summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/content-security-policy/svg
diff options
context:
space:
mode:
Diffstat (limited to 'testing/web-platform/tests/content-security-policy/svg')
-rw-r--r--testing/web-platform/tests/content-security-policy/svg/including.sub.svg19
-rw-r--r--testing/web-platform/tests/content-security-policy/svg/including.sub.svg.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/svg/object-in-svg-foreignobject.sub.html27
-rw-r--r--testing/web-platform/tests/content-security-policy/svg/scripted.svg20
-rw-r--r--testing/web-platform/tests/content-security-policy/svg/scripted.svg.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/svg/svg-from-guid.html51
-rw-r--r--testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html41
-rw-r--r--testing/web-platform/tests/content-security-policy/svg/svg-policy-resource-doc-includes.html29
-rw-r--r--testing/web-platform/tests/content-security-policy/svg/svg-policy-with-resource.html30
9 files changed, 229 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/svg/including.sub.svg b/testing/web-platform/tests/content-security-policy/svg/including.sub.svg
new file mode 100644
index 0000000000..51215d9044
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/including.sub.svg
@@ -0,0 +1,19 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+ "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="6cm" height="5cm" viewBox="0 0 600 500"
+ xmlns="http://www.w3.org/2000/svg" version="1.1"
+ xmlns:xlink="http://www.w3.org/1999/xlink">
+ <desc>using SVG as a resource doc should apply this doc's CSP</desc>
+
+ <use xlink:href="scripted.svg#postmessagescript" />
+
+ <circle cx="300" cy="225" r="100" fill="lawngreen"/>
+
+ <text x="300" y="250"
+ font-family="Verdana"
+ font-size="50"
+ text-anchor="middle">
+ PASS
+ </text>
+</svg>
diff --git a/testing/web-platform/tests/content-security-policy/svg/including.sub.svg.sub.headers b/testing/web-platform/tests/content-security-policy/svg/including.sub.svg.sub.headers
new file mode 100644
index 0000000000..0f3f281d90
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/including.sub.svg.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: including={{$id:uuid()}}; Path=/content-security-policy/svg
+Content-Security-Policy: script-src 'none';
diff --git a/testing/web-platform/tests/content-security-policy/svg/object-in-svg-foreignobject.sub.html b/testing/web-platform/tests/content-security-policy/svg/object-in-svg-foreignobject.sub.html
new file mode 100644
index 0000000000..aa4f156953
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/object-in-svg-foreignobject.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>Object inside SVG foreignobject respect csp</title>
+ <meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script>
+ async_test(function(t) {
+ document.addEventListener("securitypolicyviolation", t.step_func(function(e) {
+ if (e.blockedURI != "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/media/flash.swf")
+ return;
+
+ assert_equals(e.violatedDirective, "object-src");
+ t.done();
+ }));
+ }, "Should throw a securitypolicyviolation");
+ </script>
+</head>
+<body>
+ <svg>
+ <foreignObject>
+ <embed type="application/x-shockwave-flash" src="/content-security-policy/support/media/flash.swf">
+ </foreignObject>
+ </svg>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/svg/scripted.svg b/testing/web-platform/tests/content-security-policy/svg/scripted.svg
new file mode 100644
index 0000000000..5482831fa8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/scripted.svg
@@ -0,0 +1,20 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+ "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="6cm" height="5cm" viewBox="0 0 600 500"
+ xmlns="http://www.w3.org/2000/svg" version="1.1">
+ <desc>Example script01 - redirect</desc>
+
+ <script id="postmessagescript" type="application/ecmascript"> <![CDATA[
+ location = "/content-security-policy/support/postmessage-fail.html";
+ ]]> </script>
+
+ <circle cx="300" cy="225" r="100" fill="lawngreen"/>
+
+ <text x="300" y="250"
+ font-family="Verdana"
+ font-size="50"
+ text-anchor="middle">
+ PASS
+ </text>
+</svg>
diff --git a/testing/web-platform/tests/content-security-policy/svg/scripted.svg.sub.headers b/testing/web-platform/tests/content-security-policy/svg/scripted.svg.sub.headers
new file mode 100644
index 0000000000..0e90e147ad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/scripted.svg.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripted={{$id:uuid()}}; Path=/content-security-policy/svg
+Content-Security-Policy: script-src 'none';
diff --git a/testing/web-platform/tests/content-security-policy/svg/svg-from-guid.html b/testing/web-platform/tests/content-security-policy/svg/svg-from-guid.html
new file mode 100644
index 0000000000..962cd88036
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/svg-from-guid.html
@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>svg-from-guid</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ log("TEST COMPLETE");
+ }, 1);
+ });
+ </script>
+</head>
+
+<body>
+ <p>Tests that an SVG loaded in an iframe with a policy enforces it, not
+ the policy enforced by this parent frame. The SVG should render and
+ not redirect to a different resource.</p>
+ <!--
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+ "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="6cm" height="5cm" viewBox="0 0 600 500"
+ xmlns="http://www.w3.org/2000/svg" version="1.1">
+ <desc>Example script01 - redirect</desc>
+
+ <script id="postmessagescript" type="application/ecmascript"> <![CDATA[
+ location = "/content-security-policy/support/postmessage-fail.html";
+ ]]> </script>
+
+ <circle cx="300" cy="225" r="100" fill="lawngreen"/>
+
+ <text x="300" y="250"
+ font-family="Verdana"
+ font-size="50"
+ text-anchor="middle">
+ PASS
+ </text>
+</svg>
+ -->
+ <iframe name="test_target" id="test_iframe" src="data:image/svg+xml;charset=utf-8;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pg0KPCFET0NUWVBFIHN2ZyBQVUJMSUMgIi0vL1czQy8vRFREIFNWRyAxLjEvL0VOIg0KICAiaHR0cDovL3d3dy53My5vcmcvR3JhcGhpY3MvU1ZHLzEuMS9EVEQvc3ZnMTEuZHRkIj4NCjxzdmcgd2lkdGg9IjZjbSIgaGVpZ2h0PSI1Y20iIHZpZXdCb3g9IjAgMCA2MDAgNTAwIg0KICAgICB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZlcnNpb249IjEuMSI+DQogIDxkZXNjPkV4YW1wbGUgc2NyaXB0MDEgLSByZWRpcmVjdDwvZGVzYz4NCg0KICA8c2NyaXB0IGlkPSJwb3N0bWVzc2FnZXNjcmlwdCIgdHlwZT0iYXBwbGljYXRpb24vZWNtYXNjcmlwdCI+IDwhW0NEQVRBWw0KICAgIGxvY2F0aW9uID0gIi9jb250ZW50LXNlY3VyaXR5LXBvbGljeS9ibGluay1jb250cmliL3Jlc291cmNlcy9wb3N0bWVzc2FnZS1mYWlsLmh0bWwiOw0KICBdXT4gPC9zY3JpcHQ+DQoNCiAgPGNpcmNsZSBjeD0iMzAwIiBjeT0iMjI1IiByPSIxMDAiIGZpbGw9Imxhd25ncmVlbiIvPg0KDQogIDx0ZXh0IHg9IjMwMCIgeT0iMjUwIg0KICAgICAgICBmb250LWZhbWlseT0iVmVyZGFuYSINCiAgICAgICAgZm9udC1zaXplPSI1MCINCiAgICAgICAgdGV4dC1hbmNob3I9Im1pZGRsZSI+DQogICAgICBQQVNTDQogICAgPC90ZXh0Pg0KPC9zdmc+"></iframe>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html b/testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html
new file mode 100644
index 0000000000..16d03407fd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>svg-policy-with-resource</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script>
+ var t_spv = async_test("Should fire violation event");
+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+ assert_equals(e.violatedDirective, "script-src-elem");
+ }));
+ </script>
+
+</head>
+
+<body>
+ <p>Tests that an SVG loaded in an iframe with a policy enforces it, not
+ the policy enforced by this parent frame. The SVG should render and
+ not redirect to a different resource.</p>
+ <div id="log"></div>
+ <?xml version="1.0" standalone="no"?>
+
+ <svg width="6cm" height="5cm" viewBox="0 0 600 500"
+ xmlns="http://www.w3.org/2000/svg" version="1.1">
+
+ <script type="application/ecmascript"
+ xlink:href="http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/.js">
+ </script>
+
+ <circle cx="300" cy="225" r="100" fill="lawngreen"/>
+
+ <text x="300" y="250"
+ font-family="Verdana"
+ font-size="50"
+ text-anchor="middle">
+ PASS
+ </text>
+ </svg>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/svg/svg-policy-resource-doc-includes.html b/testing/web-platform/tests/content-security-policy/svg/svg-policy-resource-doc-includes.html
new file mode 100644
index 0000000000..3ca6262405
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/svg-policy-resource-doc-includes.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>svg-policy-with-resource</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ log("TEST COMPLETE");
+ }, 0);
+ });
+ </script>
+</head>
+
+<body>
+ <p>Tests that an SVG loaded in an iframe with a policy enforces it, not
+ the policy enforced by this parent frame. The SVG should render and
+ not redirect to a different resource.</p>
+ <iframe name="test_target" id="test_iframe" src="scripted.svg"></iframe>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/svg/svg-policy-with-resource.html b/testing/web-platform/tests/content-security-policy/svg/svg-policy-with-resource.html
new file mode 100644
index 0000000000..88ba0b3e65
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/svg-policy-with-resource.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>svg-policy-with-resource</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ log("TEST COMPLETE");
+ }, 0);
+ });
+ </script>
+</head>
+
+<body>
+ <p>Tests that an SVG loaded in an iframe with a policy enforces it, not
+ the policy enforced by this parent frame. The SVG should render and
+ not redirect to a different resource.</p>
+ <iframe name="test_target" id="test_iframe" src="scripted.svg"></iframe>
+ <object type="image/svg+xml" data="scripted.svg"></object>
+ <div id="log"></div>
+</body>
+
+</html>