author | Josh Matthews <josh@joshmatthews.net> | 2017-10-30 09:31:22 -0400 |
committer | Josh Matthews <josh@joshmatthews.net> | 2017-10-30 18:26:08 -0400 |
commit | 75736751d9ffa1489c67387b89b79d7ebd06611c (patch) | |
tree | da615fa4454d45743b6fe656d3fc9a1643695158 /tests/wpt/web-platform-tests/content-security-policy/script-src | |
parent | 1b73cf33525afbbe2d077554d1965b74ef9ae5e3 (diff) | |
download | servo-75736751d9ffa1489c67387b89b79d7ebd06611c.tar.gz servo-75736751d9ffa1489c67387b89b79d7ebd06611c.zip |
Update web-platform-tests to revision 14cfa4d648cc1c853b4153268df672d21425f8c1
Diffstat (limited to 'tests/wpt/web-platform-tests/content-security-policy/script-src')
62 files changed, 1053 insertions, 106 deletions
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_1.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_1.js
index 7b6e85210d0..9bfe201711a 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_1.js
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_1.js
@@ -1 +1,4 @@
-var dataScriptRan = false;
\ No newline at end of file
+var dataScriptRan = false;
+
+var t_spv = async_test("Test that no report violation event was raised");
+window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have raised any securitypolicyviolation event"));
\ No newline at end of file diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_2.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_2.js index ba586810f5f..6e6c15d2235 100644 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_2.js +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/10_1_support_2.js @@ -1,3 +1,5 @@ test(function () { assert_true(dataScriptRan, "data script ran"); - }, "Verify that data: as script src runs with this policy");
\ No newline at end of file
+ }, "Verify that data: as script src runs with this policy");
+
+t_spv.done();
\ No newline at end of file diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js index cd093ac9423..a5d91dcab0f 100644 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js @@ -1,4 +1,14 @@ (function () { + var t_spv = async_test("Test that securitypolicyviolation event is fired"); + var test_count = 2; + + window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { + assert_equals(e.violatedDirective, "script-src"); + if (--test_count <= 0) { + t_spv.done(); + } + })); + var dmTest = async_test("DOM manipulation inline tests"); var attachPoint = document.getElementById('attachHere'); diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/injected-inline-script-allowed.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/injected-inline-script-allowed.sub.html new file mode 100644 index 00000000000..5a8cdec8472 --- /dev/null +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/injected-inline-script-allowed.sub.html 
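Review bot: In addInlineTestsWithDOMManipulation.js the violation handler is wrapped in `t_spv.step_func_done`, which completes `t_spv` after the first `securitypolicyviolation` event, so the `test_count` countdown and the nested `t_spv.done()` never take effect and the second expected violation is not awaited. If two violations are genuinely expected (the `test_count = 2` initialiser suggests two DOM-inserted inline scripts, which are outside the hunk), wrap the handler with `t_spv.step_func` instead: `window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {`. The enclosing IIFE and the `dmTest` body continue past the end of the hunk.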
@@ -0,0 +1,24 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'"> + <title>injected-inline-script-allowed</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["Pass 1 of 2","Pass 2 of 2"]'></script> + <script src='../support/alertAssert.sub.js?alerts=[]'></script> +</head> + +<body> + <script> + window.addEventListener('securitypolicyviolation', function(e) { + log("Fail"); + }); + </script> + <script src="support/inject-script.js"></script> + <div id="log"></div> +</body> + +</html> diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/injected-inline-script-blocked.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/injected-inline-script-blocked.sub.html new file mode 100644 index 00000000000..07e2ae2871c --- /dev/null +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/injected-inline-script-blocked.sub.html 
@@ -0,0 +1,24 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc'; connect-src 'self';"> + <title>injected-inline-script-blocked</title> + <script nonce='abc' src="/resources/testharness.js"></script> + <script nonce='abc' src="/resources/testharnessreport.js"></script> + <script nonce='abc' src='../support/logTest.sub.js?logs=["violated-directive=script-src",]'></script> + <script nonce='abc' src='../support/alertAssert.sub.js?alerts=[]'></script> +</head> + +<body> + <script nonce='abc'> + window.addEventListener('securitypolicyviolation', function(e) { + log("violated-directive=" + e.violatedDirective); + }); + </script> + <script src="support/inject-script.js"></script> + <div id="log"></div> +</body> + +</html> diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineSuccessTest.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineSuccessTest.js index ea2be272a20..1f0d7ae7154 100644 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineSuccessTest.js +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineSuccessTest.js @@ -1,3 +1,6 @@ +var t_spv = async_test("Should not fire policy violation events"); +window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should have not fired any securitypolicyviolation event")); + var inlineRan = false; onload = function() { @@ -5,4 +8,5 @@ onload = function() { assert_true(inlineRan, 'Unsafe inline script ran.')}, 'Inline script in a script tag should run with an unsafe-inline directive' ); + t_spv.done(); }
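Review bot: In injected-inline-script-blocked.sub.html the expectation list `logs=["violated-directive=script-src",]` carries a trailing comma that the sibling injected-inline-script-allowed.sub.html does not; if `logTest.sub.js` (not in this diff) parses the parameter with `JSON.parse`, that is a syntax error rather than a one-element list. Dropping the comma is safe either way: `<script nonce='abc' src='../support/logTest.sub.js?logs=["violated-directive=script-src"]'></script>`. It would also help a reader to note next to the un-nonced include that `support/inject-script.js` is allowed only via `'self'` and that the listener is what proves the script it injects was blocked, e.g. `<!-- allowed by 'self'; the inline script it injects must be blocked by the nonce policy -->`.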
\ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineTests.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineTests.js
index 6e76b0a1781..0c6e5446041 100644
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineTests.js
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/inlineTests.js
@@ -1,4 +1,13 @@
 var t1 = async_test("Inline script block");
 var t2 = async_test("Inline event handler");
-onload = function() {t1.done(); t2.done()}
\ No newline at end of file +onload = function() {t1.done(); t2.done()} + +var t_spv = async_test("Should not fire policy violation events"); +var test_count = 2; +window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) { + assert_equals(e.violatedDirective, "script-src"); + if (--test_count <= 0) { + t_spv.done(); + } +})); diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html index a8dd14f1c89..e02d66ae9c9 100644 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html @@ -2,6 +2,7 @@ <html> <head> <title>Window.open should not open javascript url if not allowed.</title> + <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc';"> <script nonce='abc' src='/resources/testharness.js'></script> <script nonce='abc' src='/resources/testharnessreport.js'></script> </head> @@ -15,8 +16,5 @@ window.open('javascript:test(function() { assert_unreached("FAIL")});', 'new'); </script> - - <script nonce='abc' async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script> - </body> </html> diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html index c83f512bff5..d66253c6a19 100644 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html 
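Review bot: In inlineTests.js the new `t_spv` test is titled "Should not fire policy violation events", yet its handler only completes after two `securitypolicyviolation` events arrive and would presumably time out if none fired, so the title states the opposite of what makes it pass. The file is included from pages whose policies lack `'unsafe-inline'` (script-src-1_1.html and script-src-1_2.html in this diff), so rename it to match: `var t_spv = async_test("Should fire a securitypolicyviolation event for each blocked inline script");`. The hard-coded count deserves a why-comment so the next edit to those pages keeps it in sync: `var test_count = 2; // inline <script> block + inline onerror handler`.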
@@ -2,6 +2,7 @@ <html> <head> <title>Inline script should not run without 'unsafe-inline' script-src directive.</title> + <meta http-equiv="Content-Security-Policy" content="script-src 'self';"> <script src='/resources/testharness.js'></script> <script src='/resources/testharnessreport.js'></script> <script src='inlineTests.js'></script> @@ -15,8 +16,5 @@ </script> <img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'> - - <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script> - </body> </html> diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html.sub.headers deleted file mode 100644 index d91fe1c87f1..00000000000 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_1.html.sub.headers +++ /dev/null @@ -1,6 +0,0 @@ -Expires: Mon, 26 Jul 1997 05:00:00 GMT -Cache-Control: no-store, no-cache, must-revalidate -Cache-Control: post-check=0, pre-check=0, false -Pragma: no-cache -Set-Cookie: script-src-1_1={{$id:uuid()}}; Path=/content-security-policy/script-src/ -Content-Security-Policy: script-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html index 137a16421db..a1bfdaeb15b 100644 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html @@ -2,6 +2,7 @@ <html> <head> <title>data: as script src should not run with a policy that doesn't specify data: as an allowed source</title> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline';"> <script src='/resources/testharness.js'></script> <script src='/resources/testharnessreport.js'></script> </head> @@ -11,6 +12,11 @@ <script> var dataScriptRan = false; + var t_spv = async_test("Test that securitypolicyviolation event is fired"); + + window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { + assert_equals(e.violatedDirective, "script-src"); + })); </script> <!-- This is our test case, but we don't expect it to actually execute if CSP is working. --> @@ -21,7 +27,5 @@ assert_false(dataScriptRan, "data script ran"); }, "Verify that data: as script src doesn't run with this policy"); </script> - - <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=default-src%20%27self%27+%27unsafe-inline%27'></script> </body> </html> diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html.sub.headers deleted file mode 100644 index 6c0c0fd0a76..00000000000 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10.html.sub.headers +++ /dev/null 
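Review bot: In script-src-1_10.html the handler asserts `e.violatedDirective === "script-src"` under a policy that only declares `default-src`, while the `checkReport` probe this hunk removes expected `default-src 'self' 'unsafe-inline'`; the new assertion is consistent with CSP3, where `violatedDirective` mirrors the effective directive, but a reader comparing the old and new expectations will not see why they differ. Add a comment above the assert: `// CSP3: violatedDirective is the effective directive ("script-src"), not the default-src fallback that actually matched.`. The data: script under test and the `assert_false(dataScriptRan)` check sit between this hunk and the last one on the page.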
@@ -1,6 +0,0 @@ -Expires: Mon, 26 Jul 1997 05:00:00 GMT -Cache-Control: no-store, no-cache, must-revalidate -Cache-Control: post-check=0, pre-check=0, false -Pragma: no-cache -Set-Cookie: script-src-1_10={{$id:uuid()}}; Path=/content-security-policy/script-src/ -Content-Security-Policy: default-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html index f1bfee2000a..a1e2f72cdb7 100644 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html @@ -2,6 +2,7 @@ <html> <head> <title>data: as script src should run with a policy that specifies data: as an allowed source but not 'unsafe-inline'</title> + <meta http-equiv="Content-Security-Policy" content="script-src 'self' data:;"> <script src='/resources/testharness.js'></script> <script src='/resources/testharnessreport.js'></script> </head> @@ -14,7 +15,5 @@ <script src="data:text/javascript;charset=utf-8;base64,ZGF0YVNjcmlwdFJhbiA9IHRydWU7"></script> <script src="10_1_support_2.js"></script> - - <script async defer src='../support/checkReport.sub.js?reportExists=false'></script> </body> </html>
\ No newline at end of file diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers deleted file mode 100644 index dfb6f345fc7..00000000000 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers +++ /dev/null @@ -1,6 +0,0 @@ -Expires: Mon, 26 Jul 1997 05:00:00 GMT -Cache-Control: no-store, no-cache, must-revalidate -Cache-Control: post-check=0, pre-check=0, false -Pragma: no-cache -Set-Cookie: script-src-1_10_1={{$id:uuid()}}; Path=/content-security-policy/script-src/ -Content-Security-Policy: script-src 'self' data:; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html index a41310da9e7..a68945cb853 100644 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html @@ -2,6 +2,7 @@ <html> <head> <title>Inline script should not run without 'unsafe-inline' script-src directive.</title> + <meta http-equiv="Content-Security-Policy" content="script-src *;"> <script src='/resources/testharness.js'></script> <script src='/resources/testharnessreport.js'></script> <script src='inlineTests.js'></script> @@ -15,8 +16,5 @@ </script> <img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'> - - <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script> - </body> </html> diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html.sub.headers deleted file mode 100644 index 4cf9c695051..00000000000 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2.html.sub.headers +++ /dev/null @@ -1,6 +0,0 @@ -Expires: Mon, 26 Jul 1997 05:00:00 GMT -Cache-Control: no-store, no-cache, must-revalidate -Cache-Control: post-check=0, pre-check=0, false -Pragma: no-cache -Set-Cookie: script-src-1_2={{$id:uuid()}}; Path=/content-security-policy/script-src/ -Content-Security-Policy: script-src *; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html index 255f5df9ce1..2641c867f63 100644 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html @@ -2,6 +2,7 @@ <html> <head> <title>Inline script attached by DOM manipulation should not run without an 'unsafe-inline' script-src policy, even with default-src *</title> + <meta http-equiv="Content-Security-Policy" content="script-src *;"> <script src='/resources/testharness.js'></script> <script src='/resources/testharnessreport.js'></script> </head> @@ -16,8 +17,5 @@ <div id=emptyDiv></div> <script src="addInlineTestsWithDOMManipulation.js"></script> - - <script async defer src="../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20*"></script> - </body> </html>
\ No newline at end of file diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers deleted file mode 100644 index 9c58f0efcd5..00000000000 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers +++ /dev/null @@ -1,6 +0,0 @@ -Expires: Mon, 26 Jul 1997 05:00:00 GMT -Cache-Control: no-store, no-cache, must-revalidate -Cache-Control: post-check=0, pre-check=0, false -Pragma: no-cache -Set-Cookie: script-src-1_2_1={{$id:uuid()}}; Path=/content-security-policy/script-src/ -Content-Security-Policy: script-src *; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html index 30e6f6870a8..bf7a6921b4d 100644 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html @@ -2,6 +2,7 @@ <html> <head> <title>Positive test case: Inline script should run 'unsafe-inline' script-src directive.</title> + <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';"> <script src='/resources/testharness.js'></script> <script src='/resources/testharnessreport.js'></script> <script src='inlineSuccessTest.js'></script> @@ -13,8 +14,5 @@ <script> inlineRan = true; </script> - - <script async defer src='../support/checkReport.sub.js?reportExists=false'></script> - </body> </html> diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html.sub.headers deleted file mode 100644 index 8227c6272dc..00000000000 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_3.html.sub.headers +++ /dev/null @@ -1,6 +0,0 @@ -Expires: Mon, 26 Jul 1997 05:00:00 GMT -Cache-Control: no-store, no-cache, must-revalidate -Cache-Control: post-check=0, pre-check=0, false -Pragma: no-cache -Set-Cookie: script-src-1_3={{$id:uuid()}}; Path=/content-security-policy/script-src/ -Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html index 5293183d300..bfc66b2a8d0 100644 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html @@ -2,6 +2,7 @@ <html> <head> <title>eval() should not run without 'unsafe-eval' script-src directive.</title> + <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';"> <script src='/resources/testharness.js'></script> <script src='/resources/testharnessreport.js'></script> </head> @@ -10,6 +11,11 @@ <div id='log'></div> <script> + var t_spv = async_test("Test that securitypolicyviolation event is fired"); + + window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { + assert_equals(e.violatedDirective, "script-src"); + })); var evalRan = false; @@ -18,8 +24,5 @@ test(function() {assert_false(evalRan);}) </script> - - <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-inline%27'></script> - </body> </html> diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html.sub.headers deleted file mode 100644 index 28ad14b609d..00000000000 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4.html.sub.headers +++ /dev/null 
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: script-src-1_4={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html index 31664a16987..522b9c5f7c8 100644 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html @@ -2,6 +2,7 @@ <html> <head> <title>setTimeout() and setInterval() should not run without 'unsafe-eval' script-src directive.</title> + <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';"> <script src='/resources/testharness.js'></script> <script src='/resources/testharnessreport.js'></script> </head> @@ -12,15 +13,21 @@ <script> var t1 = async_test("window.setTimeout()"); var t2 = async_test("window.setInterval()"); + var t_spv = async_test("Test that securitypolicyviolation event is fired"); + var test_count = 2; + + window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { + assert_equals(e.violatedDirective, "script-src"); + if (--test_count <= 0) { + t_spv.done(); + } + })); + onload = function() {t1.done(); t2.done()} window.setTimeout('t1.step(function() {assert_unreached("window.setTimeout() ran without unsafe-eval.")})',0); window.setInterval('t2.step(function() {assert_unreached("window.setInterval() ran without unsafe-eval.")})',0); - </script> - - <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-eval%27'></script> - </body> </html> diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers deleted file mode 100644 index 6bd48d1ded7..00000000000 
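Review bot: In script-src-1_4_1.html `t_spv.step_func_done` completes `t_spv` as soon as the first `securitypolicyviolation` event fires, so the `test_count` countdown and the nested `t_spv.done()` are dead code and the second violation (one each for the string-argument `setTimeout` and `setInterval`) is never actually awaited. Use `t_spv.step_func` so the counter is what completes the test: `window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {`. The same `step_func_done` plus counter pattern is introduced in addInlineTestsWithDOMManipulation.js in this commit and has the same effect there.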
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers
+++ /dev/null
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: script-src-1_4_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html index 31382936f47..0ee6f587c5c 100644 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html @@ -2,6 +2,7 @@ <html> <head> <title>Function() called as a constructor should throw without 'unsafe-eval' script-src directive.</title> + <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';"> <script src='/resources/testharness.js'></script> <script src='/resources/testharnessreport.js'></script> </head> @@ -10,6 +11,12 @@ <div id='log'></div> <script> + var t_spv = async_test("Test that securitypolicyviolation event is fired"); + + window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { + assert_equals(e.violatedDirective, "script-src"); + })); + test(function() { assert_throws( @@ -20,8 +27,5 @@ })}, "Unsafe eval ran in Function() constructor."); </script> - - <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-inline%27'></script> - </body> </html> diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers deleted file mode 100644 index 314849bb972..00000000000 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers +++ /dev/null 
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: script-src-1_4_2={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html index 75ff3424c05..70b31457278 100644 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html @@ -22,7 +22,5 @@ t.done(); }); </script> - - <script nonce="abc" async defer src='../support/checkReport.sub.js?reportExists=false'></script> </body> </html> diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers index 36203b7643a..89f99e621f8 100644 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers 
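Review bot: In script-src-multiple-policies-multiple-hashing-algorithms.html the hunk removes the `checkReport.sub.js?reportExists=false` probe but adds nothing in its place, so the page no longer asserts that the two hash/nonce policies produce no violation, unlike inlineSuccessTest.js in this same commit, which registers an `unreached_func` listener. Register the equivalent in the page's nonced script, before the existing test: `var t_spv = async_test("Should not fire policy violation events"); window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have fired any securitypolicyviolation event"));` and call `t_spv.done();` next to the existing `t.done();`. The script block that contains `t.done()` starts outside the hunk.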
@@ -2,6 +2,5 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate
 Cache-Control: post-check=0, pre-check=0, false
 Pragma: no-cache
-Set-Cookie: script-src-multiple-policies-multiple-hashing-algorithms={{$id:uuid()}}; Path=/content-security-policy/script-src/
-Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
-Content-Security-Policy: script-src 'sha384-skw7BVxHbmE2umPGMd1kX+ye6qBeHAb875erPoD8ilKv1LkjKR+WFi7N85ORMdhS' 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file
+Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc';
+Content-Security-Policy: script-src 'sha384-skw7BVxHbmE2umPGMd1kX+ye6qBeHAb875erPoD8ilKv1LkjKR+WFi7N85ORMdhS' 'nonce-abc';
\ No newline at end of file diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html index 34fed6d94b3..da9e60f8743 100644 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html @@ -22,7 +22,5 @@ t.done(); }); </script> - - <script nonce="abc" async defer src='../support/checkReport.sub.js?reportExists=false'></script> </body> </html> diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers index 114c560b28c..83fe7f7005e 100644 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers @@ -2,6 +2,5 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0, false Pragma: no-cache -Set-Cookie: script-src-multiple-policies-multiple-hashing-algorithms-work={{$id:uuid()}}; Path=/content-security-policy/script-src/ -Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}} -Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
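Review bot: In script-src-multiple-policies-one-using-hashing-algorithms.html the `reportExists=false` probe is removed without a replacement, so nothing on the page now fails if one of the two policies rejects the hashed script; the other "should not violate" pages in this commit (inlineSuccessTest.js, 10_1_support_1.js) add an `unreached_func` listener for exactly this. Add the same to the nonced script before the existing test: `var t_spv = async_test("Should not fire policy violation events"); window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have fired any securitypolicyviolation event"));` and `t_spv.done();` beside the existing `t.done();`. The script block holding `t.done()` begins outside the hunk.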
\ No newline at end of file
+Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc';
+Content-Security-Policy: script-src 'self' 'unsafe-inline';
\ No newline at end of file diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-overrides-default-src.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-overrides-default-src.sub.html new file mode 100644 index 00000000000..5a0dfe50e15 --- /dev/null +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-overrides-default-src.sub.html @@ -0,0 +1,27 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <meta http-equiv="Content-Security-Policy" content="default-src about:; script-src 'self' 'unsafe-inline'; style-src 'self'; connect-src 'self';"> + <title>script-src-overrides-default-src</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["PASS 1 of 2","PASS 2 of 2"]'></script> + <script src='../support/alertAssert.sub.js?alerts=[]'></script> + <script> + window.addEventListener('securitypolicyviolation', function(e) { + log("Fail"); + }); + </script> +</head> + +<body onload="log('PASS 2 of 2')"> + <script> + log('PASS 1 of 2'); + + </script> + <div id="log"></div> +</body> + +</html> diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html index f0f7bcb7a04..16428b1a4de 100644 --- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html 
@@ -8,6 +8,11 @@
 </head>
 <body>
 <script nonce="abc">
+ var t_spv = async_test("Should fire securitypolicyviolation event");
+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+ assert_equals(e.violatedDirective, "script-src");
+ assert_equals(e.disposition, "report");
+ }));
 var externalRan = false;
 </script>
 <script src='./externalScript.js'
@@ -16,8 +21,5 @@
 test(function() {
 assert_true(externalRan, 'External script ran.');
 }, 'External script in a script tag with matching SRI hash should run.');
- </script>
-
- <script nonce="abc" async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
-</body>
+ </script></body>
 </html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers
index 0ccfd507f65..7f03464d4d3
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers
@@ -2,6 +2,5 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate
 Cache-Control: post-check=0, pre-check=0, false
 Pragma: no-cache
-Set-Cookie: script-src-report-only-policy-works-with-external-hash-policy={{$id:uuid()}}; Path=/content-security-policy/script-src/
 Content-Security-Policy: script-src 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'nonce-abc'
-Content-Security-Policy-Report-Only: script-src 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
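Review bot: The new securitypolicyviolation handler accepts any report-mode script-src violation, so the test would still pass if something other than the external script tripped the report-only policy. Since the external script is the element expected to be reported, the handler could pin the event to it after the disposition check, e.g. `assert_true(e.blockedURI.endsWith("externalScript.js"), "violation is for the external script");`. The `<script nonce="abc">` element that holds the listener is context on both sides of the hunk, so only the five added lines are new here.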
\ No newline at end of file
+Content-Security-Policy-Report-Only: script-src 'nonce-abc';
\ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html
index 82a88791bd5..9ae66611ea5
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html
@@ -27,7 +27,5 @@
 t.done();
 });
 </script>
-
- <script nonce="abc" async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
 </body>
 </html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers
index eaf175a8785..1237c247a67
--- a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers
@@ -2,6 +2,5 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate
 Cache-Control: post-check=0, pre-check=0, false
 Pragma: no-cache
-Set-Cookie: script-src-report-only-policy-works-with-hash-policy={{$id:uuid()}}; Path=/content-security-policy/script-src/
 Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc'
-Content-Security-Policy-Report-Only: script-src 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file
+Content-Security-Policy-Report-Only: script-src 'nonce-abc';
\ No newline at end of file
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-wildcards-disallowed.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-wildcards-disallowed.html
new file mode 100644
index 00000000000..7bf3d89b672
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/script-src-wildcards-disallowed.html
@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-nonce' *; connect-src 'self';">
+ <title>script-src disallowed wildcard use</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ </head>
+ <body>
+ <script nonce="nonce">
+ var t1 = async_test('data: URIs should not match *');
+ t1.step(function() {
+ var script = document.createElement("script");
+ script.src = 'data:application/javascript,';
+ script.addEventListener('load', t1.step_func(function() {
+ assert_unreached('Should not successfully load data URI.');
+ }));
+ script.addEventListener('error', t1.step_func(function() {
+ t1.done();
+ }));
+ document.head.appendChild(script);
+ });
+
+ var t2 = async_test('blob: URIs should not match *');
+ t2.step(function() {
+ var b = new Blob([''], { type: 'application/javascript' });
+ var script = document.createElement('script');
+ script.addEventListener('load', t2.step_func(function() {
+ assert_unreached('Should not successfully load blob URI.');
+ }));
+ script.addEventListener('error', t2.step_func(function() {
+ t2.done();
+ }));
+
+ script.src = URL.createObjectURL(b);
+ document.head.appendChild(script);
+ });
+
+ var t3 = async_test('filesystem URIs should not match *');
+ if (window.webkitRequestFileSystem) {
+ window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs) {
+ fs.root.getFile('fail.js', {create: true}, function(fileEntry) {
+ fileEntry.createWriter(function(fileWriter) {
+ var script = document.createElement('script');
+
+ script.addEventListener('load', t3.step_func(function() {
+ assert_unreached('Should not successfully load filesystem URI.');
+ }));
+ script.addEventListener('error', t3.step_func(function() {
+ t3.done();
+ }));
+
+ script.src = fileEntry.toURL('application/javascript');
+ document.body.appendChild(script);
+ });
+ });
+ });
+ } else {
+ t3.done();
+ }
+ </script>
+ </body>
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-allowed.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-allowed.sub.html
new file mode 100644
index 00000000000..c46a99136d8
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-allowed.sub.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-IFmozo9WnnsMXVl/Ka8XzJ3Nd8yzS2zA2ME0mwtd+Ck=' 'sha256-jSpTmJKcrnHttKdYM/wCCDJoQY5tdSxNf7zd2prwFfI=' 'sha256-qbgA2XjB2EZKjn/UmK7v/K77t+fvfxA89QT/K9qPNyE=' 'sha256-K+7X5Ip3msvRvyQzf6fkrWZziuhaUIee1aLnlP5nX10='; connect-src 'self';">
+ <title>scripthash-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/content-security-policy/support/alertAssert.sub.js?alerts=%5B%22PASS%20(1%2F4)%22%2C%22PASS%20(2%2F4)%22%2C%22PASS%20(3%2F4)%22%2C%22PASS%20(4%2F4)%22%5D">
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ alert_assert("Fail");
+ });
+ </script>
+
+ <script>
+ alert_assert('PASS (1/4)');
+
+ </script>
+ <script>
+ alert_assert('PASS (2/4)');
+
+ </script>
+ <script>
+ alert_assert('PASS (3/4)');
+
+ </script>
+ <script>
+ alert_assert('PASS (4/4)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid script-hash value. It passes if no CSP violation is generated, and the alert_assert() is executed.
+ </p>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked.sub.html
new file mode 100644
index 00000000000..d254053eced
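Review bot: t3 can hang until the harness timeout instead of failing: `window.webkitRequestFileSystem`, `fs.root.getFile` and `fileEntry.createWriter` are all called without an error callback, so if the quota is refused or the file cannot be created nothing ever reaches `t3.done()`. Passing `t3.unreached_func('filesystem setup failed')` as the error callback to each of the three calls turns that into an immediate, attributed failure. The `else` branch also records t3 as passed on engines without the non-standard API, which proves nothing there; a comment such as `// filesystem: URLs are WebKit-only; the subtest is a no-op elsewhere` would at least make that explicit.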
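Review bot: The `<script src="/content-security-policy/support/alertAssert.sub.js?…">` element is never closed, so the parser takes the following `window.addEventListener('securitypolicyviolation', …)` block as that element's inline text up to the first `</script>`, and inline text of a script that has a `src` is not executed; the violation handler is therefore never installed and a blocked hash would go unnoticed on that path. Add the missing `</script>` after the alertAssert tag so the listener becomes its own element, and give that element `nonce="abc"` — the policy already declares `'nonce-abc'` but no element on the page uses it, and the listener's own text has no hash in the list.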
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked.sub.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4='; connect-src 'self';">
+ <title>scripthash-basic-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ alert_assert("Fail");
+ });
+ </script>
+
+ <script>
+ var t_alert = async_test('Expecting alerts: ["PASS (1/1)"]');
+ var expected_alerts = ["PASS (1/1)"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <script>
+ alert_assert('PASS (1/1)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (1/4)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (2/4)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (3/4)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (4/4)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid script-hash value, with one valid script and several invalid ones. It passes if one alert is executed and a CSP violation is reported.
+ </p>
+ <div id="log"></div>
+</body>
+
+</html>
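Review bot: Nothing on the page checks the CSP violation that the closing paragraph says is required for a pass: the only `securitypolicyviolation` handler calls `alert_assert("Fail")`, which the helper turns into `assert_unreached`. Whether that handler's own script text is covered by one of the two hashes cannot be seen here; if it is, the first blocked FAIL script fails the test, and if it is not, the handler is never installed and no code observes the violation at all. The pattern used elsewhere in this commit — an `async_test` whose `step_func_done` listener asserts `e.violatedDirective === "script-src"`, given the nonce the policy already declares — would make the expected violation an explicit check. scripthash-ignore-unsafeinline.sub.html (the hunk at L50) has the same handler and the same gap.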
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-default-src.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-default-src.sub.html
new file mode 100644
index 00000000000..6025a67179f
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-default-src.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'nonce-abc' 'sha256-sc3CeiHrlck5tH2tTC4MnBYFnI9D5zp8f9odqnmGQjE='; connect-src 'self';">
+ <title>script-hash allowed from default-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce='abc'>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ test(function() { assert_unreached("Should not have fired event")});
+ });
+ </script>
+
+ <script>done();</script>
+ </head>
+
+ <body>
+ <div id="log"></div>
+ </body>
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub.html
new file mode 100644
index 00000000000..d7af328f4e3
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub.html
@@ -0,0 +1,56 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4=' 'sha256-lxHfHAe5I15v8qaArcZ5WiKmLU4CjV+3tJeQUqSIWBk='; connect-src 'self';">
+
+ <title>scripthash-ignore-unsafeinline</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script>window.addEventListener('securitypolicyviolation', function(e) { alert_assert("Fail"); })</script>
+ <script>
+ var t_alert = async_test('Expecting alerts: ["PASS (1/1)"]');
+ var expected_alerts = ["PASS (1/1)"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <script>
+ alert_assert('PASS (1/1)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (1/1)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests that a valid hash value disables inline JavaScript, even if 'unsafe-inline' is present.
+ </p>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html
new file mode 100644
index 00000000000..0c303630331
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html 
@@ -0,0 +1,72 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-nonceynonce' 'sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c='; connect-src 'self';"> + <title>scripthash-unicode-normalization</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> +</head> + +<body> + <!-- The following two scripts contain two separate code points (U+00C5 + and U+212B, respectively) which, depending on your text editor, might be + rendered the same.However, their difference is important because, under + NFC normalization, they would become the same code point, which would be + against the spec. This test, therefore, validates that the scripts have + *different* hash values. --> + <script nonce="nonceynonce"> + var t_spv = async_test("Should fire securitypolicyviolation"); + window.addEventListener('securitypolicyviolation', t_spv.step_func_done(function(e) { + assert_equals(e.violatedDirective, "script-src"); + })); + + var matchingContent = 'Å'; + var nonMatchingContent = 'Å'; + + // This script should have a hash value of + // sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c= + var scriptContent1 = "window.finish('" + matchingContent + "');"; + + // This script should have a hash value of + // sha256-iNjjXUXds31FFvkAmbC74Sxnvreug3PzGtu16udQyqM= + var scriptContent2 = "window.finish('" + nonMatchingContent + "');"; + + var script1 = document.createElement('script'); + var script2 = document.createElement('script'); + + script1.test = async_test("Only matching content runs even with NFC normalization."); + + var failure = function() { + assert_unreached(); + } + + window.finish = function(content) { + if (content == matchingContent) { + script1.test.step(function() { + 
script1.test.done(); + }); + } else { + script1.test.step(function() { + assert_unreached("nonMatchingContent script ran"); + }); + } + } + + script1.onerror = failure; + + document.body.appendChild(script2); + script2.textContent = scriptContent2; + document.body.appendChild(script1); + script1.textContent = scriptContent1; + </script> + + <p> + This tests Unicode normalization. While appearing the same, the strings in the scripts are different Unicode points, but through normalization, should be the same when the hash is taken. + </p> + <div id="log"></div> +</body> + +</html> diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-allowed.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-allowed.sub.html new file mode 100644 index 00000000000..46fdabd62c5 --- /dev/null +++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-allowed.sub.html 
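Review bot: The HTML comment and the visible `<p>` text make opposite claims: the comment says the test validates that the two scripts have *different* hash values (no NFC normalization before hashing), while the paragraph says the strings "through normalization, should be the same when the hash is taken". The code agrees with the comment — only `scriptContent1` is expected to match the policy's `sha256-9UFe…` hash and a `securitypolicyviolation` is expected for the other — so the paragraph should be reworded, e.g. `This tests that hashes are computed over the raw source: the two scripts look identical but use different code points, so only one of them matches the policy hash.` `script1.onerror = failure` does not appear to be reachable for an inline script rejected by CSP, so `failure` should either be removed or carry a comment saying it is a belt-and-braces guard.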
@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-noncynonce' 'nonce-noncy+/nonce='; connect-src 'self';">
+ <title>scriptnonce-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce="noncynonce">
+ function log(msg) {
+ test(function() {
+ assert_unreached(msg)
+ });
+ }
+
+ </script>
+ <script nonce="noncynonce">
+ window.addEventListener('securitypolicyviolation', function(e) {
+ alert_assert("Fail");
+ });
+
+ var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)"]');
+ var expected_alerts = ["PASS (1/2)", "PASS (2/2)"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/nonce='; connect-src 'self';
+-->
+ <script nonce="noncynonce">
+ alert_assert('PASS (1/2)');
+
+ </script>
+ <script nonce="noncy+/nonce=">
+ alert_assert('PASS (2/2)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid script-nonce value. It passes if no CSP violation is generated and the alerts are executed.
+ </p>
+ <div id="log"></div>
+</body>
+
+</html>
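Review bot: The `<!-- enforcing policy: … -->` comment lists `'unsafe-inline'`, but the policy actually applied by the meta tag is `script-src 'self' 'nonce-noncynonce' 'nonce-noncy+/nonce='; connect-src 'self';`, so a reader comparing the two would believe the test covers nonce-over-unsafe-inline when it does not; update the comment to match the meta tag or delete it. Separately, the copied `alert_assert` helper ends its unexpected-alert path with `t_log.done()`, yet this page never loads logTest.sub.js, so `t_log` is undefined here; the line is only reachable if `assert_unreached` did not throw, so it is dead code and should be removed. The same copy of the helper, with the same undefined `t_log`, appears in scriptnonce-and-scripthash.sub.html (L57), scriptnonce-ignore-unsafeinline.sub.html (L59) and scriptnonce-redirect.sub.html (L61).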
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html
new file mode 100644
index 00000000000..94a39973af2
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html
@@ -0,0 +1,79 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self';">
+ <title>scriptnonce-and-scripthash</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce="nonceynonce">
+ function log(msg) {
+ test(function() {
+ assert_unreached(msg)
+ });
+ }
+ </script>
+ <script nonce="nonceynonce">
+ window.addEventListener('securitypolicyviolation', function(e) {
+ alert_assert("violated-directive=" + e.violatedDirective);
+ });
+
+ var t_alert = async_test('Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"]');
+ var expected_alerts = ["PASS (1/3)", "PASS (2/3)", "PASS (3/3)", "violated-directive=script-src", "violated-directive=script-src"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self';
+-->
+ <script nonce="nonceynonce">
+ alert_assert('PASS (1/3)');
+
+ </script>
+ <script>
+ alert_assert('PASS (2/3)');
+
+ </script>
+ <script nonce="nonceynonce">
+ alert_assert('PASS (3/3)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (1/2)');
+
+ </script>
+ <script nonce="notanonce">
+ alert_assert('FAIL (2/2)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the combined use of script hash and script nonce. It passes if a CSP violation is generated and the three alerts show PASS.
+ </p>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html
new file mode 100644
index 00000000000..db94c1c5f4b
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-noncynonce'; connect-src 'self';">
+ <title>scriptnonce-basic-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)", "violated-directive=script-src", "violated-directive=script-src", "violated-directive=script-src"]'></script>
+ <script nonce="noncynonce">
+ alert_assert('PASS (closely-quoted nonce)');
+
+ </script>
+ <script nonce=" noncynonce ">
+ alert_assert('PASS (nonce w/whitespace)');
+
+ window.addEventListener('securitypolicyviolation', function(e) {
+ alert_assert("violated-directive=" + e.violatedDirective);
+ });
+ </script>
+ <script nonce="noncynonce noncynonce">
+ alert_assert('FAIL (1/3)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (2/3)');
+
+ </script>
+ <script nonce="noncynonceno?">
+ alert_assert('FAIL (3/3)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid script-nonce value. It passes if a CSP violation is generated, and the two PASS alerts are executed.
+ </p>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html
new file mode 100644
index 00000000000..18a6899a5cd
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html
@@ -0,0 +1,74 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/nonce=' 'unsafe-inline'; connect-src 'self';">
+ <title>scriptnonce-ignore-unsafeinline</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce='noncynonce'>
+ function log(msg) {
+ test(function() {
+ assert_unreached(msg)
+ });
+ }
+
+ window.addEventListener('securitypolicyviolation', function(e) {
+ alert_assert("violated-directive=" + e.violatedDirective);
+ });
+ </script>
+ <script nonce='noncynonce'>
+ var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src"]');
+ var expected_alerts = ["PASS (1/2)", "PASS (2/2)", "violated-directive=script-src"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/nonce=' 'unsafe-inline'; connect-src 'self';
+-->
+ <script nonce="noncynonce">
+
+
+ </script>
+ <script nonce="noncynonce">
+ alert_assert('PASS (1/2)');
+ </script>
+ <script nonce="noncy+/nonce=">
+ alert_assert('PASS (2/2)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (1/1)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests that a valid nonce disables inline JavaScript, even if 'unsafe-inline' is present.
+ </p>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-redirect.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-redirect.sub.html
new file mode 100644
index 00000000000..7e4e848375d
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/scriptnonce-redirect.sub.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self';">
+ <title>scriptnonce-redirect</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce="noncynonce">
+ function log(msg) {
+ test(function() {
+ assert_unreached(msg)
+ });
+ }
+
+ window.addEventListener('securitypolicyviolation', function(e) {
+ alert_assert("Fail");
+ });
+ </script>
+ <script nonce="noncynonce">
+ var t_alert = async_test('Expecting alerts: ["PASS"]');
+ var expected_alerts = ["PASS"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This tests whether a deferred script load caused by a redirect is properly allowed by a nonce.
+ <script nonce="noncynonce" src="/common/redirect.py?location=http://{{host}}:{{ports[http][0]}}/content-security-policy/support/alert-pass.js"></script>
+ <script nonce="noncynonce">
+
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html
new file mode 100644
index 00000000000..eea201865aa
--- /dev/null
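Review bot: The test cannot detect a regression in nonce handling across redirects: the meta policy is `script-src 'self' 'unsafe-inline' 'nonce-noncynonce'` and the redirect target is `http://{{host}}:{{ports[http][0]}}/…`, i.e. same-origin, so `'self'` alone allows the final load whether or not the nonce is still honoured after the redirect. To check what the `<body>` text describes, either drop `'self'` from the meta policy or redirect to a cross-origin host via one of the wpt `{{domains[…]}}` substitutions, so that the nonce is the only source expression that can admit the script. `'unsafe-inline'` is redundant as well, since every inline block already carries the nonce.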
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc'; connect-src 'self';">
+ <title>srcdoc-doesnt-bypass-script-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["violated-directive=script-src"]'></script>
+</head>
+
+<body>
+
+ <script nonce='abc'>
+ window.onmessage = function(e) {
+ log(e.data);
+ }
+
+ var i = document.createElement('iframe');
+ i.addEventListener('securitypolicyviolation', function(e) {
+ log("violated-directive=" + e.violatedDirective);
+ });
+
+ i.srcdoc = "<sc" + "ript nonce='abc'>" +
+ "window.addEventListener('securitypolicyviolation', function(e) {" +
+ "window.parent.postMessage('violated-directive=' + e.violatedDirective, '*');});" +
+ "</scr" + "ipt>" +
+ "<scr" + "ipt>window.parent.log('FAIL')</scr" + "ipt>";
+ document.body.appendChild(i);
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/inject-script.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/inject-script.js
new file mode 100644
index 00000000000..c04033c46f0
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/inject-script.js
@@ -0,0 +1,5 @@
+document.write("<script>log('Pass 1 of 2');</script>");
+
+var s = document.createElement('script');
+s.textContent = "log('Pass 2 of 2');";
+document.body.appendChild(s);
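Review bot: `window.onmessage` logs `e.data` from any sender without checking where it came from; since the expected log list is exactly `["violated-directive=script-src"]`, a message from any other window in the session would fail the test, and a guard `if (e.source !== i.contentWindow) return;` at the top of the handler keeps the assertion tied to the srcdoc frame. The `securitypolicyviolation` listener attached to the iframe element itself looks like it can never observe a violation raised inside the child document (the child already reports those via postMessage); if it ever did fire it would log a second `violated-directive=script-src` and fail the expected-logs check, so it should be dropped or its intent stated in a comment.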
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/post-message.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/post-message.js
new file mode 100644
index 00000000000..69daa31d2f1
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/post-message.js
@@ -0,0 +1 @@
+postMessage("importScripts allowed");
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-eval.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-eval.js
new file mode 100644
index 00000000000..9aa87129aee
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-eval.js
@@ -0,0 +1,5 @@
+var id = 0;
+try {
+ id = eval("1 + 2 + 3");
+} catch (e) {}
+postMessage(id === 0 ? "eval blocked" : "eval allowed");
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-eval.js.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-eval.js.sub.headers
new file mode 100644
index 00000000000..afdcc7c011b
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-eval.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'unsafe-inline'
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js
new file mode 100644
index 00000000000..03d9bf4cbbc
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js
@@ -0,0 +1,7 @@
+var fn = function() {
+ postMessage('Function() function blocked');
+}
+try {
+ fn = new Function("", "postMessage('Function() function allowed');");
+} catch (e) {}
+fn();
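Review bot: In worker-eval.js the bare `catch (e) {}` turns any exception into "eval blocked" — a SyntaxError or an unrelated failure is reported exactly like a CSP block, and `id === 0` only separates the two outcomes because `1 + 2 + 3` happens to be non-zero. CSP specifies an EvalError for blocked string compilation, so rethrowing anything else, `} catch (e) { if (!(e instanceof EvalError)) throw e; }`, lets unrelated errors surface as worker error events instead of a false "blocked" result. worker-function-function.js in this group, worker-set-timeout.js (L65) and, with a NetworkError check instead, worker-importscripts.js (L64) have the same blanket catch.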
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js.sub.headers
new file mode 100644
index 00000000000..afdcc7c011b
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'unsafe-inline'
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js
new file mode 100644
index 00000000000..0204de32cf1
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js
@@ -0,0 +1,6 @@
+try {
+ importScripts("/content-security-policy/support/post-message.js");
+ postMessage("importScripts allowed");
+} catch (e) {
+ postMessage("importScripts blocked");
+}
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js.sub.headers
new file mode 100644
index 00000000000..57616b1fc2d
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'none'
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js
new file mode 100644
index 00000000000..a16827eddfc
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js
@@ -0,0 +1,5 @@
+var id = 0;
+try {
+ id = setTimeout("postMessage('handler invoked')", 100);
+} catch (e) {}
+postMessage(id === 0 ? "setTimeout blocked" : "setTimeout allowed");
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js.sub.headers b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js.sub.headers
new file mode 100644
index 00000000000..57616b1fc2d
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'none'
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-eval-blocked.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-eval-blocked.sub.html
new file mode 100644
index 00000000000..9a264f2a240
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-eval-blocked.sub.html
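Review bot: worker-set-timeout.js infers "blocked" from `id === 0`, which assumes that setTimeout with a string handler returns 0 (or throws) at call time when CSP forbids string compilation. As far as I can tell from the HTML timer initialization steps, the string-compilation check happens inside the timer task when it fires, so a conforming engine returns a non-zero handle and this worker posts "setTimeout allowed" even though the handler never runs, making worker-set-timeout-blocked.sub.html fail against a correct implementation. A signal that does not depend on the return value is the absence of the `'handler invoked'` message: schedule a function-based timer after the string one and report "setTimeout blocked" from it, letting the parent treat a prior "handler invoked" as the failure. worker-set-timeout.js is complete within this hunk.
```javascript
try {
  setTimeout("postMessage('handler invoked')", 100);
} catch (e) {}
// The CSP check for string handlers may only run when the timer fires,
// so decide after that point rather than from setTimeout's return value.
setTimeout(function() {
  postMessage("setTimeout blocked");
}, 200);
```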
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <title>worker-eval-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["eval blocked"]'></script>
+ <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+ <p>This test loads a worker, delivered with its own policy.
+ The eval() call in the worker should be forbidden by that
+ policy. No report should be generated because the worker
+ policy does not set a report-uri (although this parent
+ resource does).</p>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log('Fail');
+ });
+
+ try {
+ var worker = new Worker('/content-security-policy/script-src/support/worker-eval.js');
+ worker.onmessage = function(event) {
+ log(event.data);
+ };
+ } catch (e) {
+ log(e);
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-function-function-blocked.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-function-function-blocked.sub.html
new file mode 100644
index 00000000000..8c1df9f6679
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-function-function-blocked.sub.html
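Review bot: The description paragraph in worker-eval-blocked.sub.html (hunk lines 15–19) says the parent resource sets a report-uri, but the page's policy on line 6 is a `<meta>` policy carrying only `script-src` and `connect-src`, and `report-uri` is ignored in `<meta>`-delivered policies anyway. The parenthetical looks like a leftover from the WebKit original; ending the sentence at `policy does not set a report-uri.</p>` keeps the description accurate about what the test checks. The same paragraph appears in worker-function-function-blocked.sub.html below.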
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <title>worker-function-function-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Function() function blocked"]'></script>
+ <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+ <p>This test loads a worker, delivered with its own policy.
+ The Function constructor should be forbidden by that
+ policy. No report should be generated because the worker
+ policy does not set a report-uri (although this parent
+ resource does).</p>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log('Fail');
+ });
+ try {
+ var worker = new Worker('/content-security-policy/script-src/support/worker-function-function.js');
+ worker.onmessage = function(event) {
+ log(event.data);
+ };
+ } catch (e) {
+ log(e);
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-importscripts-blocked.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-importscripts-blocked.sub.html
new file mode 100644
index 00000000000..28906138069
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-importscripts-blocked.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';">
+ <title>worker-importscripts-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log('Fail');
+ });
+ var result = '';
+ try {
+ var worker = new Worker('/content-security-policy/script-src/support/worker-importscripts.js');
+ worker.onmessage = function(event) {
+ result = event.data;
+ test(function() {
+ assert_equals(result, 'importScripts blocked')
+ });
+ log("TEST COMPLETE");
+ };
+ } catch (e) {
+ result = e;
+ test(function() {
+ assert_equals(result, 'importScripts blocked')
+ });
+ log("TEST COMPLETE");
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-script-src.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-script-src.sub.html
new file mode 100644
index 00000000000..da7771b9c4b
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-script-src.sub.html
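Review bot: Both `test()` calls in worker-importscripts-blocked.sub.html are anonymous, so a failure is reported under an auto-generated name, and the catch branch stores the caught exception in `result` and then compares it with the string 'importScripts blocked', an assertion that can only fail and does so with an unhelpful stringified-exception message. Naming the test and making the catch branch an explicit failure reads better: `test(function() { assert_equals(result, 'importScripts blocked'); }, 'importScripts is blocked by the worker policy');` in onmessage, and `test(function() { assert_unreached('Worker failed to start: ' + e); }, 'worker-importscripts-blocked: worker start');` in the catch. The two `assert_equals` lines are also missing their terminating semicolons.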
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <title>worker-script-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log('Fail');
+ });
+ try {
+ var foo = new Worker('/content-security-policy/script-src/support/post-message.js');
+ foo.onmessage = function(event) {
+ log("PASS");
+ };
+ } catch (e) {
+ log(e);
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-set-timeout-blocked.sub.html b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-set-timeout-blocked.sub.html
new file mode 100644
index 00000000000..5f93433416b
--- /dev/null
+++ b/tests/wpt/web-platform-tests/content-security-policy/script-src/worker-set-timeout-blocked.sub.html
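Review bot: In worker-script-src.sub.html the Worker is held in a variable named `foo` and the onmessage handler logs "PASS" without inspecting `event.data`, so any message from the worker counts as success. The sibling pages in this commit name the variable `worker` and log `event.data`; doing the same here, with the expected payload from post-message.js in the logTest query (`logs=["importScripts allowed"]`), would check what the worker actually sent rather than mere arrival.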
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'self' 'unsafe-eval'; connect-src 'self';">
+ <title>worker-set-timeout-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["setTimeout blocked"]'></script>
+</head>
+
+<body>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log('Fail');
+ });
+ try {
+ var worker = new Worker('/content-security-policy/script-src/support/worker-set-timeout.js');
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html> |
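Review bot: The `<meta>` policy on line 6 of worker-set-timeout-blocked.sub.html lists `'self'` twice in `script-src` and grants `'unsafe-eval'` even though nothing in the page's inline script compiles strings; the worker under test is governed by its own `script-src 'none'` response header, so the parent's `'unsafe-eval'` has no bearing on the outcome. Tightening it to `content="script-src 'self' 'unsafe-inline'; connect-src 'self';"`, as worker-eval-blocked.sub.html and worker-script-src.sub.html do, removes both the duplicate and the unneeded permission.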