Diffstat (limited to 'testing/web-platform/tests/content-security-policy/img-src')
-rw-r--r--testing/web-platform/tests/content-security-policy/img-src/icon-allowed.sub.html28
-rw-r--r--testing/web-platform/tests/content-security-policy/img-src/icon-blocked.sub.html33
-rw-r--r--testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.sub.html35
-rw-r--r--testing/web-platform/tests/content-security-policy/img-src/img-src-full-host-wildcard-blocked.sub.html20
-rw-r--r--testing/web-platform/tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub.html20
-rw-r--r--testing/web-platform/tests/content-security-policy/img-src/img-src-none-blocks.html20
-rw-r--r--testing/web-platform/tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub.html20
-rw-r--r--testing/web-platform/tests/content-security-policy/img-src/img-src-self-unique-origin.html49
-rw-r--r--testing/web-platform/tests/content-security-policy/img-src/img-src-wildcard-allowed.html40
-rw-r--r--testing/web-platform/tests/content-security-policy/img-src/report-blocked-data-uri.sub.html25
10 files changed, 290 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/img-src/icon-allowed.sub.html b/testing/web-platform/tests/content-security-policy/img-src/icon-allowed.sub.html
new file mode 100644
index 0000000000..5c8ecdee13
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/icon-allowed.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="img-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <p>Use callbacks to show that favicons are loaded as allowed by CSP when link tags are dynamically added to the page.</p>
+ <script>
+ var t = async_test("Test that image loads");
+ window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have triggered any violation events"));
+
+ function createLink(rel, src) {
+ var link = document.createElement('link');
+ link.rel = rel;
+ link.href = src;
+ link.onload = t.done();
+ link.onerror = t.unreached_func('The image should have loaded');
+ document.body.appendChild(link);
+ }
+ window.addEventListener('DOMContentLoaded', function() {
+ createLink('icon', '../support/pass.png');
+ });
+
+ </script>
+</body>
+</html>
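Review bot: `link.onload = t.done();` in createLink invokes done() immediately and assigns its undefined return value as the handler, so the test completes before the link is even appended and never observes whether the icon loaded. Assign a function instead, `link.onload = t.step_func_done();`. icon-blocked.sub.html has the mirror image of the same mistake in `link.onerror = t.done();`, which likewise finishes the test synchronously and would pass even if the icon were loaded in violation of the policy.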
diff --git a/testing/web-platform/tests/content-security-policy/img-src/icon-blocked.sub.html b/testing/web-platform/tests/content-security-policy/img-src/icon-blocked.sub.html
new file mode 100644
index 0000000000..cc882347a1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/icon-blocked.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+<p>Use callbacks to show that favicons are not loaded in violation of CSP when link tags are dynamically added to the page.</p>
+ <script>
+ var t = async_test("Test that image does not load");
+ var t_spv = async_test("Test that spv event is fired");
+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+ assert_equals(e.violatedDirective, 'img-src');
+ assert_true(e.blockedURI.endsWith('/support/fail.png'));
+ }));
+
+ function createLink(rel, src) {
+ var link = document.createElement('link');
+ link.rel = rel;
+ link.href = src;
+ link.onerror = t.done();
+ link.onload = t.unreached_func('The image should not have loaded');
+ document.head.appendChild(link);
+ }
+ window.addEventListener('DOMContentLoaded', function() {
+ createLink('icon', '../support/fail.png');
+ });
+
+ </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.sub.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.sub.html
new file mode 100644
index 0000000000..9e4e345a16
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.sub.html
@@ -0,0 +1,35 @@
+<!DOCTYPE HTML>
+<meta http-equiv="Content-Security-Policy" content="img-src 'self' {{domains[www]}}:{{ports[http][0]}}">
+<html>
+<head>
+ <title>img element src attribute must match src list.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <div id='log'/>
+
+ <script>
+ async_test(function(t) {
+ i = new Image();
+ i.onload = t.step_func_done();
+ i.onerror = t.unreached_func("The img should have loaded");
+ i.src = '/content-security-policy/support/pass.png';
+ }, "img-src for relative path should load");
+
+ async_test(function(t) {
+ i = new Image();
+ i.onload = t.unreached_func("Image from unapproved domain was loaded.");
+ i.onerror = t.step_func_done();
+ i.src = 'http://{{domains[www1]}}/content-security-policy/support/fail.png';
+ }, "img-src from unapproved domains should not load");
+
+ async_test(function(t) {
+ i = new Image();
+ i.onload = t.step_func_done();
+ i.onerror = t.unreached_func("The img should have loaded");
+ i.src = location.protocol + '//{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/pass.png';
+ }, "img-src from approved domains should load");
+ </script>
+</body>
+</html>
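Review bot: `<div id='log'/>` is not a self-closing element in HTML; the parser ignores the slash and leaves the div open, so the test script and the rest of the body end up nested inside the log container. Write it as `<div id='log'></div>`. The same construct appears in img-src-full-host-wildcard-blocked, img-src-host-partial-wildcard-allowed, img-src-none-blocks, img-src-port-wildcard-allowed and img-src-wildcard-allowed. Separately, the second test hard-codes `http://` for the unapproved-domain image while the third uses `location.protocol`; if the page were served over https the second image would be rejected as mixed content and the test would pass for a reason unrelated to img-src, so `i.src = location.protocol + '//{{domains[www1]}}/content-security-policy/support/fail.png';` would keep the cases comparable.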
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-full-host-wildcard-blocked.sub.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-full-host-wildcard-blocked.sub.html
new file mode 100644
index 0000000000..23c33d5655
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-full-host-wildcard-blocked.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<meta http-equiv="Content-Security-Policy" content="img-src *.{{host}}:{{ports[http][0]}}">
+<html>
+<head>
+ <title>img-src with full host and wildcard blocks correctly.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <div id='log'/>
+
+ <script>
+ var t1 = async_test("img src does not match full host and wildcard csp directive");
+ </script>
+ <img src='http://{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png'
+ onload='t1.step(function() { assert_unreached("Image should have loaded"); t1.done(); });'
+ onerror='t1.done();'>
+
+</body>
+</html>
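Review bot: The onload handler's message is inverted: this test expects the image to be blocked, so reaching onload means the image loaded when it should not have, and `assert_unreached("Image should have loaded")` reports the opposite of what happened. Change it to `assert_unreached("Image should not have loaded")`, matching the wording used in img-src-none-blocks.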
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub.html
new file mode 100644
index 0000000000..d2d36d1341
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<meta http-equiv="Content-Security-Policy" content="img-src *.{{host}}:{{ports[http][0]}}">
+<html>
+<head>
+ <title>img-src works correctly with partial host wildcard.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <div id='log'/>
+
+ <script>
+ var t1 = async_test("img src matches correctly partial wildcard host csp directive");
+ </script>
+ <img src='http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/pass.png'
+ onload='t1.done();'
+ onerror='t1.step(function() { assert_unreached("Image should have loaded"); t1.done(); });'>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-none-blocks.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-none-blocks.html
new file mode 100644
index 0000000000..9bc0326ef8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-none-blocks.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<meta http-equiv="Content-Security-Policy" content="img-src 'none';">
+<html>
+<head>
+ <title>img element src attribute must match src list.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <div id='log'/>
+
+ <script>
+ var t1 = async_test("img-src with 'none' source should not match");
+ </script>
+ <img src='/content-security-policy/support/fail.png'
+ onload='t1.step(function() { assert_unreached("Image should not have loaded"); t1.done(); });'
+ onerror='t1.done();'>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub.html
new file mode 100644
index 0000000000..215c10089b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<meta http-equiv="Content-Security-Policy" content="img-src http://www.{{host}}:*">
+<html>
+<head>
+ <title>img-src works correctly with port wildcard source</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <div id='log'/>
+
+ <script>
+ var t1 = async_test("img-src with wildcard port should match any port");
+ </script>
+ <img src='http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/pass.png'
+ onload='t1.done();'
+ onerror='t1.step(function() { assert_unreached("Image should have loaded."); t1.done()} );'>
+
+</body>
+</html>
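Review bot: The policy names the host as `http://www.{{host}}:*` while the image URL uses `{{domains[www]}}`; the test only demonstrates wildcard-port matching if those two substitutions expand to the same host, which nothing on the page establishes. Using `{{domains[www]}}:*` in the meta content as well would make the test independent of how the server defines the www subdomain. The `t1.done()` following `assert_unreached` in the onerror handler is dead code, since the assertion throws before it is reached.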
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-self-unique-origin.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-self-unique-origin.html
new file mode 100644
index 0000000000..dd689c02f3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-self-unique-origin.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <title>img-src-self-unique-origin</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+ <p>
+ The origin of an URL is called "unique" when it is considered to be
+ different from every origin, including itself. The origin of a
+ data-url is unique. When the current origin is unique, the CSP source
+ 'self' must not match any URL.
+ </p>
+ <script>
+ var iframe = document.createElement("iframe");
+ iframe.src = encodeURI(`data:text/html,
+ <script>
+ /* Add the CSP: frame-src: 'self'. */
+ var meta = document.createElement('meta');
+ meta.httpEquiv = 'Content-Security-Policy';
+ meta.content = "img-src 'self'";
+ document.getElementsByTagName('head')[0].appendChild(meta);
+
+ /* Notify the parent the image has been blocked. */
+ window.addEventListener('securitypolicyviolation', e => {
+ if (e.originalPolicy == "img-src 'self'")
+ window.parent.postMessage('Test PASS', '*');
+ });
+ </scr`+`ipt>
+
+ This image should be blocked by CSP:
+ <img src=''></img>
+ `);
+ if (window.async_test) {
+ async_test(t => {
+ window.addEventListener("message", e => {
+ if (e.data == "Test PASS")
+ t.done();
+ });
+ }, "Image's url must not match with 'self'. Image must be blocked.");
+ }
+ document.body.appendChild(iframe);
+ </script>
+</body>
+
+</html>
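Review bot: The comment `/* Add the CSP: frame-src: 'self'. */` inside the data: document names the wrong directive; the meta element two lines below sets `img-src 'self'`, which is also what the violation handler checks via `e.originalPolicy`. Change it to `/* Add the CSP: img-src 'self'. */`. The `</img>` end tag on the test image is not valid (img is a void element) and is silently dropped by the parser; `<img src=''>` suffices. It is worth confirming that an empty src attribute actually reaches the fetch and CSP stages in the img processing model rather than being treated as broken up front, since in the latter case no violation event would ever fire and the test would only end by harness timeout.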
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-wildcard-allowed.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-wildcard-allowed.html
new file mode 100644
index 0000000000..72326ee6fc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-wildcard-allowed.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<meta http-equiv="Content-Security-Policy" content="img-src *;">
+<html>
+<head>
+ <title>img element src attribute must match src list.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <div id='log'/>
+
+ <script>
+ var t1 = async_test("img-src with wildcard should match all");
+ </script>
+ <img src='/content-security-policy/support/pass.png'
+ onload='t1.done();'
+ onerror='t1.step(function() { assert_unreached("Image should have loaded"); t1.done(); });'>
+
+ <script>
+ async_test(function(t) {
+
+ var pngBase64 = "iVBORw0KGgoAAAANSUhEUgAAAGQAAABkCAIAAAD/gAIDAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAnklEQVR42u3QMQEAAAgDoGlyo1vBzwciUJlw1ApkyZIlS5YsBbJkyZIlS5YCWbJkyZIlS4EsWbJkyZKlQJYsWbJkyVIgS5YsWbJkKZAlS5YsWbIUyJIlS5YsWQpkyZIlS5YsBbJkyZIlS5YCWbJkyZIlS4EsWbJkyZKlQJYsWbJkyVIgS5YsWbJkKZAlS5YsWbIUyJIlS5YsWQpkyfq2MosBSIeKONMAAAAASUVORK5CYII=";
+
+ blobContents = [atob(pngBase64)];
+ blob = new Blob(blobContents, {type: "image/png"});
+ img = document.createElement("img");
+ img.onerror = function (e) {
+ t.done();
+ };
+ img.onload = function () {
+ assert_unreached("Should not load blob img");
+ t.done();
+ };
+ blobURL = window.URL.createObjectURL(blob);
+ img.src = blobURL;
+
+ },"img-src with wildcard should not match blob");
+ </script>
+</body>
+</html>
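Review bot: In the blob test the img handlers are plain functions rather than test steps, so if the image unexpectedly loads the `assert_unreached` throws outside any `t.step`: the harness records it as a global error and the `t.done()` beneath it never runs, leaving this test to hit the harness timeout instead of failing cleanly. Use `img.onload = t.unreached_func("Should not load blob img");` and `img.onerror = t.step_func_done();`. `blobContents`, `blob`, `img` and `blobURL` are also assigned without `var`, becoming implicit globals, and the object URL is never released with `URL.revokeObjectURL(blobURL)`.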
diff --git a/testing/web-platform/tests/content-security-policy/img-src/report-blocked-data-uri.sub.html b/testing/web-platform/tests/content-security-policy/img-src/report-blocked-data-uri.sub.html
new file mode 100644
index 0000000000..d7405cd255
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/report-blocked-data-uri.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <title>report-blocked-data-uri</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["violated-directive=img-src"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("violated-directive=" + e.violatedDirective);
+ });
+ </script>
+
+ <img src="">
+ <div id="log"></div>
+</body>
+
+</html>
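Review bot: The element under test is `<img src="">`, not a data: URI, so despite the file name and title the test does not exercise reporting of a blocked data-URI image; either give it a `data:image/png;base64,…` source or rename the test to describe what it checks. An empty src is also a special case in the img processing model and may be treated as broken without reaching the fetch and CSP stages, in which case `log()` is never called and the expected `violated-directive=img-src` entry is only ever missed by timeout.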