Diffstat (limited to 'testing/web-platform/tests/content-security-policy/form-action')
16 files changed, 505 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-self-allowed-target-blank.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-self-allowed-target-blank.html
new file mode 100644
index 0000000000..bc81a63b62
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-self-allowed-target-blank.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="form-action 'self'">
+</head>
+
+<body>
+ <form action='/content-security-policy/support/postmessage-pass-to-opener.html'
+ id='form_id'
+ target="_blank"
+ rel="opener">
+ </form>
+
+ <p>
+ Test that "form-action 'self'" works correctly when the form uses
+ target="_blank". If this test passes, a new window must open after pressing
+ "submit".
+ </p>
+</body>
+
+<script>
+ async_test(t => {
+ document.addEventListener('securitypolicyviolation', function(e) {
+ t.unreached_func("Form submission was blocked.");
+ });
+
+ window.addEventListener('message', function(event) {
+ t.done();
+ })
+
+ window.addEventListener("load", function() {
+ document.getElementById("form_id").submit();
+ });
+ }, "The form submission should not be blocked by the iframe's CSP.");
+</script>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-allowed-target-blank.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-allowed-target-blank.sub.html
new file mode 100644
index 0000000000..8727a82119
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-allowed-target-blank.sub.html
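Review bot: The `securitypolicyviolation` listener never fails the test, because `t.unreached_func("Form submission was blocked.")` only builds a failing callback and the result is discarded rather than invoked; a blocked submission would therefore end in a harness timeout instead of a failure carrying that message. Pass it as the listener directly: `document.addEventListener('securitypolicyviolation', t.unreached_func("Form submission was blocked."));`. The `message` listener also calls `t.done()` on any message without looking at `event.data`, so any stray postMessage passes the test. The test name mentions "the iframe's CSP", but there is no iframe here; the policy under test is this document's own `<meta>` CSP.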
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>form-action-src-redirect-allowed-target-blank</title>
+ <meta http-equiv="Content-Security-Policy" content="form-action 'self'">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script>
+ function OnDocumentLoaded() {
+ let test = async_test("form submission targetting _blank allowed after a redirect");
+ window.addEventListener("message", function(event) {
+ if (event.data == "DocumentNotBlocked") {
+ event.source.close();
+ test.done();
+ }
+ });
+
+ let form = document.getElementById("form");
+ form.action =
+ "/content-security-policy/form-action/support/post-message-to-opener.sub.html";
+
+ let submit = document.getElementById("submit");
+ submit.click();
+ }
+ </script>
+</head>
+<body onload="OnDocumentLoaded();">
+ <form id="form" method="GET" target="_blank" rel="opener">
+ <input type="hidden" name="message" value="DocumentNotBlocked">
+ <input type="submit" id="submit">
+ </form>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-allowed-target-frame.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-allowed-target-frame.sub.html
new file mode 100644
index 0000000000..81921d395e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-allowed-target-frame.sub.html
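Review bot: The `<title>` and the `async_test` description both say "redirect", but this form submits straight to `post-message-to-opener.sub.html` with no `/common/redirect.py` hop, so the names look copy-pasted from the redirect variant; `<title>form-action-src-allowed-target-blank</title>` and `async_test("form submission targeting _blank allowed")` describe what actually runs. There is also no `securitypolicyviolation` listener, so if the submission were blocked the only symptom would be the harness timeout; `window.addEventListener("securitypolicyviolation", test.unreached_func("form submission was blocked"));` next to the message listener makes the failure immediate and attributable. The `event.data == "DocumentNotBlocked"` comparison should use `===`.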
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>form-action-src-allowed-target-frame</title>
+ <meta http-equiv="Content-Security-Policy" content="form-action 'self'">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script>
+ function OnDocumentLoaded() {
+ let test = async_test("form submission targetting a frame allowed");
+ window.addEventListener("message", function(event) {
+ if (event.data == "DocumentNotBlocked") {
+ test.done();
+ }
+ });
+
+ let form = document.getElementById("form");
+ form.action =
+ "/content-security-policy/form-action/support/post-message-to-parent.sub.html";
+
+ let submit = document.getElementById("submit");
+ submit.click();
+ }
+ </script>
+</head>
+<body onload="OnDocumentLoaded();">
+ <form id="form" method="GET" target="frame">
+ <input type="hidden" name="message" value="DocumentNotBlocked">
+ <input type="submit" id="submit">
+ </form>
+ <iframe name="frame"></iframe>
+</body>
+</html>
+
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-allowed.sub.html
new file mode 100644
index 0000000000..418d6f51b0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-allowed.sub.html
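Review bot: A blocked submission would only show up as a harness timeout, since nothing in this file listens for `securitypolicyviolation`; adding `window.addEventListener("securitypolicyviolation", test.unreached_func("form submission was blocked"));` before `submit.click()` gives an immediate failure that names the cause. The `message` handler is a plain function rather than `test.step_func`, so an exception thrown while handling the message would surface as an uncaught error instead of a failure of this test, and `==` on `event.data` should be `===`. The `.sub.html` suffix is unused here, as the file contains no `{{...}}` substitutions.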
@@ -0,0 +1,40 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <meta http-equiv="Content-Security-Policy" content="form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> + <title>form-action-src-allowed</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script> + <script src="../support/alertAssert.sub.js?alerts=[]"></script> + <script> + window.addEventListener('securitypolicyviolation', function(e) { + log('Fail'); + }); + window.addEventListener("message", function(event) { + log(event.data); + }, false); + window.addEventListener('load', function() { + setTimeout(function() { + document.getElementById('submit').click(); + log("TEST COMPLETE"); + }, 0); + }); + + </script> +</head> + +<body> + <iframe name="test_target" id="test_iframe"></iframe> + + <form action="/common/redirect.py?location=/content-security-policy/support/postmessage-pass.html" id="theform" method="post" target="test_target"> + <input type="text" name="fieldname" value="fieldvalue"> + <input type="submit" id="submit" value="submit"> + </form> + <p>Tests that allowed form actions work correctly.</p> + <div id="log"></div> + </body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-blocked.sub.html new file mode 100644 index 0000000000..a113d9a264 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-blocked.sub.html 
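Review bot: The description `<p>Tests that allowed form actions work correctly.</p>` undersells what is exercised: the form's `action` goes through `/common/redirect.py` to a same-origin page, so this is the POST-with-same-origin-redirect case and the text should say so, e.g. `<p>Tests that an allowed POST form action is not blocked when it redirects to a same-origin page.</p>`. The `securitypolicyviolation` listener just logs `'Fail'`, which works only because that entry is absent from the expected `logs=["PASS","TEST COMPLETE"]` list (assuming logTest.sub.js rejects unexpected entries); a comment such as `// Not in the expected logs above, so any violation fails the test.` makes the failure path readable. This file also carries a `.sub.html` suffix without using any substitutions.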
@@ -0,0 +1,40 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <meta http-equiv="Content-Security-Policy" content="form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> + <title>form-action-src-blocked</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["violated-directive=form-action","TEST COMPLETE"]'></script> + <script src="../support/alertAssert.sub.js?alerts=[]"></script> + <script> + window.addEventListener('securitypolicyviolation', function(e) { + log('violated-directive=' + e.violatedDirective); + }); + window.addEventListener("message", function(event) { + alert_assert(event.data); + }, false); + window.addEventListener('load', function() { + setTimeout(function() { + document.getElementById('submit').click(); + }, 0); + }); + setTimeout(function() {log("TEST COMPLETE");}, 1); + + </script> +</head> + +<body> + <iframe name="test_target" id="test_iframe"></iframe> + <form action="/common/redirect.py?location=/content-security-policy/support/postmessage-fail.html" id="theform" method="post" target="test_target"> + <input type="text" name="fieldname" value="fieldvalue"> + <input type="submit" id="submit" value="submit"> + </form> + <p>Tests that blocking form actions works correctly.</p> + <div id="log"></div> + + </body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-default-ignored.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-default-ignored.sub.html new file mode 100644 index 0000000000..58db5bf735 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-default-ignored.sub.html 
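Review bot: The `message` handler's intent is not obvious from the code: it forwards `event.data` to `alert_assert`, which with `alerts=[]` presumably fails on any call, meaning any message from `test_target` proves the blocked form actually navigated the iframe. A comment makes that readable: `// alerts=[] above, so any message (i.e. the iframe navigated) fails the test.` The sibling redirect-blocked test also logs `blocked-uri=` from the violation event; logging `e.blockedURI` here too (and adding it to the expected `logs=` list) would pin the report to the form's action URL and keep the two blocked tests consistent.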
@@ -0,0 +1,40 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; frame-src 'self';"> + <title>form-action-src-default-ignored</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script> + <script src="../support/alertAssert.sub.js?alerts=[]"></script> + <script> + window.addEventListener('securitypolicyviolation', function(e) { + log('Fail'); + }); + window.addEventListener("message", function(event) { + log(event.data); + }, false); + window.addEventListener('load', function() { + setTimeout(function() { + document.getElementById('submit').click(); + log("TEST COMPLETE"); + }, 0); + }); + + </script> +</head> + +<body> + <iframe name="test_target" id="test_iframe"></iframe> + + <form action="/common/redirect.py?location=/content-security-policy/support/postmessage-pass.html" id="theform" method="post" target="test_target"> + <input type="text" name="fieldname" value="fieldvalue"> + <input type="submit" id="submit" value="submit"> + </form> + <p>Tests that default-src does not cascade to form-action.</p> + <div id="log"></div> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-get-allowed.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-get-allowed.sub.html new file mode 100644 index 0000000000..1dd7fbcd41 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-get-allowed.sub.html 
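Review bot: The policy deliberately omits `form-action`, and that omission is the whole point of the test, but nothing in the file says so; a comment beside the `<meta>` tag, such as `<!-- No form-action on purpose: default-src 'none' must not cascade to form-action, so this submission must succeed. -->`, would stop a later editor from "fixing" the policy and silently inverting the test. `style-src 'self'` is listed although the page loads no stylesheet and could be dropped so the policy contains only what the test needs. As with the other converted files, the `.sub.html` suffix is unused.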
@@ -0,0 +1,41 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <meta http-equiv="Content-Security-Policy" content="form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> + <title>form-action-src-allowed</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script> + <script src="../support/alertAssert.sub.js?alerts=[]"></script> + <script> + window.addEventListener('securitypolicyviolation', function(e) { + log('Fail'); + }); + window.addEventListener("message", function(event) { + log(event.data); + }, false); + window.addEventListener('load', function() { + setTimeout(function() { + document.getElementById('submit').click(); + log("TEST COMPLETE"); + }, 0); + }); + + </script> +</head> + +<body> + <iframe name="test_target" id="test_iframe"></iframe> + + <form action="/content-security-policy/support/postmessage-pass.html" id="theform" method="get" target="test_target"> + <input type="text" name="fieldname" value="fieldvalue"> + <input type="submit" id="submit" value="submit"> + </form> + <p>Tests that allowed form actions work correctly + with GET and a redirect.</p> + <div id="log"></div> + </body> + +</html>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-get-blocked.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-get-blocked.sub.html new file mode 100644 index 0000000000..638badc73a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-get-blocked.sub.html @@ -0,0 +1,42 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <meta http-equiv="Content-Security-Policy" content="form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> + <title>form-action-src-allowed</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["violated-directive=form-action","TEST COMPLETE"]'></script> + <script src="../support/alertAssert.sub.js?alerts=[]"></script> + <script> + window.addEventListener('securitypolicyviolation', function(e) { + log('violated-directive=' + e.violatedDirective); + }); + window.addEventListener("message", function(event) { + alert_assert(event.data); + }, false); + window.addEventListener('load', function() { + setTimeout(function() { + document.getElementById('submit').click(); + log("TEST COMPLETE"); + }, 0); + }); + + </script> +</head> + +<body> + <iframe name="test_target" id="test_iframe"></iframe> + + <form action="/common/redirect.py?location=/content-security-policy/support/postmessage-fail.html" id="theform" method="get" target="test_target"> + <input type="text" name="fieldname" value="fieldvalue"> + <input type="submit" id="submit" value="submit"> + </form> + <p>Tests that disallowed form actions are blocked + with GET and redirects.</p> + <div id="log"></div> +"></script> + </body> + +</html> 
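Review bot: The description `<p>Tests that allowed form actions work correctly with GET and a redirect.</p>` does not match the form, whose `action` is `/content-security-policy/support/postmessage-pass.html` with no `/common/redirect.py` hop; either the redirect is missing from the action or the text should read `<p>Tests that an allowed form action works correctly with GET.</p>`. The `<title>` is `form-action-src-allowed`, duplicated from the POST test; `<title>form-action-src-get-allowed</title>` matches the file name. The hunk's `\ No newline at end of file` marker also shows the file is missing its trailing newline.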
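Review bot: A stray `"></script>` line sits after `<div id="log"></div>`, which the parser will render as the literal text `">` followed by an unmatched closing tag; it looks like a paste remnant and should be deleted. The `<title>` is `form-action-src-allowed` although the test expects `violated-directive=form-action`; `<title>form-action-src-get-blocked</title>` fits the file name and the blocked-POST sibling. The `'violated-directive=' + e.violatedDirective` log could also include `e.blockedURI`, as the redirect-blocked test does, so the report is tied to the form's action URL.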
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub.html new file mode 100644 index 0000000000..6997ef6e86 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub.html @@ -0,0 +1,34 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <meta http-equiv="Content-Security-Policy" content="form-action 'none'; script-src 'self' 'nonce-noncynonce'; connect-src 'self';"> + <title>form-action-src-javascript-blocked</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["violated-directive=form-action","TEST COMPLETE"]'></script> + <script src="../support/alertAssert.sub.js?alerts=[]"></script> + <script nonce='noncynonce'> + window.addEventListener('securitypolicyviolation', function(e) { + log('violated-directive=' + e.violatedDirective); + }); + window.addEventListener('load', function() { + setTimeout(function() { + document.getElementById('submit').click(); + log("TEST COMPLETE"); + }, 0); + }); + </script> +</head> + +<body> + <form action="javascript:log("FAIL!")" id="theform" method="post"> + <input type="text" name="fieldname" value="fieldvalue"> + <input type="submit" id="submit" value="submit"> + </form> + <p>Tests that blocking form actions works correctly. If this test passes, a CSP violation will be generated, and will not see a JavaScript alert.</p> + <div id="log"></div> +</body> + +</html> 
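Review bot: The `action` attribute is mis-quoted: in `action="javascript:log("FAIL!")"` the value ends at the second `"`, so the attribute is `javascript:log(` and `FAIL!")"` is parsed as junk attributes. The URL is still a `javascript:` URL, so `form-action 'none'` still blocks it, but the `FAIL!` marker could never be logged even if enforcement were broken, which defeats the negative check. Use single quotes for the attribute: `<form action='javascript:log("FAIL!")' id="theform" method="post">`. The description says the page "will not see a JavaScript alert", but the action calls `log`, not `alert`, so the text should refer to a `FAIL!` log entry instead.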
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub.html.sub.headers
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub.html.sub.headers
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-javascript-prevented.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-javascript-prevented.html
new file mode 100644
index 0000000000..feae47ee79
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-javascript-prevented.html
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="form-action 'none'; script-src 'self' 'nonce-noncynonce'; connect-src 'self';">
+</head>
+
+<body>
+ <form action='/content-security-policy/support/postmessage-pass-to-opener.html'
+ id='form_id'
+ target="_blank">
+ <input type="submit" />
+ </form>
+
+ <p>
+ Test that "form-action 'none'" doesn't create a violation report if the event was prevented.
+ </p>
+</body>
+
+<script nonce='noncynonce'>
+ async_test(t => {
+ document.addEventListener('securitypolicyviolation', function(e) {
+ assert_unreached('Form submission was blocked.');
+ });
+
+ window.addEventListener('message', function(event) {
+ assert_unreached('Form submission was blocked.');
+ })
+
+ window.addEventListener("load", function() {
+ let form = document.getElementById("form_id");
+ form.addEventListener("submit", e => {
+ e.preventDefault();
+ setTimeout(() => {
+ t.done();
+ }, 0);
+ });
+ // clicking the input is used here as form.submit() will submit a form without an event and should also be blocked.
+ form.querySelector("input").click();
+ });
+ }, "The form submission should not be blocked by when javascript prevents the load.");
+</script>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html
new file mode 100644
index 0000000000..e1f23db73c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html
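Review bot: Both guard listeners call `assert_unreached(...)` from plain event callbacks outside any test step, so a violation or message would surface as an uncaught exception rather than a failure attributed to this `async_test`; use `t.unreached_func('...')` as the listener instead, e.g. `document.addEventListener('securitypolicyviolation', t.unreached_func('A violation was reported although submit was prevented.'));`. The `message` listener's text `'Form submission was blocked.'` is also the wrong way round: a message from the opened page would mean the submission went through. That guard is likely dead anyway, because the form has `target="_blank"` without the `rel="opener"` the `self-allowed` sibling uses, so the opened page would presumably have no `opener` to post to; the `rel` should be added or the listener dropped. The test description reads "blocked by when javascript prevents the load" and needs rewording, e.g. "No violation is reported when script cancels the submit event."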
@@ -0,0 +1,33 @@ +<!DOCTYPE html> +<html> +<head> + <title>form-action-src-redirect-allowed-target-blank</title> + <meta http-equiv="Content-Security-Policy" content="form-action 'self'"> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script> + function OnDocumentLoaded() { + let test = async_test("form submission targetting _blank allowed after a redirect"); + window.addEventListener("message", function(event) { + if (event.data == "DocumentNotBlocked") { + event.source.close(); + test.done(); + } + }); + + let form = document.getElementById("form"); + let final_url = "/content-security-policy/form-action/support/post-message-to-opener.sub.html?message=DocumentNotBlocked"; + let redirect_url = "/common/redirect.py?location="; + form.action = redirect_url + encodeURIComponent(final_url); + + let submit = document.getElementById("submit"); + submit.click(); + } + </script> +</head> +<body onload="OnDocumentLoaded();"> + <form id="form" method="POST" target="_blank" rel="opener"> + <input type="submit" id="submit"> + </form> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-frame.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-frame.sub.html new file mode 100644 index 0000000000..6afd4459b0 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-frame.sub.html 
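Review bot: If the POST-then-redirect submission were blocked, nothing here would notice except the harness timeout, because no `securitypolicyviolation` listener is installed; `window.addEventListener("securitypolicyviolation", test.unreached_func("form submission was blocked on redirect"));` before `submit.click()` turns that into an immediate failure naming the cause. The `message` listener accepts any source; wrapping it in `test.step_func` and using `===` for the `event.data` comparison would tighten it. This file and `form-action-src-allowed-target-blank.sub.html` share the `<title>` and test description verbatim, so only this one, which really does go through `/common/redirect.py`, should carry the "redirect" wording.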
@@ -0,0 +1,34 @@ +<!DOCTYPE html> +<html> +<head> + <title>form-action-src-redirect-allowed-target-frame</title> + <meta http-equiv="Content-Security-Policy" content="form-action 'self'"> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script> + function OnDocumentLoaded() { + let test = async_test("form submission targetting a frame allowed after a redirect"); + window.addEventListener("message", function(event) { + if (event.data == "DocumentNotBlocked") { + test.done(); + } + }); + + let form = document.getElementById("form"); + let final_url = "/content-security-policy/form-action/support/post-message-to-parent.sub.html?message=DocumentNotBlocked"; + let redirect_url = "/common/redirect.py?location="; + form.action = redirect_url + encodeURIComponent(final_url); + + let submit = document.getElementById("submit"); + submit.click(); + } + </script> +</head> +<body onload="OnDocumentLoaded();"> + <form id="form" method="POST" target="frame"> + <input type="submit" id="submit"> + </form> + <iframe name="frame"></iframe> +</body> +</html> + diff --git a/testing/web-platform/tests/content-security-policy/form-action/form-action-src-redirect-blocked.sub.html b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-redirect-blocked.sub.html new file mode 100644 index 0000000000..ac25e03d5c --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/form-action/form-action-src-redirect-blocked.sub.html 
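Review bot: The test has no negative path other than the harness timeout, since no `securitypolicyviolation` listener is registered for the redirected POST; add `window.addEventListener("securitypolicyviolation", test.unreached_func("form submission was blocked on redirect"));` next to the message listener. The `message` handler could also confirm the sender is the named frame, `event.source === frames["frame"]`, so a message from elsewhere cannot pass the test, and `event.data == "DocumentNotBlocked"` should use `===`.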
@@ -0,0 +1,42 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <meta http-equiv="Content-Security-Policy" content="form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> + <title>form-action-src-redirect-blocked</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["violated-directive=form-action","blocked-uri=http://{{hosts[][]}}:{{ports[http][0]}}/common/redirect.py?location=http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-fail.html","TEST COMPLETE"]'></script> + <script src="../support/alertAssert.sub.js?alerts=[]"></script> + <script> + window.addEventListener('securitypolicyviolation', function(e) { + log('violated-directive=' + e.violatedDirective); + log('blocked-uri=' + e.blockedURI); + }); + window.addEventListener("message", function(event) { + alert_assert(event.data); + }, false); + window.addEventListener('load', function() { + setTimeout(function() { + document.getElementById('submit').click(); + log("TEST COMPLETE"); + }, 0); + }); + setTimeout(function() {}, 1000); + + </script> +</head> + +<body> + <iframe name="test_target" id="test_iframe"></iframe> + + <form id="form1" action="/common/redirect.py?location=http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-fail.html" method="post" target="test_target"> + <input type="text" name="fieldname" value="fieldvalue"> + <input type="submit" id="submit" value="submit"> + </form> + <p>Tests that blocking a POST form with a redirect works correctly. If this test passes, a CSP violation will be generated.</p> + <div id="log"></div> +</body> + +</html> 
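Review bot: `setTimeout(function() {}, 1000);` after the load handler schedules an empty callback that nothing waits on, so it is dead code and should be removed (the POST-blocked sibling uses its timer to log "TEST COMPLETE", which here is already logged in the click handler). The expected `blocked-uri=` entry is the original same-origin `/common/redirect.py?location=...` form action rather than the cross-origin `www1` page the redirect points at, which is the interesting assertion of this test; a comment above `log('blocked-uri=' + e.blockedURI);`, such as `// The report names the pre-redirect form action, not the cross-origin redirect target.`, would make that explicit. Whether the `?location=` query survives in `blockedURI` depends on the report URL-stripping rules, so the expectation is worth confirming against more than one engine.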
diff --git a/testing/web-platform/tests/content-security-policy/form-action/support/post-message-to-opener.sub.html b/testing/web-platform/tests/content-security-policy/form-action/support/post-message-to-opener.sub.html
new file mode 100644
index 0000000000..0348139057
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/support/post-message-to-opener.sub.html
@@ -0,0 +1,3 @@
+<script>
+ opener.postMessage("{{GET[message]}}", "*");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/form-action/support/post-message-to-parent.sub.html b/testing/web-platform/tests/content-security-policy/form-action/support/post-message-to-parent.sub.html
new file mode 100644
index 0000000000..63e464be21
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/form-action/support/post-message-to-parent.sub.html
@@ -0,0 +1,3 @@
+<script>
+ parent.postMessage("{{GET[message]}}", "*");
+</script> |
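Review bot: `{{GET[message]}}` is substituted verbatim into a JS string literal, so a `message` value containing `"`, `\` or `</script>` breaks out of the literal and runs as script in this support page; the tests only ever pass `DocumentNotBlocked`, but a fixture on the test server should not be injectable. Reading the parameter client-side avoids the server substitution entirely: `opener.postMessage(new URLSearchParams(location.search).get("message"), "*");` (the `.sub.` suffix can then go). `opener` is also assumed non-null; a form submitted to `_blank` without `rel="opener"` would presumably leave it null and throw here, which the caller would only see as a timeout.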
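Review bot: Same substitution issue as the opener variant: `{{GET[message]}}` lands unescaped inside a JS string, so any quote or backslash in the `message` query parameter becomes script; `parent.postMessage(new URLSearchParams(location.search).get("message"), "*");` keeps the value as data. The `"*"` target origin is acceptable for a fixture, but a one-line comment stating that this page is only loaded by the form-action tests as a same-origin frame would document why it is safe here.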