Diffstat (limited to 'testing/web-platform/tests/content-security-policy')
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html2
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html2
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html2
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html2
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-sandbox-same-origin-self.html2
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/case-insensitive-scheme.sub.html51
-rw-r--r--testing/web-platform/tests/content-security-policy/generic/wildcard-host-part.sub.window.js27
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html13
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.headers2
9 files changed, 96 insertions, 7 deletions
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html
index 85b7f0efdc..eb7cbef866 100644
--- a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html
@@ -7,7 +7,7 @@
</head>
<body>
<script>
- test = async_test("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.");
+ test = async_test("A 'frame-ancestors' CSP directive with a value 'self' should block render in same-origin nested frames.");
testNestedIFrame("'self'", CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
</script>
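Review bot: The corrected description still names the wrong frame configuration: this file nests CROSS_ORIGIN in CROSS_ORIGIN in its `testNestedIFrame` call, yet the string says "same-origin nested frames". The same copied description is used in frame-ancestors-nested-cross-in-same-self-block.html and frame-ancestors-nested-same-in-cross-self-block.html, and in frame-ancestors-nested-same-in-same-self-allow.html it says "should block" while that call expects EXPECT_LOAD. Suggested wording for this file: `test = async_test("A 'frame-ancestors' CSP directive with a value 'self' should block render in cross-origin nested frames.");`, with the mixed files naming their own inner/outer origins and the allow case reading `... should allow render in same-origin nested frames.`.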
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html
index da97339711..8f9d94e7d6 100644
--- a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html
@@ -7,7 +7,7 @@
</head>
<body>
<script>
- test = async_test("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.");
+ test = async_test("A 'frame-ancestors' CSP directive with a value 'self' should block render in same-origin nested frames.");
testNestedIFrame("'self'", SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
</script>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html
index bae5992e86..f9d32eb3ed 100644
--- a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html
@@ -7,7 +7,7 @@
</head>
<body>
<script>
- test = async_test("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.");
+ test = async_test("A 'frame-ancestors' CSP directive with a value 'self' should block render in same-origin nested frames.");
testNestedIFrame("'self'", CROSS_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
</script>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html
index 747c563696..a4271dfd92 100644
--- a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html
@@ -7,7 +7,7 @@
</head>
<body>
<script>
- test = async_test("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.");
+ test = async_test("A 'frame-ancestors' CSP directive with a value 'self' should block render in same-origin nested frames.");
testNestedIFrame("'self'", SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD);
</script>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-sandbox-same-origin-self.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-sandbox-same-origin-self.html
index 4a2a19698d..825f9a8ae3 100644
--- a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-sandbox-same-origin-self.html
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-sandbox-same-origin-self.html
@@ -11,7 +11,7 @@
"should compare the child URL (self) against each parent's origin's URL" +
" rather then URL. When the ancestors are sandboxed, they never match.");
- testNestedSandboxedIFrame('self', SAME_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
+ testNestedSandboxedIFrame("'self'", SAME_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
</script>
</body>
</html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/case-insensitive-scheme.sub.html b/testing/web-platform/tests/content-security-policy/generic/case-insensitive-scheme.sub.html
new file mode 100644
index 0000000000..7225cd359f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/case-insensitive-scheme.sub.html
@@ -0,0 +1,51 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <script>
+ let tests = [
+ {
+ "csp": "img-src http://{{host}}:{{ports[http][0]}}/",
+ "name": "Lowercase `http` should allow the image to load.",
+ },
+ {
+ "csp": "img-src HtTp://{{host}}:{{ports[http][0]}}/",
+ "name": "Mixed-case `http` should allow the image to load.",
+ },
+ {
+ "csp": "img-src HTTP://{{host}}:{{ports[http][0]}}/",
+ "name": "Uppercase `http` should allow the image to load.",
+ },
+ ];
+
+ tests.forEach(test => {
+ async_test(t => {
+ let url = "support/load_img_and_post_result_meta.sub.html?csp="
+ + encodeURIComponent(test.csp);
+ test_image_loads_as_expected(test, t, url);
+ }, test.name + " - meta tag");
+
+ async_test(t => {
+ let url = "support/load_img_and_post_result_header.html?csp="
+ + encodeURIComponent(test.csp);
+ test_image_loads_as_expected(test, t, url);
+ }, test.name + " - HTTP header");
+ });
+
+ function test_image_loads_as_expected(test, t, url) {
+ let i = document.createElement('iframe');
+ i.src = url;
+ window.addEventListener('message', t.step_func(function(e) {
+ if (e.source != i.contentWindow) return;
+ assert_equals(e.data, "img loaded");
+ t.done();
+ }));
+ document.body.appendChild(i);
+ }
+ </script>
+</body>
+</html>
+
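Review bot: The loop parameter in `tests.forEach(test => { ... })` shadows testharness.js's global `test()` inside the callback, and `test_image_loads_as_expected` reuses the same name for its first parameter; renaming both to `tc` (`tc.csp`, `tc.name`) keeps the harness API unambiguous. The `message` listener added to `window` in `test_image_loads_as_expected` is never removed after `t.done()`, so each earlier test's `step_func` stays attached and is invoked for every later iframe message (harmless here because of the `e.source` check, but `t.add_cleanup(() => window.removeEventListener('message', handler))` keeps the listeners bounded). The new file also has no `<title>`, and the hunk adds a trailing blank line at end of file.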
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcard-host-part.sub.window.js b/testing/web-platform/tests/content-security-policy/generic/wildcard-host-part.sub.window.js
new file mode 100644
index 0000000000..d210cc6670
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcard-host-part.sub.window.js
@@ -0,0 +1,27 @@
+setup(_ => {
+ const meta = document.createElement("meta");
+ meta.httpEquiv = "content-security-policy";
+ meta.content = "img-src http://*:{{ports[http][0]}}";
+ document.head.appendChild(meta);
+});
+
+async_test((t) => {
+ const img = document.createElement("img");
+ img.onerror = t.step_func_done();
+ img.onload = t.unreached_func("`data:` image should have been blocked.");
+ img.src = ""
+}, "Host wildcard doesn't affect scheme matching.");
+
+async_test((t) => {
+ const img = document.createElement("img");
+ img.onload = t.step_func_done();
+ img.onerror = t.unreached_func("Image from www2 host should have loaded.");
+ img.src = "http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/pass.png";
+}, "Host wildcard allows arbitrary hosts (www1).");
+
+async_test((t) => {
+ const img = document.createElement("img");
+ img.onload = t.step_func_done();
+ img.onerror = t.unreached_func("Image from www2 host should have loaded.");
+ img.src = "http://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/pass.png";
+}, "Host wildcard allows arbitrary hosts (www2).");
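Review bot: The first `async_test` sets `img.src = ""` (also missing its semicolon) while the test name and the `unreached_func` message claim a `data:` image should be blocked; an empty `src` makes the image fail without any fetch, so `onerror` fires whether or not the policy blocks `data:`, and the scheme-matching claim is never exercised. It needs an actual data: URL, e.g. `img.src = "data:image/gif;base64,<BASE64_GIF_PLACEHOLDER>";`. The `unreached_func` message in the www1 test says "Image from www2 host should have loaded.", a copy-paste slip; `"Image from www1 host should have loaded."` matches that test's name.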
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html
index e4ce1e5944..02c5c9642b 100644
--- a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html
@@ -6,7 +6,7 @@
<script src='/resources/testharness.js' nonce='dummy'></script>
<script src='/resources/testharnessreport.js' nonce='dummy'></script>
- <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' 'sha256-yU6Q7nD1TCBB9JvY06iIJ8ONLOPU4g8ml5JCDgXkv+M=' 'sha256-EEoi70frWHkGFhK51NVIJkXpq72aPxSCNZEow37ZmRA=' -->
+ <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' 'sha256-yU6Q7nD1TCBB9JvY06iIJ8ONLOPU4g8ml5JCDgXkv+M=' 'sha256-EEoi70frWHkGFhK51NVIJkXpq72aPxSCNZEow37ZmRA=' 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' -->
</head>
<body>
@@ -47,6 +47,17 @@
document.body.appendChild(e);
}, 'Script injected via `appendChild` from a script matching SHA256 hash is allowed with `strict-dynamic`.');
</script>
+
+ <script nonce='dummy'>
+ var externalRan = false;
+ </script>
+ <script src='./externalScript.js'
+ integrity="sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0="></script>
+ <script nonce='dummy'>
+ test(function(t) {
+ assert_true(externalRan);
+ }, "External script in a script tag with matching SRI hash is allowed with `strict-dynamic`.");
+ </script>
</body>
</html>
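Review bot: The added check only covers the positive case: `assert_true(externalRan)` shows the external script with the matching `integrity` ran, but nothing demonstrates that the hash source is what allowed it rather than some other path through the policy. A companion external `<script>` with a non-matching (or absent) `integrity` value, with `onload`/`onerror` handlers feeding a `test()` that asserts it was blocked, would pin the SRI-hash matching behaviour the test name claims. Minor style points in the same hunk: `integrity="..."` uses double quotes while the surrounding attributes use single quotes, and the `t` parameter in `test(function(t) { ... })` is unused.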
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.headers
index 0d824d8b0e..4d3d904c68 100644
--- a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.headers
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.headers
@@ -2,4 +2,4 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0, false
Pragma: no-cache
-Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' 'sha256-yU6Q7nD1TCBB9JvY06iIJ8ONLOPU4g8ml5JCDgXkv+M=' 'sha256-EEoi70frWHkGFhK51NVIJkXpq72aPxSCNZEow37ZmRA='
+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' 'sha256-yU6Q7nD1TCBB9JvY06iIJ8ONLOPU4g8ml5JCDgXkv+M=' 'sha256-EEoi70frWHkGFhK51NVIJkXpq72aPxSCNZEow37ZmRA=' 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0='