Check CSP for javascript: URLs (#36709)

Also update a WPT test to fail-fast if the iframe incorrectly
evaluates the `eval`. Before, it would run into a timeout if
the implementation is correct. Now we reject the promise
when an exception is thrown.

Requires servo/rust-content-security-policy#6

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
This commit is contained in:
Tim van der Lippe 2025-05-02 22:13:31 +02:00 committed by GitHub
parent b8971e528f
commit dd63325f50
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
16 changed files with 70 additions and 57 deletions

View file

@ -571755,7 +571755,7 @@
]
],
"eval-blocked-in-about-blank-iframe.html": [
"054e75b52749b37530a02bc5ee0119ca5e76a474",
"b2286f56a234a515cddec0e02439f9768e3a2905",
[
null,
{}

View file

@ -1,10 +1,7 @@
[to-javascript-parent-initiated-child-csp.html]
expected: TIMEOUT
[Should not have executed the javascript URL for\n iframe.contentWindow.location.href with child's CSP "script-src 'none'"]
expected: TIMEOUT
[Should not have executed the javascript URL for\n iframe.src with child's CSP "script-src 'none'"]
expected: NOTRUN
expected: TIMEOUT
[Should not have executed the javascript URL for\n otherTabWithScriptSrcNone.location.href with child's CSP "script-src 'none'"]
expected: NOTRUN

View file

@ -3,9 +3,6 @@
[Should not have executed the javascript url for\n iframe.contentWindow.location.href]
expected: FAIL
[Should not have executed the javascript url for\n iframe.src]
expected: FAIL
[Should not have executed the javascript url for\n otherTab.location.href]
expected: TIMEOUT

View file

@ -1,4 +0,0 @@
[script-src-strict_dynamic_javascript_uri.html]
expected: TIMEOUT
[Script injected via `javascript:` URIs are not allowed with `strict-dynamic`.]
expected: TIMEOUT

View file

@ -1,13 +0,0 @@
[script-src-trusted_types_eval_with_require_trusted_types_eval.html]
expected: ERROR
[Script injected via direct `eval` is allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.]
expected: FAIL
[Script injected via indirect `eval` is allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.]
expected: FAIL
[Script injected via `new Function` is allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.]
expected: FAIL
[Script injected via `setTimeout` is allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.]
expected: FAIL

View file

@ -1,3 +1,4 @@
[linenumber.tentative.html]
expected: TIMEOUT
[linenumber]
expected: FAIL
expected: NOTRUN

View file

@ -1,4 +1,3 @@
[eval-blocked-in-about-blank-iframe.html]
expected: ERROR
[eval-blocked-in-about-blank-iframe]
expected: TIMEOUT
expected: FAIL

View file

@ -1,3 +0,0 @@
[javascript_src_denied_missing_unsafe_hashes-href.html]
[javascript: navigation using <a href> should be refused due to missing unsafe-hashes]
expected: FAIL

View file

@ -1,3 +0,0 @@
[javascript_src_denied_missing_unsafe_hashes-window_location.html]
[Test that the javascript: src is not allowed to run]
expected: FAIL

View file

@ -1,3 +0,0 @@
[javascript_src_denied_wrong_hash-href.html]
[javascript: navigation using <a href> should be refused due to wrong hash]
expected: FAIL

View file

@ -1,3 +0,0 @@
[javascript_src_denied_wrong_hash-window_location.html]
[Test that the javascript: src is not allowed to run]
expected: FAIL

View file

@ -19,18 +19,27 @@
const document_loaded = new Promise(resolve => window.onload = resolve);
await document_loaded;
const eval_error = new Promise(resolve => {
window.addEventListener('message', function(e) {
assert_not_equals(e.data, 'FAIL', 'eval was executed in the frame');
if (e.data === 'PASS')
resolve();
const eval_error = new Promise((resolve, reject) => {
window.addEventListener('message', function(event) {
try {
assert_not_equals(event.data, 'FAIL', 'eval was executed in the frame');
if (event.data === 'PASS') {
resolve();
}
} catch (e) {
reject(e);
}
});
});
const csp_violation_report = new Promise(resolve => {
window.addEventListener('message', function(e) {
if (e.data["violated-directive"]) {
assert_equals(e.data["violated-directive"], "script-src");
resolve();
const csp_violation_report = new Promise((resolve, reject) => {
window.addEventListener('message', function(event) {
try {
if (event.data["violated-directive"]) {
assert_equals(event.data["violated-directive"], "script-src");
resolve();
}
} catch (e) {
reject(e);
}
});
});