summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/content-security-policy/generic
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-12 05:35:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-12 05:35:29 +0000
commit59203c63bb777a3bacec32fb8830fba33540e809 (patch)
tree58298e711c0ff0575818c30485b44a2f21bf28a0 /testing/web-platform/tests/content-security-policy/generic
parentAdding upstream version 126.0.1. (diff)
downloadfirefox-59203c63bb777a3bacec32fb8830fba33540e809.tar.xz
firefox-59203c63bb777a3bacec32fb8830fba33540e809.zip
Adding upstream version 127.0.upstream/127.0
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/content-security-policy/generic')
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/case-insensitive-scheme.sub.html51
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/wildcard-host-part.sub.window.js27
2 files changed, 78 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/generic/case-insensitive-scheme.sub.html b/testing/web-platform/tests/content-security-policy/generic/case-insensitive-scheme.sub.html
new file mode 100644
index 0000000000..7225cd359f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/case-insensitive-scheme.sub.html
@@ -0,0 +1,51 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <script>
+ let tests = [
+ {
+ "csp": "img-src http://{{host}}:{{ports[http][0]}}/",
+ "name": "Lowercase `http` should allow the image to load.",
+ },
+ {
+ "csp": "img-src HtTp://{{host}}:{{ports[http][0]}}/",
+ "name": "Mixed-case `http` should allow the image to load.",
+ },
+ {
+ "csp": "img-src HTTP://{{host}}:{{ports[http][0]}}/",
+ "name": "Uppercase `http` should allow the image to load.",
+ },
+ ];
+
+ tests.forEach(test => {
+ async_test(t => {
+ let url = "support/load_img_and_post_result_meta.sub.html?csp="
+ + encodeURIComponent(test.csp);
+ test_image_loads_as_expected(test, t, url);
+ }, test.name + " - meta tag");
+
+ async_test(t => {
+ let url = "support/load_img_and_post_result_header.html?csp="
+ + encodeURIComponent(test.csp);
+ test_image_loads_as_expected(test, t, url);
+ }, test.name + " - HTTP header");
+ });
+
+ function test_image_loads_as_expected(test, t, url) {
+ let i = document.createElement('iframe');
+ i.src = url;
+ window.addEventListener('message', t.step_func(function(e) {
+ if (e.source != i.contentWindow) return;
+ assert_equals(e.data, "img loaded");
+ t.done();
+ }));
+ document.body.appendChild(i);
+ }
+ </script>
+</body>
+</html>
+
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcard-host-part.sub.window.js b/testing/web-platform/tests/content-security-policy/generic/wildcard-host-part.sub.window.js
new file mode 100644
index 0000000000..d210cc6670
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcard-host-part.sub.window.js
@@ -0,0 +1,27 @@
+setup(_ => {
+ const meta = document.createElement("meta");
+ meta.httpEquiv = "content-security-policy";
+ meta.content = "img-src http://*:{{ports[http][0]}}";
+ document.head.appendChild(meta);
+});
+
+async_test((t) => {
+ const img = document.createElement("img");
+ img.onerror = t.step_func_done();
+ img.onload = t.unreached_func("`data:` image should have been blocked.");
+ img.src = ""
+}, "Host wildcard doesn't affect scheme matching.");
+
+async_test((t) => {
+ const img = document.createElement("img");
+ img.onload = t.step_func_done();
+ img.onerror = t.unreached_func("Image from www2 host should have loaded.");
+ img.src = "http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/pass.png";
+}, "Host wildcard allows arbitrary hosts (www1).");
+
+async_test((t) => {
+ const img = document.createElement("img");
+ img.onload = t.step_func_done();
+ img.onerror = t.unreached_func("Image from www2 host should have loaded.");
+ img.src = "http://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/pass.png";
+}, "Host wildcard allows arbitrary hosts (www2).");