Diffstat (limited to 'testing/web-platform/tests/content-security-policy/script-src/support')
14 files changed, 87 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/change-scripthash-before-execute.js b/testing/web-platform/tests/content-security-policy/script-src/support/change-scripthash-before-execute.js
new file mode 100644
index 0000000000..a04e8575b2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/change-scripthash-before-execute.js
@@ -0,0 +1,10 @@
+// This script is executed after |scr1| and |scr2| are inserted into DOM
+// before their execution (if not blocked by CSP).
+if (document.getElementById("scr1")) {
+ document.getElementById("scr1").innerText =
+ "log1 += 'scr1 at #execute-the-script-block';";
+}
+if (document.getElementById("scr2")) {
+ document.getElementById("scr2").innerText =
+ "log2 += 'scr2 at #execute-the-script-block';";
+}
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/change-scriptnonce-before-execute.js b/testing/web-platform/tests/content-security-policy/script-src/support/change-scriptnonce-before-execute.js
new file mode 100644
index 0000000000..2676b34728
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/change-scriptnonce-before-execute.js
@@ -0,0 +1,8 @@
+// This script is executed after |scr1| and |scr2| are inserted into DOM
+// before their execution (if not blocked by CSP).
+if (document.getElementById('scr1')) {
+ document.getElementById('scr1').setAttribute('nonce', 'wrong');
+}
+if (document.getElementById('scr2')) {
+ document.getElementById('scr2').setAttribute('nonce', 'abc');
+}
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/empty.css b/testing/web-platform/tests/content-security-policy/script-src/support/empty.css
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/empty.css
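Review bot: The two-line header comment in change-scripthash-before-execute.js (repeated verbatim in change-scriptnonce-before-execute.js) says when the helper runs but not what the mutation is meant to distinguish, which is what a reader needs in order to judge the test. I would extend it with something like `// Mutates the script text after insertion but before execution, so the test can tell whether CSP matched the hash against the original or the mutated source.` The nonce variant should likewise say which of `'wrong'` and `'abc'` is expected to match the policy, since the policy is not visible in this diff. Separately, each element is looked up twice; `const scr1 = document.getElementById("scr1");` followed by `if (scr1) { … }` reads more directly.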
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/inject-script.js b/testing/web-platform/tests/content-security-policy/script-src/support/inject-script.js
new file mode 100644
index 0000000000..c04033c46f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/inject-script.js
@@ -0,0 +1,5 @@
+document.write("<script>log('Pass 1 of 2');</script>");
+
+var s = document.createElement('script');
+s.textContent = "log('Pass 2 of 2');";
+document.body.appendChild(s);
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/inline-script-should-be-blocked.js b/testing/web-platform/tests/content-security-policy/script-src/support/inline-script-should-be-blocked.js
new file mode 100644
index 0000000000..f32d25074b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/inline-script-should-be-blocked.js
@@ -0,0 +1,14 @@
+var t;
+async_test(t => {
+ self.t = t;
+ const s = document.createElement('script');
+ s.onerror = t.step_func(function() {
+ assert_unreached('Script error event should not be fired.');
+ });
+ s.onload = t.step_func(function() {
+ assert_unreached('Script load event should not be fired.');
+ });
+ s.innerText = 'self.t.assert_unreached("Script should not run.");'
+ document.body.appendChild(s);
+ setTimeout(() => t.done(), 2000);
+});
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/post-message.js b/testing/web-platform/tests/content-security-policy/script-src/support/post-message.js
new file mode 100644
index 0000000000..69daa31d2f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/post-message.js
@@ -0,0 +1 @@
+postMessage("importScripts allowed");
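Review bot: In inject-script.js, `document.body.appendChild(s)` assumes a body already exists when this file runs; if a test page ever loads it from `<head>`, `document.body` is null and the second case throws a TypeError instead of reporting a CSP result. How the file is included is not visible here, so this may be fine today, but `(document.body || document.head).appendChild(s);` or a one-line comment stating the requirement (`// Must be loaded from within <body>.`) would make it explicit. A short header comment saying that the two cases cover a parser-inserted (`document.write`) and a DOM-inserted inline script would also help.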
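Review bot: In inline-script-should-be-blocked.js the injected source calls `self.t.assert_unreached(...)`, but as far as I know testharness.js exposes `assert_unreached` as a global function, not as a method on the Test object. If the inline script did run, the failure would then surface as an uncaught TypeError rather than the intended assertion message; `s.innerText = 'self.t.step(() => assert_unreached("Script should not run."));';` reports it through the test. The test also passes purely on the absence of events after a fixed two seconds via raw `setTimeout`; `t.step_timeout(() => t.done(), 2000);` follows the harness timeout multiplier, and listening for `securitypolicyviolation` would confirm positively that CSP did the blocking.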
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/worker-eval.js b/testing/web-platform/tests/content-security-policy/script-src/support/worker-eval.js
new file mode 100644
index 0000000000..9aa87129ae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/worker-eval.js
@@ -0,0 +1,5 @@
+var id = 0;
+try {
+ id = eval("1 + 2 + 3");
+} catch (e) {}
+postMessage(id === 0 ? "eval blocked" : "eval allowed");
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/worker-eval.js.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/support/worker-eval.js.sub.headers
new file mode 100644
index 0000000000..afdcc7c011
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/worker-eval.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/worker-function-function.js b/testing/web-platform/tests/content-security-policy/script-src/support/worker-function-function.js
new file mode 100644
index 0000000000..03d9bf4cbb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/worker-function-function.js
@@ -0,0 +1,7 @@
+var fn = function() {
+ postMessage('Function() function blocked');
+}
+try {
+ fn = new Function("", "postMessage('Function() function allowed');");
+} catch (e) {}
+fn();
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/worker-function-function.js.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/support/worker-function-function.js.sub.headers
new file mode 100644
index 0000000000..afdcc7c011
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/worker-function-function.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'unsafe-inline'
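Review bot: The empty `catch (e) {}` in worker-eval.js, and again in worker-function-function.js, reports every exception as a CSP block. A blocked `eval` or `Function` constructor throws an EvalError, so `} catch (e) { if (!(e instanceof EvalError)) throw e; }` keeps the verdict tied to CSP and lets an unrelated failure show up as an error. Both files also call the bare `postMessage` global, which exists only in dedicated workers, whereas the two `worker-with-script-src-none-*` helpers in this commit handle SharedWorker as well. A header comment stating that these two are dedicated-worker only would avoid surprises.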
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-importscripts.js b/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-importscripts.js
new file mode 100644
index 0000000000..d2b6691b8a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-importscripts.js
@@ -0,0 +1,17 @@
+var message = "importScripts allowed";
+try {
+ importScripts("/content-security-policy/support/post-message.js");
+} catch (e) {
+ message = "importScripts blocked";
+}
+
+if (typeof SharedWorkerGlobalScope === "function") {
+ onconnect = function (e) {
+ var port = e.ports[0];
+
+ port.onmessage = function () { port.postMessage(message); }
+ port.postMessage(message);
+ };
+} else if (typeof DedicatedWorkerGlobalScope === "function") {
+ self.postMessage(message);
+}
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-importscripts.js.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-importscripts.js.sub.headers
new file mode 100644
index 0000000000..57616b1fc2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-importscripts.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-set-timeout.js b/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-set-timeout.js
new file mode 100644
index 0000000000..c4241c97d0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-set-timeout.js
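Review bot: In worker-with-script-src-none-importscripts.js the `catch` sets "importScripts blocked" for any exception, so a missing or failing resource gives the same verdict as a CSP block. That matters here because the imported path is `/content-security-policy/support/post-message.js`, while this commit adds post-message.js under `script-src/support/`; whether the other path exists is not visible in this diff. If the new file is the intended target, `importScripts("/content-security-policy/script-src/support/post-message.js");` removes the doubt. Either way, a comment next to the catch should note that a failed fetch cannot be told apart from a block.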
@@ -0,0 +1,16 @@
+var id = 0;
+try {
+ id = setTimeout("postMessage('handler invoked')", 100);
+} catch (e) {}
+var message = id === 0 ? "setTimeout blocked" : "setTimeout allowed";
+
+if (typeof SharedWorkerGlobalScope === "function") {
+ onconnect = function (e) {
+ var port = e.ports[0];
+
+ port.onmessage = function () { port.postMessage(message); }
+ port.postMessage(message);
+ };
+} else if (typeof DedicatedWorkerGlobalScope === "function") {
+ self.postMessage(message);
+}
diff --git a/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-set-timeout.js.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-set-timeout.js.sub.headers
new file mode 100644
index 0000000000..57616b1fc2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/support/worker-with-script-src-none-set-timeout.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'none' |
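Review bot: The verdict in worker-with-script-src-none-set-timeout.js rests only on `setTimeout` returning 0; whether the string handler actually runs is never observed. That ties the test to the return value an implementation gives for a blocked string handler, and the handler's own `postMessage('handler invoked')` would not reach a SharedWorker client anyway, since `postMessage` is not a global there. I would at least document the assumption above the `try`, e.g. `// A blocked string handler is expected to make setTimeout return 0; the handler's own message is not part of the verdict.`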