author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
commit | 36d22d82aa202bb199967e9512281e9a53db42c9 (patch) | |
tree | 105e8c98ddea1c1e4784a60a5a6410fa416be2de /testing/web-platform/meta/content-security-policy/embedded-enforcement | |
parent | Initial commit. (diff) | |
Adding upstream version 115.7.0esr.upstream/115.7.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/meta/content-security-policy/embedded-enforcement')
18 files changed, 289 insertions, 0 deletions
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/__dir__.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/__dir__.ini
new file mode 100644
index 0000000000..7a5cbf999c
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/__dir__.ini
@@ -0,0 +1,2 @@
+implementation-status: not-implementing
+bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1553130
\ No newline at end of file
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/allow_csp_from-header.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/allow_csp_from-header.html.ini
new file mode 100644
index 0000000000..21cab9e30f
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/allow_csp_from-header.html.ini
@@ -0,0 +1,16 @@
+[allow_csp_from-header.html]
+ [Cross origin iframe with an empty Allow-CSP-From header gets blocked.]
+ expected: FAIL
+
+ [Cross origin iframe without Allow-CSP-From header gets blocked.]
+ expected: FAIL
+
+ [Iframe with improper Allow-CSP-From header gets blocked.]
+ expected: FAIL
+
+ [Star Allow-CSP-From header enforces EmbeddingCSP.]
+ expected: FAIL
+
+ [Allow-CSP-From header enforces EmbeddingCSP.]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/idlharness.window.js.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/idlharness.window.js.ini
new file mode 100644
index 0000000000..f4848f7461
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/idlharness.window.js.ini
@@ -0,0 +1,7 @@
+[idlharness.window.html]
+ [HTMLIFrameElement interface: attribute csp]
+ expected: FAIL
+
+ [HTMLIFrameElement interface: document.createElement("iframe") must inherit property "csp" with the proper type]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/iframe-csp-attribute.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/iframe-csp-attribute.html.ini
new file mode 100644
index 0000000000..6977d4fe21
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/iframe-csp-attribute.html.ini
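Review bot: `__dir__.ini` gives no context for why every expectation in this directory is `FAIL`; the only pointer is the bug URL on the following line, and `implementation-status: not-implementing` on its own does not tell a reader that the iframe `csp` attribute and the `Sec-Required-CSP` / `Allow-CSP-From` handshake exercised by these tests are simply not implemented, so the FAILs are not regressions. If the wptmanifest format accepts `#` comments (I believe it does, but confirm), a one-liner such as `# CSP Embedded Enforcement (iframe csp attribute, Sec-Required-CSP) is not implemented; all subtests below are expected to FAIL` above the status line would carry that. As a nit, the file also ends without a trailing newline (`\ No newline at end of file`), unlike the other .ini files in this commit.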
@@ -0,0 +1,13 @@
+[iframe-csp-attribute.html]
+ [<iframe> has a 'csp' attibute which is an empty string if undefined.]
+ expected: FAIL
+
+ [<iframe>'s csp attribute is always a string.]
+ expected: FAIL
+
+ [<iframe>'s 'csp content attribute reflects the IDL attribute.]
+ expected: FAIL
+
+ [<iframe>'s IDL attribute reflects the DOM attribute.]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/required-csp-header-cascade.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/required-csp-header-cascade.html.ini
new file mode 100644
index 0000000000..e13604688a
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/required-csp-header-cascade.html.ini
@@ -0,0 +1,28 @@
+[required-csp-header-cascade.html]
+ [Test same origin: Test same policy for both iframes]
+ expected: FAIL
+
+ [Test same origin: Test more restrictive policy on second iframe]
+ expected: FAIL
+
+ [Test same origin: Test less restrictive policy on second iframe]
+ expected: FAIL
+
+ [Test same origin: Test no policy on second iframe]
+ expected: FAIL
+
+ [Test same origin: Test no policy on first iframe]
+ expected: FAIL
+
+ [Test same origin: Test invalid policy on first iframe (bad directive)]
+ expected: FAIL
+
+ [Test same origin: Test invalid policy on first iframe (report directive)]
+ expected: FAIL
+
+ [Test same origin: Test invalid policy on second iframe (bad directive)]
+ expected: FAIL
+
+ [Test same origin: Test invalid policy on second iframe (report directive)]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/required_csp-header.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/required_csp-header.html.ini
new file mode 100644
index 0000000000..b15f274358
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/required_csp-header.html.ini
@@ -0,0 +1,67 @@
+[required_csp-header.html]
+ [Test Required-CSP value on `csp` change: Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>.]
+ expected: FAIL
+
+ [Test same origin: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
+ expected: FAIL
+
+ [Test same origin redirect: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
+ expected: FAIL
+
+ [Test cross origin redirect: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
+ expected: FAIL
+
+ [Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.]
+ expected: FAIL
+
+ [Test same origin: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
+ expected: FAIL
+
+ [Test same origin redirect: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
+ expected: FAIL
+
+ [Test cross origin redirect: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
+ expected: FAIL
+
+ [Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Send Sec-Required-CSP Header on change of `src` attribute on iframe.]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - gibberish csp]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - misspeled 'none']
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - query values in path]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - missing semicolon]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - comma separated]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - html encoded string]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - url encoded string]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri present]
+ expected: FAIL
+
+ [Test Required-CSP value on `csp` change: Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-to present]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html.ini
new file mode 100644
index 0000000000..652e50be05
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html.ini
@@ -0,0 +1,6 @@
+[subsumption_algorithm-general.html]
+ [Iframe with empty returned CSP should be blocked.]
+ expected: FAIL
+
+ [Iframe with a different CSP should be blocked.]
+ expected: FAIL
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html.ini
new file mode 100644
index 0000000000..52a0659941
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html.ini
@@ -0,0 +1,18 @@
+[subsumption_algorithm-hashes.html]
+ [Returned should not include hashes not present in required csp.]
+ expected: FAIL
+
+ [Hashes do not have to be present in returned csp but must not allow all inline behavior.]
+ expected: FAIL
+
+ [Other expressions have to be subsumed.]
+ expected: FAIL
+
+ [Required csp must allow 'sha256-abc123'.]
+ expected: FAIL
+
+ [Effective policy is properly found where 'sha256-abc123' is not subsumed.]
+ expected: FAIL
+
+ ['sha256-abc123' is not subsumed by 'sha256-abc456'.]
+ expected: FAIL
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html.ini
new file mode 100644
index 0000000000..ab926be2b7
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html.ini
@@ -0,0 +1,13 @@
+[subsumption_algorithm-host_sources-hosts.html]
+ [Host must match.]
+ expected: FAIL
+
+ [Hosts without wildcards must match.]
+ expected: FAIL
+
+ [More specific subdomain should not match.]
+ expected: FAIL
+
+ [Specified host should not match a wildcard host.]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html.ini
new file mode 100644
index 0000000000..9cccb2793a
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html.ini
@@ -0,0 +1,10 @@
+[subsumption_algorithm-host_sources-paths.html]
+ [Returned CSP must specify a path.]
+ expected: FAIL
+
+ [Empty path is not subsumed by specified paths.]
+ expected: FAIL
+
+ [That should not be true when required csp specifies a specific page.]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html.ini
new file mode 100644
index 0000000000..2e93544905
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html.ini
@@ -0,0 +1,15 @@
+[subsumption_algorithm-host_sources-ports.html]
+ [Specified ports must match.]
+ expected:
+ if debug and (os == "linux"): ["FAIL", "PASS"]
+ FAIL
+
+ [Returned CSP should be subsumed if the port is specified but is not default for a more secure scheme.]
+ expected: FAIL
+
+ [Wildcard port should not be subsumed by a default port.]
+ expected: FAIL
+
+ [Wildcard port should not be subsumed by a spcified port.]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html.ini
new file mode 100644
index 0000000000..ec4dcc0177
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html.ini
@@ -0,0 +1,13 @@
+[subsumption_algorithm-host_sources-protocols.html]
+ [`https` is more restrictive than `http`.]
+ expected: FAIL
+
+ [`http:` does not subsume other protocols.]
+ expected: FAIL
+
+ [If scheme source is present in returned csp, it must be specified in required csp too.]
+ expected: FAIL
+
+ [All scheme sources must be subsumed.]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html.ini
new file mode 100644
index 0000000000..1a05c2d95b
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html.ini
@@ -0,0 +1,26 @@
+[subsumption_algorithm-none.html]
+ [Required policy that allows `none` does not subsume empty list of policies.]
+ expected:
+ if (os == "linux") and debug: ["FAIL", "PASS"]
+ FAIL
+
+ [Required csp with effective `none` does not subsume a host source expression.]
+ expected:
+ if debug: ["FAIL", "PASS"]
+ FAIL
+
+ [Required csp with `none` does not subsume a host source expression.]
+ expected: FAIL
+
+ [Required csp with effective `none` does not subsume `none` of another directive.]
+ expected: FAIL
+
+ [Required csp with `none` does not subsume `none` of another directive.]
+ expected: FAIL
+
+ [Required csp with `none` does not subsume `none` of different directives.]
+ expected: FAIL
+
+ [Both required and returned csp are `none` for only one directive.]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html.ini
new file mode 100644
index 0000000000..1fce751c20
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html.ini
@@ -0,0 +1,7 @@
+[subsumption_algorithm-self.html]
+ [Returned CSP must not allow 'self' if required CSP does not.]
+ expected: FAIL
+
+ [Returned 'self' should not be subsumed by a more secure version of origin's url.]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html.ini
new file mode 100644
index 0000000000..acf6b7f871
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html.ini
@@ -0,0 +1,4 @@
+[subsumption_algorithm-strict_dynamic.html]
+ ['strict-dynamic' has to be allowed by required csp if it is present in returned csp.]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html.ini
new file mode 100644
index 0000000000..4332f29925
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html.ini
@@ -0,0 +1,15 @@
+[subsumption_algorithm-unsafe_eval.html]
+ [No other keyword has the same effect as 'unsafe-eval'.]
+ expected: FAIL
+
+ [Other expressions have to be subsumed.]
+ expected:
+ if (os == "linux") and debug and not fission: ["FAIL", "PASS"]
+ FAIL
+
+ [Required csp must allow 'unsafe-eval'.]
+ expected: FAIL
+
+ [Effective policy is properly found where 'unsafe-eval' is not subsumed.]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html.ini
new file mode 100644
index 0000000000..11d72acb84
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html.ini
@@ -0,0 +1,13 @@
+[subsumption_algorithm-unsafe_hashes.html]
+ [No other keyword has the same effect as 'unsafe-hashes'.]
+ expected: FAIL
+
+ [Other expressions have to be subsumed.]
+ expected: FAIL
+
+ [Required csp must allow 'unsafe-hashes'.]
+ expected: FAIL
+
+ [Effective policy is properly found where 'unsafe-hashes' is not subsumed.]
+ expected: FAIL
+
diff --git a/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html.ini b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html.ini
new file mode 100644
index 0000000000..e99202a430
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html.ini
@@ -0,0 +1,16 @@
+[subsumption_algorithm-unsafe_inline.html]
+ [Required csp allows `strict-dynamic`, but retuned csp does.]
+ expected: FAIL
+
+ [Required csp does not allow `unsafe-inline`, but retuned csp does.]
+ expected: FAIL
+
+ [Effective returned csp allows 'unsafe-inline']
+ expected: FAIL
+
+ [Returned csp allows a nonce.]
+ expected: FAIL
+
+ [Returned csp allows a hash.]
+ expected: FAIL
+
|