summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/content-security-policy/spec.src.json
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--testing/web-platform/tests/content-security-policy/spec.src.json552
1 files changed, 552 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/spec.src.json b/testing/web-platform/tests/content-security-policy/spec.src.json
new file mode 100644
index 0000000000..b3b4d3c1f4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/spec.src.json
@@ -0,0 +1,552 @@
+{
+ "test_description_template": "Content Security Policy: Expects %(expectation)s for %(subresource)s to %(origin)s origin and %(redirection)s redirection from %(source_scheme)s context.",
+ "test_page_title_template": "Content Security Policy: %(title)s",
+ "specification": [
+ {
+ "title": "content security policy",
+ "description": "content security policy",
+ "specification_url": "https://w3c.github.io/webappsec-csp/",
+ "test_expansion": [
+ // Set "allowed" for all requests here, and set "block" for requests
+ // to be blocked by CSP in subsequent sections.
+ // (Requests blocked due to non-CSP reasons (e.g. cross-origin workers)
+ // are excluded by `excluded_tests` sections)
+ {
+ "expansion": "default",
+ "source_scheme": "*",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "*",
+ "redirection": "*",
+ "origin": "*",
+ "subresource": "*",
+ "expectation": "allowed"
+ },
+
+ // script-src
+ {
+ // "script-src" blocks script-ish requests, except for ...
+ "expansion": "override",
+ "source_scheme": "*",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": [
+ "script-src-none",
+ "script-src-self",
+ "script-src-wildcard"
+ ],
+ "redirection": "*",
+ "origin": "*",
+ "subresource": [
+ "script-tag",
+ "sharedworker-classic",
+ "sharedworker-import",
+ "sharedworker-import-data",
+ "sharedworker-module",
+ "worker-classic",
+ "worker-import",
+ "worker-import-data",
+ "worker-module",
+ "worklet-animation",
+ "worklet-animation-import-data",
+ "worklet-audio",
+ "worklet-audio-import-data",
+ "worklet-layout",
+ "worklet-layout-import-data",
+ "worklet-paint",
+ "worklet-paint-import-data"
+ ],
+ "expectation": "blocked"
+ },
+ {
+ // non-data: URLs for "script-src *",
+ "expansion": "override",
+ "source_scheme": "*",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "script-src-wildcard",
+ "redirection": "*",
+ "origin": "*",
+ "subresource": [
+ "script-tag",
+ "sharedworker-classic",
+ "sharedworker-import",
+ "sharedworker-module",
+ "worker-classic",
+ "worker-import",
+ "worker-module",
+ "worklet-animation",
+ "worklet-audio",
+ "worklet-layout",
+ "worklet-paint"
+ ],
+ "expectation": "allowed"
+ },
+ {
+ // same-origin requests (HTTP) for "script-src 'self'", or
+ "expansion": "override",
+ "source_scheme": "http",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "script-src-self",
+ "redirection": ["no-redirect", "keep-origin"],
+ "origin": "same-http",
+ "subresource": [
+ "script-tag",
+ "sharedworker-classic",
+ "sharedworker-import",
+ "sharedworker-module",
+ "worker-classic",
+ "worker-import",
+ "worker-module",
+ "worklet-animation",
+ "worklet-audio",
+ "worklet-layout",
+ "worklet-paint"
+ ],
+ "expectation": "allowed"
+ },
+ {
+ // same-origin requests (HTTPS) for "script-src 'self'".
+ "expansion": "override",
+ "source_scheme": "https",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "script-src-self",
+ "redirection": ["no-redirect", "keep-origin"],
+ "origin": "same-https",
+ "subresource": [
+ "script-tag",
+ "sharedworker-classic",
+ "sharedworker-import",
+ "sharedworker-module",
+ "worker-classic",
+ "worker-import",
+ "worker-module",
+ "worklet-animation",
+ "worklet-audio",
+ "worklet-layout",
+ "worklet-paint"
+ ],
+ "expectation": "allowed"
+ },
+
+ // worker-src
+ {
+ // "worker-src" blocks worker requests, except for ...
+ "expansion": "override",
+ "source_scheme": "*",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": [
+ "worker-src-none",
+ "worker-src-self",
+ "worker-src-wildcard"
+ ],
+ "redirection": "*",
+ "origin": "*",
+ "subresource": [
+ "sharedworker-classic",
+ "sharedworker-import",
+ "sharedworker-import-data",
+ "sharedworker-module",
+ "worker-classic",
+ "worker-import",
+ "worker-import-data",
+ "worker-module"
+ ],
+ "expectation": "blocked"
+ },
+ {
+ // non-data: URLs for "worker-src *",
+ "expansion": "override",
+ "source_scheme": "*",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "worker-src-wildcard",
+ "redirection": "*",
+ "origin": "*",
+ "subresource": [
+ "sharedworker-classic",
+ "sharedworker-import",
+ "sharedworker-module",
+ "worker-classic",
+ "worker-import",
+ "worker-module"
+ ],
+ "expectation": "allowed"
+ },
+ {
+ // same-origin requests (HTTP) for "worker-src 'self'", or
+ "expansion": "override",
+ "source_scheme": "http",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "worker-src-self",
+ "redirection": ["no-redirect", "keep-origin"],
+ "origin": "same-http",
+ "subresource": [
+ "sharedworker-classic",
+ "sharedworker-import",
+ "sharedworker-module",
+ "worker-classic",
+ "worker-import",
+ "worker-module"
+ ],
+ "expectation": "allowed"
+ },
+ {
+ // same-origin requests (HTTPS) for "worker-src 'self'".
+ "expansion": "override",
+ "source_scheme": "https",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "worker-src-self",
+ "redirection": ["no-redirect", "keep-origin"],
+ "origin": "same-https",
+ "subresource": [
+ "sharedworker-classic",
+ "sharedworker-import",
+ "sharedworker-module",
+ "worker-classic",
+ "worker-import",
+ "worker-module"
+ ],
+ "expectation": "allowed"
+ },
+
+ ]
+ }
+ ],
+ "delivery_key": "contentSecurityPolicy",
+ "excluded_tests": [
+ {
+ // upgraded-protocol-workers
+ "expansion": "*",
+ "source_scheme": "http",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "*",
+ "redirection": "*",
+ "origin": [
+ "same-https",
+ "cross-https"
+ ],
+ "subresource": [
+ "worker-classic",
+ "worker-module",
+ "sharedworker-classic",
+ "sharedworker-module"
+ ],
+ "expectation": "*"
+ },
+ {
+ // mixed-content-insecure-subresources
+ "expansion": "*",
+ "source_scheme": "https",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "*",
+ "redirection": "*",
+ "origin": [
+ "same-http",
+ "same-http-downgrade",
+ "cross-http",
+ "cross-http-downgrade",
+ "same-ws",
+ "same-ws-downgrade",
+ "cross-ws",
+ "cross-ws-downgrade"
+ ],
+ "subresource": "*",
+ "expectation": "*"
+ },
+ {
+ // redirections that content security policy tests don't care
+ "expansion": "*",
+ "source_scheme": "*",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "*",
+ "redirection": [
+ "keep-scheme",
+ "swap-scheme",
+ "downgrade"
+ ],
+ "origin": "*",
+ "subresource": "*",
+ "expectation": "*"
+ },
+ {
+ // origins that content security policy tests don't care
+ "expansion": "*",
+ "source_scheme": "*",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "*",
+ "redirection": "*",
+ "origin": [
+ "same-http-downgrade",
+ "cross-http-downgrade",
+ "same-ws-downgrade",
+ "cross-ws-downgrade"
+ ],
+ "subresource": "*",
+ "expectation": "*"
+ },
+ {
+ // source_context_list values to be blocked by CSP (i.e. the source
+ // context itself should be blocked by CSP before sending subresource
+ // requests):
+ // - data: URLs are blocked by "worker-src *", "worker-src 'self'" or
+ // "worker-src 'none'".
+ "expansion": "*",
+ "source_scheme": "*",
+ "source_context_list": [
+ "worker-classic-data",
+ "worker-module-data",
+ "sharedworker-classic-data",
+ "sharedworker-module-data"
+ ],
+ "delivery_type": "*",
+ "delivery_value": [
+ "worker-src-wildcard",
+ "worker-src-self",
+ "worker-src-none"
+ ],
+ "redirection": "*",
+ "subresource": "*",
+ "origin": "*",
+ "expectation": "*"
+ },
+ {
+ // Currently only requests from top-level Documents are tested, because
+ // `generic/test-case.sub.js` assumes that `securitypolicyviolation`
+ // events are fired on top-level Documents. Once
+ // `generic/test-case.sub.js` is fixed, we can enable non-top
+ // source_context_list here.
+ "expansion": "*",
+ "source_scheme": "*",
+ "source_context_list": [
+ "srcdoc-inherit",
+ "srcdoc",
+ "iframe",
+ "iframe-blank-inherit",
+ "worker-classic",
+ "worker-classic-data",
+ "worker-module",
+ "worker-module-data",
+ "sharedworker-classic",
+ "sharedworker-classic-data",
+ "sharedworker-module",
+ "sharedworker-module-data"
+ ],
+ "delivery_type": "*",
+ "delivery_value": "*",
+ "redirection": "*",
+ "subresource": "*",
+ "origin": "*",
+ "expectation": "*"
+ },
+ {
+ // Skip tests with no CSP directives.
+ "expansion": "*",
+ "source_scheme": "*",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": null,
+ "redirection": "*",
+ "subresource": "*",
+ "origin": "*",
+ "expectation": "*"
+ },
+ {
+ // Skip script-src-none tests, as "script-src 'none'" would prevent
+ // test scripts as well. See also comments in `get_csp_value()` in
+ // `common/security-features/tools/generate.py`.
+ "expansion": "*",
+ "source_scheme": "*",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "script-src-none",
+ "redirection": "*",
+ "subresource": "*",
+ "origin": "*",
+ "expectation": "*"
+ },
+ // Only test relevant subresources.
+ // E.g. do not test <a> tag for worker-src directives.
+ {
+ // script-src: workers (block), worklets (block), scripts (block)
+ "expansion": "*",
+ "source_scheme": "*",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": [
+ "script-src-wildcard",
+ "script-src-self",
+ "script-src-none"
+ ],
+ "redirection": "*",
+ "subresource": [
+ "a-tag",
+ "area-tag",
+ "audio-tag",
+ "beacon",
+ "fetch",
+ "iframe-tag",
+ "img-tag",
+ "link-css-tag",
+ "link-prefetch-tag",
+ "object-tag",
+ "picture-tag",
+ "script-tag-dynamic-import",
+ "video-tag",
+ "websocket",
+ "xhr"
+ ],
+ "origin": "*",
+ "expectation": "*"
+ },
+ {
+ // worker-src: workers (block), worklets (allow), scripts (allow)
+ "expansion": "*",
+ "source_scheme": "*",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": [
+ "worker-src-wildcard",
+ "worker-src-self",
+ "worker-src-none"
+ ],
+ "redirection": "*",
+ "subresource": [
+ "a-tag",
+ "area-tag",
+ "audio-tag",
+ "beacon",
+ "fetch",
+ "iframe-tag",
+ "img-tag",
+ "link-css-tag",
+ "link-prefetch-tag",
+ "object-tag",
+ "picture-tag",
+ "script-tag-dynamic-import",
+ "video-tag",
+ "websocket",
+ "xhr"
+ ],
+ "origin": "*",
+ "expectation": "*"
+ },
+ {
+ // HTTP->HTTPS requests are skipped to reduce the number of tests.
+ "expansion": "*",
+ "source_scheme": "http",
+ "source_context_list": "*",
+ "delivery_type": "*",
+ "delivery_value": "*",
+ "redirection": "*",
+ "origin": [
+ "same-https",
+ "cross-https"
+ ],
+ "subresource": "*",
+ "expectation": "*"
+ },
+ ],
+ "source_context_schema": {
+ "supported_delivery_type": {
+ "top": [
+ "meta",
+ "http-rp"
+ ],
+ // The following lines are commented out, because the
+ // contentSecurityPolicy deliveries are not yet implemented in the
+ // `common/security-features/scope/` scripts.
+ "iframe": [
+ // "meta",
+ // "http-rp"
+ ],
+ "iframe-blank": [
+ // "meta"
+ ],
+ "srcdoc": [
+ // "meta"
+ ],
+ "worker-classic": [
+ // "http-rp"
+ ],
+ "worker-module": [
+ // "http-rp"
+ ],
+ "worker-classic-data": [],
+ "worker-module-data": [],
+ "sharedworker-classic": [
+ // "http-rp"
+ ],
+ "sharedworker-module": [
+ // "http-rp"
+ ],
+ "sharedworker-classic-data": [],
+ "sharedworker-module-data": []
+ }
+ },
+ "subresource_schema": {
+ "supported_delivery_type": {
+ // No per-request CSP can be specified.
+ "a-tag": [],
+ "area-tag": [],
+ "audio-tag": [],
+ "beacon": [],
+ "fetch": [],
+ "iframe-tag": [],
+ "img-tag": [],
+ "link-css-tag": [],
+ "link-prefetch-tag": [],
+ "object-tag": [],
+ "picture-tag": [],
+ "script-tag": [],
+ "script-tag-dynamic-import": [],
+ "sharedworker-classic": [],
+ "sharedworker-import": [],
+ "sharedworker-import-data": [],
+ "sharedworker-module": [],
+ "video-tag": [],
+ "websocket": [],
+ "worker-classic": [],
+ "worker-import": [],
+ "worker-import-data": [],
+ "worker-module": [],
+ "worklet-animation": [],
+ "worklet-animation-import-data": [],
+ "worklet-audio": [],
+ "worklet-audio-import-data": [],
+ "worklet-layout": [],
+ "worklet-layout-import-data": [],
+ "worklet-paint": [],
+ "worklet-paint-import-data": [],
+ "xhr": []
+ }
+ },
+ "test_expansion_schema": {
+ "delivery_type": [
+ "http-rp",
+ "meta"
+ ],
+ "delivery_value": [
+ null,
+ "script-src-none",
+ "script-src-self",
+ "script-src-wildcard",
+ "worker-src-none",
+ "worker-src-self",
+ "worker-src-wildcard"
+ ],
+ "expectation": [
+ "blocked",
+ "allowed"
+ ]
+ }
+}