summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/content-security-policy/resource-hints
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:47:29 +0000
commit0ebf5bdf043a27fd3dfb7f92e0cb63d88954c44d (patch)
treea31f07c9bcca9d56ce61e9a1ffd30ef350d513aa /testing/web-platform/tests/content-security-policy/resource-hints
parentInitial commit. (diff)
downloadfirefox-esr-0ebf5bdf043a27fd3dfb7f92e0cb63d88954c44d.tar.xz
firefox-esr-0ebf5bdf043a27fd3dfb7f92e0cb63d88954c44d.zip
Adding upstream version 115.8.0esr.upstream/115.8.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/content-security-policy/resource-hints')
-rw-r--r--testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-by-any-directive.sub.html35
-rw-r--r--testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-by-default.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-no-default.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-with-conflicting-permissive-policies.html21
-rw-r--r--testing/web-platform/tests/content-security-policy/resource-hints/prefetch-blocked-by-default-multiple-policies.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/resource-hints/prefetch-blocked-by-default.html18
-rw-r--r--testing/web-platform/tests/content-security-policy/resource-hints/prefetch-generate-directives.html90
-rw-r--r--testing/web-platform/tests/content-security-policy/resource-hints/prefetch-ignores-prefetch-src.sub.html21
-rw-r--r--testing/web-platform/tests/content-security-policy/resource-hints/prefetch-no-csp.html17
9 files changed, 268 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-by-any-directive.sub.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-by-any-directive.sub.html
new file mode 100644
index 0000000000..c1954641b1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-by-any-directive.sub.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/content-security-policy/support/testharness-helper.js"></script>
+<script src="/content-security-policy/support/prefetch-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'unsafe-inline'; img-src http://{{domains[www2]}}:{{ports[http][0]}}"/>
+
+<script>
+ const { OTHER_ORIGIN, REMOTE_ORIGIN } = get_host_info();
+
+ promise_test(async (t) => {
+ const url = new URL("/common/dummy.xml", location.href);
+ assert_true(await try_to_prefetch(url, t));
+ }, "Prefetch should succeed when restricted by default-src but allowed by " +
+ "other directive");
+
+ promise_test(async (t) => {
+ const url = new URL("/common/dummy.xml", REMOTE_ORIGIN);
+ assert_false(await try_to_prefetch(url, t));
+ }, "Prefetch should fail when restricted by default-src and different " +
+ "origin allowed by other directive");
+
+ promise_test(async (t) => {
+ const url = new URL("/common/dummy.xml", OTHER_ORIGIN);
+ assert_true(await try_to_prefetch(url, t));
+ }, "Prefetch should succeed when restricted by default-src but origin " +
+ "allowed by other directive");
+</script>
+</head>
+<body></body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-by-default.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-by-default.html
new file mode 100644
index 0000000000..fa31e941eb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-by-default.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+ <head>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='/common/utils.js'></script>
+ <script src='/content-security-policy/support/testharness-helper.js'></script>
+ <script src='/content-security-policy/support/prefetch-helper.js'></script>
+
+ <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'">
+ <script>
+ promise_test(async t => {
+ assert_true(await try_to_prefetch("/common/dummy.xml", t));
+ }, 'Prefetch should succeed when allowed by default-src');
+ </script>
+ </head>
+
+ <body>
+ </body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-no-default.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-no-default.html
new file mode 100644
index 0000000000..195c927a8d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-no-default.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+ <head>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='/common/utils.js'></script>
+ <script src='/content-security-policy/support/testharness-helper.js'></script>
+ <script src='/content-security-policy/support/prefetch-helper.js'></script>
+
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'; object-src 'self'; font-src 'self'; child-src 'self';">
+ <script>
+ promise_test(async t => {
+ assert_true(await try_to_prefetch("/common/dummy.xml", t));
+ }, 'Prefetch should succeed when there is no default-src');
+ </script>
+ </head>
+
+ <body>
+ </body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-with-conflicting-permissive-policies.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-with-conflicting-permissive-policies.html
new file mode 100644
index 0000000000..fe7cce0efb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-with-conflicting-permissive-policies.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='/common/utils.js'></script>
+ <script src='/content-security-policy/support/testharness-helper.js'></script>
+ <script src='/content-security-policy/support/prefetch-helper.js'></script>
+ <!-- These policies are for test-harness itself-->
+ <meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline'; img-src *; connect-src 'none'">
+ <meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline'; img-src 'none'; connect-src *">
+ <script>
+ promise_test(async t => {
+ assert_true(await try_to_prefetch("/common/dummy.xml", t));
+ }, 'Prefetch should succeed when a directive in a policy is permissive, ' +
+ 'even if a subsequent policy overrides that.');
+ </script>
+ </head>
+<body>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-blocked-by-default-multiple-policies.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-blocked-by-default-multiple-policies.html
new file mode 100644
index 0000000000..b53b021e6d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-blocked-by-default-multiple-policies.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+ <head>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='/common/utils.js'></script>
+ <script src='/content-security-policy/support/testharness-helper.js'></script>
+ <script src='/content-security-policy/support/prefetch-helper.js'></script>
+ <meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline'">
+ <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'unsafe-inline'">
+ <script>
+ promise_test(async t => {
+ assert_false(await try_to_prefetch("/common/dummy.xml", t));
+ }, 'Prefetch should fail when restricted by default-src');
+ </script>
+ </head>
+
+ <body>
+ </body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-blocked-by-default.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-blocked-by-default.html
new file mode 100644
index 0000000000..6780c80e8a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-blocked-by-default.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='/common/utils.js'></script>
+ <script src='/content-security-policy/support/testharness-helper.js'></script>
+ <script src='/content-security-policy/support/prefetch-helper.js'></script>
+ <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'unsafe-inline'">
+ <script>
+ promise_test(async t => {
+ assert_false(await try_to_prefetch("/common/dummy.xml", t));
+ }, 'Prefetch should fail when restricted by default-src');
+ </script>
+</head>
+<body>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-generate-directives.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-generate-directives.html
new file mode 100644
index 0000000000..b08d885c1e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-generate-directives.html
@@ -0,0 +1,90 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src='/resources/testharness.js'></script>
+<script src='/resources/testharnessreport.js'></script>
+<script src='/common/utils.js'></script>
+<script src='/content-security-policy/support/testharness-helper.js'></script>
+<script>
+
+const directives = {
+ 'script-src': true,
+ 'img-src': true,
+ 'connect-src': true,
+ 'object-src': true,
+ 'font-src': true,
+ 'manifest-src': true,
+ 'media-src': true,
+ 'style-src': true,
+ 'child-src': true,
+ 'frame-src': true,
+ 'worker-src': true,
+ 'base-uri': false,
+};
+
+function prefetch_with_csp_in_a_popup(byDirective, t) {
+ // Allow inline scripts so that we can run the postMessage script...
+ if (byDirective["script-src"] === "*")
+ byDirective["script-src"] = "* 'unsafe-inline'";
+ else
+ byDirective["script-src"] = "'unsafe-inline'";
+
+ const url = new URL('/content-security-policy/support/prefetch-with-csp.html', location.href);
+ const csp = Object.entries(byDirective).map(([key, value]) => `${key} ${value}`).join(";");
+ url.searchParams.set("pipe", `header(Content-Security-Policy, ${csp})`);
+ const uid = token();
+ url.searchParams.set("uid", uid);
+ const bc = new BroadcastChannel(uid);
+ const popup = window.open(url.href);
+ t.add_cleanup(() => popup.close());
+ return new Promise(resolve => {
+ bc.addEventListener("message", ({data}) => {
+ resolve(data);
+ });
+ });
+}
+
+for (const directive in directives) {
+ promise_test(async t => {
+ const byDirective = Object.fromEntries(Object.keys(directives).map(d => [d, "'none'"]));
+ byDirective[directive] = "*";
+ byDirective["default-src"] = "'none'";
+ const prefetch_ok = await prefetch_with_csp_in_a_popup(byDirective, t);
+ assert_equals(prefetch_ok, directives[directive], directive);
+ }, `Test that ${directive} enabled with everything else disabled allows prefetching`);
+
+ promise_test(async t => {
+ const byDirective = {
+ "default-src": "'none'",
+ [directive]: "*",
+ };
+ const prefetch_ok = await prefetch_with_csp_in_a_popup(byDirective, t);
+ assert_equals(prefetch_ok, directives[directive], directive);
+ }, `Test that ${directive} enabled with default-src disabled allows prefetching`);
+}
+
+promise_test(async t => {
+ const byDirective = {
+ "default-src": "'none'",
+ "script-src-elem": "* 'unsafe-inline'",
+ "script-src": "'none'",
+ };
+ const prefetch_ok = await prefetch_with_csp_in_a_popup(byDirective, t);
+ assert_true(prefetch_ok);
+ }, `Test that permissive script-src-elem supersedes script-src`);
+
+promise_test(async t => {
+ const byDirective = {
+ "default-src": "'none'",
+ "script-src-elem": "'unsafe-inline'",
+ "script-src": "*",
+ };
+ const prefetch_ok = await prefetch_with_csp_in_a_popup(byDirective, t);
+ assert_true(prefetch_ok);
+}, `Test that permissive script-src supersedes script-src-elem`);
+
+</script>
+</head>
+<body>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-ignores-prefetch-src.sub.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-ignores-prefetch-src.sub.html
new file mode 100644
index 0000000000..f9350bd657
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-ignores-prefetch-src.sub.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src='/common/utils.js'></script>
+<script src='/content-security-policy/support/testharness-helper.js'></script>
+<script src="/content-security-policy/support/prefetch-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' 'unsafe-inline'; prefetch-src http://{{domains[www2]}}:{{ports[http][0]}}"/>
+
+<script>
+ promise_test(async (t) => {
+ assert_false(await
+ try_to_prefetch('http://{{domains[www2]}}:{{ports[http][0]}}/common/dummy.xml',
+ t));
+ }, "Prefetch should fail when restricted by default-src and allowed by " +
+ "unsupported prefetch-src directive (prefetch-src should be ignored)");
+</script>
+</head>
+<body></body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-no-csp.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-no-csp.html
new file mode 100644
index 0000000000..87f2937b84
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-no-csp.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='/common/utils.js'></script>
+ <script src='/content-security-policy/support/testharness-helper.js'></script>
+ <script src='/content-security-policy/support/prefetch-helper.js'></script>
+ <script>
+ promise_test(async t => {
+ assert_true(await try_to_prefetch("/common/dummy.xml", t));
+ }, 'Prefetch succeeds when no CSP');
+ </script>
+</head>
+<body>
+</body>
+</html>