Check CSP for javascript:
URLs (#36709)
Also update a WPT test to fail fast if the iframe incorrectly evaluates the `eval`. Before, it would run into a timeout if the implementation is correct. Now we reject the promise when an exception is thrown. Requires servo/rust-content-security-policy#6 Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
This commit is contained in:
parent
b8971e528f
commit
dd63325f50
16 changed files with 70 additions and 57 deletions
2
tests/wpt/meta/MANIFEST.json
vendored
|
@ -571755,7 +571755,7 @@
|
|||
]
|
||||
],
|
||||
"eval-blocked-in-about-blank-iframe.html": [
|
||||
"054e75b52749b37530a02bc5ee0119ca5e76a474",
|
||||
"b2286f56a234a515cddec0e02439f9768e3a2905",
|
||||
[
|
||||
null,
|
||||
{}
|
||||
|
|
|
@ -1,10 +1,7 @@
|
|||
[to-javascript-parent-initiated-child-csp.html]
|
||||
expected: TIMEOUT
|
||||
[Should not have executed the javascript URL for\n iframe.contentWindow.location.href with child's CSP "script-src 'none'"]
|
||||
expected: TIMEOUT
|
||||
|
||||
[Should not have executed the javascript URL for\n iframe.src with child's CSP "script-src 'none'"]
|
||||
expected: NOTRUN
|
||||
expected: TIMEOUT
|
||||
|
||||
[Should not have executed the javascript URL for\n otherTabWithScriptSrcNone.location.href with child's CSP "script-src 'none'"]
|
||||
expected: NOTRUN
|
||||
|
|
|
@ -3,9 +3,6 @@
|
|||
[Should not have executed the javascript url for\n iframe.contentWindow.location.href]
|
||||
expected: FAIL
|
||||
|
||||
[Should not have executed the javascript url for\n iframe.src]
|
||||
expected: FAIL
|
||||
|
||||
[Should not have executed the javascript url for\n otherTab.location.href]
|
||||
expected: TIMEOUT
|
||||
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
[script-src-strict_dynamic_javascript_uri.html]
|
||||
expected: TIMEOUT
|
||||
[Script injected via `javascript:` URIs are not allowed with `strict-dynamic`.]
|
||||
expected: TIMEOUT
|
|
@ -1,13 +0,0 @@
|
|||
[script-src-trusted_types_eval_with_require_trusted_types_eval.html]
|
||||
expected: ERROR
|
||||
[Script injected via direct `eval` is allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.]
|
||||
expected: FAIL
|
||||
|
||||
[Script injected via indirect `eval` is allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.]
|
||||
expected: FAIL
|
||||
|
||||
[Script injected via `new Function` is allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.]
|
||||
expected: FAIL
|
||||
|
||||
[Script injected via `setTimeout` is allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.]
|
||||
expected: FAIL
|
|
@ -1,3 +1,4 @@
|
|||
[linenumber.tentative.html]
|
||||
expected: TIMEOUT
|
||||
[linenumber]
|
||||
expected: FAIL
|
||||
expected: NOTRUN
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
[eval-blocked-in-about-blank-iframe.html]
|
||||
expected: ERROR
|
||||
[eval-blocked-in-about-blank-iframe]
|
||||
expected: TIMEOUT
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
[javascript_src_denied_missing_unsafe_hashes-href.html]
|
||||
[javascript: navigation using <a href> should be refused due to missing unsafe-hashes]
|
||||
expected: FAIL
|
|
@ -1,3 +0,0 @@
|
|||
[javascript_src_denied_missing_unsafe_hashes-window_location.html]
|
||||
[Test that the javascript: src is not allowed to run]
|
||||
expected: FAIL
|
|
@ -1,3 +0,0 @@
|
|||
[javascript_src_denied_wrong_hash-href.html]
|
||||
[javascript: navigation using <a href> should be refused due to wrong hash]
|
||||
expected: FAIL
|
|
@ -1,3 +0,0 @@
|
|||
[javascript_src_denied_wrong_hash-window_location.html]
|
||||
[Test that the javascript: src is not allowed to run]
|
||||
expected: FAIL
|
|
@ -19,18 +19,27 @@
|
|||
const document_loaded = new Promise(resolve => window.onload = resolve);
|
||||
await document_loaded;
|
||||
|
||||
const eval_error = new Promise(resolve => {
|
||||
window.addEventListener('message', function(e) {
|
||||
assert_not_equals(e.data, 'FAIL', 'eval was executed in the frame');
|
||||
if (e.data === 'PASS')
|
||||
resolve();
|
||||
const eval_error = new Promise((resolve, reject) => {
|
||||
window.addEventListener('message', function(event) {
|
||||
try {
|
||||
assert_not_equals(event.data, 'FAIL', 'eval was executed in the frame');
|
||||
if (event.data === 'PASS') {
|
||||
resolve();
|
||||
}
|
||||
} catch (e) {
|
||||
reject(e);
|
||||
}
|
||||
});
|
||||
});
|
||||
const csp_violation_report = new Promise(resolve => {
|
||||
window.addEventListener('message', function(e) {
|
||||
if (e.data["violated-directive"]) {
|
||||
assert_equals(e.data["violated-directive"], "script-src");
|
||||
resolve();
|
||||
const csp_violation_report = new Promise((resolve, reject) => {
|
||||
window.addEventListener('message', function(event) {
|
||||
try {
|
||||
if (event.data["violated-directive"]) {
|
||||
assert_equals(event.data["violated-directive"], "script-src");
|
||||
resolve();
|
||||
}
|
||||
} catch (e) {
|
||||
reject(e);
|
||||
}
|
||||
});
|
||||
});
|
||||
|
|
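Review bot: Neither new listener checks where the message came from — `resolve()` in the eval_error promise fires on a `'PASS'` string posted by any window, and the report listener accepts any object carrying a `violated-directive` key, so either promise can settle on a message unrelated to the frame under test. A guard at the top of each handler such as `if (event.source !== FRAME_VAR.contentWindow) return;` (FRAME_VAR being the iframe variable, which is declared outside this hunk) would tie both promises to the frame being tested. Separately, the manual try/catch-and-reject the commit adds to both handlers is what testharness.js already provides as `t.step_func`; if the enclosing `promise_test` callback, which starts before this hunk, receives `t`, wrapping the handlers in it would drop the duplicated boilerplate. Note also that message data of `null` makes `event.data["violated-directive"]` throw, which the new catch turns into a rejection of the report promise rather than an ignored message — presumably acceptable for this test, but worth a one-line comment.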