author: Tim van der Lippe <TimvdLippe@users.noreply.github.com> 2025-04-17 23:11:25 +0200
committer: GitHub <noreply@github.com> 2025-04-17 21:11:25 +0000
commit: 2a81987590622feabd1beedb3c7cc87d6a88c85a
tree: 1615f7c11bcbeeab8c43dad58c3980a7e072d32e
parent: 70b3e248168f1277e282a269bd1bf754fa7b784c
Check CSP for inline event handlers (#36510)
This also ensures that document now reports all violations and we set the correct directive.

With these changes, all `script-src-attr-elem` WPT tests pass.

Part of #36437

Requires servo/rust-content-security-policy#3 to land first

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
-rw-r--r-- components/script/dom/document.rs 19
-rw-r--r-- components/script/dom/eventtarget.rs 21
-rw-r--r-- components/script/dom/globalscope.rs 11
-rw-r--r-- components/script/dom/htmlbodyelement.rs 3
-rw-r--r-- components/script/dom/htmlelement.rs 4
-rw-r--r-- tests/wpt/include.ini 2
-rw-r--r-- tests/wpt/meta/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.ini 3
-rw-r--r-- tests/wpt/meta/content-security-policy/default-src/default-src-inline-blocked.sub.html.ini 3
-rw-r--r-- tests/wpt/meta/content-security-policy/default-src/default-src-strict_dynamic_and_unsafe_inline.html.ini 4
-rw-r--r-- tests/wpt/meta/content-security-policy/embedded-enforcement/allow_csp_from-header.html.ini 25
-rw-r--r-- tests/wpt/meta/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html.ini 6
-rw-r--r-- tests/wpt/meta/content-security-policy/embedded-enforcement/change-csp-attribute-and-history-navigation.html.ini 6
-rw-r--r-- tests/wpt/meta/content-security-policy/embedded-enforcement/idlharness.window.js.ini 6
-rw-r--r-- tests/wpt/meta/content-security-policy/embedded-enforcement/iframe-csp-attribute.html.ini 12
-rw-r--r-- tests/wpt/meta/content-security-policy/embedded-enforcement/required-csp-header-cascade.html.ini 27
-rw-r--r-- tests/wpt/meta/content-security-policy/embedded-enforcement/required_csp-header.html.ini 141
-rw-r--r-- tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html.ini 21
-rw-r--r-- tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html.ini 18
-rw-r--r-- tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html.ini 12
-rw-r--r-- tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html.ini 9
-rw-r--r-- tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html.ini 12
-rw-r--r-- tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html.ini 12
-rw-r--r-- tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html.ini 9
-rw-r--r-- tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html.ini 21
-rw-r--r-- tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html.ini 6
-rw-r--r-- tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-source_list-wildcards.html.ini 45
-rw-r--r-- tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html.ini 9
-rw-r--r-- tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html.ini 12
-rw-r--r-- tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html.ini 12
-rw-r--r-- tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html.ini 18
-rw-r--r-- tests/wpt/meta/content-security-policy/frame-ancestors/frame-ancestors-path-ignored.window.js.ini 3
-rw-r--r-- tests/wpt/meta/content-security-policy/frame-src/frame-src-cross-origin-same-document-navigation.window.js.ini 1
-rw-r--r-- tests/wpt/meta/content-security-policy/generic/304-response-should-update-csp.sub.html.ini 5
-rw-r--r-- tests/wpt/meta/content-security-policy/generic/directive-name-case-insensitive.sub.html.ini 3
-rw-r--r-- tests/wpt/meta/content-security-policy/media-src/media-src-7_1_2.sub.html.ini 3
-rw-r--r-- tests/wpt/meta/content-security-policy/media-src/media-src-7_2_2.sub.html.ini 3
-rw-r--r-- tests/wpt/meta/content-security-policy/media-src/media-src-blocked.sub.html.ini 3
-rw-r--r-- tests/wpt/meta/content-security-policy/parsing/invalid-directive.html.ini 4
-rw-r--r-- tests/wpt/meta/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html.ini 3
-rw-r--r-- tests/wpt/meta/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html.ini 3
-rw-r--r-- tests/wpt/meta/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html.ini 3
-rw-r--r-- tests/wpt/meta/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html.ini 3
-rw-r--r-- tests/wpt/meta/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html.ini 3
-rw-r--r-- tests/wpt/meta/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed.html.ini 4
-rw-r--r-- tests/wpt/meta/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked.html.ini 4
-rw-r--r-- tests/wpt/meta/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed.html.ini 4
-rw-r--r-- tests/wpt/meta/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed.html.ini 4
-rw-r--r-- tests/wpt/meta/content-security-policy/script-src-attr-elem/strict-dynamic-elem-blocked-src-allowed.sub.html.ini 3
-rw-r--r-- tests/wpt/meta/content-security-policy/script-src/injected-inline-script-blocked.sub.html.ini 3
-rw-r--r-- tests/wpt/meta/content-security-policy/script-src/script-src-1_1.html.ini 7
-rw-r--r-- tests/wpt/meta/content-security-policy/script-src/script-src-1_2.html.ini 7
-rw-r--r-- tests/wpt/meta/content-security-policy/script-src/script-src-1_2_1.html.ini 4
-rw-r--r-- tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.ini 3
-rw-r--r-- tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html.ini 3
-rw-r--r-- tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html.ini 2
-rw-r--r-- tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html.ini 2
-rw-r--r-- tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html.ini 4
-rw-r--r-- tests/wpt/meta/content-security-policy/script-src/scripthash-unicode-normalization.sub.html.ini 4
-rw-r--r-- tests/wpt/meta/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html.ini 4
-rw-r--r-- tests/wpt/meta/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html.ini 4
-rw-r--r-- tests/wpt/meta/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html.ini 2
-rw-r--r-- tests/wpt/meta/content-security-policy/securitypolicyviolation/script-sample.html.ini 2
-rw-r--r-- tests/wpt/meta/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html.ini 4
-rw-r--r-- tests/wpt/meta/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html.ini 4
64 files changed, 58 insertions, 569 deletions
diff --git a/components/script/dom/document.rs b/components/script/dom/document.rs
index b775bdd4582..0d39a12c15e 100644
--- a/components/script/dom/document.rs
+++ b/components/script/dom/document.rs
@@ -4017,13 +4017,18 @@ impl Document {
.get_attribute(&ns!(), &local_name!("nonce"))
.map(|attr| Cow::Owned(attr.value().to_string())),
};
- // TODO: Instead of ignoring violations, report them.
- self.get_csp_list()
- .map(|c| {
- c.should_elements_inline_type_behavior_be_blocked(&element, type_, source)
- .0
- })
- .unwrap_or(csp::CheckResult::Allowed)
+ let (result, violations) = match self.get_csp_list() {
+ None => {
+ return csp::CheckResult::Allowed;
+ },
+ Some(csp_list) => {
+ csp_list.should_elements_inline_type_behavior_be_blocked(&element, type_, source)
+ },
+ };
+
+ self.global().report_csp_violations(violations);
+
+ result
}
/// Prevent any JS or layout from running until the corresponding call to
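Review bot: with `self.global().report_csp_violations(violations)` now inside `should_elements_inline_type_behavior_be_blocked`, a method whose name reads as a pure query fires a violation report on every call, so any caller that asks twice about the same element reports twice. Please state the reporting side effect in the method's doc comment. The `match` with an early `return` in the `None` arm would also read more directly as `let Some(csp_list) = self.get_csp_list() else { return csp::CheckResult::Allowed; };`.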
diff --git a/components/script/dom/eventtarget.rs b/components/script/dom/eventtarget.rs
index ea76bbf2a8b..1a5aafb0ae7 100644
--- a/components/script/dom/eventtarget.rs
+++ b/components/script/dom/eventtarget.rs
@@ -11,6 +11,7 @@ use std::mem;
use std::ops::{Deref, DerefMut};
use std::rc::Rc;
+use content_security_policy as csp;
use deny_public_fields::DenyPublicFields;
use dom_struct::dom_struct;
use fnv::FnvHasher;
@@ -551,9 +552,25 @@ impl EventTarget {
url: ServoUrl,
line: usize,
ty: &str,
- source: DOMString,
+ source: &str,
) {
- let handler = InternalRawUncompiledHandler { source, line, url };
+ if let Some(element) = self.downcast::<Element>() {
+ let doc = element.owner_document();
+ if doc.should_elements_inline_type_behavior_be_blocked(
+ element.upcast(),
+ csp::InlineCheckType::ScriptAttribute,
+ source,
+ ) == csp::CheckResult::Blocked
+ {
+ return;
+ }
+ };
+
+ let handler = InternalRawUncompiledHandler {
+ source: DOMString::from(source),
+ line,
+ url,
+ };
self.set_inline_event_listener(
Atom::from(ty),
Some(InlineEventListener::Uncompiled(handler)),
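Review bot: the early `return` on `csp::CheckResult::Blocked` skips `set_inline_event_listener` entirely, so whatever inline listener was already registered for `ty` stays in place when the attribute is changed to a blocked value. If that is the intended behaviour, a short comment (ideally pointing at the spec step it implements) would keep it from being read as an oversight; if it is not, the listener should be cleared before returning. The `;` after the closing brace of the `if let` block is unnecessary.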
diff --git a/components/script/dom/globalscope.rs b/components/script/dom/globalscope.rs
index e56f4693e35..2582291ed87 100644
--- a/components/script/dom/globalscope.rs
+++ b/components/script/dom/globalscope.rs
@@ -3450,12 +3450,15 @@ impl GlobalScope {
pub(crate) fn report_csp_violations(&self, violations: Vec<Violation>) {
for violation in violations {
- let sample = match violation.resource {
- ViolationResource::Inline { .. } | ViolationResource::Url(_) => None,
- ViolationResource::TrustedTypePolicy { sample } => Some(sample),
+ let (sample, resource) = match violation.resource {
+ ViolationResource::Inline { .. } => (None, "inline".to_owned()),
+ ViolationResource::Url(url) => (None, url.into()),
+ ViolationResource::TrustedTypePolicy { sample } => {
+ (Some(sample), "trusted-types-policy".to_owned())
+ },
};
let report = CSPViolationReportBuilder::default()
- .resource("eval".to_owned())
+ .resource(resource)
.sample(sample)
.effective_directive(violation.directive.name)
.build(self);
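Review bot: in the `ViolationResource::Url(url)` arm, `url.into()` hands the URL to `.resource(...)` unchanged. Unless `CSPViolationReportBuilder` strips it later, the report will carry the full URL, including any fragment or embedded credentials, whereas CSP reporting expects a stripped URL. Either strip it here or add a comment saying where that happens. The `"inline"` and `"trusted-types-policy"` literals would also be easier to keep consistent as named constants next to the builder.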
diff --git a/components/script/dom/htmlbodyelement.rs b/components/script/dom/htmlbodyelement.rs
index ba3316f889b..5cd877cdf82 100644
--- a/components/script/dom/htmlbodyelement.rs
+++ b/components/script/dom/htmlbodyelement.rs
@@ -201,13 +201,14 @@ impl VirtualMethods for HTMLBodyElement {
&local_name!("onresize") |
&local_name!("onunload") |
&local_name!("onerror") => {
+ let source = &**attr.value();
let evtarget = window.upcast::<EventTarget>(); // forwarded event
let source_line = 1; //TODO(#9604) obtain current JS execution line
evtarget.set_event_handler_uncompiled(
window.get_url(),
source_line,
&name[2..],
- DOMString::from((**attr.value()).to_owned()),
+ source,
);
false
},
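Review bot: this arm passes `window.upcast::<EventTarget>()` as the target, and the check added in eventtarget.rs only runs when `self.downcast::<Element>()` succeeds, so the forwarded body attributes (`onresize`, `onunload`, `onerror` and the others matched here) appear to reach `set_event_handler_uncompiled` without any CSP check. Consider calling `should_elements_inline_type_behavior_be_blocked` against the body element here before forwarding, or passing the originating element into `set_event_handler_uncompiled`, and add a test for a forwarded handler under a restrictive `script-src-attr` policy.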
diff --git a/components/script/dom/htmlelement.rs b/components/script/dom/htmlelement.rs
index 14c85603740..0cdfebf5342 100644
--- a/components/script/dom/htmlelement.rs
+++ b/components/script/dom/htmlelement.rs
@@ -1084,14 +1084,14 @@ impl VirtualMethods for HTMLElement {
let element = self.as_element();
match (attr.local_name(), mutation) {
(name, AttributeMutation::Set(_)) if name.starts_with("on") => {
+ let source = &**attr.value();
let evtarget = self.upcast::<EventTarget>();
let source_line = 1; //TODO(#9604) get current JS execution line
evtarget.set_event_handler_uncompiled(
self.owner_window().get_url(),
source_line,
&name[2..],
- // FIXME(ajeffrey): Convert directly from AttrValue to DOMString
- DOMString::from(&**attr.value()),
+ source,
);
},
(&local_name!("form"), mutation) if self.is_form_associated_custom_element() => {
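Review bot: the `FIXME(ajeffrey)` about converting directly from `AttrValue` to `DOMString` is deleted here, but the conversion has only moved: eventtarget.rs now does `DOMString::from(source)` on the `&str`. Either carry the FIXME over to that line or state that the concern no longer applies, so the open item is not lost silently.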
diff --git a/tests/wpt/include.ini b/tests/wpt/include.ini
index 6cafe653196..fdbd71b9ee6 100644
--- a/tests/wpt/include.ini
+++ b/tests/wpt/include.ini
@@ -13,6 +13,8 @@ skip: true
skip: true
[content-security-policy]
skip: false
+ [embedded-enforcement]
+ skip: true
[cors]
skip: false
[css]
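Review bot: `[embedded-enforcement]` is set to `skip: true` with no comment, and the commit message does not mention it, while the same patch deletes that directory's expectation files. Please add a comment here, or a tracking issue reference, saying why the directory is skipped and what has to land before it is re-enabled, so the dropped coverage is not forgotten.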
diff --git a/tests/wpt/meta/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.ini b/tests/wpt/meta/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.ini
index efaa0fc8ca4..e3d7c23eef2 100644
--- a/tests/wpt/meta/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.ini
+++ b/tests/wpt/meta/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.ini
@@ -1,6 +1,3 @@
[report-uri-does-not-respect-base-uri.sub.html]
- [Event is fired]
- expected: FAIL
-
[Violation report status OK.]
expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/default-src/default-src-inline-blocked.sub.html.ini b/tests/wpt/meta/content-security-policy/default-src/default-src-inline-blocked.sub.html.ini
deleted file mode 100644
index c2b9c5f26c7..00000000000
--- a/tests/wpt/meta/content-security-policy/default-src/default-src-inline-blocked.sub.html.ini
+++ /dev/null
@@ -1,3 +0,0 @@
-[default-src-inline-blocked.sub.html]
- [Expecting logs: ["violated-directive=script-src-elem","violated-directive=script-src-elem"\]]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/default-src/default-src-strict_dynamic_and_unsafe_inline.html.ini b/tests/wpt/meta/content-security-policy/default-src/default-src-strict_dynamic_and_unsafe_inline.html.ini
deleted file mode 100644
index e1b9ec3f770..00000000000
--- a/tests/wpt/meta/content-security-policy/default-src/default-src-strict_dynamic_and_unsafe_inline.html.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[default-src-strict_dynamic_and_unsafe_inline.html]
- expected: TIMEOUT
- [Should fire a security policy violation for the inline block]
- expected: NOTRUN
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/allow_csp_from-header.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/allow_csp_from-header.html.ini
deleted file mode 100644
index 3cf8d56a5d6..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/allow_csp_from-header.html.ini
+++ /dev/null
@@ -1,25 +0,0 @@
-[allow_csp_from-header.html]
- expected: TIMEOUT
- [Same origin iframes with an empty Allow-CSP-From header get blocked.]
- expected: FAIL
-
- [Same origin iframes without Allow-CSP-From header gets blocked.]
- expected: FAIL
-
- [Same origin iframes are blocked if Allow-CSP-From does not match origin.]
- expected: FAIL
-
- [Cross origin iframe with an empty Allow-CSP-From header gets blocked.]
- expected: FAIL
-
- [Cross origin iframe without Allow-CSP-From header gets blocked.]
- expected: FAIL
-
- [Iframe with improper Allow-CSP-From header gets blocked.]
- expected: FAIL
-
- [Star Allow-CSP-From header enforces EmbeddingCSP.]
- expected: TIMEOUT
-
- [Allow-CSP-From header enforces EmbeddingCSP.]
- expected: TIMEOUT
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html.ini
deleted file mode 100644
index 31c147a6ece..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html.ini
+++ /dev/null
@@ -1,6 +0,0 @@
-[blocked-iframe-are-cross-origin.html]
- [Document blocked by embedded enforcement and its parent are cross-origin]
- expected: FAIL
-
- [Two same-origin iframes must appear as cross-origin when one is blocked]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/change-csp-attribute-and-history-navigation.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/change-csp-attribute-and-history-navigation.html.ini
deleted file mode 100644
index c8205878128..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/change-csp-attribute-and-history-navigation.html.ini
+++ /dev/null
@@ -1,6 +0,0 @@
-[change-csp-attribute-and-history-navigation.html]
- [Iframe csp attribute changed before history navigation of local scheme.]
- expected: FAIL
-
- [Iframe csp attribute changed before history navigation of network scheme.]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/idlharness.window.js.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/idlharness.window.js.ini
deleted file mode 100644
index 551c76a0058..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/idlharness.window.js.ini
+++ /dev/null
@@ -1,6 +0,0 @@
-[idlharness.window.html]
- [HTMLIFrameElement interface: attribute csp]
- expected: FAIL
-
- [HTMLIFrameElement interface: document.createElement("iframe") must inherit property "csp" with the proper type]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/iframe-csp-attribute.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/iframe-csp-attribute.html.ini
deleted file mode 100644
index 000df37abc1..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/iframe-csp-attribute.html.ini
+++ /dev/null
@@ -1,12 +0,0 @@
-[iframe-csp-attribute.html]
- [<iframe> has a 'csp' attibute which is an empty string if undefined.]
- expected: FAIL
-
- [<iframe>'s csp attribute is always a string.]
- expected: FAIL
-
- [<iframe>'s 'csp content attribute reflects the IDL attribute.]
- expected: FAIL
-
- [<iframe>'s IDL attribute reflects the DOM attribute.]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/required-csp-header-cascade.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/required-csp-header-cascade.html.ini
deleted file mode 100644
index 19ac0a5a7e6..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/required-csp-header-cascade.html.ini
+++ /dev/null
@@ -1,27 +0,0 @@
-[required-csp-header-cascade.html]
- [Test same origin: Test same policy for both iframes]
- expected: FAIL
-
- [Test same origin: Test more restrictive policy on second iframe]
- expected: FAIL
-
- [Test same origin: Test less restrictive policy on second iframe]
- expected: FAIL
-
- [Test same origin: Test no policy on second iframe]
- expected: FAIL
-
- [Test same origin: Test no policy on first iframe]
- expected: FAIL
-
- [Test same origin: Test invalid policy on first iframe (bad directive name)]
- expected: FAIL
-
- [Test same origin: Test invalid policy on first iframe (report directive)]
- expected: FAIL
-
- [Test same origin: Test invalid policy on second iframe (bad directive name)]
- expected: FAIL
-
- [Test same origin: Test invalid policy on second iframe (report directive)]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/required_csp-header.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/required_csp-header.html.ini
deleted file mode 100644
index 784d7df63b8..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/required_csp-header.html.ini
+++ /dev/null
@@ -1,141 +0,0 @@
-[required_csp-header.html]
- [Test Required-CSP value on `csp` change: Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>.]
- expected: FAIL
-
- [Test same origin: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
- expected: FAIL
-
- [Test same origin redirect: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
- expected: FAIL
-
- [Test cross origin redirect: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
- expected: FAIL
-
- [Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
- expected: FAIL
-
- [Test Required-CSP value on `csp` change: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
- expected: FAIL
-
- [Test same origin: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
- expected: FAIL
-
- [Test same origin redirect: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
- expected: FAIL
-
- [Test cross origin redirect: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
- expected: FAIL
-
- [Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
- expected: FAIL
-
- [Test Required-CSP value on `csp` change: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
- expected: FAIL
-
- [Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp]
- expected: FAIL
-
- [Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp]
- expected: FAIL
-
- [Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp]
- expected: FAIL
-
- [Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp]
- expected: FAIL
-
- [Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp]
- expected: FAIL
-
- [Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name]
- expected: FAIL
-
- [Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name]
- expected: FAIL
-
- [Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name]
- expected: FAIL
-
- [Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name]
- expected: FAIL
-
- [Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name]
- expected: FAIL
-
- [Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
- expected: FAIL
-
- [Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
- expected: FAIL
-
- [Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
- expected: FAIL
-
- [Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
- expected: FAIL
-
- [Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
- expected: FAIL
-
- [Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none']
- expected: FAIL
-
- [Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none']
- expected: FAIL
-
- [Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none']
- expected: FAIL
-
- [Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none']
- expected: FAIL
-
- [Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none']
- expected: FAIL
-
- [Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path]
- expected: FAIL
-
- [Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path]
- expected: FAIL
-
- [Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path]
- expected: FAIL
-
- [Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path]
- expected: FAIL
-
- [Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path]
- expected: FAIL
-
- [Test same origin: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon]
- expected: FAIL
-
- [Test same origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon]
- expected: FAIL
-
- [Test cross origin redirect: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon]
- expected: FAIL
-
- [Test cross origin redirect of cross origin iframe: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon]
- expected: FAIL
-
- [Test Required-CSP value on `csp` change: Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon]
- expected: FAIL
-
- [Test Required-CSP value on `csp` change: Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - comma separated]
- expected: FAIL
-
- [Test Required-CSP value on `csp` change: Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - invalid characters in directive names]
- expected: FAIL
-
- [Test Required-CSP value on `csp` change: Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - invalid character in directive name]
- expected: FAIL
-
- [Test Required-CSP value on `csp` change: Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri present]
- expected: FAIL
-
- [Test Required-CSP value on `csp` change: Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - report-to present]
- expected: FAIL
-
- [Test Required-CSP value on `csp` change: Sec-Required-CSP is not sent if `csp` attribute is longer than 4096 bytes]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html.ini
deleted file mode 100644
index 17be9612c26..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html.ini
+++ /dev/null
@@ -1,21 +0,0 @@
-[subsumption_algorithm-general.html]
- [Iframe with empty returned CSP should be blocked.]
- expected: FAIL
-
- [Iframe with less restricting CSP should be blocked.]
- expected: FAIL
-
- [Iframe with a different CSP should be blocked.]
- expected: FAIL
-
- [Host wildcard *.a.com does not match a.com]
- expected: FAIL
-
- [Iframe should block if intersection allows sources which are not in required_csp.]
- expected: FAIL
-
- [Iframe should block if intersection allows sources which are not in required_csp (other ordering).]
- expected: FAIL
-
- [Removed plugin-types directive should be ignored 3.]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html.ini
deleted file mode 100644
index 52a06599411..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html.ini
+++ /dev/null
@@ -1,18 +0,0 @@
-[subsumption_algorithm-hashes.html]
- [Returned should not include hashes not present in required csp.]
- expected: FAIL
-
- [Hashes do not have to be present in returned csp but must not allow all inline behavior.]
- expected: FAIL
-
- [Other expressions have to be subsumed.]
- expected: FAIL
-
- [Required csp must allow 'sha256-abc123'.]
- expected: FAIL
-
- [Effective policy is properly found where 'sha256-abc123' is not subsumed.]
- expected: FAIL
-
- ['sha256-abc123' is not subsumed by 'sha256-abc456'.]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html.ini
deleted file mode 100644
index d45034b98bb..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html.ini
+++ /dev/null
@@ -1,12 +0,0 @@
-[subsumption_algorithm-host_sources-hosts.html]
- [Host must match.]
- expected: FAIL
-
- [Hosts without wildcards must match.]
- expected: FAIL
-
- [More specific subdomain should not match.]
- expected: FAIL
-
- [Specified host should not match a wildcard host.]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html.ini
deleted file mode 100644
index a209654a16a..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html.ini
+++ /dev/null
@@ -1,9 +0,0 @@
-[subsumption_algorithm-host_sources-paths.html]
- [Returned CSP must specify a path.]
- expected: FAIL
-
- [Empty path is not subsumed by specified paths.]
- expected: FAIL
-
- [That should not be true when required csp specifies a specific page.]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html.ini
deleted file mode 100644
index 71eee1cc3a6..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html.ini
+++ /dev/null
@@ -1,12 +0,0 @@
-[subsumption_algorithm-host_sources-ports.html]
- [Specified ports must match.]
- expected: FAIL
-
- [Returned CSP should be subsumed if the port is specified but is not default for a more secure scheme.]
- expected: FAIL
-
- [Wildcard port should not be subsumed by a default port.]
- expected: FAIL
-
- [Wildcard port should not be subsumed by a spcified port.]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html.ini
deleted file mode 100644
index 7667e7f2f15..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html.ini
+++ /dev/null
@@ -1,12 +0,0 @@
-[subsumption_algorithm-host_sources-protocols.html]
- [`https` is more restrictive than `http`.]
- expected: FAIL
-
- [`http:` does not subsume other protocols.]
- expected: FAIL
-
- [If scheme source is present in returned csp, it must be specified in required csp too.]
- expected: FAIL
-
- [All scheme sources must be subsumed.]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html.ini
deleted file mode 100644
index beac34a684b..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html.ini
+++ /dev/null
@@ -1,9 +0,0 @@
-[subsumption_algorithm-nonces.html]
- [A nonce has to be returned if required by the embedder.]
- expected: FAIL
-
- [Nonce intersection is still done on exact match - matching nonces.]
- expected: FAIL
-
- [Other expressions still have to be subsumed - negative test]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html.ini
deleted file mode 100644
index 32ef4ddd0df..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html.ini
+++ /dev/null
@@ -1,21 +0,0 @@
-[subsumption_algorithm-none.html]
- [Required policy that allows `none` does not subsume empty list of policies.]
- expected: FAIL
-
- [Required csp with effective `none` does not subsume a host source expression.]
- expected: FAIL
-
- [Required csp with `none` does not subsume a host source expression.]
- expected: FAIL
-
- [Required csp with effective `none` does not subsume `none` of another directive.]
- expected: FAIL
-
- [Required csp with `none` does not subsume `none` of another directive.]
- expected: FAIL
-
- [Required csp with `none` does not subsume `none` of different directives.]
- expected: FAIL
-
- [Both required and returned csp are `none` for only one directive.]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html.ini
deleted file mode 100644
index 6fc6208a3db..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html.ini
+++ /dev/null
@@ -1,6 +0,0 @@
-[subsumption_algorithm-self.html]
- [Returned CSP must not allow 'self' if required CSP does not.]
- expected: FAIL
-
- [Returned 'self' should not be subsumed by a more secure version of origin's url.]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-source_list-wildcards.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-source_list-wildcards.html.ini
deleted file mode 100644
index bb05e009d9e..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-source_list-wildcards.html.ini
+++ /dev/null
@@ -1,45 +0,0 @@
-[subsumption_algorithm-source_list-wildcards.html]
- [Wildcard does not subsume empty list.]
- expected: FAIL
-
- [Empty source list does not subsume a wildcard source list.]
- expected: FAIL
-
- ['none' does not subsume a wildcard source list.]
- expected: FAIL
-
- [Wildcard source list does not subsume `data:` scheme source expression.]
- expected: FAIL
-
- [Wildcard source list does not subsume `blob:` scheme source expression.]
- expected: FAIL
-
- [Source expressions do not subsume effective nonce expressions.]
- expected: FAIL
-
- [Wildcard source list is not subsumed by a host expression.]
- expected: FAIL
-
- [Wildcard list with keywords is not subsumed by a wildcard list.]
- expected: FAIL
-
- [Wildcard list with 'unsafe-hashes' is not subsumed by a wildcard list.]
- expected: FAIL
-
- [Wildcard list with 'unsafe-inline' is not subsumed by a wildcard list.]
- expected: FAIL
-
- [Wildcard list with 'unsafe-eval' is not subsumed by a wildcard list.]
- expected: FAIL
-
- [Wildcard list with 'unsafe-eval' is not subsumed by list with a single expression.]
- expected: FAIL
-
- [The same as above but for 'unsafe-inline'.]
- expected: FAIL
-
- [`data:` is not subsumed by a wildcard list.]
- expected: FAIL
-
- [`blob:` is not subsumed by a wildcard list.]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html.ini
deleted file mode 100644
index 1ac21eb5c3f..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html.ini
+++ /dev/null
@@ -1,9 +0,0 @@
-[subsumption_algorithm-strict_dynamic.html]
- ['strict-dynamic' is effective only for `script-src`.]
- expected: FAIL
-
- ['strict-dynamic' is properly handled for finding effective policy.]
- expected: FAIL
-
- ['strict-dynamic' has to be allowed by required csp if it is present in returned csp.]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html.ini
deleted file mode 100644
index e5f8147c981..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html.ini
+++ /dev/null
@@ -1,12 +0,0 @@
-[subsumption_algorithm-unsafe_eval.html]
- [No other keyword has the same effect as 'unsafe-eval'.]
- expected: FAIL
-
- [Other expressions have to be subsumed.]
- expected: FAIL
-
- [Required csp must allow 'unsafe-eval'.]
- expected: FAIL
-
- [Effective policy is properly found where 'unsafe-eval' is not subsumed.]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html.ini
deleted file mode 100644
index be8fe1e17a1..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html.ini
+++ /dev/null
@@ -1,12 +0,0 @@
-[subsumption_algorithm-unsafe_hashes.html]
- [No other keyword has the same effect as 'unsafe-hashes'.]
- expected: FAIL
-
- [Other expressions have to be subsumed.]
- expected: FAIL
-
- [Required csp must allow 'unsafe-hashes'.]
- expected: FAIL
-
- [Effective policy is properly found where 'unsafe-hashes' is not subsumed.]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html.ini b/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html.ini
deleted file mode 100644
index 7921da71005..00000000000
--- a/tests/wpt/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html.ini
+++ /dev/null
@@ -1,18 +0,0 @@
-[subsumption_algorithm-unsafe_inline.html?9-last]
- [Required csp allows `strict-dynamic`, but retuned csp does.]
- expected: FAIL
-
- [Required csp does not allow `unsafe-inline`, but retuned csp does.]
- expected: FAIL
-
- [Returned csp allows a nonce.]
- expected: FAIL
-
- [Returned csp allows a hash.]
- expected: FAIL
-
- [Effective returned csp allows 'unsafe-inline']
- expected: FAIL
-
-
-[subsumption_algorithm-unsafe_inline.html?1-8]
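Review bot: The deletion of this file, like the other `embedded-enforcement/subsumption_algorithm-*` metadata deleted above, is not explained by a commit message that covers inline event handlers and the `script-src-attr-elem` tests. Removing every expectation tells wptrunner these tests now pass outright. If the directory is instead no longer run (the diffstat shows a two-line change to `tests/wpt/include.ini`), say so in the commit message so the removal is not read as the subsumption algorithm being implemented.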
diff --git a/tests/wpt/meta/content-security-policy/frame-ancestors/frame-ancestors-path-ignored.window.js.ini b/tests/wpt/meta/content-security-policy/frame-ancestors/frame-ancestors-path-ignored.window.js.ini
new file mode 100644
index 00000000000..493d04ea590
--- /dev/null
+++ b/tests/wpt/meta/content-security-policy/frame-ancestors/frame-ancestors-path-ignored.window.js.ini
@@ -0,0 +1,3 @@
+[frame-ancestors-path-ignored.window.html]
+ [A 'frame-ancestors' CSP directive with a URL that includes a path should be ignored.]
+ expected: FAIL
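Review bot: This new file records an `expected: FAIL` for `frame-ancestors` path handling, which is outside what the commit message describes. Link a tracking issue for it, or mention in the message why the expectation appears now, so the known failure has an owner.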
diff --git a/tests/wpt/meta/content-security-policy/frame-src/frame-src-cross-origin-same-document-navigation.window.js.ini b/tests/wpt/meta/content-security-policy/frame-src/frame-src-cross-origin-same-document-navigation.window.js.ini
index 84d3f383610..b22b217fc25 100644
--- a/tests/wpt/meta/content-security-policy/frame-src/frame-src-cross-origin-same-document-navigation.window.js.ini
+++ b/tests/wpt/meta/content-security-policy/frame-src/frame-src-cross-origin-same-document-navigation.window.js.ini
@@ -1,3 +1,4 @@
[frame-src-cross-origin-same-document-navigation.window.html]
+ expected: OK
[frame-src-cross-origin-same-document-navigation]
expected: FAIL
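Review bot: The added file-level `expected: OK` is the default harness status in wptrunner metadata, so it carries no information while the subtest below stays `expected: FAIL`. Drop the line unless the expectation updater generated it deliberately.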
diff --git a/tests/wpt/meta/content-security-policy/generic/304-response-should-update-csp.sub.html.ini b/tests/wpt/meta/content-security-policy/generic/304-response-should-update-csp.sub.html.ini
index 50fb992352a..f4f10d1a85c 100644
--- a/tests/wpt/meta/content-security-policy/generic/304-response-should-update-csp.sub.html.ini
+++ b/tests/wpt/meta/content-security-policy/generic/304-response-should-update-csp.sub.html.ini
@@ -1,7 +1,6 @@
[304-response-should-update-csp.sub.html]
- expected: TIMEOUT
[Test that the first frame does not use nonce def]
- expected: NOTRUN
+ expected: FAIL
[Test that the second frame does not use nonce abc]
- expected: NOTRUN
+ expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/generic/directive-name-case-insensitive.sub.html.ini b/tests/wpt/meta/content-security-policy/generic/directive-name-case-insensitive.sub.html.ini
deleted file mode 100644
index 69bab8d00c4..00000000000
--- a/tests/wpt/meta/content-security-policy/generic/directive-name-case-insensitive.sub.html.ini
+++ /dev/null
@@ -1,3 +0,0 @@
-[directive-name-case-insensitive.sub.html]
- [Test that the www2 image throws a violation event]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/media-src/media-src-7_1_2.sub.html.ini b/tests/wpt/meta/content-security-policy/media-src/media-src-7_1_2.sub.html.ini
index 78c6e629154..cb39752b7cf 100644
--- a/tests/wpt/meta/content-security-policy/media-src/media-src-7_1_2.sub.html.ini
+++ b/tests/wpt/meta/content-security-policy/media-src/media-src-7_1_2.sub.html.ini
@@ -1,3 +1,4 @@
[media-src-7_1_2.sub.html]
+ expected: TIMEOUT
[Test that securitypolicyviolation events are fired]
- expected: FAIL
+ expected: TIMEOUT
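Review bot: Both the file-level status and the `securitypolicyviolation` subtest become `TIMEOUT` here, where the subtest was previously a plain `FAIL`. A timeout costs the full test timeout on every run and hides the cause, so check whether this change stops an event the test waits for from being delivered before accepting the expectation.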
diff --git a/tests/wpt/meta/content-security-policy/media-src/media-src-7_2_2.sub.html.ini b/tests/wpt/meta/content-security-policy/media-src/media-src-7_2_2.sub.html.ini
index 7985a3a7478..790f54981cc 100644
--- a/tests/wpt/meta/content-security-policy/media-src/media-src-7_2_2.sub.html.ini
+++ b/tests/wpt/meta/content-security-policy/media-src/media-src-7_2_2.sub.html.ini
@@ -2,6 +2,3 @@
expected: TIMEOUT
[Disallowed audio source element]
expected: NOTRUN
-
- [Test that securitypolicyviolation events are fired]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/media-src/media-src-blocked.sub.html.ini b/tests/wpt/meta/content-security-policy/media-src/media-src-blocked.sub.html.ini
index afee3a14784..8ea44b08e0b 100644
--- a/tests/wpt/meta/content-security-policy/media-src/media-src-blocked.sub.html.ini
+++ b/tests/wpt/meta/content-security-policy/media-src/media-src-blocked.sub.html.ini
@@ -1,8 +1,5 @@
[media-src-blocked.sub.html]
expected: TIMEOUT
- [Disallowed async video src]
- expected: FAIL
-
[Disallowed async video source element]
expected: TIMEOUT
diff --git a/tests/wpt/meta/content-security-policy/parsing/invalid-directive.html.ini b/tests/wpt/meta/content-security-policy/parsing/invalid-directive.html.ini
deleted file mode 100644
index 8d9f04e0f62..00000000000
--- a/tests/wpt/meta/content-security-policy/parsing/invalid-directive.html.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[invalid-directive.html]
- expected: TIMEOUT
- [Even if an unknown directive is specified, img-src is honored.]
- expected: TIMEOUT
diff --git a/tests/wpt/meta/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html.ini b/tests/wpt/meta/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html.ini
index 507866f56bd..950bcfb5a23 100644
--- a/tests/wpt/meta/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html.ini
+++ b/tests/wpt/meta/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html.ini
@@ -1,7 +1,4 @@
[report-to-directive-allowed-in-meta.https.sub.html]
- [Event is fired]
- expected: FAIL
-
[Report is observable to ReportingObserver]
expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html.ini b/tests/wpt/meta/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html.ini
deleted file mode 100644
index b364374296d..00000000000
--- a/tests/wpt/meta/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html.ini
+++ /dev/null
@@ -1,3 +0,0 @@
-[reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html]
- [Event is fired]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html.ini b/tests/wpt/meta/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html.ini
deleted file mode 100644
index 430f81a94a9..00000000000
--- a/tests/wpt/meta/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html.ini
+++ /dev/null
@@ -1,3 +0,0 @@
-[reporting-api-report-to-overrides-report-uri-1.https.sub.html]
- [Event is fired]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html.ini b/tests/wpt/meta/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html.ini
deleted file mode 100644
index b33bec4e299..00000000000
--- a/tests/wpt/meta/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html.ini
+++ /dev/null
@@ -1,3 +0,0 @@
-[reporting-api-report-to-overrides-report-uri-2.https.sub.html]
- [Event is fired]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html.ini b/tests/wpt/meta/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html.ini
index 6aca7743484..2e2c16c80c7 100644
--- a/tests/wpt/meta/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html.ini
+++ b/tests/wpt/meta/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html.ini
@@ -1,7 +1,4 @@
[reporting-api-sends-reports-on-violation.https.sub.html]
- [Event is fired]
- expected: FAIL
-
[Report is observable to ReportingObserver]
expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed.html.ini b/tests/wpt/meta/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed.html.ini
deleted file mode 100644
index 7d63c9c4aa8..00000000000
--- a/tests/wpt/meta/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed.html.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[script-src-attr-blocked-src-allowed.html]
- expected: TIMEOUT
- [Should fire a security policy violation event]
- expected: NOTRUN
diff --git a/tests/wpt/meta/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked.html.ini b/tests/wpt/meta/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked.html.ini
deleted file mode 100644
index 26cdda4bcb0..00000000000
--- a/tests/wpt/meta/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked.html.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[script-src-elem-allowed-attr-blocked.html]
- expected: TIMEOUT
- [Should fire a security policy violation for the attribute]
- expected: NOTRUN
diff --git a/tests/wpt/meta/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed.html.ini b/tests/wpt/meta/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed.html.ini
deleted file mode 100644
index dbcc0e32fea..00000000000
--- a/tests/wpt/meta/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed.html.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[script-src-elem-blocked-attr-allowed.html]
- expected: TIMEOUT
- [Should fire a security policy violation for the attribute]
- expected: NOTRUN
diff --git a/tests/wpt/meta/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed.html.ini b/tests/wpt/meta/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed.html.ini
deleted file mode 100644
index 2b588c54a1b..00000000000
--- a/tests/wpt/meta/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed.html.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[script-src-elem-blocked-src-allowed.html]
- expected: TIMEOUT
- [Should fire a spv event]
- expected: NOTRUN
diff --git a/tests/wpt/meta/content-security-policy/script-src-attr-elem/strict-dynamic-elem-blocked-src-allowed.sub.html.ini b/tests/wpt/meta/content-security-policy/script-src-attr-elem/strict-dynamic-elem-blocked-src-allowed.sub.html.ini
deleted file mode 100644
index d9d532f939f..00000000000
--- a/tests/wpt/meta/content-security-policy/script-src-attr-elem/strict-dynamic-elem-blocked-src-allowed.sub.html.ini
+++ /dev/null
@@ -1,3 +0,0 @@
-[strict-dynamic-elem-blocked-src-allowed.sub.html]
- [Should fire a security policy violation event]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/script-src/injected-inline-script-blocked.sub.html.ini b/tests/wpt/meta/content-security-policy/script-src/injected-inline-script-blocked.sub.html.ini
deleted file mode 100644
index a238a868a00..00000000000
--- a/tests/wpt/meta/content-security-policy/script-src/injected-inline-script-blocked.sub.html.ini
+++ /dev/null
@@ -1,3 +0,0 @@
-[injected-inline-script-blocked.sub.html]
- [Expecting logs: ["violated-directive=script-src-elem","blocked-uri=inline"\]]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/script-src/script-src-1_1.html.ini b/tests/wpt/meta/content-security-policy/script-src/script-src-1_1.html.ini
deleted file mode 100644
index 539ba1d3fe6..00000000000
--- a/tests/wpt/meta/content-security-policy/script-src/script-src-1_1.html.ini
+++ /dev/null
@@ -1,7 +0,0 @@
-[script-src-1_1.html]
- expected: TIMEOUT
- [Inline event handler]
- expected: FAIL
-
- [Should fire policy violation events]
- expected: NOTRUN
diff --git a/tests/wpt/meta/content-security-policy/script-src/script-src-1_2.html.ini b/tests/wpt/meta/content-security-policy/script-src/script-src-1_2.html.ini
deleted file mode 100644
index 3b78af2b156..00000000000
--- a/tests/wpt/meta/content-security-policy/script-src/script-src-1_2.html.ini
+++ /dev/null
@@ -1,7 +0,0 @@
-[script-src-1_2.html]
- expected: TIMEOUT
- [Inline event handler]
- expected: FAIL
-
- [Should fire policy violation events]
- expected: NOTRUN
diff --git a/tests/wpt/meta/content-security-policy/script-src/script-src-1_2_1.html.ini b/tests/wpt/meta/content-security-policy/script-src/script-src-1_2_1.html.ini
deleted file mode 100644
index b67e9008738..00000000000
--- a/tests/wpt/meta/content-security-policy/script-src/script-src-1_2_1.html.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[script-src-1_2_1.html]
- expected: TIMEOUT
- [Test that securitypolicyviolation event is fired]
- expected: NOTRUN
diff --git a/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.ini b/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.ini
index 64a53f8c449..33ba231777c 100644
--- a/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.ini
+++ b/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.ini
@@ -1,4 +1,3 @@
[script-src-strict_dynamic_double_policy_different_nonce.html]
- expected: TIMEOUT
[Unnonced script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce-only double policy.]
- expected: TIMEOUT
+ expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html.ini b/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html.ini
index 6a8346f0e25..c9d74462151 100644
--- a/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html.ini
+++ b/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html.ini
@@ -1,4 +1,3 @@
[script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html]
- expected: TIMEOUT
[Non-allowed script injected via `appendChild` is not permitted with `strict-dynamic` + a nonce+allowed double policy.]
- expected: TIMEOUT
+ expected: FAIL
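Review bot: The `expected: FAIL` recorded here, and in `script-src-strict_dynamic_double_policy_different_nonce.html.ini` just above, sits on a subtest asserting that an injected script is not permitted. The metadata cannot distinguish a script that ran despite the policy from a missing or misreported violation, so state in the PR which of the two this is, and file an issue if the script executes.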
diff --git a/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html.ini b/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html.ini
index eaee0eea6e0..77fdfb89f19 100644
--- a/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html.ini
+++ b/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html.ini
@@ -1,5 +1,5 @@
[script-src-strict_dynamic_meta_tag.html]
- expected: TIMEOUT
+ expected: ERROR
[Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`.]
expected: TIMEOUT
diff --git a/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html.ini b/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html.ini
index f25fbbe74d1..ca8b9d7bd1f 100644
--- a/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html.ini
+++ b/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html.ini
@@ -1,5 +1,5 @@
[script-src-strict_dynamic_non_parser_inserted.html]
- expected: TIMEOUT
+ expected: ERROR
[Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`.]
expected: TIMEOUT
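Review bot: The file-level status changes from `TIMEOUT` to `ERROR` here and in `script-src-strict_dynamic_meta_tag.html.ini`, while the subtest stays `TIMEOUT`. An `ERROR` harness status usually points to an uncaught exception or a harness failure, so identify what goes wrong in these `strict-dynamic` tests and record it in a tracking issue rather than only updating the expectation.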
diff --git a/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html.ini b/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html.ini
deleted file mode 100644
index 95e07a69fd6..00000000000
--- a/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html]
- expected: TIMEOUT
- [All the expected CSP violation reports have been fired.]
- expected: TIMEOUT
diff --git a/tests/wpt/meta/content-security-policy/script-src/scripthash-unicode-normalization.sub.html.ini b/tests/wpt/meta/content-security-policy/script-src/scripthash-unicode-normalization.sub.html.ini
deleted file mode 100644
index 9884e4545fd..00000000000
--- a/tests/wpt/meta/content-security-policy/script-src/scripthash-unicode-normalization.sub.html.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[scripthash-unicode-normalization.sub.html]
- expected: TIMEOUT
- [Should fire securitypolicyviolation]
- expected: NOTRUN
diff --git a/tests/wpt/meta/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html.ini b/tests/wpt/meta/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html.ini
deleted file mode 100644
index ebb9846200d..00000000000
--- a/tests/wpt/meta/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[scriptnonce-and-scripthash.sub.html]
- expected: TIMEOUT
- [Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"\]]
- expected: TIMEOUT
diff --git a/tests/wpt/meta/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html.ini b/tests/wpt/meta/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html.ini
deleted file mode 100644
index a002d68b3a0..00000000000
--- a/tests/wpt/meta/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[scriptnonce-ignore-unsafeinline.sub.html]
- expected: TIMEOUT
- [Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src-elem"\]]
- expected: TIMEOUT
diff --git a/tests/wpt/meta/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html.ini b/tests/wpt/meta/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html.ini
index a7ebd4aff51..b12f81377d1 100644
--- a/tests/wpt/meta/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html.ini
+++ b/tests/wpt/meta/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html.ini
@@ -1,5 +1,5 @@
[script-sample-no-opt-in.html]
- expected: ERROR
+ expected: TIMEOUT
[Inline script should not have a sample.]
expected: TIMEOUT
diff --git a/tests/wpt/meta/content-security-policy/securitypolicyviolation/script-sample.html.ini b/tests/wpt/meta/content-security-policy/securitypolicyviolation/script-sample.html.ini
index d5f06d70c53..f4c315396f6 100644
--- a/tests/wpt/meta/content-security-policy/securitypolicyviolation/script-sample.html.ini
+++ b/tests/wpt/meta/content-security-policy/securitypolicyviolation/script-sample.html.ini
@@ -1,5 +1,5 @@
[script-sample.html]
- expected: ERROR
+ expected: TIMEOUT
[Inline script should have a sample.]
expected: TIMEOUT
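Review bot: `script-sample.html` and `script-sample-no-opt-in.html` move from `ERROR` to `TIMEOUT` at file level with their sample subtests still `TIMEOUT`, so the sample behaviour of violation reports remains unverified. Since the commit message says the document now reports all violations, say whether sample handling is covered by this change or left for a follow-up.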
diff --git a/tests/wpt/meta/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html.ini b/tests/wpt/meta/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html.ini
deleted file mode 100644
index 1b173ed7507..00000000000
--- a/tests/wpt/meta/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[script_event_handlers_denied_missing_unsafe_hashes.html]
- expected: TIMEOUT
- [Test that the inline event handler is not allowed to run]
- expected: NOTRUN
diff --git a/tests/wpt/meta/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html.ini b/tests/wpt/meta/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html.ini
deleted file mode 100644
index 85499b57550..00000000000
--- a/tests/wpt/meta/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[script_event_handlers_denied_wrong_hash.html]
- expected: TIMEOUT
- [Test that the inline event handler is not allowed to run]
- expected: NOTRUN