authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
commit43a97878ce14b72f0981164f87f2e35e14151312 (patch)
tree620249daf56c0258faa40cbdcf9cfba06de2a846 /testing/web-platform/tests/content-security-policy/media-src
parentInitial commit. (diff)
Adding upstream version 110.0.1.upstream/110.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/content-security-policy/media-src')
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html48
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.sub.html57
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html48
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.sub.html57
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.sub.html53
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.sub.html72
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-blocked.sub.html101
-rw-r--r--testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html71
8 files changed, 507 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html
new file mode 100644
index 0000000000..8fd094e955
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html
@@ -0,0 +1,48 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Video element src attribute must match src list - positive test</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self'">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Video element src attribute must match src list - positive test</h1>
+ <div id='log'></div>
+
+ <script>
+ var src_test = async_test("In-policy async video src");
+ var source_test = async_test("In-policy async video source element");
+ var t_spv = async_test("Should not fire policy violation events");
+ var test_count = 2;
+ window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have fired any event"));
+
+ function media_loaded(t) {
+ t.done();
+ if (--test_count <= 0) {
+ t_spv.done();
+ }
+ }
+
+ function media_error_handler(t) {
+ t.step( function () {
+ assert_unreached("Media error handler should be triggered for non-allowed domain.");
+ });
+ t.done();
+ }
+ </script>
+
+ <video id="videoObject" width="320" height="240" controls
+ onloadeddata="media_loaded(source_test)">
+ <source id="videoSourceObject"
+ type="video/ogg"
+ onerror="media_error_handler(source_test)"
+ src="/media/A4.ogv">
+ </video>
+ <video id="videoObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_test)"
+ onloadeddata="media_loaded(src_test)"
+ src="/media/A4.ogv">
+
+</body>
+</html>
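Review bot: The assert_unreached text in media_error_handler, "Media error handler should be triggered for non-allowed domain.", is the negative-test wording; in this positive test the handler firing is itself the failure, so the logged message would mislead whoever triages it. media-src-redir-bug.sub.html in the same commit has the fitting text, `"Media error handler shouldn't be triggered for allowed domain."`, and media-src-7_2.html carries the same copy-pasted message. The error path also calls `t.done()` without decrementing test_count, so after a media error t_spv would presumably end by harness timeout rather than completing.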
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.sub.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.sub.html
new file mode 100644
index 0000000000..8312defb2e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.sub.html
@@ -0,0 +1,57 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Video element src attribute must match src list - negative test</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self';">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Video element src attribute must match src list - negative test</h1>
+ <div id='log'></div>
+
+ <script>
+ var src_test = async_test("Disallowed async video src");
+ var source_test = async_test("Disallowed async video source element");
+ var t_spv = async_test("Test that securitypolicyviolation events are fired");
+ var test_count = 2;
+ window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {
+ assert_equals(e.violatedDirective, "media-src");
+ assert_equals(e.blockedURI, mediaURL);
+ if (--test_count <= 0) {
+ t_spv.done();
+ }
+ }));
+
+ // we assume tests are run from 'hostname' and 'www.hostname' or 'www2.hostname' is a valid alias
+ var mediaURL = location.protocol + "//{{domains[www2]}}:{{ports[http][0]}}/media/A4.ogv";
+
+ function media_loaded(t) {
+ t.step( function () {
+ assert_unreached("Media error handler should be triggered for non-allowed domain.");
+ });
+ t.done();
+ }
+
+ function media_error_handler(t) {
+ t.done();
+ }
+ </script>
+
+ <video id="videoObject" width="320" height="240" controls
+ onloadeddata="media_loaded(source_test)">
+ <source id="videoSourceObject"
+ type="video/ogg"
+ onerror="media_error_handler(source_test)">
+ </video>
+ <video id="videoObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_test)"
+ onloadeddata="media_loaded(src_test)">
+
+ <script>
+ document.getElementById("videoSourceObject").src = mediaURL;
+ document.getElementById("videoObject2").src = mediaURL;
+ </script>
+
+</body>
+</html>
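Review bot: src_test and source_test are completed by any `error` event, so on their own they do not show that the load was refused by the policy rather than failing for another reason; only the t_spv subtest ties the failure to `media-src`. A comment above media_error_handler would make that explicit, e.g. `// error fires for any load failure; t_spv is what confirms the CSP block`. media-src-7_2_2.sub.html has the same structure. Separately, mediaURL is declared after the listener that reads it; this works through `var` hoisting, but moving the declaration above the addEventListener call is clearer.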
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html
new file mode 100644
index 0000000000..0486c8738d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html
@@ -0,0 +1,48 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Audio element src attribute must match src list - positive test</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self';">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Audio element src attribute must match src list - positive test</h1>
+ <div id='log'></div>
+
+ <script>
+ var src_test = async_test("In-policy audio src");
+ var source_test = async_test("In-policy audio source element");
+ var t_spv = async_test("Should not fire policy violation events");
+ var test_count = 2;
+ window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have fired any event"));
+
+ function media_loaded(t) {
+ t.done();
+ if (--test_count <= 0) {
+ t_spv.done();
+ }
+ }
+
+ function media_error_handler(t) {
+ t.step( function () {
+ assert_unreached("Media error handler should be triggered for non-allowed domain.");
+ });
+ t.done();
+ }
+ </script>
+
+ <audio id="audioObject" width="320" height="240" controls
+ onloadeddata="media_loaded(source_test)">
+ <source id="audioSourceObject"
+ type="audio/ogg"
+ onerror="media_error_handler(source_test)"
+ src="/media/sound_5.oga">
+ </audio>
+ <audio id="audioObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_test)"
+ onloadeddata="media_loaded(src_test)"
+ src="/media/sound_5.oga">
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.sub.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.sub.html
new file mode 100644
index 0000000000..e1626eec5a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.sub.html
@@ -0,0 +1,57 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Audio element src attribute must match src list - negative test</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self';">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Audio element src attribute must match src list - negative test</h1>
+ <div id='log'></div>
+
+ <script>
+ var src_test = async_test("Disallaowed audio src");
+ var source_test = async_test("Disallowed audio source element");
+ var t_spv = async_test("Test that securitypolicyviolation events are fired");
+ var test_count = 2;
+ window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {
+ assert_equals(e.violatedDirective, "media-src");
+ assert_equals(e.blockedURI, mediaURL);
+ if (--test_count <= 0) {
+ t_spv.done();
+ }
+ }));
+
+ // we assume tests are run from 'hostname' and 'www.hostname' or 'www2.hostname' is a valid alias
+ var mediaURL = location.protocol + "//{{domains[www2]}}:{{ports[http][0]}}/media/sound_5.oga";
+
+ function media_loaded(t) {
+ t.step( function () {
+ assert_unreached("Media error handler should be triggered for non-allowed domain.");
+ });
+ t.done();
+ }
+
+ function media_error_handler(t) {
+ t.done();
+ }
+ </script>
+
+ <audio id="audioObject" width="320" height="240" controls
+ onloadeddata="media_loaded(source_test)">
+ <source id="audioSourceObject"
+ type="audio/ogg"
+ onerror="media_error_handler(source_test)">
+ </audio>
+ <audio id="audioObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_test)"
+ onloadeddata="media_loaded(src_test)">
+
+ <script>
+ document.getElementById("audioSourceObject").src = mediaURL;
+ document.getElementById("audioObject2").src = mediaURL;
+ </script>
+
+</body>
+</html>
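Review bot: The subtest name `"Disallaowed audio src"` is misspelled; media-src-blocked.sub.html in this commit names the same case "Disallowed audio src". The name is what shows up in results and expectation metadata, so correcting it to `async_test("Disallowed audio src")` is cheapest before anything references it.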
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.sub.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.sub.html
new file mode 100644
index 0000000000..46489e2668
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.sub.html
@@ -0,0 +1,53 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Video track src attribute must match src list - positive test</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self' {{domains[www]}}:{{ports[http][0]}};">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Video track src attribute must match src list - positive test</h1>
+ <div id='log'></div>
+
+ <script>
+ var source_test = async_test("In-policy track element");
+
+ var trackURL = location.protocol + "//{{domains[www]}}:{{ports[http][0]}}/media/foo.vtt";
+
+ var t_spv = async_test("Should not fire policy violation events");
+ var test_count = 1;
+ window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have fired any event"));
+
+ function media_loaded(t) {
+ t.done();
+ if (--test_count <= 0) {
+ t_spv.done();
+ }
+ }
+
+ function media_error_handler(t) {
+ t.step( function () {
+ assert_unreached("Error handler called for allowed track source.");
+ });
+ t.done();
+ }
+ </script>
+
+ <video id="videoObject" width="320" height="240" controls
+ onloadeddata="media_loaded(source_test)" crossorigin>
+ <source id="audioSourceObject"
+ type="audio/ogg"
+ src="/media/A4.ogv">
+ <track id="trackObject"
+ kind="subtitles"
+ srclang="en"
+ label="English"
+ onerror="media_error_handler(source_test)">
+ </video>
+ <script>
+ document.getElementById("trackObject").src = trackURL;
+ </script>
+
+</body>
+</html>
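Review bot: "In-policy track element" is completed by the video's `onloadeddata`, not by the track, so it passes once /media/A4.ogv loads whether or not the cross-origin foo.vtt was ever fetched. The `<track>` also has no `default` attribute (the negative counterpart media-src-7_3_2.sub.html does), so the track may not be requested at all and the allow-listed `{{domains[www]}}` source would go unexercised. Putting the success hook on the track, `onload="media_loaded(source_test)"`, and adding `default` would make the test assert that the policy actually permits the track load. The `<source>` is labelled `type="audio/ogg"` with id `audioSourceObject` although it points at A4.ogv, which looks like a copy-paste leftover.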
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.sub.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.sub.html
new file mode 100644
index 0000000000..431a58608a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.sub.html
@@ -0,0 +1,72 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Video track src attribute must match src list - negative test</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self';">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Video track src attribute must match src list - negative test</h1>
+ <div id='log'></div>
+
+ <script>
+ var source_test =
+ async_test("Disallowed track element onerror handler fires.");
+
+ var trackURL = location.protocol + "//{{domains[www]}}:{{ports[http][0]}}/media/foo.vtt";
+
+ var t_spv = async_test("Test that securitypolicyviolation events are fired");
+ var test_count = 1;
+ window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {
+ assert_equals(e.violatedDirective, "media-src");
+ assert_equals(e.blockedURI, trackURL);
+ if (--test_count <= 0) {
+ t_spv.done();
+ }
+ }));
+
+
+ function media_loaded(t) {
+ t.step( function () {
+ assert_unreached("Disllowed track source loaded.");
+ });
+ t.done();
+ }
+
+ function media_error_handler(t) {
+ t.done();
+ }
+ </script>
+
+ <video id="videoObject" width="320" height="240" controls
+ onerror="media_error_handler(source_test)"
+ crossorigin>
+ <source id="audioSourceObject"
+ type="audio/ogg"
+ src="/media/A4.ogv">
+ <track default
+ id="trackObject"
+ kind="subtitles"
+ srclang="en"
+ label="English"
+ onerror="media_error_handler(source_test)"
+ onload="media_loaded(source_test)"
+ onloadeddata="media_loaded(source_test)">
+ </video>
+ <script>
+ document.getElementById("trackObject").src = trackURL;
+ source_test.step(function() {
+ source_test.set_status(source_test.FAIL);
+ });
+
+ setTimeout(function() {
+ if(source_test.phase != source_test.phases.COMPLETE) {
+ source_test.step( function () { assert_unreached("Onerror event never fired for track element."); });
+ source_test.done();
+ }
+ }, 2 * 1000);
+ </script>
+
+</body>
+</html>
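Review bot: The `<video>` element carries the same `onerror="media_error_handler(source_test)"` as the `<track>`, so an error on the video itself would complete source_test without the track having been blocked; removing it from the video leaves the track's handler as the only pass path. The fallback uses a bare `setTimeout(..., 2 * 1000)`; `source_test.step_timeout(function () { ... }, 2 * 1000)` is the testharness form and scales with the harness timeout multiplier, which matters on slow runners. The comparison `source_test.phase != source_test.phases.COMPLETE` would read better with `!==`, and the message "Disllowed track source loaded." has a typo.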
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-blocked.sub.html
new file mode 100644
index 0000000000..b2b57dec64
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-blocked.sub.html
@@ -0,0 +1,101 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Media element src attribute must match src list - 'none' negative test</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'none'; connect-src 'self';">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='/common/get-host-info.sub.js'></script>
+</head>
+<body>
+ <h1>Media element src attribute must match src list - 'none' negative test</h1>
+ <div id='log'></div>
+
+ <script>
+ const otherOrigin = get_host_info().OTHER_ORIGIN;
+ const audioUrl = otherOrigin + "/media/sound_5.oga";
+ const videoUrl = otherOrigin + "/media/A4.ogv";
+
+ // Asynchronously returns the next `securitypolicyviolation` event.
+ async function nextViolation() {
+ return await new Promise((resolve) => {
+ window.addEventListener("securitypolicyviolation", resolve, {
+ once: true,
+ });
+ });
+ }
+
+ promise_test(t => new Promise((resolve, reject) => {
+ const violationPromise = nextViolation();
+
+ const video = document.createElement("video");
+ video.type = "video/ogg";
+ video.src = videoUrl;
+ video.onloadeddata = reject;
+ video.onerror = () => { resolve(violationPromise); };
+
+ document.body.appendChild(video);
+ }).then((violation) => {
+ assert_equals(violation.violatedDirective, "media-src", "directive");
+ assert_equals(violation.blockedURI, videoUrl, "blocked URI");
+ }), "Disallowed async video src");
+
+ promise_test(t => new Promise((resolve, reject) => {
+ const violationPromise = nextViolation();
+
+ const video = document.createElement("video");
+ video.oncanplay = reject;
+ video.onloadedmetadata = reject;
+ video.onloadeddata = reject;
+
+ const source = document.createElement("source");
+ source.type = "video/ogg";
+ source.src = videoUrl;
+ source.onerror = () => { resolve(violationPromise); };
+
+ video.appendChild(source);
+ document.body.appendChild(video);
+ }).then((violation) => {
+ assert_equals(violation.violatedDirective, "media-src", "directive");
+ assert_equals(violation.blockedURI, videoUrl, "blocked URI");
+ }), "Disallowed async video source element");
+
+ promise_test(t => new Promise((resolve, reject) => {
+ const violationPromise = nextViolation();
+
+ const audio = document.createElement("audio");
+ audio.type = "audio/ogg";
+ audio.src = audioUrl;
+ audio.oncanplay = reject;
+ audio.onloadedmetadata = reject;
+ audio.onloadeddata = reject;
+ audio.onerror = () => { resolve(violationPromise); };
+
+ document.body.appendChild(audio);
+ }).then((violation) => {
+ assert_equals(violation.violatedDirective, "media-src", "directive");
+ assert_equals(violation.blockedURI, audioUrl, "blocked URI");
+ }), "Disallowed audio src");
+
+ promise_test(t => new Promise((resolve, reject) => {
+ const violationPromise = nextViolation();
+
+ const audio = document.createElement("audio");
+ audio.oncanplay = reject;
+ audio.onloadedmetadata = reject;
+ audio.onloadeddata = reject;
+
+ const source = document.createElement("source");
+ source.type = "audio/ogg";
+ source.src = audioUrl;
+ source.onerror = () => { resolve(violationPromise); };
+
+ audio.appendChild(source);
+ document.body.appendChild(audio);
+ }).then((violation) => {
+ assert_equals(violation.violatedDirective, "media-src", "directive");
+ assert_equals(violation.blockedURI, audioUrl, "blocked URI");
+ }), "Disallowed audio source element");
+ </script>
+</body>
+</html>
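Review bot: The first promise_test rejects only on `onloadeddata`, while the other three also reject on `oncanplay` and `onloadedmetadata`; adding `video.oncanplay = reject;` and `video.onloadedmetadata = reject;` keeps the four cases equivalent. `video.type = "video/ogg"` and `audio.type = "audio/ogg"` assign a property that media elements do not define (only `<source>` has `type`), so they have no effect and can be dropped. Each test resolves only from `onerror`, so an implementation that reports the violation without dispatching `error` would end by harness timeout rather than a clear assertion; a short comment saying that both signals are required would document the intent.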
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html
new file mode 100644
index 0000000000..a0708bf5ed
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html
@@ -0,0 +1,71 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Video element src attribute must match src list - positive test</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src http://{{domains[www2]}}:{{ports[http][0]}}/ 'self'; connect-src 'self';">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Video element in media-src list - redirect test</h1>
+ <div id='log'></div>
+
+ <p>This test tests a buggy interaction in Chrome 46. Two hosts (self and www2) are both allowed
+ as media-src, but only one (self) is allowed for connect-src. If a video src starts on
+ an allowed host (self), and is redirected to another allowed media-src host, it should succeed. But a bug
+ causes the redirect to be done in a fetch context to which connect-src is being applied instead, so
+ the load is blocked. (This test passes in Firefox 45, modulo an event listener not firing.)</p>
+
+ <script>
+ var src_test = async_test("In-policy async video src");
+ var src_redir_test = async_test("in-policy async video src w/redir")
+ var source_test = async_test("In-policy async video source element");
+ var source_redir_test = async_test("In-policy async video source element w/redir");
+
+ var t_spv = async_test("Should not fire policy violation events");
+ var test_count = 4;
+ window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have fired any event"));
+
+ function media_loaded(t) {
+ t.done();
+ if (--test_count <= 0) {
+ t_spv.done();
+ }
+ }
+
+ function media_error_handler(t) {
+ t.step( function () {
+ assert_unreached("Media error handler shouldn't be triggered for allowed domain.");
+ });
+ t.done();
+ }
+ </script>
+
+ <video id="videoObject" width="320" height="240" controls
+ onloadeddata="media_loaded(source_test)">
+ <source id="videoSourceObject"
+ type="video/ogg"
+ onerror="media_error_handler(source_test)"
+ src="http://{{domains[www2]}}:{{ports[http][0]}}/media/A4.ogv">
+ </video>
+
+ <video id="videoObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_test)"
+ onloadeddata="media_loaded(src_test)"
+ src="http://{{domains[www2]}}:{{ports[http][0]}}/media/A4.ogv">
+
+ <video id="videoObject3" width="320" height="240" controls
+ onloadeddata="media_loaded(source_redir_test)">
+ <source id="videoSourceObject"
+ type="video/ogg"
+ onerror="media_error_handler(source_test)"
+ src="/common/redirect.py?location=http://{{domains[www2]}}:{{ports[http][0]}}/media/A4.ogv">
+ </video>
+
+ <video id="videoObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_redir_test)"
+ onloadeddata="media_loaded(src_redir_test)"
+ src="/common/redirect.py?location=http://{{domains[www2]}}:{{ports[http][0]}}/media/A4.ogv">
+
+</body>
+</html>
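Review bot: In videoObject3 the `<source>` has `onerror="media_error_handler(source_test)"`, while the success path of that element is `media_loaded(source_redir_test)`; a blocked redirect would be reported against (or swallowed by) the non-redirect subtest and source_redir_test would only time out. It should read `onerror="media_error_handler(source_redir_test)"`. The ids `videoSourceObject` and `videoObject2` are each used twice in this file, and the `var src_redir_test = ...` line is missing its semicolon. The `<title>` still says "positive test" while the `<h1>` says "redirect test"; aligning them would make results easier to attribute.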