Diffstat (limited to 'testing/web-platform/tests/content-security-policy/img-src')
10 files changed, 290 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/img-src/icon-allowed.sub.html b/testing/web-platform/tests/content-security-policy/img-src/icon-allowed.sub.html
new file mode 100644
index 0000000000..5c8ecdee13
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/icon-allowed.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="img-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <p>Use callbacks to show that favicons are loaded as allowed by CSP when link tags are dynamically added to the page.</p>
+ <script>
+ var t = async_test("Test that image loads");
+ window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have triggered any violation events"));
+
+ function createLink(rel, src) {
+ var link = document.createElement('link');
+ link.rel = rel;
+ link.href = src;
+ link.onload = t.done();
+ link.onerror = t.unreached_func('The image should have loaded');
+ document.body.appendChild(link);
+ }
+ window.addEventListener('DOMContentLoaded', function() {
+ createLink('icon', '../support/pass.png');
+ });
+
+ </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/img-src/icon-blocked.sub.html b/testing/web-platform/tests/content-security-policy/img-src/icon-blocked.sub.html
new file mode 100644
index 0000000000..cc882347a1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/icon-blocked.sub.html
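Review bot: `link.onload = t.done();` in createLink calls done() synchronously while the link is being created and assigns `undefined` as the handler, so the test is marked complete before the favicon request has been evaluated against the policy, and the `onerror` unreached_func then fires into a test that has already finished, where it presumably can no longer fail it. The handler should be installed as a function: `link.onload = t.step_func_done();`. The same pattern appears in icon-blocked.sub.html in the next hunk, where `link.onerror = t.done();` should become `link.onerror = t.step_func_done();` so that the blocked-load check actually gates completion.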
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+<p>Use callbacks to show that favicons are not loaded in violation of CSP when link tags are dynamically added to the page.</p>
+ <script>
+ var t = async_test("Test that image does not load");
+ var t_spv = async_test("Test that spv event is fired");
+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+ assert_equals(e.violatedDirective, 'img-src');
+ assert_true(e.blockedURI.endsWith('/support/fail.png'));
+ }));
+
+ function createLink(rel, src) {
+ var link = document.createElement('link');
+ link.rel = rel;
+ link.href = src;
+ link.onerror = t.done();
+ link.onload = t.unreached_func('The image should not have loaded');
+ document.head.appendChild(link);
+ }
+ window.addEventListener('DOMContentLoaded', function() {
+ createLink('icon', '../support/fail.png');
+ });
+
+ </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.sub.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.sub.html
new file mode 100644
index 0000000000..9e4e345a16
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.sub.html
@@ -0,0 +1,35 @@
+<!DOCTYPE HTML>
+<meta http-equiv="Content-Security-Policy" content="img-src 'self' {{domains[www]}}:{{ports[http][0]}}">
+<html>
+<head>
+ <title>img element src attribute must match src list.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <div id='log'/>
+
+ <script>
+ async_test(function(t) {
+ i = new Image();
+ i.onload = t.step_func_done();
+ i.onerror = t.unreached_func("The img should have loaded");
+ i.src = '/content-security-policy/support/pass.png';
+ }, "img-src for relative path should load");
+
+ async_test(function(t) {
+ i = new Image();
+ i.onload = t.unreached_func("Image from unapproved domain was loaded.");
+ i.onerror = t.step_func_done();
+ i.src = 'http://{{domains[www1]}}/content-security-policy/support/fail.png';
+ }, "img-src from unapproved domains should not load");
+
+ async_test(function(t) {
+ i = new Image();
+ i.onload = t.step_func_done();
+ i.onerror = t.unreached_func("The img should have loaded");
+ i.src = location.protocol + '//{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/pass.png';
+ }, "img-src from approved domains should load");
+ </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-full-host-wildcard-blocked.sub.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-full-host-wildcard-blocked.sub.html
new file mode 100644
index 0000000000..23c33d5655
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-full-host-wildcard-blocked.sub.html
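Review bot: Each of the three async_test callbacks assigns `i = new Image();` without a declaration, so `i` becomes an implicit global that all three tests overwrite in turn; the handlers still close over their own `t`, so this probably works today, but it is fragile and would throw under strict mode. Declare it locally in each callback: `var i = new Image();`. The `<meta http-equiv>` policy is also placed before the `<html>` element rather than inside `<head>`; the parser tolerates this, but the other files in this series that do the same would read more clearly with the meta in `<head>`.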
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<meta http-equiv="Content-Security-Policy" content="img-src *.{{host}}:{{ports[http][0]}}">
+<html>
+<head>
+ <title>img-src with full host and wildcard blocks correctly.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <div id='log'/>
+
+ <script>
+ var t1 = async_test("img src does not match full host and wildcard csp directive");
+ </script>
+ <img src='http://{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png'
+ onload='t1.step(function() { assert_unreached("Image should have loaded"); t1.done(); });'
+ onerror='t1.done();'>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub.html
new file mode 100644
index 0000000000..d2d36d1341
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<meta http-equiv="Content-Security-Policy" content="img-src *.{{host}}:{{ports[http][0]}}">
+<html>
+<head>
+ <title>img-src works correctly with partial host wildcard.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <div id='log'/>
+
+ <script>
+ var t1 = async_test("img src matches correctly partial wildcard host csp directive");
+ </script>
+ <img src='http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/pass.png'
+ onload='t1.done();'
+ onerror='t1.step(function() { assert_unreached("Image should have loaded"); t1.done(); });'>
+
+</body>
+</html>
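Review bot: The failure message in img-src-full-host-wildcard-blocked.sub.html is inverted: the test expects the `*.{{host}}` source to reject the bare host, yet its `onload` handler reports `assert_unreached("Image should have loaded")`, so a regression would be logged with a message that describes the opposite condition. It should read `assert_unreached("Image should not have loaded")`, matching the wording used in img-src-none-blocks.html. In both hunks `<div id='log'/>` is written as a self-closing tag; `div` is not a void element, so the slash is ignored by the parser and `<div id='log'></div>` would state the intent correctly.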
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-none-blocks.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-none-blocks.html
new file mode 100644
index 0000000000..9bc0326ef8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-none-blocks.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<meta http-equiv="Content-Security-Policy" content="img-src 'none';">
+<html>
+<head>
+ <title>img element src attribute must match src list.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <div id='log'/>
+
+ <script>
+ var t1 = async_test("img-src with 'none' source should not match");
+ </script>
+ <img src='/content-security-policy/support/fail.png'
+ onload='t1.step(function() { assert_unreached("Image should not have loaded"); t1.done(); });'
+ onerror='t1.done();'>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub.html
new file mode 100644
index 0000000000..215c10089b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<meta http-equiv="Content-Security-Policy" content="img-src http://www.{{host}}:*">
+<html>
+<head>
+ <title>img-src works correctly with port wildcard source</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <div id='log'/>
+
+ <script>
+ var t1 = async_test("img-src with wildcard port should match any port");
+ </script>
+ <img src='http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/pass.png'
+ onload='t1.done();'
+ onerror='t1.step(function() { assert_unreached("Image should have loaded."); t1.done()} );'>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-self-unique-origin.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-self-unique-origin.html
new file mode 100644
index 0000000000..dd689c02f3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-self-unique-origin.html
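Review bot: The policy spells the allowed host as `http://www.{{host}}:*` while the image URL uses the `{{domains[www]}}` substitution; these presumably expand to the same name in the test server configuration, but if they ever diverge the test would fail for a reason unrelated to port matching. Using one token in both places, e.g. `content="img-src http://{{domains[www]}}:*"`, ties the policy and the request to the same origin by construction. The `onerror` handler also ends with `t1.done()} );`, missing the statement terminator used in the sibling files; `t1.done(); });` keeps the style consistent.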
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <title>img-src-self-unique-origin</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+ <p>
+ The origin of an URL is called "unique" when it is considered to be
+ different from every origin, including itself. The origin of a
+ data-url is unique. When the current origin is unique, the CSP source
+ 'self' must not match any URL.
+ </p>
+ <script>
+ var iframe = document.createElement("iframe");
+ iframe.src = encodeURI(`data:text/html,
+ <script>
+ /* Add the CSP: frame-src: 'self'. */
+ var meta = document.createElement('meta');
+ meta.httpEquiv = 'Content-Security-Policy';
+ meta.content = "img-src 'self'";
+ document.getElementsByTagName('head')[0].appendChild(meta);
+
+ /* Notify the parent the image has been blocked. */
+ window.addEventListener('securitypolicyviolation', e => {
+ if (e.originalPolicy == "img-src 'self'")
+ window.parent.postMessage('Test PASS', '*');
+ });
+ </scr`+`ipt>
+
+ This image should be blocked by CSP:
+ <img src='data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hBADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7'></img>
+ `);
+ if (window.async_test) {
+ async_test(t => {
+ window.addEventListener("message", e => {
+ if (e.data == "Test PASS")
+ t.done();
+ });
+ }, "Image's url must not match with 'self'. Image must be blocked.");
+ }
+ document.body.appendChild(iframe);
+ </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-wildcard-allowed.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-wildcard-allowed.html
new file mode 100644
index 0000000000..72326ee6fc
--- /dev/null
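Review bot: The comment inside the data-URL frame, `/* Add the CSP: frame-src: 'self'. */`, does not match the policy the next lines install, which is `meta.content = "img-src 'self'";`; it should read `/* Add the CSP: img-src 'self'. */` so a reader is not misled about which directive is under test. The test also has no negative signal: if the image does load, nothing is posted to the parent and the harness only reports a timeout rather than a failure with a message, so consider giving the `<img>` an `onload` that posts a distinct message the parent's listener turns into an assertion failure. The comparisons `e.originalPolicy == "img-src 'self'"` and `e.data == "Test PASS"` would conventionally use `===`.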
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-wildcard-allowed.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<meta http-equiv="Content-Security-Policy" content="img-src *;">
+<html>
+<head>
+ <title>img element src attribute must match src list.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <div id='log'/>
+
+ <script>
+ var t1 = async_test("img-src with wildcard should match all");
+ </script>
+ <img src='/content-security-policy/support/pass.png'
+ onload='t1.done();'
+ onerror='t1.step(function() { assert_unreached("Image should have loaded"); t1.done(); });'>
+
+ <script>
+ async_test(function(t) {
+
+ var pngBase64 = "iVBORw0KGgoAAAANSUhEUgAAAGQAAABkCAIAAAD/gAIDAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAnklEQVR42u3QMQEAAAgDoGlyo1vBzwciUJlw1ApkyZIlS5YsBbJkyZIlS5YCWbJkyZIlS4EsWbJkyZKlQJYsWbJkyVIgS5YsWbJkKZAlS5YsWbIUyJIlS5YsWQpkyZIlS5YsBbJkyZIlS5YCWbJkyZIlS4EsWbJkyZKlQJYsWbJkyVIgS5YsWbJkKZAlS5YsWbIUyJIlS5YsWQpkyfq2MosBSIeKONMAAAAASUVORK5CYII=";
+
+ blobContents = [atob(pngBase64)];
+ blob = new Blob(blobContents, {type: "image/png"});
+ img = document.createElement("img");
+ img.onerror = function (e) {
+ t.done();
+ };
+ img.onload = function () {
+ assert_unreached("Should not load blob img");
+ t.done();
+ };
+ blobURL = window.URL.createObjectURL(blob);
+ img.src = blobURL;
+
+ },"img-src with wildcard should not match blob");
+ </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/img-src/report-blocked-data-uri.sub.html b/testing/web-platform/tests/content-security-policy/img-src/report-blocked-data-uri.sub.html
new file mode 100644
index 0000000000..d7405cd255
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/report-blocked-data-uri.sub.html
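Review bot: In the blob test, `img.onload` calls `assert_unreached(...)` from a plain function rather than from within a test step, so if the blob image ever loads the assertion throws as an uncaught exception instead of being attributed to this test, and the following `t.done()` is never reached. Both handlers should be harness-wrapped: `img.onerror = t.step_func_done();` and `img.onload = t.unreached_func("Should not load blob img");`. The same callback also assigns `blobContents`, `blob`, `img` and `blobURL` without declarations, creating implicit globals that a `var` on each line would avoid.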
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <title>report-blocked-data-uri</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["violated-directive=img-src"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("violated-directive=" + e.violatedDirective);
+ });
+ </script>
+
+ <img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==">
+ <div id="log"></div>
+</body>
+
+</html>
|
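Review bot: The header comment misspells its last word; `<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncrasies.-->` is the intended spelling. The violation listener records only `e.violatedDirective`; the expected log list in the logTest.sub.js query string is the only thing that asserts anything here, and that helper is outside this diff, so the listener's role would be clearer with a one-line comment such as `// logTest.sub.js compares these entries against the ?logs= list in the script tag above.` The file name says "report", but nothing in the hunk exercises report-uri, so the title and comment should say that the test checks only the violation event.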