Update web-platform-tests to revision e8bfc205e36ad699601212cd50083870bad9a75d

Ms2ger 2016-11-14 11:07:09 +01:00
parent 65dd6d4340
commit ccdb0a3458
1428 changed files with 118036 additions and 9786 deletions


@ -0,0 +1,31 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Scripts injected via `eval` are allowed with `strict-dynamic` with `unsafe-eval`.</title>
<script src='/resources/testharness.js' nonce='dummy'></script>
<script src='/resources/testharnessreport.js' nonce='dummy'></script>
<!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' 'unsafe-eval' -->
</head>
<body>
<h1>Scripts injected via `eval` are allowed with `strict-dynamic` with `unsafe-eval`.</h1>
<div id='log'></div>
<script nonce='dummy'>
var evalScriptRan = false;
async_test(function(t) {
window.addEventListener('securitypolicyviolation', t.unreached_func('No CSP violation report has fired.'));
try {
eval("evalScriptRan = true;");
} catch (e) {
assert_unreached("`eval` should be allowed with `strict-dynamic` with `unsafe-eval`.");
}
assert_true(evalScriptRan);
t.done();
}, "Script injected via `eval` is allowed with `strict-dynamic` with `unsafe-eval`.");
</script>
</body>
</html>
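Review bot: The `securitypolicyviolation` listener on line 26 cannot fail this test, because `t.done()` on line 33 runs synchronously right after `eval` returns, and a violation event delivered in a later task (CSP reports are queued rather than dispatched inline) reaches `unreached_func` only after the test has completed, where the step is a no-op. To keep that check meaningful, defer completion by one task: replace `t.done();` with `setTimeout(t.step_func_done(), 0);` so a report fired for the `eval` still lands inside the test. The `new Function()` test in this commit (lines 50-76) has the same shape and needs the same change.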


@ -0,0 +1,5 @@
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0, false
Pragma: no-cache
Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' 'unsafe-eval'


@ -0,0 +1,31 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Scripts injected via `new Function()` are allowed with `strict-dynamic` with `unsafe-eval`.</title>
<script src='/resources/testharness.js' nonce='dummy'></script>
<script src='/resources/testharnessreport.js' nonce='dummy'></script>
<!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' 'unsafe-eval' -->
</head>
<body>
<h1>Scripts injected via `new Function()` are allowed with `strict-dynamic` with `unsafe-eval`.</h1>
<div id='log'></div>
<script nonce='dummy'>
var newFunctionScriptRan = false;
async_test(function(t) {
window.addEventListener('securitypolicyviolation', t.unreached_func('No CSP violation report has fired.'));
try {
new Function('newFunctionScriptRan = true;')();
} catch (e) {
assert_unreached("`new Function()` should be allowed with `strict-dynamic` with `unsafe-eval`.");
}
assert_true(newFunctionScriptRan);
t.done();
}, "Script injected via `new Function()` is allowed with `strict-dynamic` with `unsafe-eval`.");
</script>
</body>
</html>


@ -0,0 +1,5 @@
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0, false
Pragma: no-cache
Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' 'unsafe-eval'


@ -0,0 +1,32 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Whitelists are discarded with `strict-dynamic` in the script-src directive.</title>
<script src='/resources/testharness.js' nonce='dummy'></script>
<script src='/resources/testharnessreport.js' nonce='dummy'></script>
<!-- CSP served: script-src 'self' 'strict-dynamic' 'nonce-dummy' -->
</head>
<body>
<h1>Whitelists are discarded with `strict-dynamic` in the script-src directive.</h1>
<div id='log'></div>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'whitelistedScript') {
assert_unreached('Whitelisted script without a correct nonce is not allowed with `strict-dynamic`.');
}
}));
window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
assert_equals(e.effectiveDirective, 'script-src');
}));
}, 'Whitelisted script without a correct nonce is not allowed with `strict-dynamic`.');
</script>
<script id='whitelistedScript' src='simpleSourcedScript.js'></script>
</body>
</html>


@ -0,0 +1,5 @@
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0, false
Pragma: no-cache
Content-Security-Policy: script-src 'self' 'strict-dynamic' 'nonce-dummy'


@ -0,0 +1,68 @@
<!DOCTYPE HTML>
<html>
<head>
<title>A separate policy with more nonces works correctly with `strict-dynamic` in the script-src directive.</title>
<script src='/resources/testharness.js' nonce='dummy'></script>
<script src='/resources/testharnessreport.js' nonce='dummy'></script>
<!-- CSP served:
1) Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
2) Content-Security-Policy: script-src 'nonce-dummy' 'nonce-dummy2'
-->
</head>
<body>
<h1>A separate policy with more nonces works correctly with `strict-dynamic` in the script-src directive.</h1>
<div id='log'></div>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'unNonced-appendChild') {
assert_unreached('Unnonced script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce-only double policy.');
}
}));
window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
if (violation.blockedURI.split('?')[1] !== 'unNonced-appendChild') {
return;
}
assert_equals(violation.effectiveDirective, 'script-src');
t.done();
}));
var e = document.createElement('script');
e.id = 'unNonced-appendChild';
e.src = 'simpleSourcedScript.js?' + e.id;
e.onload = t.unreached_func('OnLoad should not be triggered.');
document.body.appendChild(e);
}, 'Unnonced script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce-only double policy.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'nonced-appendChild') {
t.done();
}
}));
window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
if (violation.blockedURI.split('?')[1] !== 'nonced-appendChild') {
return;
}
assert_unreached('No CSP violation report has fired.');
}));
var e = document.createElement('script');
e.setAttribute('nonce', 'dummy2');
e.id = 'nonced-appendChild';
e.src = 'simpleSourcedScript.js?' + e.id;
e.onerror = t.unreached_func('Error should not be triggered.');
document.body.appendChild(e);
}, 'Script injected via `appendChild` with a correct nonce is allowed with `strict-dynamic` + a nonce-only double policy.');
</script>
</body>
</html>
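Review bot: In both tests the `message` event parameter and the injected script element share the name `e` (lines 145 and 157, 166 and 177), so within one `async_test` body `e` is an event inside the handler and a `<script>` element a few lines later. Renaming the element, e.g. `var script = document.createElement('script');` with the following lines updated to `script.id`, `script.src`, `script.onload`, removes the ambiguity without changing behaviour. The same naming pattern recurs in the other `appendChild` tests added by this commit.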


@ -0,0 +1,6 @@
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0, false
Pragma: no-cache
Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
Content-Security-Policy: script-src 'nonce-dummy' 'nonce-dummy2'


@ -0,0 +1,61 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Whitelists in a separate policy are honored with `strict-dynamic` in the script-src directive.</title>
<script src='/resources/testharness.js' nonce='dummy'></script>
<script src='/resources/testharnessreport.js' nonce='dummy'></script>
<!-- CSP served:
1) Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
2) Content-Security-Policy: script-src 'self' 'nonce-dummy'
-->
</head>
<body>
<h1>Whitelists in a separate policy are honored with `strict-dynamic` in the script-src directive.</h1>
<div id='log'></div>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'whitelisted-appendChild') {
t.done();
}
}));
window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
if (violation.blockedURI.split('?')[1] !== 'whitelisted-appendChild') {
return;
}
assert_unreached('Script injected via `appendChild` is allowed with `strict-dynamic` + a nonce+whitelist double policy.');
}));
var e = document.createElement('script');
e.id = 'whitelisted-appendChild';
e.src = 'simpleSourcedScript.js?' + e.id;
e.onerror = t.unreached_func('Error should not be triggered.');
document.body.appendChild(e);
}, 'Script injected via `appendChild` is allowed with `strict-dynamic` + a nonce+whitelist double policy.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
if (violation.blockedURI.split('?')[1] !== 'nonWhitelisted-appendChild') {
return;
}
assert_equals(violation.effectiveDirective, 'script-src');
assert_equals(violation.originalPolicy, "script-src 'self' 'nonce-dummy'");
t.done();
}));
var e = document.createElement('script');
e.id = 'nonWhitelisted-appendChild';
e.src = '{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/nonexisting.js?' + e.id;
e.onload = t.unreached_func('OnLoad should not be triggered.');
document.body.appendChild(e);
}, 'Non-whitelisted script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce+whitelist double policy.');
</script>
</body>
</html>
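Review bot: The cross-origin URL on line 247 pairs `{{location[scheme]}}` with `{{ports[http][0]}}`, so if this file is ever served over https the injected script would address the http port under an https scheme and the request could fail for reasons unrelated to `'self'` matching. Pinning the scheme to the port it names, `e.src = 'http://{{domains[www2]}}:{{ports[http][0]}}/nonexisting.js?' + e.id;`, keeps the test about the policy only. Note also that line 242 asserts `originalPolicy` against the exact serialization of the second header, which ties this test to the spacing in the accompanying headers file.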


@ -0,0 +1,6 @@
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0, false
Pragma: no-cache
Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
Content-Security-Policy: script-src 'self' 'nonce-dummy'


@ -0,0 +1,44 @@
<!DOCTYPE HTML>
<html>
<head>
<title>A separate Report-Only policy does not influence `strict-dynamic` in the script-src directive.</title>
<script src='/resources/testharness.js' nonce='dummy'></script>
<script src='/resources/testharnessreport.js' nonce='dummy'></script>
<!-- CSP served:
1) Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
2) Content-Security-Policy-Report-Only: script-src 'none'
-->
</head>
<body>
<h1>A separate Report-Only policy does not influence `strict-dynamic` in the script-src directive.</h1>
<div id='log'></div>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'appendChild-reportOnly') {
t.done();
}
}));
window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
if (violation.blockedURI.split('?')[1] !== 'appendChild-reportOnly') {
return;
}
assert_equals(violation.effectiveDirective, 'script-src');
// Check that the violation comes from the Report-Only policy.
assert_equals(violation.originalPolicy, "script-src 'none'");
t.done();
}));
var e = document.createElement('script');
e.id = 'appendChild-reportOnly';
e.src = 'simpleSourcedScript.js?' + e.id;
e.onerror = t.unreached_func('Error should not be triggered.');
document.body.appendChild(e);
}, 'Script injected via `appendChild` is allowed with `strict-dynamic` + Report-Only `script-src \'none\'` policy.');
</script>
</body>
</html>
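Review bot: The test completes on whichever of the two events arrives first, so one of its two checks is never evaluated: `t.done()` on line 286 ends the test when the script's message arrives, after which the `originalPolicy` assertion on line 295 runs in a no-op step, and if the Report-Only violation arrives first (line 296) the test ends without ever confirming that the enforced policy actually let the script run. Both outcomes are needed for the title's claim, so the test should record each event and finish only when both have been seen.
```html
async_test(function(t) {
  var scriptRan = false;
  var reportFired = false;
  // Both the allowed execution and the Report-Only violation are required;
  // either one alone is inconclusive for this policy combination.
  function maybeDone() {
    if (scriptRan && reportFired) {
      t.done();
    }
  }
  window.addEventListener('message', t.step_func(function(e) {
    if (e.data === 'appendChild-reportOnly') {
      scriptRan = true;
      maybeDone();
    }
  }));
  window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
    if (violation.blockedURI.split('?')[1] !== 'appendChild-reportOnly') {
      return;
    }
    assert_equals(violation.effectiveDirective, 'script-src');
    // Check that the violation comes from the Report-Only policy.
    assert_equals(violation.originalPolicy, "script-src 'none'");
    reportFired = true;
    maybeDone();
  }));
  // … unchanged: script element creation and appendChild …
```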


@ -0,0 +1,6 @@
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0, false
Pragma: no-cache
Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
Content-Security-Policy-Report-Only: script-src 'none'


@ -0,0 +1,37 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Scripts injected via `eval` are not allowed with `strict-dynamic` without `unsafe-eval`.</title>
<script src='/resources/testharness.js' nonce='dummy'></script>
<script src='/resources/testharnessreport.js' nonce='dummy'></script>
<!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' -->
</head>
<body>
<h1>Scripts injected via `eval` are not allowed with `strict-dynamic` without `unsafe-eval`.</h1>
<div id='log'></div>
<script nonce='dummy'>
var evalScriptRan = false;
async_test(function(t) {
window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
assert_false(evalScriptRan);
assert_equals(e.effectiveDirective, 'script-src');
}));
assert_throws(new Error(),
function() {
try {
eval("evalScriptRan = true;");
} catch (e) {
throw new Error();
}
});
}, "Script injected via `eval` is not allowed with `strict-dynamic` without `unsafe-eval`.");
</script>
</body>
</html>
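Review bot: The `try`/`catch` on lines 341-345 discards the real exception and rethrows a bare `Error`, so `assert_throws(new Error(), …)` only proves that something threw; a `ReferenceError` from a typo inside the closure would pass just as well as a CSP block. Per the HTML/CSP integration, blocked string compilation throws an `EvalError`, so the wrapper can be dropped and the expectation tightened: `assert_throws(new EvalError(), function() { eval("evalScriptRan = true;"); });`. The `new Function()` test later in this commit (lines 557-564) uses the same wrapper and can be simplified the same way.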


@ -0,0 +1,5 @@
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0, false
Pragma: no-cache
Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'


@ -0,0 +1,52 @@
<!DOCTYPE HTML>
<html>
<head>
<title>`strict-dynamic` allows scripts matching hashes present in the policy.</title>
<script src='/resources/testharness.js' nonce='dummy'></script>
<script src='/resources/testharnessreport.js' nonce='dummy'></script>
<!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' 'sha256-yU6Q7nD1TCBB9JvY06iIJ8ONLOPU4g8ml5JCDgXkv+M=' 'sha256-IFt1v6itHgqlrtInbPm/y7qyWcAlDbPgZM+92C5EZ5o=' -->
</head>
<body>
<h1>`strict-dynamic` allows scripts matching hashes present in the policy.</h1>
<div id='log'></div>
<script nonce='dummy'>
var hashScriptRan = false;
window.addEventListener('securitypolicyviolation', function(e) {
assert_unreached('No CSP violation report has fired.');
});
</script>
<!-- Hash: 'sha256-yU6Q7nD1TCBB9JvY06iIJ8ONLOPU4g8ml5JCDgXkv+M=' -->
<script>
hashScriptRan = true;
</script>
<script nonce='dummy'>
async_test(function(t) {
assert_true(hashScriptRan);
t.done();
}, "Script matching SHA256 hash is allowed with `strict-dynamic`.");
</script>
<!-- Hash: 'sha256-IFt1v6itHgqlrtInbPm/y7qyWcAlDbPgZM+92C5EZ5o=' -->
<script>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'hashScript') {
t.done();
}
}));
var e = document.createElement('script');
e.id = 'hashScript';
e.src = 'simpleSourcedScript.js?' + e.id;
e.onerror = t.unreached_func('Error should not be triggered.');
document.body.appendChild(e);
}, 'Script injected via `appendChild` from a script matching SHA256 hash is allowed with `strict-dynamic`.');
</script>
</body>
</html>
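Review bot: The scripts on lines 382-384 and 392-405 run only because the two `sha256-…` values in the policy match their exact source bytes between the `<script>` tags, leading newline, indentation and line endings included; any edit to those bodies, or a checkout that rewrites line endings, silently turns them into blocked scripts and the file then fails for a reason unrelated to `'strict-dynamic'`. That dependency deserves a comment next to each `<!-- Hash: … -->` marker, e.g. `<!-- Hash covers the exact bytes of the script body below; regenerate it after any edit, whitespace included -->`. The `assert_unreached` on line 378 also runs outside any test step, so a violation would surface as a harness error rather than a named failure.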


@ -0,0 +1,5 @@
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0, false
Pragma: no-cache
Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' 'sha256-yU6Q7nD1TCBB9JvY06iIJ8ONLOPU4g8ml5JCDgXkv+M=' 'sha256-IFt1v6itHgqlrtInbPm/y7qyWcAlDbPgZM+92C5EZ5o='


@ -0,0 +1,32 @@
<!DOCTYPE HTML>
<html>
<head>
<title>`strict-dynamic` does not drop whitelists in `img-src`.</title>
<script src='/resources/testharness.js' nonce='dummy'></script>
<script src='/resources/testharnessreport.js' nonce='dummy'></script>
<!-- CSP served: img-src 'strict-dynamic' 'self' -->
</head>
<body>
<h1>`strict-dynamic` does not drop whitelists in `img-src`.</h1>
<div id='log'></div>
<script nonce='dummy'>
window.addEventListener('securitypolicyviolation', function(e) {
assert_unreached('No CSP violation report has fired.');
});
async_test(function(t) {
var e = document.createElement('img');
e.id = 'whitelistedImage';
e.src = '/content-security-policy/support/pass.png';
e.onerror = t.unreached_func('Error should not be triggered.');
e.onload = t.step_func_done();
document.body.appendChild(e);
}, '`strict-dynamic` does not drop whitelists in `img-src`.');
</script>
</body>
</html>


@ -0,0 +1,5 @@
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0, false
Pragma: no-cache
Content-Security-Policy: img-src 'strict-dynamic' 'self'


@ -0,0 +1,76 @@
<!DOCTYPE HTML>
<html>
<head>
<title>A `strict-dynamic` policy can be served in a META tag.</title>
<meta http-equiv="Content-Security-Policy" content="script-src 'strict-dynamic' 'nonce-dummy'">
<script src='/resources/testharness.js' nonce='dummy'></script>
<script src='/resources/testharnessreport.js' nonce='dummy'></script>
<!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' -->
</head>
<body>
<h1>A `strict-dynamic` policy can be served in a META tag.</h1>
<div id='log'></div>
<script nonce='dummy'>
window.addEventListener('securitypolicyviolation', function(e) {
assert_unreached('No CSP violation report has fired.');
});
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'appendChild') {
t.done();
}
}));
var e = document.createElement('script');
e.id = 'appendChild';
e.src = 'simpleSourcedScript.js?' + e.id;
e.onerror = t.unreached_func('Error should not be triggered.');
document.body.appendChild(e);
}, 'Script injected via `appendChild` is allowed with `strict-dynamic`.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'appendChild-incorrectNonce') {
t.done();
}
}));
var e = document.createElement('script');
e.id = 'appendChild-incorrectNonce';
e.src = 'simpleSourcedScript.js?' + e.id;
e.setAttribute('nonce', 'wrong');
e.onerror = t.unreached_func('Error should not be triggered.');
document.body.appendChild(e);
}, 'Script injected via `appendChild` is allowed with `strict-dynamic`, even if it carries an incorrect nonce.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.appendChildViaTextContent = t.step_func_done();
var e = document.createElement('script');
e.id = 'appendChild-textContent';
e.textContent = "appendChildViaTextContent();";
e.onerror = t.unreached_func('Error should not be triggered.');
document.body.appendChild(e);
}, 'Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.appendChildViaTextContentIncorrectNonce = t.step_func_done();
var e = document.createElement('script');
e.id = 'appendChild-textContent-incorrectNonce';
e.setAttribute('nonce', 'wrong');
e.textContent = "appendChildViaTextContentIncorrectNonce();";
e.onerror = t.unreached_func('Error should not be triggered.');
document.body.appendChild(e);
}, 'Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`, even if it carries an incorrect nonce.');
</script>
</body>
</html>
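Review bot: The comment on line 467 says `CSP served: …`, but the accompanying headers file (lines 531-534) carries no `Content-Security-Policy` header; the policy for this file comes solely from the `<meta>` element on line 464, which is the whole point of the test. Reword the comment so a reader does not go looking for a header, e.g. `<!-- CSP delivered via the <meta> element above (no header): script-src 'strict-dynamic' 'nonce-dummy' -->`.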


@ -0,0 +1,4 @@
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0, false
Pragma: no-cache


@ -0,0 +1,37 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Scripts injected via `new Function()` are not allowed with `strict-dynamic` without `unsafe-eval`.</title>
<script src='/resources/testharness.js' nonce='dummy'></script>
<script src='/resources/testharnessreport.js' nonce='dummy'></script>
<!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' -->
</head>
<body>
<h1>Scripts injected via `new Function()` are not allowed with `strict-dynamic` without `unsafe-eval`.</h1>
<div id='log'></div>
<script nonce='dummy'>
var newFunctionScriptRan = false;
async_test(function(t) {
window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
assert_false(newFunctionScriptRan);
assert_equals(e.effectiveDirective, 'script-src');
}));
assert_throws(new Error(),
function() {
try {
new Function('newFunctionScriptRan = true;')();
} catch (e) {
throw new Error();
}
});
}, "Script injected via 'eval' is not allowed with 'strict-dynamic' without 'unsafe-eval'.");
</script>
</body>
</html>
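Review bot: The test description on line 565 says `Script injected via 'eval'` although the body exercises `new Function()` (line 560), and it uses straight quotes where every other description in this commit uses backticks, so the results log will attribute this case to the `eval` test. Rename it to mirror the `<title>` on line 542: "Script injected via `new Function()` is not allowed with `strict-dynamic` without `unsafe-eval`.".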


@ -0,0 +1,5 @@
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0, false
Pragma: no-cache
Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'


@ -0,0 +1,76 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Nonced and non parser-inserted scripts should run with `strict-dynamic` in the script-src directive.</title>
<script src='/resources/testharness.js' nonce='dummy'></script>
<script src='/resources/testharnessreport.js' nonce='dummy'></script>
<!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' -->
</head>
<body>
<h1>Nonced and non parser-inserted scripts should run with `strict-dynamic` in the script-src directive.</h1>
<div id='log'></div>
<script nonce='dummy'>
window.addEventListener('securitypolicyviolation', function(e) {
assert_unreached('No CSP violation report has fired.');
});
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'appendChild') {
t.done();
}
}));
var e = document.createElement('script');
e.id = 'appendChild';
e.src = 'simpleSourcedScript.js?' + e.id;
e.onerror = t.unreached_func('Error should not be triggered.');
document.body.appendChild(e);
}, 'Script injected via `appendChild` is allowed with `strict-dynamic`.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'appendChild-incorrectNonce') {
t.done();
}
}));
var e = document.createElement('script');
e.id = 'appendChild-incorrectNonce';
e.src = 'simpleSourcedScript.js?' + e.id;
e.setAttribute('nonce', 'wrong');
e.onerror = t.unreached_func('Error should not be triggered.');
document.body.appendChild(e);
}, 'Script injected via `appendChild` is allowed with `strict-dynamic`, even if it carries an incorrect nonce.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.appendChildViaTextContent = t.step_func_done();
var e = document.createElement('script');
e.id = 'appendChild-textContent';
e.textContent = "appendChildViaTextContent();";
e.onerror = t.unreached_func('Error should not be triggered.');
document.body.appendChild(e);
}, 'Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.appendChildViaTextContentIncorrectNonce = t.step_func_done();
var e = document.createElement('script');
e.id = 'appendChild-textContent-incorrectNonce';
e.setAttribute('nonce', 'wrong');
e.textContent = "appendChildViaTextContentIncorrectNonce();";
e.onerror = t.unreached_func('Error should not be triggered.');
document.body.appendChild(e);
}, 'Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`, even if it carries an incorrect nonce.');
</script>
</body>
</html>


@ -0,0 +1,5 @@
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0, false
Pragma: no-cache
Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'


@ -0,0 +1,29 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Scripts without a correct nonce should not run with `strict-dynamic` in the script-src directive.</title>
<script src='/resources/testharness.js' nonce='dummy'></script>
<script src='/resources/testharnessreport.js' nonce='dummy'></script>
<!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' -->
</head>
<body>
<h1>Scripts without a correct nonce should not run with `strict-dynamic` in the script-src directive.</h1>
<div id='log'></div>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
assert_equals(e.effectiveDirective, 'script-src');
}));
}, 'All the expected CSP violation reports have been fired.');
</script>
<script nonce='wrong'>
assert_unreached('Inline script with an incorrect nonce should not be executed.');
</script>
</body>
</html>


@ -0,0 +1,5 @@
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0, false
Pragma: no-cache
Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'


@ -0,0 +1,205 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Parser-inserted scripts without a correct nonce are not allowed with `strict-dynamic` in the script-src directive.</title>
<script src='/resources/testharness.js' nonce='dummy'></script>
<script src='/resources/testharnessreport.js' nonce='dummy'></script>
<!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' -->
</head>
<body>
<h1>Parser-inserted scripts without a correct nonce are not allowed with `strict-dynamic` in the script-src directive.</h1>
<div id='log'></div>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'documentWrite') {
assert_unreached('Parser-inserted script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.');
}
}));
window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
if (violation.blockedURI.split('?')[1] !== 'documentWrite') {
return;
}
assert_equals(violation.effectiveDirective, 'script-src');
t.done();
}));
document.write('<scr' + 'ipt id="documentWrite" src="simpleSourcedScript.js?documentWrite"></scr' + 'ipt>');
}, 'Parser-inserted script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'documentWriteln') {
assert_unreached('Parser-inserted script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.');
}
}));
window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
if (violation.blockedURI.split('?')[1] !== 'documentWriteln') {
return;
}
assert_equals(violation.effectiveDirective, 'script-src');
t.done();
}));
document.writeln('<scr' + 'ipt id="documentWriteln" src="simpleSourcedScript.js?documentWriteln"></scr' + 'ipt>');
}, 'Parser-inserted script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'documentWrite-deferred') {
assert_unreached('Parser-inserted deferred script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.');
}
}));
window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
if (violation.blockedURI.split('?')[1] !== 'documentWrite-deferred') {
return;
}
assert_equals(violation.effectiveDirective, 'script-src');
t.done();
}));
document.write('<scr' + 'ipt defer id="documentWrite-deferred" src="simpleSourcedScript.js?documentWrite-deferred"></scr' + 'ipt>');
}, 'Parser-inserted deferred script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'documentWriteln-deferred') {
assert_unreached('Parser-inserted deferred script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.');
}
}));
window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
if (violation.blockedURI.split('?')[1] !== 'documentWriteln-deferred') {
return;
}
assert_equals(violation.effectiveDirective, 'script-src');
t.done();
}));
document.writeln('<scr' + 'ipt defer id="documentWriteln-deferred" src="simpleSourcedScript.js?documentWriteln-deferred"></scr' + 'ipt>');
}, 'Parser-inserted deferred script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'documentWrite-async') {
assert_unreached('Parser-inserted async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.');
}
}));
window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
if (violation.blockedURI.split('?')[1] !== 'documentWrite-async') {
return;
}
assert_equals(violation.effectiveDirective, 'script-src');
t.done();
}));
document.write('<scr' + 'ipt async id="documentWrite-async" src="simpleSourcedScript.js?documentWrite-async"></scr' + 'ipt>');
}, 'Parser-inserted async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'documentWriteln-async') {
assert_unreached('Parser-inserted async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.');
}
}));
window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
if (violation.blockedURI.split('?')[1] !== 'documentWriteln-async') {
return;
}
assert_equals(violation.effectiveDirective, 'script-src');
t.done();
}));
document.writeln('<scr' + 'ipt async id="documentWriteln-async" src="simpleSourcedScript.js?documentWriteln-async"></scr' + 'ipt>');
}, 'Parser-inserted async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'documentWrite-deferred-async') {
assert_unreached('Parser-inserted deferred async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.');
}
}));
window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
if (violation.blockedURI.split('?')[1] !== 'documentWrite-deferred-async') {
return;
}
assert_equals(violation.effectiveDirective, 'script-src');
t.done();
}));
document.write('<scr' + 'ipt defer async id="documentWrite-deferred-async" src="simpleSourcedScript.js?documentWrite-deferred-async"></scr' + 'ipt>');
}, 'Parser-inserted deferred async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'documentWriteln-deferred-async') {
assert_unreached('Parser-inserted deferred async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.');
}
}));
window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
if (violation.blockedURI.split('?')[1] !== 'documentWriteln-deferred-async') {
return;
}
assert_equals(violation.effectiveDirective, 'script-src');
t.done();
}));
document.writeln('<scr' + 'ipt defer async id="documentWriteln-deferred-async " src="simpleSourcedScript.js?documentWriteln-deferred-async "></scr' + 'ipt>');
}, 'Parser-inserted deferred async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.');
</script>
<script nonce='dummy'>
var innerHTMLScriptRan = false;
async_test(function(t) {
window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
if (violation.target.id !== 'innerHTML') {
return;
}
assert_false(innerHTMLScriptRan);
assert_equals(violation.effectiveDirective, 'script-src');
t.done();
}));
var e = document.createElement('div');
e.innerHTML = "<img id='innerHTML' src='/nonexisting.jpg' onerror='innerHTMLScriptRan = true;' style='display:none'>";
document.body.appendChild(e);
}, 'Script injected via `innerHTML` is not allowed with `strict-dynamic`.');
</script>
<script nonce='dummy'>
var insertAdjacentHTMLScriptRan = false;
async_test(function(t) {
window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
if (violation.target.id !== 'insertAdjacentHTML') {
return;
}
assert_false(insertAdjacentHTMLScriptRan);
assert_equals(violation.effectiveDirective, 'script-src');
t.done();
}));
var e = document.createElement('div');
e.insertAdjacentHTML('afterbegin', "<img id='insertAdjacentHTML' src='/nonexisting.jpg' onerror='insertAdjacentHTMLScriptRan = true;' style='display:none'>");
document.body.appendChild(e);
}, 'Script injected via `insertAdjacentHTML` is not allowed with `strict-dynamic`.');
</script>
</body>
</html>
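Review bot: Line 841 carries a trailing space inside both the `id` attribute and the query string (`documentWriteln-deferred-async `), while the listeners on lines 830 and 835 compare against the value without the space; the query serializes as `documentWriteln-deferred-async%20`, so the violation handler always returns early and that test can only end in a timeout instead of recording a pass. Drop the two spaces: `document.writeln('<scr' + 'ipt defer async id="documentWriteln-deferred-async" src="simpleSourcedScript.js?documentWriteln-deferred-async"></scr' + 'ipt>');`. The other `document.write`/`document.writeln` cases in this file are consistent and unaffected.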


@ -0,0 +1,5 @@
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0, false
Pragma: no-cache
Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'


@ -0,0 +1,110 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Parser-inserted scripts with a correct nonce are allowed with `strict-dynamic` in the script-src directive.</title>
<script src='/resources/testharness.js' nonce='dummy'></script>
<script src='/resources/testharnessreport.js' nonce='dummy'></script>
<!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' -->
</head>
<body>
<h1>Parser-inserted scripts with a correct nonce are allowed with `strict-dynamic` in the script-src directive.</h1>
<div id='log'></div>
<script nonce='dummy'>
window.addEventListener('securitypolicyviolation', function(e) {
assert_unreached('No CSP violation report has fired.');
});
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'documentWrite') {
t.done();
}
}));
document.write('<scr' + 'ipt nonce="dummy" id="documentWrite" src="simpleSourcedScript.js"></scr' + 'ipt>');
}, 'Parser-inserted script via `document.write` with a correct nonce is allowed with `strict-dynamic`.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'documentWriteln') {
t.done();
}
}));
document.writeln('<scr' + 'ipt nonce="dummy" id="documentWriteln" src="simpleSourcedScript.js"></scr' + 'ipt>');
}, 'Parser-inserted script via `document.writeln` with a correct nonce is allowed with `strict-dynamic`.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'documentWrite-defer') {
t.done();
}
}));
document.write('<scr' + 'ipt defer nonce="dummy" id="documentWrite-defer" src="simpleSourcedScript.js"></scr' + 'ipt>');
}, 'Parser-inserted deferred script via `document.write` with a correct nonce is allowed with `strict-dynamic`.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'documentWriteln-defer') {
t.done();
}
}));
document.writeln('<scr' + 'ipt defer nonce="dummy" id="documentWriteln-defer" src="simpleSourcedScript.js"></scr' + 'ipt>');
}, 'Parser-inserted deferred script via `document.writeln` with a correct nonce is allowed with `strict-dynamic`.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'documentWrite-async') {
t.done();
}
}));
document.write('<scr' + 'ipt async nonce="dummy" id="documentWrite-async" src="simpleSourcedScript.js"></scr' + 'ipt>');
}, 'Parser-inserted async script via `document.write` with a correct nonce is allowed with `strict-dynamic`.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'documentWriteln-async') {
t.done();
}
}));
document.writeln('<scr' + 'ipt async nonce="dummy" id="documentWriteln-async" src="simpleSourcedScript.js"></scr' + 'ipt>');
}, 'Parser-inserted async script via `document.writeln` with a correct nonce is allowed with `strict-dynamic`.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'documentWrite-defer-async') {
t.done();
}
}));
document.write('<scr' + 'ipt defer async nonce="dummy" id="documentWrite-defer-async" src="simpleSourcedScript.js"></scr' + 'ipt>');
}, 'Parser-inserted deferred async script via `document.write` with a correct nonce is allowed with `strict-dynamic`.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'documentWriteln-defer-async') {
t.done();
}
}));
document.writeln('<scr' + 'ipt defer async nonce="dummy" id="documentWriteln-defer-async" src="simpleSourcedScript.js"></scr' + 'ipt>');
}, 'Parser-inserted deferred async script via `document.writeln` with a correct nonce is allowed with `strict-dynamic`.');
</script>
</body>
</html>
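Review bot: The page-level `securitypolicyviolation` listener in the first script block calls `assert_unreached` outside of any test's step, so if a violation ever fires, the thrown assertion surfaces as an uncaught error for the whole file rather than failing the test it belongs to. Every other handler in this file goes through `t.step_func`, and the violation check fits the same shape: register `window.addEventListener('securitypolicyviolation', t.unreached_func('No CSP violation report has fired.'));` inside each `async_test` and drop the global listener. A smaller point: each `message` handler keys only on `e.data`, so a message from any origin carrying a matching id would satisfy the test; since the helper script posts with a `"*"` target this is presumably intended, but an explicit `e.origin === location.origin` check would make the pass condition unambiguous.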

View file

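--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'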


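--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1 @@
+window.postMessage(document.currentScript.id, "*");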