diff options
Diffstat (limited to 'testing/web-platform/tests/content-security-policy/reporting-api')
20 files changed, 335 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html new file mode 100644 index 0000000000..ffdebe0eb3 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html @@ -0,0 +1,56 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Test that reports using the report-api service are sent when there's a violation</title> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> + <meta http-equiv="content-security-policy" content="script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group"> +</head> +<body> + <script> + var t1 = async_test("Test that image does not load"); + async_test(function(t2) { + window.addEventListener("securitypolicyviolation", t2.step_func(function(e) { + assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png"); + assert_equals(e.violatedDirective, "img-src"); + t2.done(); + })); + }, "Event is fired"); + + async_test(function(t3) { + var observer = new ReportingObserver(function(reports, observer) { + t3.step(function() { + assert_equals(reports.length, 1); + + // Ensure that the contents of the report are valid. + var base_url = "{{location[scheme]}}://{{location[host]}}/content-security-policy/" + var document_url = base_url + "reporting-api/report-to-directive-allowed-in-meta.https.sub.html"; + assert_equals(reports[0].type, "csp-violation"); + assert_equals(reports[0].url, document_url); + assert_equals(reports[0].body.documentURL, document_url); + assert_equals(reports[0].body.referrer, ""); + assert_equals(reports[0].body.blockedURL, + base_url + "support/fail.png"); + assert_equals(reports[0].body.effectiveDirective, "img-src"); + assert_equals(reports[0].body.originalPolicy, + "script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group"); + assert_equals(reports[0].body.sourceFile, document_url); + assert_equals(reports[0].body.sample, ""); + assert_equals(reports[0].body.disposition, "enforce"); + assert_equals(reports[0].body.statusCode, 200); + assert_equals(reports[0].body.lineNumber, 54); + assert_equals(reports[0].body.columnNumber, 0); + }); + + t3.done(); + }); + observer.observe(); + }, "Report is observable to ReportingObserver"); + </script> + <img src='/content-security-policy/support/fail.png' + onload='t1.unreached_func("The image should not have loaded");' + onerror='t1.done();'> + + <script async defer src='../support/checkReport.sub.js?reportField=effectiveDirective&reportValue=img-src%20%27none%27'></script> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html.sub.headers new file mode 100644 index 0000000000..6f3ff61a03 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: report-to-directive-allowed-in-meta={{$id:uuid()}}; Path=/content-security-policy/reporting-api +Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}" diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html new file mode 100644 index 0000000000..cb3842854c --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html @@ -0,0 +1,20 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Test that reports using the report-api service are not sent when there's not validation</title> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> +</head> +<body> + <script> + var t1 = async_test("Test that image loads"); + window.addEventListener("securitypolicyviolation", + t1.unreached_func("Should not have triggered a violation event")); + </script> + <img src='/content-security-policy/support/pass.png' + onload='t1.done();' + onerror='t1.unreached_func("The image should have loaded");'> + + <script async defer src='../support/checkReport.sub.js?reportExists=false'></script> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html.sub.headers new file mode 100644 index 0000000000..65b5afc5c8 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html.sub.headers @@ -0,0 +1,7 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: reporting-api-doesnt-send-reports-without-violation={{$id:uuid()}}; Path=/content-security-policy/reporting-api +Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}" +Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'self'; report-to csp-group diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html new file mode 100644 index 0000000000..302025669d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html @@ -0,0 +1,25 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Test that report-only policies still work with report-to</title> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> +</head> +<body> + <script> + var t1 = async_test("Test that image does not load"); + async_test(function(t2) { + window.addEventListener("securitypolicyviolation", t2.step_func(function(e) { + assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png"); + assert_equals(e.violatedDirective, "img-src"); + t2.done(); + })); + }, "Event is fired"); + </script> + <img src='/content-security-policy/support/fail.png' + onload='t1.done();' + onerror='t1.unreached_func("The image should have loaded");'> + + <script async defer src='../support/checkReport.sub.js?reportField=effectiveDirective&reportValue=img-src%20%27none%27'></script> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.sub.headers new file mode 100644 index 0000000000..d1365ac3f7 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.sub.headers @@ -0,0 +1,7 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: reporting-api-report-only-sends-reports-on-violation={{$id:uuid()}}; Path=/content-security-policy/reporting-api +Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}" +Content-Security-Policy-Report-Only: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html new file mode 100644 index 0000000000..82f0e6e7a7 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html @@ -0,0 +1,25 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Test that report-to ignores tokens after the first one</title> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> +</head> +<body> + <script> + var t1 = async_test("Test that image does not load"); + async_test(function(t2) { + window.addEventListener("securitypolicyviolation", t2.step_func(function(e) { + assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png"); + assert_equals(e.violatedDirective, "img-src"); + t2.done(); + })); + }, "Event is fired"); + </script> + <img src='/content-security-policy/support/fail.png' + onload='t1.unreached_func("The image should not have loaded");' + onerror='t1.done();'> + <!-- The second token of the report-to directive should be ignored, since the directive only supports one token. So we should not have any reports sent to this endpoint. --> + <script async defer src='../support/checkReport.sub.js?reportExists=false'></script> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html.sub.headers new file mode 100644 index 0000000000..4de556aeef --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html.sub.headers @@ -0,0 +1,7 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: reporting-api-report-to-only-sends-reports-to-first-endpoint={{$id:uuid()}}; Path=/content-security-policy/reporting-api +Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group csp-group-2 +Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{uuid()}}", csp-group-2="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}" diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html new file mode 100644 index 0000000000..ab62f47fb4 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html @@ -0,0 +1,25 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Test that report-to overrides report-uri. This tests report-uri before report-to in the policy</title> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> +</head> +<body> + <script> + var t1 = async_test("Test that image does not load"); + async_test(function(t2) { + window.addEventListener("securitypolicyviolation", t2.step_func(function(e) { + assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png"); + assert_equals(e.violatedDirective, "img-src"); + t2.done(); + })); + }, "Event is fired"); + </script> + <img src='/content-security-policy/support/fail.png' + onload='t1.unreached_func("The image should not have loaded");' + onerror='t1.done();'> + <!-- report-to overrides the report-uri so the report goes to a different endpoint and we should not have any reports sent to this endpoint --> + <script async defer src='../support/checkReport.sub.js?reportExists=false'></script> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html.sub.headers new file mode 100644 index 0000000000..dfd3a4ed5a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html.sub.headers @@ -0,0 +1,7 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: reporting-api-report-to-overrides-report-uri-1={{$id:uuid()}}; Path=/content-security-policy/reporting-api +Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-uri "/reporting/resources/report.py?op=put&reportID={{$id}}"; report-to csp-group +Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{uuid()}}" diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html new file mode 100644 index 0000000000..eadbb54f43 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html @@ -0,0 +1,25 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Test that report-to overrides report-uri. This tests report-uri after report-to in the policy</title> <meta name=timeout content=long> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> +</head> +<body> + <script> + var t1 = async_test("Test that image does not load"); + async_test(function(t2) { + window.addEventListener("securitypolicyviolation", t2.step_func(function(e) { + assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png"); + assert_equals(e.violatedDirective, "img-src"); + t2.done(); + })); + }, "Event is fired"); + </script> + <img src='/content-security-policy/support/fail.png' + onload='t1.unreached_func("The image should not have loaded");' + onerror='t1.done();'> + <!-- report-to overrides the report-uri so the report goes to a different endpoint and we should not have any reports sent to this endpoint --> + <script async defer src='../support/checkReport.sub.js?reportExists=false'></script> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html.sub.headers new file mode 100644 index 0000000000..87dfcf8789 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html.sub.headers @@ -0,0 +1,7 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: reporting-api-report-to-overrides-report-uri-2={{$id:uuid()}}; Path=/content-security-policy/reporting-api +Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group; report-uri "/reporting/resources/report.py?op=put&reportID={{$id}}" +Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{uuid()}}" diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html new file mode 100644 index 0000000000..94f14d94e4 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html @@ -0,0 +1,55 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Test that reports using the report-api service are sent when there's a violation</title> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> +</head> +<body> + <script> + var t1 = async_test("Test that image does not load"); + async_test(function(t2) { + window.addEventListener("securitypolicyviolation", t2.step_func(function(e) { + assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png"); + assert_equals(e.violatedDirective, "img-src"); + t2.done(); + })); + }, "Event is fired"); + + async_test(function(t3) { + var observer = new ReportingObserver(function(reports, observer) { + t3.step(function() { + assert_equals(reports.length, 1); + + // Ensure that the contents of the report are valid. + var base_url = "{{location[scheme]}}://{{location[host]}}/content-security-policy/" + var document_url = base_url + "reporting-api/reporting-api-sends-reports-on-violation.https.sub.html"; + assert_equals(reports[0].type, "csp-violation"); + assert_equals(reports[0].url, document_url); + assert_equals(reports[0].body.documentURL, document_url); + assert_equals(reports[0].body.referrer, ""); + assert_equals(reports[0].body.blockedURL, + base_url + "support/fail.png"); + assert_equals(reports[0].body.effectiveDirective, "img-src"); + assert_equals(reports[0].body.originalPolicy, + "script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group"); + assert_equals(reports[0].body.sourceFile, document_url); + assert_equals(reports[0].body.sample, ""); + assert_equals(reports[0].body.disposition, "enforce"); + assert_equals(reports[0].body.statusCode, 200); + assert_equals(reports[0].body.lineNumber, 53); + assert_equals(reports[0].body.columnNumber, 0); + }); + + t3.done(); + }); + observer.observe(); + }, "Report is observable to ReportingObserver"); + </script> + <img src='/content-security-policy/support/fail.png' + onload='t1.unreached_func("The image should not have loaded");' + onerror='t1.done();'> + + <script async defer src='../support/checkReport.sub.js?reportField=effectiveDirective&reportValue=img-src%20%27none%27'></script> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html.sub.headers new file mode 100644 index 0000000000..e6e488d4aa --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html.sub.headers @@ -0,0 +1,7 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: reporting-api-sends-reports-on-violation={{$id:uuid()}}; Path=/content-security-policy/reporting-api +Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}" +Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-ancestors.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-ancestors.https.sub.html new file mode 100644 index 0000000000..672c46e1aa --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-ancestors.https.sub.html @@ -0,0 +1,17 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Test that reports using the report-api service are sent when there's a frame-ancestors violation</title> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> +</head> +<body> + <iframe src="https://{{hosts[alt][]}}:{{ports[https][0]}}/content-security-policy/reporting-api/support/non-embeddable-frame.html?id={{$id:uuid()}}"></iframe> + + <!-- Check that a report is sent to the child's reporting endpoint --> + <script async defer src='../support/checkReport.sub.js?reportField=effectiveDirective&reportValue=frame-ancestors%20%27none%27&reportID={{$id}}'></script> + + <!-- Check that no report is sent to the parent's reporting endpoint --> + <script async defer src='../support/checkReport.sub.js?reportExists=false&testName=No%20report%20to%20parent.'></script> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-ancestors.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-ancestors.https.sub.html.sub.headers new file mode 100644 index 0000000000..bf4e24e77e --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-ancestors.https.sub.html.sub.headers @@ -0,0 +1,5 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Set-Cookie: reporting-api-works-on-frame-ancestors={{$id:uuid()}}; Path=/content-security-policy/reporting-api +Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}" diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html new file mode 100644 index 0000000000..b83a05ce4b --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html @@ -0,0 +1,22 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Test that reports using the report-api service are sent when there's a violation</title> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> +</head> +<body> + <script> + async_test(function(t2) { + window.addEventListener("securitypolicyviolation", t2.step_func(function(e) { + assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.html"); + assert_equals(e.violatedDirective, "frame-src"); + t2.done(); + })); + }, "Event is fired"); + </script> + <iframe src="../support/fail.html"></iframe> + + <script async defer src='../support/checkReport.sub.js?reportField=effectiveDirective&reportValue=frame-src%20%27none%27'></script> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html.sub.headers new file mode 100644 index 0000000000..f85c8d26e4 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Set-Cookie: reporting-api-works-on-frame-src={{$id:uuid()}}; Path=/content-security-policy/reporting-api +Reporting-Endpoints: csp-group="https://{{host}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{$id}}" +Content-Security-Policy: script-src 'self' 'unsafe-inline'; frame-src 'none'; report-to csp-group diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/support/non-embeddable-frame.html b/testing/web-platform/tests/content-security-policy/reporting-api/support/non-embeddable-frame.html new file mode 100644 index 0000000000..94e1707e85 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting-api/support/non-embeddable-frame.html @@ -0,0 +1 @@ +FAIL diff --git a/testing/web-platform/tests/content-security-policy/reporting-api/support/non-embeddable-frame.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting-api/support/non-embeddable-frame.html.sub.headers new file mode 100644 index 0000000000..26d794e1d3 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting-api/support/non-embeddable-frame.html.sub.headers @@ -0,0 +1,5 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Report-To: { "group": "csp-group", "max_age": 10886400, "endpoints": [{ "url": "https://{{hosts[alt][]}}:{{ports[https][0]}}/reporting/resources/report.py?op=put&reportID={{GET[id]}}" }] } +Content-Security-Policy: frame-ancestors 'none'; report-to csp-group |