summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/content-security-policy/base-uri
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
commit43a97878ce14b72f0981164f87f2e35e14151312 (patch)
tree620249daf56c0258faa40cbdcf9cfba06de2a846 /testing/web-platform/tests/content-security-policy/base-uri
parentInitial commit. (diff)
downloadfirefox-43a97878ce14b72f0981164f87f2e35e14151312.tar.xz
firefox-43a97878ce14b72f0981164f87f2e35e14151312.zip
Adding upstream version 110.0.1.upstream/110.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/content-security-policy/base-uri')
-rw-r--r--testing/web-platform/tests/content-security-policy/base-uri/base-uri-allow.sub.html24
-rw-r--r--testing/web-platform/tests/content-security-policy/base-uri/base-uri-deny.sub.html25
-rw-r--r--testing/web-platform/tests/content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html79
-rw-r--r--testing/web-platform/tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html27
-rw-r--r--testing/web-platform/tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.sub.headers5
5 files changed, 160 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/base-uri/base-uri-allow.sub.html b/testing/web-platform/tests/content-security-policy/base-uri/base-uri-allow.sub.html
new file mode 100644
index 0000000000..cda0c2db44
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/base-uri/base-uri-allow.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="base-uri {{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+
+ <script>
+ var t = async_test("Check that base URIs can be set if they do not violate the page's policy.");
+ window.addEventListener('securitypolicyviolation', t.step_func(function(t) {
+ assert_unreached('No CSP violation report should have been fired.');
+ }));
+ </script>
+
+ <base href="{{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/">
+ <script>
+ t.step(function() {
+ assert_equals(document.baseURI, "{{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/");
+ t.done();
+ });
+ </script>
+</head>
+<body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/base-uri/base-uri-deny.sub.html b/testing/web-platform/tests/content-security-policy/base-uri/base-uri-deny.sub.html
new file mode 100644
index 0000000000..a5a78ae1a3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/base-uri/base-uri-deny.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="base-uri {{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+
+ <script>
+ var t = async_test("Check that baseURI fires a securitypolicyviolation event when it does not match the csp directive");
+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+ assert_equals(e.blockedURI, "{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/")
+ assert_equals(e.violatedDirective, "base-uri");
+ }));
+ </script>
+
+ <base href="{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/">
+ <script>
+ test(function() {
+ assert_equals(document.baseURI, window.location.href);
+ t.done();
+ }, "Check that the baseURI is not set when it does not match the csp directive");
+ </script>
+</head>
+<body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html b/testing/web-platform/tests/content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html
new file mode 100644
index 0000000000..299383c469
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html
@@ -0,0 +1,79 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+ <meta http-equiv="Content-Security-Policy" content="base-uri {{location[scheme]}}://{{domains[]}}:{{ports[http][0]}}/base/">
+
+ <title>base-uri works correctly inside a sandboxed iframe.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+
+<body>
+ <h1>base-uri works correctly inside a sandboxed iframe.</h1>
+ <div id='log'></div>
+
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ assert_unreached('No CSP violation report should have been fired.');
+ });
+
+ async_test(function(t) {
+ var i = document.createElement('iframe');
+ i.sandbox = 'allow-scripts';
+ i.style.display = 'none';
+ i.srcdoc = `
+ <script>
+ window.addEventListener('securitypolicyviolation', function() {
+ top.postMessage('FAIL', '*');
+ });
+ </sc` + `ript>
+ <base href="{{location[scheme]}}://{{domains[]}}:{{ports[http][0]}}/base/">
+ <script>
+ top.postMessage(document.baseURI, '*');
+ </sc` + `ript>`;
+
+ window.addEventListener('message', t.step_func(function(e) {
+ if (e.source === i.contentWindow) {
+ assert_equals(e.data, location.origin + '/base/');
+ t.done();
+ }
+ }));
+
+ document.body.appendChild(i);
+ }, 'base-uri \'self\' works with same-origin sandboxed iframes.');
+
+ async_test(function(t) {
+ var i = document.createElement('iframe');
+ i.sandbox = 'allow-scripts';
+ i.style.display = 'none';
+ i.srcdoc = `
+ <script>
+ window.addEventListener('securitypolicyviolation',
+ function(violation) {
+ if (violation.blockedURI !== '{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/base/' || violation.effectiveDirective !== 'base-uri') {
+ top.postMessage('FAIL');
+ return;
+ }
+ top.postMessage(document.baseURI, '*');
+ });
+ </sc` + `ript>
+ <base href="{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/base/">
+ <script>
+ top.postMessage(document.baseURI, '*');
+ </sc` + `ript>`;
+
+ window.addEventListener('message', t.step_func(function(e) {
+ if (e.source === i.contentWindow) {
+ assert_equals(e.data, location.href);
+ t.done();
+ }
+ }));
+
+ document.body.appendChild(i);
+ }, 'base-uri \'self\' blocks foreign-origin sandboxed iframes.');
+ </script>
+
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html b/testing/web-platform/tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html
new file mode 100644
index 0000000000..408c0116eb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Test that base does not affect report-uri</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <!-- if base is used for resolving the URL to report to then we will not get a report -->
+ <base href="http://nonexistent.{{domains[]}}">
+</head>
+<body>
+ <script>
+ var t1 = async_test("Test that image does not load");
+ async_test(function(t2) {
+ window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
+ assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png");
+ assert_equals(e.violatedDirective, "img-src");
+ t2.done();
+ }));
+ }, "Event is fired");
+ </script>
+ <img src='{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png'
+ onload='t1.unreached_func("The image should not have loaded");'
+ onerror='t1.done();'>
+
+ <script async defer src='{{location[scheme]}}://{{location[host]}}/content-security-policy/support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.sub.headers
new file mode 100644
index 0000000000..811125d83a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Set-Cookie: report-uri-does-not-respect-base-uri={{$id:uuid()}}; Path=/content-security-policy/base-uri
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}