From 59203c63bb777a3bacec32fb8830fba33540e809 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Wed, 12 Jun 2024 07:35:29 +0200
Subject: Adding upstream version 127.0.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 ...ancestors-nested-cross-in-cross-self-block.html |  2 +-
 ...-ancestors-nested-cross-in-same-self-block.html |  2 +-
 ...-ancestors-nested-same-in-cross-self-block.html |  2 +-
 ...e-ancestors-nested-same-in-same-self-allow.html |  2 +-
 .../frame-ancestors-sandbox-same-origin-self.html  |  2 +-
 .../generic/case-insensitive-scheme.sub.html       | 51 ++++++++++++++++++++++
 .../generic/wildcard-host-part.sub.window.js       | 27 ++++++++++++
 .../script-src-strict_dynamic_hashes.html          | 13 +++++-
 .../script-src-strict_dynamic_hashes.html.headers  |  2 +-
 9 files changed, 96 insertions(+), 7 deletions(-)
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/case-insensitive-scheme.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/generic/wildcard-host-part.sub.window.js

(limited to 'testing/web-platform/tests/content-security-policy')

diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html
index 85b7f0efdc..eb7cbef866 100644
--- a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html
@@ -7,7 +7,7 @@
 </head>
 <body>
     <script>
-        test = async_test("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.");
+        test = async_test("A 'frame-ancestors' CSP directive with a value 'self' should block render in same-origin nested frames.");
 
         testNestedIFrame("'self'", CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
     </script>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html
index da97339711..8f9d94e7d6 100644
--- a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html
@@ -7,7 +7,7 @@
 </head>
 <body>
     <script>
-        test = async_test("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.");
+        test = async_test("A 'frame-ancestors' CSP directive with a value 'self' should block render in same-origin nested frames.");
 
         testNestedIFrame("'self'", SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
     </script>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html
index bae5992e86..f9d32eb3ed 100644
--- a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html
@@ -7,7 +7,7 @@
 </head>
 <body>
     <script>
-        test = async_test("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.");
+        test = async_test("A 'frame-ancestors' CSP directive with a value 'self' should block render in same-origin nested frames.");
 
         testNestedIFrame("'self'", CROSS_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
     </script>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html
index 747c563696..a4271dfd92 100644
--- a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html
@@ -7,7 +7,7 @@
 </head>
 <body>
     <script>
-        test = async_test("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.");
+        test = async_test("A 'frame-ancestors' CSP directive with a value 'self' should block render in same-origin nested frames.");
 
         testNestedIFrame("'self'", SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD);
     </script>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-sandbox-same-origin-self.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-sandbox-same-origin-self.html
index 4a2a19698d..825f9a8ae3 100644
--- a/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-sandbox-same-origin-self.html
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/frame-ancestors-sandbox-same-origin-self.html
@@ -11,7 +11,7 @@
       "should compare the child URL (self) against each parent's origin's URL" +
       " rather then URL. When the ancestors are sandboxed, they never match.");
 
-    testNestedSandboxedIFrame('self', SAME_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
+    testNestedSandboxedIFrame("'self'", SAME_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
   </script>
 </body>
 </html>
diff --git a/testing/web-platform/tests/content-security-policy/generic/case-insensitive-scheme.sub.html b/testing/web-platform/tests/content-security-policy/generic/case-insensitive-scheme.sub.html
new file mode 100644
index 0000000000..7225cd359f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/case-insensitive-scheme.sub.html
@@ -0,0 +1,51 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script>
+    let tests = [
+      {
+        "csp": "img-src http://{{host}}:{{ports[http][0]}}/",
+        "name": "Lowercase `http` should allow the image to load.",
+      },
+      {
+        "csp": "img-src HtTp://{{host}}:{{ports[http][0]}}/",
+        "name": "Mixed-case `http` should allow the image to load.",
+      },
+      {
+        "csp": "img-src HTTP://{{host}}:{{ports[http][0]}}/",
+        "name": "Uppercase `http` should allow the image to load.",
+      },
+    ];
+
+    tests.forEach(test => {
+      async_test(t => {
+        let url = "support/load_img_and_post_result_meta.sub.html?csp="
+            + encodeURIComponent(test.csp);
+        test_image_loads_as_expected(test, t, url);
+      }, test.name + " - meta tag");
+
+      async_test(t => {
+        let url = "support/load_img_and_post_result_header.html?csp="
+            + encodeURIComponent(test.csp);
+        test_image_loads_as_expected(test, t, url);
+      }, test.name + " - HTTP header");
+    });
+
+    function test_image_loads_as_expected(test, t, url) {
+      let i = document.createElement('iframe');
+      i.src = url;
+      window.addEventListener('message', t.step_func(function(e) {
+        if (e.source != i.contentWindow) return;
+        assert_equals(e.data, "img loaded");
+        t.done();
+      }));
+      document.body.appendChild(i);
+    }
+  </script>
+</body>
+</html>
+
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcard-host-part.sub.window.js b/testing/web-platform/tests/content-security-policy/generic/wildcard-host-part.sub.window.js
new file mode 100644
index 0000000000..d210cc6670
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcard-host-part.sub.window.js
@@ -0,0 +1,27 @@
+setup(_ => {
+  const meta = document.createElement("meta");
+  meta.httpEquiv = "content-security-policy";
+  meta.content = "img-src http://*:{{ports[http][0]}}";
+  document.head.appendChild(meta);
+});
+
+async_test((t) => {
+  const img = document.createElement("img");
+  img.onerror = t.step_func_done();
+  img.onload = t.unreached_func("`data:` image should have been blocked.");
+  img.src = "data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="
+}, "Host wildcard doesn't affect scheme matching.");
+
+async_test((t) => {
+  const img = document.createElement("img");
+  img.onload = t.step_func_done();
+  img.onerror = t.unreached_func("Image from www2 host should have loaded.");
+  img.src = "http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/pass.png";
+}, "Host wildcard allows arbitrary hosts (www1).");
+
+async_test((t) => {
+  const img = document.createElement("img");
+  img.onload = t.step_func_done();
+  img.onerror = t.unreached_func("Image from www2 host should have loaded.");
+  img.src = "http://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/pass.png";
+}, "Host wildcard allows arbitrary hosts (www2).");
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html
index e4ce1e5944..02c5c9642b 100644
--- a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html
@@ -6,7 +6,7 @@
     <script src='/resources/testharness.js' nonce='dummy'></script>
     <script src='/resources/testharnessreport.js' nonce='dummy'></script>
 
-    <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' 'sha256-yU6Q7nD1TCBB9JvY06iIJ8ONLOPU4g8ml5JCDgXkv+M=' 'sha256-EEoi70frWHkGFhK51NVIJkXpq72aPxSCNZEow37ZmRA=' -->
+    <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' 'sha256-yU6Q7nD1TCBB9JvY06iIJ8ONLOPU4g8ml5JCDgXkv+M=' 'sha256-EEoi70frWHkGFhK51NVIJkXpq72aPxSCNZEow37ZmRA=' 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' -->
 </head>
 
 <body>
@@ -47,6 +47,17 @@
             document.body.appendChild(e);
         }, 'Script injected via `appendChild` from a script matching SHA256 hash is allowed with `strict-dynamic`.');
     </script>
+
+    <script nonce='dummy'>
+        var externalRan = false;
+    </script>
+    <script src='./externalScript.js'
+        integrity="sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0="></script>
+    <script nonce='dummy'>
+        test(function(t) {
+            assert_true(externalRan);
+        }, "External script in a script tag with matching SRI hash is allowed with `strict-dynamic`.");
+    </script>
 </body>
 
 </html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.headers
index 0d824d8b0e..4d3d904c68 100644
--- a/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.headers
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.headers
@@ -2,4 +2,4 @@ Expires: Mon, 26 Jul 1997 05:00:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate
 Cache-Control: post-check=0, pre-check=0, false
 Pragma: no-cache
-Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' 'sha256-yU6Q7nD1TCBB9JvY06iIJ8ONLOPU4g8ml5JCDgXkv+M=' 'sha256-EEoi70frWHkGFhK51NVIJkXpq72aPxSCNZEow37ZmRA='
+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' 'sha256-yU6Q7nD1TCBB9JvY06iIJ8ONLOPU4g8ml5JCDgXkv+M=' 'sha256-EEoi70frWHkGFhK51NVIJkXpq72aPxSCNZEow37ZmRA=' 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0='
-- 
cgit v1.2.3