summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/content-security-policy/unsafe-eval
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
commit36d22d82aa202bb199967e9512281e9a53db42c9 (patch)
tree105e8c98ddea1c1e4784a60a5a6410fa416be2de /testing/web-platform/tests/content-security-policy/unsafe-eval
parentInitial commit. (diff)
downloadfirefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.tar.xz
firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.zip
Adding upstream version 115.7.0esr.upstream/115.7.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/content-security-policy/unsafe-eval')
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-eval/eval-allowed.sub.html27
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html30
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.html61
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked.sub.html36
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-eval/eval-in-iframe.html49
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub.html33
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html31
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub.html28
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html30
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-allowed.sub.html26
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub.html30
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-eval/support/echo-eval-with-policy.py30
12 files changed, 411 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-allowed.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-allowed.sub.html
new file mode 100644
index 0000000000..186996311b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-allowed.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';">
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS (1 of 2)","PASS (2 of 2)"]'></script>
+</head>
+
+<body>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("Fail");
+ });
+
+ eval("alert_assert('PASS (1 of 2)')");
+
+ window.eval("alert_assert('PASS (2 of 2)')");
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html
new file mode 100644
index 0000000000..998a616652
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <title>eval-blocked-and-sends-report</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS: eval() blocked.","violated-directive=script-src"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("violated-directive=" + e.violatedDirective);
+ });
+
+ try {
+ eval("alert_assert('FAIL')");
+ } catch (e) {
+ log('PASS: eval() blocked.');
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.html
new file mode 100644
index 0000000000..054e75b527
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <meta http-equiv="Content-Security-Policy"
+ content="script-src 'self' 'unsafe-inline';">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+
+<p>
+ Eval should be blocked in the iframe, but inline script should be allowed.
+</p>
+
+<script>
+ promise_test(async t => {
+ const document_loaded = new Promise(resolve => window.onload = resolve);
+ await document_loaded;
+
+ const eval_error = new Promise(resolve => {
+ window.addEventListener('message', function(e) {
+ assert_not_equals(e.data, 'FAIL', 'eval was executed in the frame');
+ if (e.data === 'PASS')
+ resolve();
+ });
+ });
+ const csp_violation_report = new Promise(resolve => {
+ window.addEventListener('message', function(e) {
+ if (e.data["violated-directive"]) {
+ assert_equals(e.data["violated-directive"], "script-src");
+ resolve();
+ }
+ });
+ });
+
+ frames[0].document.write(`
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ parent.postMessage({ 'violated-directive': e.violatedDirective });
+ });
+ try {
+ eval('parent.postMessage(\"FAIL\", \"*\");');
+ } catch (e) {
+ if (e instanceof EvalError)
+ parent.postMessage(\"PASS\", \"*\");
+ }
+ </sc` + `ript>`
+ );
+ frames[0].document.close();
+
+ await eval_error;
+ await csp_violation_report;
+ });
+</script>
+<iframe src="about:blank"></iframe>
+
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked.sub.html
new file mode 100644
index 0000000000..7546082ee4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <title>eval-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS EvalError","PASS EvalError", "violated-directive=script-src"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("violated-directive=" + e.violatedDirective);
+ });
+
+ try {
+ eval("alert_assert('FAIL (1 of 2)')");
+ } catch (e) {
+ log("PASS EvalError");
+ }
+
+ try {
+ window.eval("alert_assert('FAIL (1 of 2)')");
+ } catch (e) {
+ log("PASS EvalError");
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-in-iframe.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-in-iframe.html
new file mode 100644
index 0000000000..bca5decd25
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-in-iframe.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <title>eval-in-iframe</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/utils.js"></script>
+</head>
+
+<body>
+ <p>This test checks that the CSP of calleeRealm only (and not of
+ the callerRealm) is checked for allowing eval.</p>
+ <script>
+ let tests = [
+ { "directive": "script-src", "csp": "script-src 'unsafe-inline'" },
+ { "directive": "default-src", "csp": "default-src 'unsafe-inline'" },
+ ];
+
+ tests.forEach(test => {
+ let child = document.createElement('iframe');
+ child.src = '/content-security-policy/unsafe-eval/support' +
+ '/echo-eval-with-policy.py?policy=' + encodeURIComponent(test.csp);
+ document.body.appendChild(child);
+ let msg = new Promise(resolve => {
+ window.addEventListener('message', e => {
+ if (e.source == child.contentWindow)
+ resolve(e.data);
+ });
+ });
+
+ promise_test(async t => {
+ assert_equals((await msg).evalInIframe, "blocked");
+ }, `(${test.directive}) Eval code should not execute ` +
+ `from iframe in iframe`);
+ promise_test(async t => {
+ assert_equals((await msg).evalInParent, "allowed");
+ }, `(${test.directive}) Eval code should execute ` +
+ `from iframe in parent`);
+ promise_test(async t => {
+ assert_throws_js(child.contentWindow.EvalError, _ =>
+ child.contentWindow.eval('1+1'));
+ }, `(${test.directive}) Eval code should not execute ` +
+ `from parent in iframe`);
+ });
+ </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub.html
new file mode 100644
index 0000000000..19eac79812
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';">
+ <title>eval-scripts-setInterval-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS 1 of 2","PASS 2 of 2"]'></script>
+ <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+<pre>
+<script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("Fail");
+ });
+
+ var id_string = setInterval("clearInterval(id_string); log('PASS 1 of 2')", 0);
+ if (id_string == 0)
+ log('FAIL: Return value for string (should not be 0): ' + id_string);
+
+ var id_function = setInterval(function() {
+ clearInterval(id_function);
+ log('PASS 2 of 2');
+ }, 0);
+
+ if (id_function == 0)
+ log('FAIL');
+</script>
+</pre>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html
new file mode 100644
index 0000000000..2107ab8c33
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <title>eval-scripts-setInterval-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS","violated-directive=script-src"]'></script>
+ <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+<script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("violated-directive=" + e.violatedDirective);
+ });
+
+ var id = setInterval("alert_assert('FAIL')", 0);
+ if (id != 0)
+ log('FAIL: Return value for string (should be 0): ' + id);
+
+ var id = setInterval(function() {
+ clearInterval(id);
+ log('PASS');
+ }, 0);
+
+ if (id == 0)
+ log('FAIL');
+</script>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub.html
new file mode 100644
index 0000000000..ba89c4e2f3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';">
+ <title>eval-scripts-setTimeout-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS 1 of 2","PASS 2 of 2"]'></script>
+ <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+<script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("Fail");
+ });
+
+ var id = setTimeout("log('PASS 1 of 2')", 0);
+ if (id == 0)
+ log('FAIL');
+ var id = setTimeout(function() {
+ log('PASS 2 of 2');
+ }, 0);
+ if (id == 0)
+ log('FAIL');
+</script>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html
new file mode 100644
index 0000000000..2b6335e597
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <title>eval-scripts-setTimeout-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS","violated-directive=script-src"]'></script>
+ <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+<script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("violated-directive=" + e.violatedDirective);
+ });
+
+ var id = setTimeout("alert_assert('FAIL')", 0);
+ if (id != 0)
+ log('FAIL');
+
+ var id = setTimeout(function() {
+ log('PASS');
+ }, 0);
+
+ if (id == 0)
+ log('FAIL');
+</script>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-allowed.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-allowed.sub.html
new file mode 100644
index 0000000000..8e6661b21c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-allowed.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';">
+ <title>function-constructor-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("Fail");
+ });
+
+ (new Function("log('PASS')"))();
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub.html
new file mode 100644
index 0000000000..1a7d320b68
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <title>function-constructor-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS EvalError","violated-directive=script-src"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("violated-directive=" + e.violatedDirective);
+ });
+
+ try {
+ (new Function("log('FAIL')"))();
+ } catch (e) {
+ log("PASS EvalError");
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/support/echo-eval-with-policy.py b/testing/web-platform/tests/content-security-policy/unsafe-eval/support/echo-eval-with-policy.py
new file mode 100644
index 0000000000..b9b3cfe03a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/support/echo-eval-with-policy.py
@@ -0,0 +1,30 @@
+def main(request, response):
+ policy = request.GET.first(b"policy")
+ return [(b"Content-Type", b"text/html"), (b"Content-Security-Policy", policy)], b"""
+<!DOCTYPE html>
+<html>
+<script>
+function check_eval(context) {
+ context.eval_check_variable = 0;
+ try {
+ id = context.eval("eval_check_variable + 1");
+ } catch (e) {
+ if (e instanceof EvalError) {
+ if (context.eval_check_variable === 0)
+ return "blocked";
+ else
+ return "EvalError exception, but eval was executed";
+ } else {
+ return "Unexpected exception: " + e.message;
+ }
+ }
+ return "allowed";
+}
+
+window.parent.postMessage({
+ evalInIframe: check_eval(window),
+ evalInParent: check_eval(parent),
+});
+</script>
+</html>
+"""