Sync WPT with upstream (29-06-2025) (#37774)

Automated downstream sync of changes from upstream as of 29-06-2025 [no-wpt-sync] Signed-off-by: WPT Sync Bot <ghbot+wpt-sync@servo.org>
2025-09-30 16:49:16 +01:00 · 2025-06-29 03:47:33 +02:00 · 2025-06-29 03:47:33 +02:00 · 9a0f2be162
commit 9a0f2be162
parent e1c037815c
548 changed files with 15671 additions and 4682 deletions
--- a/tests/wpt/meta/content-security-policy/parsing/invalid-bytes.html.ini
+++ b/tests/wpt/meta/content-security-policy/parsing/invalid-bytes.html.ini
@ -0,0 +1,55 @@
+[invalid-bytes.html]
+  expected: TIMEOUT
+  [CSP: "img-src 'none'\\x01" should allow rendering (Invalid directive ignored).]
+    expected: TIMEOUT
+
+  [CSP: "img-src 'none' http:\\x01" should allow rendering (Invalid directive ignored).]
+    expected: NOTRUN
+
+  [CSP: "img-src 'self'\\x01" should allow rendering (Invalid directive ignored).]
+    expected: NOTRUN
+
+  [CSP: "img-src 'none'; media-src 'self'\\x01" should block rendering.]
+    expected: NOTRUN
+
+  [CSP: "img-src 'self'; media-src 'self'\\x01" should allow rendering.]
+    expected: NOTRUN
+
+  [CSP: "img-src 'self', img-src 'self'\\x01" should allow rendering.]
+    expected: NOTRUN
+
+  [CSP: "img-src 'none', img-src 'self'\\x01" should block rendering.]
+    expected: NOTRUN
+
+  [CSP: "img-src 'self', img-src\\x01" should allow rendering.]
+    expected: NOTRUN
+
+  [CSP: "img-src 'none', img-src\\x01" should block rendering.]
+    expected: NOTRUN
+
+  [CSP: "img-src 'none'\\x7f" should allow rendering (Invalid directive ignored).]
+    expected: NOTRUN
+
+  [CSP: "img-src 'none' http:\\x7f" should allow rendering (Invalid directive ignored).]
+    expected: NOTRUN
+
+  [CSP: "img-src 'self'\\x7f" should allow rendering (Invalid directive ignored).]
+    expected: NOTRUN
+
+  [CSP: "img-src 'none'; media-src 'self'\\x7f" should block rendering.]
+    expected: NOTRUN
+
+  [CSP: "img-src 'self'; media-src 'self'\\x7f" should allow rendering.]
+    expected: NOTRUN
+
+  [CSP: "img-src 'self', img-src 'self'\\x7f" should allow rendering.]
+    expected: NOTRUN
+
+  [CSP: "img-src 'none', img-src 'self'\\x7f" should block rendering.]
+    expected: NOTRUN
+
+  [CSP: "img-src 'self', img-src\\x7f" should allow rendering.]
+    expected: NOTRUN
+
+  [CSP: "img-src 'none', img-src\\x7f" should block rendering.]
+    expected: NOTRUN
--- a/tests/wpt/meta/content-security-policy/script-src/tentative/script-url-allowed-by-hash.https.html.ini
+++ b/tests/wpt/meta/content-security-policy/script-src/tentative/script-url-allowed-by-hash.https.html.ini
@ -0,0 +1,36 @@
+[script-url-allowed-by-hash.https.html]
+  [script-src should allow script by its url hash - header]
+    expected: FAIL
+
+  [A parseable url-hash should ignore hostname allowlists - header]
+    expected: FAIL
+
+  [default-src should allow script by its url hash - header]
+    expected: FAIL
+
+  [script-src-elem should allow script by its url hash - header]
+    expected: FAIL
+
+  [url hashes should allow dynamically inserted script if allowlisted - header]
+    expected: FAIL
+
+  [url hashes should allow redirected scripts - header]
+    expected: FAIL
+
+  [script-src should allow script by its url hash - metatag]
+    expected: FAIL
+
+  [A parseable url-hash should ignore hostname allowlists - metatag]
+    expected: FAIL
+
+  [default-src should allow script by its url hash - metatag]
+    expected: FAIL
+
+  [script-src-elem should allow script by its url hash - metatag]
+    expected: FAIL
+
+  [url hashes should allow dynamically inserted script if allowlisted - metatag]
+    expected: FAIL
+
+  [url hashes should allow redirected scripts - metatag]
+    expected: FAIL
--- a/tests/wpt/meta/content-security-policy/script-src/tentative/url-hash-in-header-and-meta.https.html.ini
+++ b/tests/wpt/meta/content-security-policy/script-src/tentative/url-hash-in-header-and-meta.https.html.ini
@ -0,0 +1,6 @@
+[url-hash-in-header-and-meta.https.html]
+  [more lax meta tag should still allow script]
+    expected: FAIL
+
+  [multiple meta tags should apply most strict policy - both lax]
+    expected: FAIL
--- a/tests/wpt/meta/content-security-policy/unsafe-eval/tentative/eval-allowed-by-hash.sub.html.ini
+++ b/tests/wpt/meta/content-security-policy/unsafe-eval/tentative/eval-allowed-by-hash.sub.html.ini
@ -0,0 +1,4 @@
+[eval-allowed-by-hash.sub.html]
+  expected: ERROR
+  [Expecting alerts: ["PASS (1 of 2)","PASS (2 of 2)"\]]
+    expected: FAIL
--- a/tests/wpt/meta/content-security-policy/unsafe-eval/tentative/eval-hashes-override-unsafe-eval.sub.html.ini
+++ b/tests/wpt/meta/content-security-policy/unsafe-eval/tentative/eval-hashes-override-unsafe-eval.sub.html.ini
@ -0,0 +1,9 @@
+[eval-hashes-override-unsafe-eval.sub.html]
+  [Expecting logs: ["PASS EvalError","PASS EvalError", "violated-directive=script-src"\]]
+    expected: FAIL
+
+  [eval-blocked]
+    expected: FAIL
+
+  [eval-blocked 1]
+    expected: FAIL