Check CSP for javascript: URLs (#36709)

Also update a WPT test to fail-fast if the iframe incorrectly evaluates the `eval`. Before, it would run into a timeout if the implementation is correct. Now we reject the promise when an exception is thrown. Requires servo/rust-content-security-policy#6 Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
2025-08-30 09:38:19 +01:00 · 2025-05-02 22:13:31 +02:00 · 2025-05-02 22:13:31 +02:00 · dd63325f50
commit dd63325f50
parent b8971e528f
16 changed files with 70 additions and 57 deletions
--- a/tests/wpt/meta/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html.ini
+++ b/tests/wpt/meta/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html.ini
@ -1,10 +1,7 @@
 [to-javascript-parent-initiated-child-csp.html]
  expected: TIMEOUT
-  [Should not have executed the javascript URL for\n        iframe.contentWindow.location.href with child's CSP "script-src 'none'"]
-    expected: TIMEOUT
-
  [Should not have executed the javascript URL for\n        iframe.src with child's CSP "script-src 'none'"]
-    expected: NOTRUN
+    expected: TIMEOUT

  [Should not have executed the javascript URL for\n        otherTabWithScriptSrcNone.location.href with child's CSP "script-src 'none'"]
    expected: NOTRUN
--- a/tests/wpt/meta/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html.ini
+++ b/tests/wpt/meta/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html.ini
@ -3,9 +3,6 @@
  [Should not have executed the javascript url for\n      iframe.contentWindow.location.href]
    expected: FAIL

-  [Should not have executed the javascript url for\n      iframe.src]
-    expected: FAIL
-
  [Should not have executed the javascript url for\n      otherTab.location.href]
    expected: TIMEOUT

--- a/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html.ini
+++ b/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html.ini
@ -1,4 +0,0 @@
-[script-src-strict_dynamic_javascript_uri.html]
-  expected: TIMEOUT
-  [Script injected via `javascript:` URIs are not allowed with `strict-dynamic`.]
-    expected: TIMEOUT
--- a/tests/wpt/meta/content-security-policy/script-src/script-src-trusted_types_eval_with_require_trusted_types_eval.html.ini
+++ b/tests/wpt/meta/content-security-policy/script-src/script-src-trusted_types_eval_with_require_trusted_types_eval.html.ini
@ -1,13 +0,0 @@
-[script-src-trusted_types_eval_with_require_trusted_types_eval.html]
-  expected: ERROR
-  [Script injected via direct `eval` is allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.]
-    expected: FAIL
-
-  [Script injected via indirect `eval` is allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.]
-    expected: FAIL
-
-  [Script injected via `new Function` is allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.]
-    expected: FAIL
-
-  [Script injected via `setTimeout` is allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.]
-    expected: FAIL
--- a/tests/wpt/meta/content-security-policy/securitypolicyviolation/linenumber.tentative.html.ini
+++ b/tests/wpt/meta/content-security-policy/securitypolicyviolation/linenumber.tentative.html.ini
@ -1,3 +1,4 @@
 [linenumber.tentative.html]
+  expected: TIMEOUT
  [linenumber]
-    expected: FAIL
+    expected: NOTRUN
--- a/tests/wpt/meta/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.html.ini
+++ b/tests/wpt/meta/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.html.ini
@ -1,4 +1,3 @@
 [eval-blocked-in-about-blank-iframe.html]
-  expected: ERROR
  [eval-blocked-in-about-blank-iframe]
-    expected: TIMEOUT
+    expected: FAIL
--- a/tests/wpt/meta/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html.ini
+++ b/tests/wpt/meta/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html.ini
@ -1,3 +0,0 @@
-[javascript_src_denied_missing_unsafe_hashes-href.html]
-  [javascript: navigation using <a href> should be refused due to missing unsafe-hashes]
-    expected: FAIL
--- a/tests/wpt/meta/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html.ini
+++ b/tests/wpt/meta/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html.ini
@ -1,3 +0,0 @@
-[javascript_src_denied_missing_unsafe_hashes-window_location.html]
-  [Test that the javascript: src is not allowed to run]
-    expected: FAIL
--- a/tests/wpt/meta/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html.ini
+++ b/tests/wpt/meta/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html.ini
@ -1,3 +0,0 @@
-[javascript_src_denied_wrong_hash-href.html]
-  [javascript: navigation using <a href> should be refused due to wrong hash]
-    expected: FAIL
--- a/tests/wpt/meta/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html.ini
+++ b/tests/wpt/meta/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html.ini
@ -1,3 +0,0 @@
-[javascript_src_denied_wrong_hash-window_location.html]
-  [Test that the javascript: src is not allowed to run]
-    expected: FAIL