Adding upstream version 124.0.1.upstream/124.0.1

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

18 files changed, 289 insertions, 0 deletions

diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/__dir__.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/__dir__.ini
new file mode 100644
index 0000000000..7a5cbf999c
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/__dir__.ini
@@ -0,0 +1,2 @@
+implementation-status: not-implementing

+bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1553130
\ No newline at end of file
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/allow_csp_from-header.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/allow_csp_from-header.html.ini
new file mode 100644
index 0000000000..21cab9e30f
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/allow_csp_from-header.html.ini
@@ -0,0 +1,16 @@
+[allow_csp_from-header.html]
+  [Cross origin iframe with an empty Allow-CSP-From header gets blocked.]
+    expected: FAIL
+
+  [Cross origin iframe without Allow-CSP-From header gets blocked.]
+    expected: FAIL
+
+  [Iframe with improper Allow-CSP-From header gets blocked.]
+    expected: FAIL
+
+  [Star Allow-CSP-From header enforces EmbeddingCSP.]
+    expected: FAIL
+
+  [Allow-CSP-From header enforces EmbeddingCSP.]
+    expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/idlharness.window.js.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/idlharness.window.js.ini
new file mode 100644
index 0000000000..f4848f7461
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/idlharness.window.js.ini
@@ -0,0 +1,7 @@
+[idlharness.window.html]
+  [HTMLIFrameElement interface: attribute csp]
+    expected: FAIL
+
+  [HTMLIFrameElement interface: document.createElement("iframe") must inherit property "csp" with the proper type]
+    expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/iframe-csp-attribute.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/iframe-csp-attribute.html.ini
new file mode 100644
index 0000000000..6977d4fe21
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/iframe-csp-attribute.html.ini
@@ -0,0 +1,13 @@
+[iframe-csp-attribute.html]
+  [<iframe> has a 'csp' attibute which is an empty string if undefined.]
+    expected: FAIL
+
+  [<iframe>'s csp attribute is always a string.]
+    expected: FAIL
+
+  [<iframe>'s 'csp content attribute reflects the IDL attribute.]
+    expected: FAIL
+
+  [<iframe>'s IDL attribute reflects the DOM attribute.]
+    expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/required-csp-header-cascade.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/required-csp-header-cascade.html.ini
new file mode 100644
index 0000000000..e13604688a
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/required-csp-header-cascade.html.ini
@@ -0,0 +1,28 @@
+[required-csp-header-cascade.html]
+  [Test same origin: Test same policy for both iframes]
+    expected: FAIL
+
+  [Test same origin: Test more restrictive policy on second iframe]
+    expected: FAIL
+
+  [Test same origin: Test less restrictive policy on second iframe]
+    expected: FAIL
+
+  [Test same origin: Test no policy on second iframe]
+    expected: FAIL
+
+  [Test same origin: Test no policy on first iframe]
+    expected: FAIL
+
+  [Test same origin: Test invalid policy on first iframe (bad directive)]
+    expected: FAIL
+
+  [Test same origin: Test invalid policy on first iframe (report directive)]
+    expected: FAIL
+
+  [Test same origin: Test invalid policy on second iframe (bad directive)]
+    expected: FAIL
+
+  [Test same origin: Test invalid policy on second iframe (report directive)]
+    expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/required_csp-header.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/required_csp-header.html.ini
new file mode 100644
index 0000000000..b15f274358
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/required_csp-header.html.ini
@@ -0,0 +1,67 @@
+[required_csp-header.html]
+  [Test Required-CSP value on `csp` change: Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>.]
+    expected: FAIL
+
+  [Test same origin: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
+    expected: FAIL
+
+  [Test same origin redirect: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
+    expected: FAIL
+
+  [Test cross origin redirect: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
+    expected: FAIL
+
+  [Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
+    expected: FAIL
+
+  [Test Required-CSP value on `csp` change: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
+    expected: FAIL
+
+  [Test same origin: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
+    expected: FAIL
+
+  [Test same origin redirect: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
+    expected: FAIL
+
+  [Test cross origin redirect: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
+    expected: FAIL
+
+  [Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
+    expected: FAIL
+
+  [Test Required-CSP value on `csp` change: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
+    expected: FAIL
+
+  [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - gibberish csp]
+    expected: FAIL
+
+  [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name]
+    expected: FAIL
+
+  [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
+    expected: FAIL
+
+  [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - misspeled 'none']
+    expected: FAIL
+
+  [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - query values in path]
+    expected: FAIL
+
+  [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - missing semicolon]
+    expected: FAIL
+
+  [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - comma separated]
+    expected: FAIL
+
+  [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - html encoded string]
+    expected: FAIL
+
+  [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - url encoded string]
+    expected: FAIL
+
+  [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri present]
+    expected: FAIL
+
+  [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-to present]
+    expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html.ini
new file mode 100644
index 0000000000..652e50be05
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html.ini
@@ -0,0 +1,6 @@
+[subsumption_algorithm-general.html]
+  [Iframe with empty returned CSP should be blocked.]
+    expected: FAIL
+
+  [Iframe with a different CSP should be blocked.]
+    expected: FAIL
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html.ini
new file mode 100644
index 0000000000..52a0659941
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html.ini
@@ -0,0 +1,18 @@
+[subsumption_algorithm-hashes.html]
+  [Returned should not include hashes not present in required csp.]
+    expected: FAIL
+
+  [Hashes do not have to be present in returned csp but must not allow all inline behavior.]
+    expected: FAIL
+
+  [Other expressions have to be subsumed.]
+    expected: FAIL
+
+  [Required csp must allow 'sha256-abc123'.]
+    expected: FAIL
+
+  [Effective policy is properly found where 'sha256-abc123' is not subsumed.]
+    expected: FAIL
+
+  ['sha256-abc123' is not subsumed by 'sha256-abc456'.]
+    expected: FAIL
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html.ini
new file mode 100644
index 0000000000..ab926be2b7
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html.ini
@@ -0,0 +1,13 @@
+[subsumption_algorithm-host_sources-hosts.html]
+  [Host must match.]
+    expected: FAIL
+
+  [Hosts without wildcards must match.]
+    expected: FAIL
+
+  [More specific subdomain should not match.]
+    expected: FAIL
+
+  [Specified host should not match a wildcard host.]
+    expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html.ini
new file mode 100644
index 0000000000..9cccb2793a
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html.ini
@@ -0,0 +1,10 @@
+[subsumption_algorithm-host_sources-paths.html]
+  [Returned CSP must specify a path.]
+    expected: FAIL
+
+  [Empty path is not subsumed by specified paths.]
+    expected: FAIL
+
+  [That should not be true when required csp specifies a specific page.]
+    expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html.ini
new file mode 100644
index 0000000000..2e93544905
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html.ini
@@ -0,0 +1,15 @@
+[subsumption_algorithm-host_sources-ports.html]
+  [Specified ports must match.]
+    expected:
+      if debug and (os == "linux"): ["FAIL", "PASS"]
+      FAIL
+
+  [Returned CSP should be subsumed if the port is specified but is not default for a more secure scheme.]
+    expected: FAIL
+
+  [Wildcard port should not be subsumed by a default port.]
+    expected: FAIL
+
+  [Wildcard port should not be subsumed by a spcified port.]
+    expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html.ini
new file mode 100644
index 0000000000..ec4dcc0177
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html.ini
@@ -0,0 +1,13 @@
+[subsumption_algorithm-host_sources-protocols.html]
+  [`https` is more restrictive than `http`.]
+    expected: FAIL
+
+  [`http:` does not subsume other protocols.]
+    expected: FAIL
+
+  [If scheme source is present in returned csp, it must be specified in required csp too.]
+    expected: FAIL
+
+  [All scheme sources must be subsumed.]
+    expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html.ini
new file mode 100644
index 0000000000..1a05c2d95b
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html.ini
@@ -0,0 +1,26 @@
+[subsumption_algorithm-none.html]
+  [Required policy that allows `none` does not subsume empty list of policies.]
+    expected:
+      if (os == "linux") and debug: ["FAIL", "PASS"]
+      FAIL
+
+  [Required csp with effective `none` does not subsume a host source expression.]
+    expected:
+      if debug: ["FAIL", "PASS"]
+      FAIL
+
+  [Required csp with `none` does not subsume a host source expression.]
+    expected: FAIL
+
+  [Required csp with effective `none` does not subsume `none` of another directive.]
+    expected: FAIL
+
+  [Required csp with `none` does not subsume `none` of another directive.]
+    expected: FAIL
+
+  [Required csp with `none` does not subsume `none` of different directives.]
+    expected: FAIL
+
+  [Both required and returned csp are `none` for only one directive.]
+    expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html.ini
new file mode 100644
index 0000000000..1fce751c20
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html.ini
@@ -0,0 +1,7 @@
+[subsumption_algorithm-self.html]
+  [Returned CSP must not allow 'self' if required CSP does not.]
+    expected: FAIL
+
+  [Returned 'self' should not be subsumed by a more secure version of origin's url.]
+    expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html.ini
new file mode 100644
index 0000000000..acf6b7f871
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html.ini
@@ -0,0 +1,4 @@
+[subsumption_algorithm-strict_dynamic.html]
+  ['strict-dynamic' has to be allowed by required csp if it is present in returned csp.]
+    expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html.ini
new file mode 100644
index 0000000000..4332f29925
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html.ini
@@ -0,0 +1,15 @@
+[subsumption_algorithm-unsafe_eval.html]
+  [No other keyword has the same effect as 'unsafe-eval'.]
+    expected: FAIL
+
+  [Other expressions have to be subsumed.]
+    expected:
+      if (os == "linux") and debug and not fission: ["FAIL", "PASS"]
+      FAIL
+
+  [Required csp must allow 'unsafe-eval'.]
+    expected: FAIL
+
+  [Effective policy is properly found where 'unsafe-eval' is not subsumed.]
+    expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html.ini
new file mode 100644
index 0000000000..11d72acb84
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html.ini
@@ -0,0 +1,13 @@
+[subsumption_algorithm-unsafe_hashes.html]
+  [No other keyword has the same effect as 'unsafe-hashes'.]
+    expected: FAIL
+
+  [Other expressions have to be subsumed.]
+    expected: FAIL
+
+  [Required csp must allow 'unsafe-hashes'.]
+    expected: FAIL
+
+  [Effective policy is properly found where 'unsafe-hashes' is not subsumed.]
+    expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html.ini
new file mode 100644
index 0000000000..e99202a430
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html.ini
@@ -0,0 +1,16 @@
+[subsumption_algorithm-unsafe_inline.html]
+  [Required csp allows `strict-dynamic`, but retuned csp does.]
+    expected: FAIL
+
+  [Required csp does not allow `unsafe-inline`, but retuned csp does.]
+    expected: FAIL
+
+  [Effective returned csp allows 'unsafe-inline']
+    expected: FAIL
+
+  [Returned csp allows a nonce.]
+    expected: FAIL
+
+  [Returned csp allows a hash.]
+    expected: FAIL
+