authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
commit36d22d82aa202bb199967e9512281e9a53db42c9 (patch)
tree105e8c98ddea1c1e4784a60a5a6410fa416be2de /testing/web-platform/meta/content-security-policy/embedded-enforcement
parentInitial commit. (diff)
Adding upstream version 115.7.0esr.upstream/115.7.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/meta/content-security-policy/embedded-enforcement')
-rw-r--r--testing/web-platform/meta/content-security-policy/embedded-enforcement/__dir__.ini2
-rw-r--r--testing/web-platform/meta/content-security-policy/embedded-enforcement/allow_csp_from-header.html.ini16
-rw-r--r--testing/web-platform/meta/content-security-policy/embedded-enforcement/idlharness.window.js.ini7
-rw-r--r--testing/web-platform/meta/content-security-policy/embedded-enforcement/iframe-csp-attribute.html.ini13
-rw-r--r--testing/web-platform/meta/content-security-policy/embedded-enforcement/required-csp-header-cascade.html.ini28
-rw-r--r--testing/web-platform/meta/content-security-policy/embedded-enforcement/required_csp-header.html.ini67
-rw-r--r--testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html.ini6
-rw-r--r--testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html.ini18
-rw-r--r--testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html.ini13
-rw-r--r--testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html.ini10
-rw-r--r--testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html.ini15
-rw-r--r--testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html.ini13
-rw-r--r--testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html.ini26
-rw-r--r--testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html.ini7
-rw-r--r--testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html.ini4
-rw-r--r--testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html.ini15
-rw-r--r--testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html.ini13
-rw-r--r--testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html.ini16
18 files changed, 289 insertions, 0 deletions
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/__dir__.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/__dir__.ini
new file mode 100644
index 0000000000..7a5cbf999c
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/__dir__.ini
@@ -0,0 +1,2 @@
+implementation-status: not-implementing
+bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1553130
\ No newline at end of file
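Review bot: The new `__dir__.ini` is written without a trailing newline (the `\ No newline at end of file` marker on its last line), so the next edit to this two-line file will show a spurious change on the `bug:` line; end the file with `bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1553130` followed by a newline. Since `implementation-status: not-implementing` applies to the whole directory, the per-test `expected: FAIL` entries in the other seventeen files of this commit all carry the same meaning, but nothing in those files says so. A one-line comment above the status line, such as `# CSP Embedded Enforcement (Sec-Required-CSP, Allow-CSP-From, the iframe csp attribute) is not implemented; retire this directory's FAIL expectations when bug 1553130 lands`, would tell the next maintainer that the expectations are deliberate rather than regressions.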
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/allow_csp_from-header.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/allow_csp_from-header.html.ini
new file mode 100644
index 0000000000..21cab9e30f
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/allow_csp_from-header.html.ini
@@ -0,0 +1,16 @@
+[allow_csp_from-header.html]
+ [Cross origin iframe with an empty Allow-CSP-From header gets blocked.]
+ expected: FAIL
+
+ [Cross origin iframe without Allow-CSP-From header gets blocked.]
+ expected: FAIL
+
+ [Iframe with improper Allow-CSP-From header gets blocked.]
+ expected: FAIL
+
+ [Star Allow-CSP-From header enforces EmbeddingCSP.]
+ expected: FAIL
+
+ [Allow-CSP-From header enforces EmbeddingCSP.]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/idlharness.window.js.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/idlharness.window.js.ini
new file mode 100644
index 0000000000..f4848f7461
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/idlharness.window.js.ini
@@ -0,0 +1,7 @@
+[idlharness.window.html]
+ [HTMLIFrameElement interface: attribute csp]
+ expected: FAIL
+
+ [HTMLIFrameElement interface: document.createElement("iframe") must inherit property "csp" with the proper type]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/iframe-csp-attribute.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/iframe-csp-attribute.html.ini
new file mode 100644
index 0000000000..6977d4fe21
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/iframe-csp-attribute.html.ini
@@ -0,0 +1,13 @@
+[iframe-csp-attribute.html]
+ [<iframe> has a 'csp' attibute which is an empty string if undefined.]
+ expected: FAIL
+
+ [<iframe>'s csp attribute is always a string.]
+ expected: FAIL
+
+ [<iframe>'s 'csp content attribute reflects the IDL attribute.]
+ expected: FAIL
+
+ [<iframe>'s IDL attribute reflects the DOM attribute.]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/required-csp-header-cascade.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/required-csp-header-cascade.html.ini
new file mode 100644
index 0000000000..e13604688a
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/required-csp-header-cascade.html.ini
@@ -0,0 +1,28 @@
+[required-csp-header-cascade.html]
+ [Test same origin: Test same policy for both iframes]
+ expected: FAIL
+
+ [Test same origin: Test more restrictive policy on second iframe]
+ expected: FAIL
+
+ [Test same origin: Test less restrictive policy on second iframe]
+ expected: FAIL
+
+ [Test same origin: Test no policy on second iframe]
+ expected: FAIL
+
+ [Test same origin: Test no policy on first iframe]
+ expected: FAIL
+
+ [Test same origin: Test invalid policy on first iframe (bad directive)]
+ expected: FAIL
+
+ [Test same origin: Test invalid policy on first iframe (report directive)]
+ expected: FAIL
+
+ [Test same origin: Test invalid policy on second iframe (bad directive)]
+ expected: FAIL
+
+ [Test same origin: Test invalid policy on second iframe (report directive)]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/required_csp-header.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/required_csp-header.html.ini
new file mode 100644
index 0000000000..b15f274358
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/required_csp-header.html.ini
@@ -0,0 +1,67 @@
+[required_csp-header.html]
+ [Test Required-CSP value on `csp` change: Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>.]
+ expected: FAIL
+
+ [Test same origin: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
+ expected: FAIL
+
+ [Test same origin redirect: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
+ expected: FAIL
+
+ [Test cross origin redirect: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
+ expected: FAIL
+
+ [Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
+ expected: FAIL
+
+ [Test same origin: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
+ expected: FAIL
+
+ [Test same origin redirect: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
+ expected: FAIL
+
+ [Test cross origin redirect: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
+ expected: FAIL
+
+ [Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - gibberish csp]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - misspeled 'none']
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - query values in path]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - missing semicolon]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - comma separated]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - html encoded string]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - url encoded string]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri present]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-to present]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html.ini
new file mode 100644
index 0000000000..652e50be05
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html.ini
@@ -0,0 +1,6 @@
+[subsumption_algorithm-general.html]
+ [Iframe with empty returned CSP should be blocked.]
+ expected: FAIL
+
+ [Iframe with a different CSP should be blocked.]
+ expected: FAIL
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html.ini
new file mode 100644
index 0000000000..52a0659941
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html.ini
@@ -0,0 +1,18 @@
+[subsumption_algorithm-hashes.html]
+ [Returned should not include hashes not present in required csp.]
+ expected: FAIL
+
+ [Hashes do not have to be present in returned csp but must not allow all inline behavior.]
+ expected: FAIL
+
+ [Other expressions have to be subsumed.]
+ expected: FAIL
+
+ [Required csp must allow 'sha256-abc123'.]
+ expected: FAIL
+
+ [Effective policy is properly found where 'sha256-abc123' is not subsumed.]
+ expected: FAIL
+
+ ['sha256-abc123' is not subsumed by 'sha256-abc456'.]
+ expected: FAIL
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html.ini
new file mode 100644
index 0000000000..ab926be2b7
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html.ini
@@ -0,0 +1,13 @@
+[subsumption_algorithm-host_sources-hosts.html]
+ [Host must match.]
+ expected: FAIL
+
+ [Hosts without wildcards must match.]
+ expected: FAIL
+
+ [More specific subdomain should not match.]
+ expected: FAIL
+
+ [Specified host should not match a wildcard host.]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html.ini
new file mode 100644
index 0000000000..9cccb2793a
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html.ini
@@ -0,0 +1,10 @@
+[subsumption_algorithm-host_sources-paths.html]
+ [Returned CSP must specify a path.]
+ expected: FAIL
+
+ [Empty path is not subsumed by specified paths.]
+ expected: FAIL
+
+ [That should not be true when required csp specifies a specific page.]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html.ini
new file mode 100644
index 0000000000..2e93544905
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html.ini
@@ -0,0 +1,15 @@
+[subsumption_algorithm-host_sources-ports.html]
+ [Specified ports must match.]
+ expected:
+ if debug and (os == "linux"): ["FAIL", "PASS"]
+ FAIL
+
+ [Returned CSP should be subsumed if the port is specified but is not default for a more secure scheme.]
+ expected: FAIL
+
+ [Wildcard port should not be subsumed by a default port.]
+ expected: FAIL
+
+ [Wildcard port should not be subsumed by a spcified port.]
+ expected: FAIL
+
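Review bot: The conditional expectation on the `Specified ports must match.` entry admits `["FAIL", "PASS"]` on Linux debug builds for a test in a directory marked not-implementing, so a PASS there is tolerated without any record of why it occurs. The same shape recurs in subsumption_algorithm-none.html.ini (`if (os == "linux") and debug` and `if debug`) and subsumption_algorithm-unsafe_eval.html.ini (`if (os == "linux") and debug and not fission`); presumably these are intermittents rather than partial support, but the files do not say. A short comment above each conditional, e.g. `# intermittent PASS on debug builds, tracked in <bug-id placeholder>`, would keep the intermittent from being mistaken for the feature starting to work. As a point of style, the condition here is written `if debug and (os == "linux")` while the none.html.ini entry writes `if (os == "linux") and debug`; using one ordering throughout makes these expectations easier to grep and compare.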
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html.ini
new file mode 100644
index 0000000000..ec4dcc0177
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html.ini
@@ -0,0 +1,13 @@
+[subsumption_algorithm-host_sources-protocols.html]
+ [`https` is more restrictive than `http`.]
+ expected: FAIL
+
+ [`http:` does not subsume other protocols.]
+ expected: FAIL
+
+ [If scheme source is present in returned csp, it must be specified in required csp too.]
+ expected: FAIL
+
+ [All scheme sources must be subsumed.]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html.ini
new file mode 100644
index 0000000000..1a05c2d95b
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html.ini
@@ -0,0 +1,26 @@
+[subsumption_algorithm-none.html]
+ [Required policy that allows `none` does not subsume empty list of policies.]
+ expected:
+ if (os == "linux") and debug: ["FAIL", "PASS"]
+ FAIL
+
+ [Required csp with effective `none` does not subsume a host source expression.]
+ expected:
+ if debug: ["FAIL", "PASS"]
+ FAIL
+
+ [Required csp with `none` does not subsume a host source expression.]
+ expected: FAIL
+
+ [Required csp with effective `none` does not subsume `none` of another directive.]
+ expected: FAIL
+
+ [Required csp with `none` does not subsume `none` of another directive.]
+ expected: FAIL
+
+ [Required csp with `none` does not subsume `none` of different directives.]
+ expected: FAIL
+
+ [Both required and returned csp are `none` for only one directive.]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html.ini
new file mode 100644
index 0000000000..1fce751c20
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html.ini
@@ -0,0 +1,7 @@
+[subsumption_algorithm-self.html]
+ [Returned CSP must not allow 'self' if required CSP does not.]
+ expected: FAIL
+
+ [Returned 'self' should not be subsumed by a more secure version of origin's url.]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html.ini
new file mode 100644
index 0000000000..acf6b7f871
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html.ini
@@ -0,0 +1,4 @@
+[subsumption_algorithm-strict_dynamic.html]
+ ['strict-dynamic' has to be allowed by required csp if it is present in returned csp.]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html.ini
new file mode 100644
index 0000000000..4332f29925
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html.ini
@@ -0,0 +1,15 @@
+[subsumption_algorithm-unsafe_eval.html]
+ [No other keyword has the same effect as 'unsafe-eval'.]
+ expected: FAIL
+
+ [Other expressions have to be subsumed.]
+ expected:
+ if (os == "linux") and debug and not fission: ["FAIL", "PASS"]
+ FAIL
+
+ [Required csp must allow 'unsafe-eval'.]
+ expected: FAIL
+
+ [Effective policy is properly found where 'unsafe-eval' is not subsumed.]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html.ini
new file mode 100644
index 0000000000..11d72acb84
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html.ini
@@ -0,0 +1,13 @@
+[subsumption_algorithm-unsafe_hashes.html]
+ [No other keyword has the same effect as 'unsafe-hashes'.]
+ expected: FAIL
+
+ [Other expressions have to be subsumed.]
+ expected: FAIL
+
+ [Required csp must allow 'unsafe-hashes'.]
+ expected: FAIL
+
+ [Effective policy is properly found where 'unsafe-hashes' is not subsumed.]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html.ini
new file mode 100644
index 0000000000..e99202a430
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html.ini
@@ -0,0 +1,16 @@
+[subsumption_algorithm-unsafe_inline.html]
+ [Required csp allows `strict-dynamic`, but retuned csp does.]
+ expected: FAIL
+
+ [Required csp does not allow `unsafe-inline`, but retuned csp does.]
+ expected: FAIL
+
+ [Effective returned csp allows 'unsafe-inline']
+ expected: FAIL
+
+ [Returned csp allows a nonce.]
+ expected: FAIL
+
+ [Returned csp allows a hash.]
+ expected: FAIL
+