diff options
Diffstat (limited to 'testing/web-platform/tests/content-security-policy/svg')
9 files changed, 229 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/svg/including.sub.svg b/testing/web-platform/tests/content-security-policy/svg/including.sub.svg new file mode 100644 index 0000000000..51215d9044 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/svg/including.sub.svg @@ -0,0 +1,19 @@ +<?xml version="1.0" standalone="no"?> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" + "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> +<svg width="6cm" height="5cm" viewBox="0 0 600 500" + xmlns="http://www.w3.org/2000/svg" version="1.1" + xmlns:xlink="http://www.w3.org/1999/xlink"> + <desc>using SVG as a resource doc should apply this doc's CSP</desc> + + <use xlink:href="scripted.svg#postmessagescript" /> + + <circle cx="300" cy="225" r="100" fill="lawngreen"/> + + <text x="300" y="250" + font-family="Verdana" + font-size="50" + text-anchor="middle"> + PASS + </text> +</svg> diff --git a/testing/web-platform/tests/content-security-policy/svg/including.sub.svg.sub.headers b/testing/web-platform/tests/content-security-policy/svg/including.sub.svg.sub.headers new file mode 100644 index 0000000000..0f3f281d90 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/svg/including.sub.svg.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: including={{$id:uuid()}}; Path=/content-security-policy/svg +Content-Security-Policy: script-src 'none'; diff --git a/testing/web-platform/tests/content-security-policy/svg/object-in-svg-foreignobject.sub.html b/testing/web-platform/tests/content-security-policy/svg/object-in-svg-foreignobject.sub.html new file mode 100644 index 0000000000..aa4f156953 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/svg/object-in-svg-foreignobject.sub.html @@ -0,0 +1,27 @@ +<!DOCTYPE html> +<html> +<head> + <title>Object inside SVG foreignobject respect csp</title> + <meta http-equiv="Content-Security-Policy" content="object-src 'none'"> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script> + async_test(function(t) { + document.addEventListener("securitypolicyviolation", t.step_func(function(e) { + if (e.blockedURI != "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/media/flash.swf") + return; + + assert_equals(e.violatedDirective, "object-src"); + t.done(); + })); + }, "Should throw a securitypolicyviolation"); + </script> +</head> +<body> + <svg> + <foreignObject> + <embed type="application/x-shockwave-flash" src="/content-security-policy/support/media/flash.swf"> + </foreignObject> + </svg> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/svg/scripted.svg b/testing/web-platform/tests/content-security-policy/svg/scripted.svg new file mode 100644 index 0000000000..5482831fa8 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/svg/scripted.svg @@ -0,0 +1,20 @@ +<?xml version="1.0" standalone="no"?> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" + "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> +<svg width="6cm" height="5cm" viewBox="0 0 600 500" + xmlns="http://www.w3.org/2000/svg" version="1.1"> + <desc>Example script01 - redirect</desc> + + <script id="postmessagescript" type="application/ecmascript"> <![CDATA[ + location = "/content-security-policy/support/postmessage-fail.html"; + ]]> </script> + + <circle cx="300" cy="225" r="100" fill="lawngreen"/> + + <text x="300" y="250" + font-family="Verdana" + font-size="50" + text-anchor="middle"> + PASS + </text> +</svg> diff --git a/testing/web-platform/tests/content-security-policy/svg/scripted.svg.sub.headers b/testing/web-platform/tests/content-security-policy/svg/scripted.svg.sub.headers new file mode 100644 index 0000000000..0e90e147ad --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/svg/scripted.svg.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: scripted={{$id:uuid()}}; Path=/content-security-policy/svg +Content-Security-Policy: script-src 'none'; diff --git a/testing/web-platform/tests/content-security-policy/svg/svg-from-guid.html b/testing/web-platform/tests/content-security-policy/svg/svg-from-guid.html new file mode 100644 index 0000000000..962cd88036 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/svg/svg-from-guid.html @@ -0,0 +1,51 @@ +<!DOCTYPE html> +<html> +<head> + <title>svg-from-guid</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script> + <script src="../support/alertAssert.sub.js?alerts=[]"></script> + <script> + window.addEventListener("message", function(event) { + alert_assert(event.data); + }, false); + window.addEventListener('load', function() { + setTimeout(function() { + log("TEST COMPLETE"); + }, 1); + }); + </script> +</head> + +<body> + <p>Tests that an SVG loaded in an iframe with a policy enforces it, not + the policy enforced by this parent frame. The SVG should render and + not redirect to a different resource.</p> + <!-- +<?xml version="1.0" standalone="no"?> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" + "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> +<svg width="6cm" height="5cm" viewBox="0 0 600 500" + xmlns="http://www.w3.org/2000/svg" version="1.1"> + <desc>Example script01 - redirect</desc> + + <script id="postmessagescript" type="application/ecmascript"> <![CDATA[ + location = "/content-security-policy/support/postmessage-fail.html"; + ]]> </script> + + <circle cx="300" cy="225" r="100" fill="lawngreen"/> + + <text x="300" y="250" + font-family="Verdana" + font-size="50" + text-anchor="middle"> + PASS + </text> +</svg> + --> + <iframe name="test_target" id="test_iframe" src="data:image/svg+xml;charset=utf-8;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pg0KPCFET0NUWVBFIHN2ZyBQVUJMSUMgIi0vL1czQy8vRFREIFNWRyAxLjEvL0VOIg0KICAiaHR0cDovL3d3dy53My5vcmcvR3JhcGhpY3MvU1ZHLzEuMS9EVEQvc3ZnMTEuZHRkIj4NCjxzdmcgd2lkdGg9IjZjbSIgaGVpZ2h0PSI1Y20iIHZpZXdCb3g9IjAgMCA2MDAgNTAwIg0KICAgICB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZlcnNpb249IjEuMSI+DQogIDxkZXNjPkV4YW1wbGUgc2NyaXB0MDEgLSByZWRpcmVjdDwvZGVzYz4NCg0KICA8c2NyaXB0IGlkPSJwb3N0bWVzc2FnZXNjcmlwdCIgdHlwZT0iYXBwbGljYXRpb24vZWNtYXNjcmlwdCI+IDwhW0NEQVRBWw0KICAgIGxvY2F0aW9uID0gIi9jb250ZW50LXNlY3VyaXR5LXBvbGljeS9ibGluay1jb250cmliL3Jlc291cmNlcy9wb3N0bWVzc2FnZS1mYWlsLmh0bWwiOw0KICBdXT4gPC9zY3JpcHQ+DQoNCiAgPGNpcmNsZSBjeD0iMzAwIiBjeT0iMjI1IiByPSIxMDAiIGZpbGw9Imxhd25ncmVlbiIvPg0KDQogIDx0ZXh0IHg9IjMwMCIgeT0iMjUwIg0KICAgICAgICBmb250LWZhbWlseT0iVmVyZGFuYSINCiAgICAgICAgZm9udC1zaXplPSI1MCINCiAgICAgICAgdGV4dC1hbmNob3I9Im1pZGRsZSI+DQogICAgICBQQVNTDQogICAgPC90ZXh0Pg0KPC9zdmc+"></iframe> + <div id="log"></div> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html b/testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html new file mode 100644 index 0000000000..16d03407fd --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html @@ -0,0 +1,41 @@ +<!DOCTYPE html> +<html> +<head> + <title>svg-policy-with-resource</title> + <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';"> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script> + var t_spv = async_test("Should fire violation event"); + window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { + assert_equals(e.violatedDirective, "script-src-elem"); + })); + </script> + +</head> + +<body> + <p>Tests that an SVG loaded in an iframe with a policy enforces it, not + the policy enforced by this parent frame. The SVG should render and + not redirect to a different resource.</p> + <div id="log"></div> + <?xml version="1.0" standalone="no"?> + + <svg width="6cm" height="5cm" viewBox="0 0 600 500" + xmlns="http://www.w3.org/2000/svg" version="1.1"> + + <script type="application/ecmascript" + xlink:href="http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/.js"> + </script> + + <circle cx="300" cy="225" r="100" fill="lawngreen"/> + + <text x="300" y="250" + font-family="Verdana" + font-size="50" + text-anchor="middle"> + PASS + </text> + </svg> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/svg/svg-policy-resource-doc-includes.html b/testing/web-platform/tests/content-security-policy/svg/svg-policy-resource-doc-includes.html new file mode 100644 index 0000000000..3ca6262405 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/svg/svg-policy-resource-doc-includes.html @@ -0,0 +1,29 @@ +<!DOCTYPE html> +<html> +<head> + <title>svg-policy-with-resource</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script> + <script src="../support/alertAssert.sub.js?alerts=[]"></script> + <script> + window.addEventListener("message", function(event) { + alert_assert(event.data); + }, false); + window.addEventListener('load', function() { + setTimeout(function() { + log("TEST COMPLETE"); + }, 0); + }); + </script> +</head> + +<body> + <p>Tests that an SVG loaded in an iframe with a policy enforces it, not + the policy enforced by this parent frame. The SVG should render and + not redirect to a different resource.</p> + <iframe name="test_target" id="test_iframe" src="scripted.svg"></iframe> + <div id="log"></div> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/svg/svg-policy-with-resource.html b/testing/web-platform/tests/content-security-policy/svg/svg-policy-with-resource.html new file mode 100644 index 0000000000..88ba0b3e65 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/svg/svg-policy-with-resource.html @@ -0,0 +1,30 @@ +<!DOCTYPE html> +<html> +<head> + <title>svg-policy-with-resource</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script> + <script src="../support/alertAssert.sub.js?alerts=[]"></script> + <script> + window.addEventListener("message", function(event) { + alert_assert(event.data); + }, false); + window.addEventListener('load', function() { + setTimeout(function() { + log("TEST COMPLETE"); + }, 0); + }); + </script> +</head> + +<body> + <p>Tests that an SVG loaded in an iframe with a policy enforces it, not + the policy enforced by this parent frame. The SVG should render and + not redirect to a different resource.</p> + <iframe name="test_target" id="test_iframe" src="scripted.svg"></iframe> + <object type="image/svg+xml" data="scripted.svg"></object> + <div id="log"></div> +</body> + +</html> |