|
|||
Content-Security-Policy: script-src 'unsafe-inline'
|
|
@ -0,0 +1,6 @@
|
|||
try {
|
||||
importScripts("/content-security-policy/support/post-message.js");
|
||||
postMessage("importScripts allowed");
|
||||
} catch (e) {
|
||||
postMessage("importScripts blocked");
|
||||
}
|
|
@ -0,0 +1 @@
|
|||
Content-Security-Policy: script-src 'none'
|
|
@ -0,0 +1,5 @@
|
|||
var id = 0;
|
||||
try {
|
||||
id = setTimeout("postMessage('handler invoked')", 100);
|
||||
} catch (e) {}
|
||||
postMessage(id === 0 ? "setTimeout blocked" : "setTimeout allowed");
|
|
@ -0,0 +1 @@
|
|||
Content-Security-Policy: script-src 'none'
|
|
@ -0,0 +1,38 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
|
||||
<title>worker-eval-blocked</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["eval blocked"]'></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=[]'></script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<p>This test loads a worker, delivered with its own policy.
|
||||
The eval() call in the worker should be forbidden by that
|
||||
policy. No report should be generated because the worker
|
||||
policy does not set a report-uri (although this parent
|
||||
resource does).</p>
|
||||
<script>
|
||||
window.addEventListener('securitypolicyviolation', function(e) {
|
||||
log('Fail');
|
||||
});
|
||||
|
||||
try {
|
||||
var worker = new Worker('/content-security-policy/script-src/support/worker-eval.js');
|
||||
worker.onmessage = function(event) {
|
||||
log(event.data);
|
||||
};
|
||||
} catch (e) {
|
||||
log(e);
|
||||
}
|
||||
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
|
|
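Review bot: The explanatory paragraph says the parent resource sets a report-uri ("although this parent resource does"), but the meta policy at the top of the file is `script-src 'self' 'unsafe-inline'; connect-src 'self';` with no report-uri, so the text describes a policy this converted test no longer carries; trim it to "No report should be generated because the worker policy does not set a report-uri." The same stale sentence appears in worker-function-function-blocked. In the catch, `log(e)` hands an Error object to a helper that presumably compares against the string expectations in logTest.sub.js; `log(String(e))` would at least yield a readable failure entry.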
@ -0,0 +1,37 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
|
||||
<title>worker-function-function-blocked</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["Function() function blocked"]'></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=[]'></script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<p>This test loads a worker, delivered with its own policy.
|
||||
The Function constructor should be forbidden by that
|
||||
policy. No report should be generated because the worker
|
||||
policy does not set a report-uri (although this parent
|
||||
resource does).</p>
|
||||
<script>
|
||||
window.addEventListener('securitypolicyviolation', function(e) {
|
||||
log('Fail');
|
||||
});
|
||||
try {
|
||||
var worker = new Worker('/content-security-policy/script-src/support/worker-function-function.js');
|
||||
worker.onmessage = function(event) {
|
||||
log(event.data);
|
||||
};
|
||||
} catch (e) {
|
||||
log(e);
|
||||
}
|
||||
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -0,0 +1,41 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';">
|
||||
<title>worker-importscripts-blocked</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
|
||||
<script src="../support/alertAssert.sub.js?alerts=[]"></script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<script>
|
||||
window.addEventListener('securitypolicyviolation', function(e) {
|
||||
log('Fail');
|
||||
});
|
||||
var result = '';
|
||||
try {
|
||||
var worker = new Worker('/content-security-policy/script-src/support/worker-importscripts.js');
|
||||
worker.onmessage = function(event) {
|
||||
result = event.data;
|
||||
test(function() {
|
||||
assert_equals(result, 'importScripts blocked')
|
||||
});
|
||||
log("TEST COMPLETE");
|
||||
};
|
||||
} catch (e) {
|
||||
result = e;
|
||||
test(function() {
|
||||
assert_equals(result, 'importScripts blocked')
|
||||
});
|
||||
log("TEST COMPLETE");
|
||||
}
|
||||
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
|
|
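Review bot: In the `catch (e)` branch `result = e;` stores the exception object and `assert_equals(result, 'importScripts blocked')` then compares it against a string, so a failure to construct the Worker shows up as a confusing equality mismatch rather than as the exception it was; use `assert_unreached('Worker construction failed: ' + e)` there instead. The `test(...)` plus `log("TEST COMPLETE")` pair is duplicated in both branches and both `test()` calls are unnamed, so a failure in the log cannot be attributed; a single named helper taking the message would do. The parent policy carries `'unsafe-eval'` although nothing in this page compiles strings, presumably copied from a sibling test.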
@ -0,0 +1,32 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
|
||||
<title>worker-script-src</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src='../support/logTest.sub.js?logs=["PASS"]'></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=[]'></script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<script>
|
||||
window.addEventListener('securitypolicyviolation', function(e) {
|
||||
log('Fail');
|
||||
});
|
||||
try {
|
||||
var foo = new Worker('/content-security-policy/script-src/support/post-message.js');
|
||||
foo.onmessage = function(event) {
|
||||
log("PASS");
|
||||
};
|
||||
} catch (e) {
|
||||
log(e);
|
||||
}
|
||||
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
|
|
@ -0,0 +1,32 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'self' 'unsafe-eval'; connect-src 'self';">
|
||||
<title>worker-set-timeout-blocked</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="../support/logTest.sub.js?logs=[]"></script>
|
||||
<script src='../support/alertAssert.sub.js?alerts=["setTimeout blocked"]'></script>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<script>
|
||||
window.addEventListener('securitypolicyviolation', function(e) {
|
||||
log('Fail');
|
||||
});
|
||||
try {
|
||||
var worker = new Worker('/content-security-policy/script-src/support/worker-set-timeout.js');
|
||||
worker.onmessage = function(event) {
|
||||
alert_assert(event.data);
|
||||
};
|
||||
} catch (e) {
|
||||
alert_assert(e);
|
||||
}
|
||||
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
|
||||
</html>
|
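Review bot: `alert_assert(e)` in the catch passes an Error object to a helper which, if alertAssert.sub.js mirrors the inline copies elsewhere in this commit, calls `msg.match(/^FAIL/i)` on its argument and would raise a TypeError on a non-string; pass `alert_assert('FAIL: ' + e)` so a Worker construction failure is recorded as an assertion with the message preserved. The meta policy `script-src 'self' 'unsafe-inline' 'self' 'unsafe-eval'` repeats `'self'`; harmless, but it should be deduplicated so the policy reads as intended.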