Run all CSP tests in CI by default. (#36436)

Extending the original set from #36402 since there are additional tests
relevant to the work happening in #36409 and #36363.

Testing: New tests in CI.
Fixes: Part of https://github.com/servo/servo/issues/4577

Signed-off-by: Josh Matthews <josh@joshmatthews.net>
Josh Matthews 2025-04-10 04:09:23 -04:00 committed by GitHub
parent a0730d7154
commit c16ca22970
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
509 changed files with 5492 additions and 12 deletions

@ -0,0 +1,3 @@
[eval-allowed-in-report-only-mode-and-sends-report.html]
[Violation report status OK.]
expected: FAIL

@ -0,0 +1,3 @@
[injected-inline-script-blocked.sub.html]
[Expecting logs: ["violated-directive=script-src-elem","blocked-uri=inline"\]]
expected: FAIL

@ -0,0 +1,4 @@
[javascript-window-open-blocked.html]
expected: TIMEOUT
[Check that a securitypolicyviolation event is fired]
expected: NOTRUN
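
Review bot: The file-level `expected: TIMEOUT` with the only subtest left `NOTRUN` means this file waits out the full harness timeout on every run now that all CSP tests run in CI by default. The same shape (a `securitypolicyviolation` subtest marked `NOTRUN` under a file-level `TIMEOUT`) repeats in the `script-src-1_*` hunks that follow, so it would help to say in the commit message which of #36409 or #36363 is expected to make the event fire, so these entries get revisited together.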

@ -0,0 +1,3 @@
[nonce-enforce-blocked.html]
[Unnonced scripts generate reports.]
expected: FAIL

@ -0,0 +1,7 @@
[script-src-1_1.html]
expected: TIMEOUT
[Inline event handler]
expected: FAIL
[Should fire policy violation events]
expected: NOTRUN

@ -0,0 +1,4 @@
[script-src-1_10.html]
expected: TIMEOUT
[Test that securitypolicyviolation event is fired]
expected: NOTRUN

@ -0,0 +1,7 @@
[script-src-1_2.html]
expected: TIMEOUT
[Inline event handler]
expected: FAIL
[Should fire policy violation events]
expected: NOTRUN

@ -0,0 +1,4 @@
[script-src-1_2_1.html]
expected: TIMEOUT
[Test that securitypolicyviolation event is fired]
expected: NOTRUN

@ -0,0 +1,7 @@
[script-src-report-only-policy-works-with-external-hash-policy.html]
expected: TIMEOUT
[Should fire securitypolicyviolation event]
expected: NOTRUN
[External script in a script tag with matching SRI hash should run.]
expected: FAIL

@ -0,0 +1,4 @@
[script-src-report-only-policy-works-with-hash-policy.html]
expected: TIMEOUT
[Test that the securitypolicyviolation event is fired]
expected: NOTRUN

@ -0,0 +1,9 @@
[script-src-sri_hash.sub.html]
[multiple matching integrity]
expected: FAIL
[partially matching integrity]
expected: FAIL
[External script in a script tag with matching SRI hash should run.]
expected: FAIL
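
Review bot: The last subtest here, `External script in a script tag with matching SRI hash should run.`, is a positive case, so `expected: FAIL` records that an assertion about a script that should be allowed does not hold. That is a different defect class from the blocking tests elsewhere in this change. The same subtest name is also marked `FAIL` in the `script-src-report-only-policy-works-with-external-hash-policy.html` hunk, so consider tracking both under one item for external scripts with a matching integrity hash.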

@ -0,0 +1,3 @@
[script-src-strict_dynamic_discard_source_expressions.html]
[Allowed scripts without a correct nonce are not permitted with `strict-dynamic`.]
expected: FAIL

@ -0,0 +1,4 @@
[script-src-strict_dynamic_double_policy_different_nonce.html]
expected: TIMEOUT
[Unnonced script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce-only double policy.]
expected: TIMEOUT

@ -0,0 +1,4 @@
[script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html]
expected: TIMEOUT
[Non-allowed script injected via `appendChild` is not permitted with `strict-dynamic` + a nonce+allowed double policy.]
expected: TIMEOUT

@ -0,0 +1,4 @@
[script-src-strict_dynamic_javascript_uri.html]
expected: TIMEOUT
[Script injected via `javascript:` URIs are not allowed with `strict-dynamic`.]
expected: TIMEOUT

@ -0,0 +1,7 @@
[script-src-strict_dynamic_meta_tag.html]
expected: TIMEOUT
[Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`.]
expected: TIMEOUT
[Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`, even if it carries an incorrect nonce.]
expected: TIMEOUT

@ -0,0 +1,7 @@
[script-src-strict_dynamic_non_parser_inserted.html]
expected: TIMEOUT
[Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`.]
expected: TIMEOUT
[Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`, even if it carries an incorrect nonce.]
expected: TIMEOUT

@ -0,0 +1,4 @@
[script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html]
expected: TIMEOUT
[All the expected CSP violation reports have been fired.]
expected: TIMEOUT

@ -0,0 +1,31 @@
[script-src-strict_dynamic_parser_inserted.html]
expected: TIMEOUT
[Parser-inserted script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
expected: FAIL
[Parser-inserted script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.]
expected: FAIL
[Parser-inserted deferred script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
expected: FAIL
[Parser-inserted deferred script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.]
expected: FAIL
[Parser-inserted async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
expected: FAIL
[Parser-inserted async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.]
expected: FAIL
[Parser-inserted deferred async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
expected: FAIL
[Parser-inserted deferred async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.]
expected: TIMEOUT
[Script injected via `innerHTML` is not allowed with `strict-dynamic`.]
expected: TIMEOUT
[Script injected via `insertAdjacentHTML` is not allowed with `strict-dynamic`.]
expected: TIMEOUT
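
Review bot: The boundary between `FAIL` and `TIMEOUT` in this hunk looks timing-dependent: seven of the eight `document.write`/`document.writeln` subtests are `FAIL`, while the last `document.writeln` one (deferred async) is `TIMEOUT`. Which subtest is in flight when the harness timeout fires can shift between runs, so please confirm this is stable over repeated runs, or record both outcomes with `expected: [FAIL, TIMEOUT]` on that subtest to avoid intermittent CI failures.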

@ -0,0 +1,7 @@
[script-src-strict_dynamic_worker.https.html]
expected: TIMEOUT
[Shared worker is allowed via 'strict-dynamic']
expected: FAIL
[Service worker is allowed via 'strict-dynamic']
expected: TIMEOUT
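
Review bot: It is not clear from this metadata whether the shared worker `FAIL` and the service worker `TIMEOUT` come from the CSP check or from the worker type itself not starting. If it is the latter, a short note in the PR would keep these expectations from being read as a `strict-dynamic` enforcement gap.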

@ -0,0 +1,13 @@
[script-src-trusted_types_eval_with_require_trusted_types_eval.html]
expected: ERROR
[Script injected via direct `eval` is allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.]
expected: FAIL
[Script injected via indirect `eval` is allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.]
expected: FAIL
[Script injected via `new Function` is allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.]
expected: FAIL
[Script injected via `setTimeout` is allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.]
expected: FAIL
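
Review bot: The file-level `expected: ERROR` records a harness error rather than a failed assertion, and it will keep matching if the underlying error changes to something unrelated. Since all four subtests are already listed as `FAIL`, it would be worth stating in the PR what raises the error, so a later change in the cause is not hidden behind the same status.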

@ -0,0 +1,3 @@
[scripthash-case-insensitive.sub.html]
[Expecting alerts: ["PASS (1/6)","PASS (2/6)","PASS (3/6)","PASS (4/6)","PASS (5/6)","PASS (6/6)"\]]
expected: FAIL

@ -0,0 +1,4 @@
[scripthash-unicode-normalization.sub.html]
expected: TIMEOUT
[Should fire securitypolicyviolation]
expected: NOTRUN

@ -0,0 +1,4 @@
[scriptnonce-and-scripthash.sub.html]
expected: TIMEOUT
[Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"\]]
expected: TIMEOUT

@ -0,0 +1,3 @@
[scriptnonce-basic-blocked.sub.html]
[Expecting alerts: ["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)", "violated-directive=script-src-elem", "violated-directive=script-src-elem", "violated-directive=script-src-elem"\]]
expected: FAIL

@ -0,0 +1,4 @@
[scriptnonce-ignore-unsafeinline.sub.html]
expected: TIMEOUT
[Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src-elem"\]]
expected: TIMEOUT

@ -0,0 +1,3 @@
[srcdoc-doesnt-bypass-script-src.sub.html]
[Expecting logs: ["violated-directive=script-src-elem"\]]
expected: FAIL
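
Review bot: `expected: FAIL` on the `violated-directive=script-src-elem` log does not say whether the script in the `srcdoc` frame actually ran or whether it was blocked and only the violation log is missing. Those are very different outcomes for a test named "doesn't bypass", so please record which one it is in the tracking issue; if the script runs, that is an enforcement gap and should be prioritised over the reporting work.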

@ -0,0 +1,3 @@
[worker-data-set-timeout.sub.html]
[Shared worker with data: url inherits CSP]
expected: FAIL

@ -0,0 +1,3 @@
[worker-eval-blocked.sub.html]
[Expecting logs: ["eval blocked"\]]
expected: FAIL

@ -0,0 +1,3 @@
[worker-function-function-blocked.sub.html]
[Expecting logs: ["Function() function blocked"\]]
expected: FAIL

@ -0,0 +1,6 @@
[worker-importscripts.sub.html]
[Dedicated worker delivers its own CSP]
expected: FAIL
[Shared worker delivers its own CSP]
expected: FAIL

@ -0,0 +1,6 @@
[worker-set-timeout.sub.html]
[Dedicated worker delivers its own CSP]
expected: FAIL
[Shared worker delivers its own CSP]
expected: FAIL