diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
| commit | 36d22d82aa202bb199967e9512281e9a53db42c9 (patch) | |
| tree | 105e8c98ddea1c1e4784a60a5a6410fa416be2de /testing/web-platform/tests/content-security-policy/resource-hints | |
| parent | Initial commit. (diff) | |
| download | firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.tar.xz firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.zip | |
Adding upstream version 115.7.0esr.upstream/115.7.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/content-security-policy/resource-hints')
9 files changed, 268 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-by-any-directive.sub.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-by-any-directive.sub.html new file mode 100644 index 0000000000..c1954641b1 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-by-any-directive.sub.html @@ -0,0 +1,35 @@ +<!DOCTYPE html> +<html> +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script src="/common/utils.js"></script> +<script src="/common/get-host-info.sub.js"></script> +<script src="/content-security-policy/support/testharness-helper.js"></script> +<script src="/content-security-policy/support/prefetch-helper.js"></script> +<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'unsafe-inline'; img-src http://{{domains[www2]}}:{{ports[http][0]}}"/> + +<script> + const { OTHER_ORIGIN, REMOTE_ORIGIN } = get_host_info(); + + promise_test(async (t) => { + const url = new URL("/common/dummy.xml", location.href); + assert_true(await try_to_prefetch(url, t)); + }, "Prefetch should succeed when restricted by default-src but allowed by " + + "other directive"); + + promise_test(async (t) => { + const url = new URL("/common/dummy.xml", REMOTE_ORIGIN); + assert_false(await try_to_prefetch(url, t)); + }, "Prefetch should fail when restricted by default-src and different " + + "origin allowed by other directive"); + + promise_test(async (t) => { + const url = new URL("/common/dummy.xml", OTHER_ORIGIN); + assert_true(await try_to_prefetch(url, t)); + }, "Prefetch should succeed when restricted by default-src but origin " + + "allowed by other directive"); +</script> +</head> +<body></body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-by-default.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-by-default.html new file mode 100644 index 0000000000..fa31e941eb --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-by-default.html @@ -0,0 +1,22 @@ +<!DOCTYPE html> +<html> + + <head> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> + <script src='/common/utils.js'></script> + <script src='/content-security-policy/support/testharness-helper.js'></script> + <script src='/content-security-policy/support/prefetch-helper.js'></script> + + <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'"> + <script> + promise_test(async t => { + assert_true(await try_to_prefetch("/common/dummy.xml", t)); + }, 'Prefetch should succeed when allowed by default-src'); + </script> + </head> + + <body> + </body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-no-default.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-no-default.html new file mode 100644 index 0000000000..195c927a8d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-no-default.html @@ -0,0 +1,22 @@ +<!DOCTYPE html> +<html> + + <head> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> + <script src='/common/utils.js'></script> + <script src='/content-security-policy/support/testharness-helper.js'></script> + <script src='/content-security-policy/support/prefetch-helper.js'></script> + + <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'; object-src 'self'; font-src 'self'; child-src 'self';"> + <script> + promise_test(async t => { + assert_true(await try_to_prefetch("/common/dummy.xml", t)); + }, 'Prefetch should succeed when there is no default-src'); + </script> + </head> + + <body> + </body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-with-conflicting-permissive-policies.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-with-conflicting-permissive-policies.html new file mode 100644 index 0000000000..fe7cce0efb --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-allowed-with-conflicting-permissive-policies.html @@ -0,0 +1,21 @@ +<!DOCTYPE html> +<html> +<head> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> + <script src='/common/utils.js'></script> + <script src='/content-security-policy/support/testharness-helper.js'></script> + <script src='/content-security-policy/support/prefetch-helper.js'></script> + <!-- These policies are for test-harness itself--> + <meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline'; img-src *; connect-src 'none'"> + <meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline'; img-src 'none'; connect-src *"> + <script> + promise_test(async t => { + assert_true(await try_to_prefetch("/common/dummy.xml", t)); + }, 'Prefetch should succeed when a directive in a policy is permissive, ' + + 'even if a subsequent policy overrides that.'); + </script> + </head> +<body> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-blocked-by-default-multiple-policies.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-blocked-by-default-multiple-policies.html new file mode 100644 index 0000000000..b53b021e6d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-blocked-by-default-multiple-policies.html @@ -0,0 +1,22 @@ +<!DOCTYPE html> +<html> + + <head> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> + <script src='/common/utils.js'></script> + <script src='/content-security-policy/support/testharness-helper.js'></script> + <script src='/content-security-policy/support/prefetch-helper.js'></script> + <meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline'"> + <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'unsafe-inline'"> + <script> + promise_test(async t => { + assert_false(await try_to_prefetch("/common/dummy.xml", t)); + }, 'Prefetch should fail when restricted by default-src'); + </script> + </head> + + <body> + </body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-blocked-by-default.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-blocked-by-default.html new file mode 100644 index 0000000000..6780c80e8a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-blocked-by-default.html @@ -0,0 +1,18 @@ +<!DOCTYPE html> +<html> +<head> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> + <script src='/common/utils.js'></script> + <script src='/content-security-policy/support/testharness-helper.js'></script> + <script src='/content-security-policy/support/prefetch-helper.js'></script> + <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'unsafe-inline'"> + <script> + promise_test(async t => { + assert_false(await try_to_prefetch("/common/dummy.xml", t)); + }, 'Prefetch should fail when restricted by default-src'); + </script> +</head> +<body> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-generate-directives.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-generate-directives.html new file mode 100644 index 0000000000..b08d885c1e --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-generate-directives.html @@ -0,0 +1,90 @@ +<!DOCTYPE html> +<html> +<head> +<script src='/resources/testharness.js'></script> +<script src='/resources/testharnessreport.js'></script> +<script src='/common/utils.js'></script> +<script src='/content-security-policy/support/testharness-helper.js'></script> +<script> + +const directives = { + 'script-src': true, + 'img-src': true, + 'connect-src': true, + 'object-src': true, + 'font-src': true, + 'manifest-src': true, + 'media-src': true, + 'style-src': true, + 'child-src': true, + 'frame-src': true, + 'worker-src': true, + 'base-uri': false, +}; + +function prefetch_with_csp_in_a_popup(byDirective, t) { + // Allow inline scripts so that we can run the postMessage script... + if (byDirective["script-src"] === "*") + byDirective["script-src"] = "* 'unsafe-inline'"; + else + byDirective["script-src"] = "'unsafe-inline'"; + + const url = new URL('/content-security-policy/support/prefetch-with-csp.html', location.href); + const csp = Object.entries(byDirective).map(([key, value]) => `${key} ${value}`).join(";"); + url.searchParams.set("pipe", `header(Content-Security-Policy, ${csp})`); + const uid = token(); + url.searchParams.set("uid", uid); + const bc = new BroadcastChannel(uid); + const popup = window.open(url.href); + t.add_cleanup(() => popup.close()); + return new Promise(resolve => { + bc.addEventListener("message", ({data}) => { + resolve(data); + }); + }); +} + +for (const directive in directives) { + promise_test(async t => { + const byDirective = Object.fromEntries(Object.keys(directives).map(d => [d, "'none'"])); + byDirective[directive] = "*"; + byDirective["default-src"] = "'none'"; + const prefetch_ok = await prefetch_with_csp_in_a_popup(byDirective, t); + assert_equals(prefetch_ok, directives[directive], directive); + }, `Test that ${directive} enabled with everything else disabled allows prefetching`); + + promise_test(async t => { + const byDirective = { + "default-src": "'none'", + [directive]: "*", + }; + const prefetch_ok = await prefetch_with_csp_in_a_popup(byDirective, t); + assert_equals(prefetch_ok, directives[directive], directive); + }, `Test that ${directive} enabled with default-src disabled allows prefetching`); +} + +promise_test(async t => { + const byDirective = { + "default-src": "'none'", + "script-src-elem": "* 'unsafe-inline'", + "script-src": "'none'", + }; + const prefetch_ok = await prefetch_with_csp_in_a_popup(byDirective, t); + assert_true(prefetch_ok); + }, `Test that permissive script-src-elem supersedes script-src`); + +promise_test(async t => { + const byDirective = { + "default-src": "'none'", + "script-src-elem": "'unsafe-inline'", + "script-src": "*", + }; + const prefetch_ok = await prefetch_with_csp_in_a_popup(byDirective, t); + assert_true(prefetch_ok); +}, `Test that permissive script-src supersedes script-src-elem`); + +</script> +</head> +<body> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-ignores-prefetch-src.sub.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-ignores-prefetch-src.sub.html new file mode 100644 index 0000000000..f9350bd657 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-ignores-prefetch-src.sub.html @@ -0,0 +1,21 @@ +<!DOCTYPE html> +<html> +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script src='/common/utils.js'></script> +<script src='/content-security-policy/support/testharness-helper.js'></script> +<script src="/content-security-policy/support/prefetch-helper.js"></script> +<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' 'unsafe-inline'; prefetch-src http://{{domains[www2]}}:{{ports[http][0]}}"/> + +<script> + promise_test(async (t) => { + assert_false(await + try_to_prefetch('http://{{domains[www2]}}:{{ports[http][0]}}/common/dummy.xml', + t)); + }, "Prefetch should fail when restricted by default-src and allowed by " + + "unsupported prefetch-src directive (prefetch-src should be ignored)"); +</script> +</head> +<body></body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-no-csp.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-no-csp.html new file mode 100644 index 0000000000..87f2937b84 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-no-csp.html @@ -0,0 +1,17 @@ +<!DOCTYPE html> +<html> +<head> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> + <script src='/common/utils.js'></script> + <script src='/content-security-policy/support/testharness-helper.js'></script> + <script src='/content-security-policy/support/prefetch-helper.js'></script> + <script> + promise_test(async t => { + assert_true(await try_to_prefetch("/common/dummy.xml", t)); + }, 'Prefetch succeeds when no CSP'); + </script> +</head> +<body> +</body> +</html> |