diff options
Diffstat (limited to '')
9 files changed, 434 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html new file mode 100644 index 0000000000..c546a7a27f --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html @@ -0,0 +1,29 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <meta http-equiv="Content-Security-Policy" content="child-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> + <title>child-src-about-blank-allowed-by-default</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <p>These frames should not be blocked by Content-Security-Policy. + It's pointless to block about:blank iframes because + blocking a frame just results in displaying about:blank anyway! + </p> + <script> + var t = async_test("Check that frames load without throwing any violation events"); + window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have fired any events")); + </script> + + <iframe src="about:blank"></iframe> + <object type="text/html" data="about:blank"></object> + + <div id="log"></div> + + <script> + t.done(); + </script> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html new file mode 100644 index 0000000000..2de5484c0f --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html @@ -0,0 +1,25 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <meta http-equiv="Content-Security-Policy" content="child-src about:; script-src 'self' 'unsafe-inline'; connect-src 'self';"> + <title>child-src-about-blank-allowed-by-scheme</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <p>This frame should not be blocked by Content-Security-Policy. + </p> + <script> + var t = async_test("Check that frames load without throwing any violation events"); + window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have fired any events")); + </script> + + <iframe src="about:blank"></iframe> + <div id="log"></div> + + <script> + t.done(); + </script> +</body> + +</html>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html new file mode 100644 index 0000000000..3d4964e24b --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html @@ -0,0 +1,64 @@ +<!DOCTYPE html> +<html> + +<head> + <title>child-src-allowed</title> + <meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event."]'></script> + <script> + window.addEventListener("message", function(event) { + alert_assert(event.data); + }, false); + + window.addEventListener("securitypolicyviolation", function(e) { + alert_assert("Fail"); + }); + + var t_alert = async_test('Expecting alerts: ["PASS"]'); + var expected_alerts = ["PASS"]; + + function alert_assert(msg) { + t_alert.step(function() { + if (msg.match(/^FAIL/i)) { + assert_unreached(msg); + t_alert.done(); + } + for (var i = 0; i < expected_alerts.length; i++) { + if (expected_alerts[i] == msg) { + assert_equals(expected_alerts[i], msg); + expected_alerts.splice(i, 1); + if (expected_alerts.length == 0) { + t_alert.done(); + } + return; + } + } + assert_unreached('unexpected alert: ' + msg); + t_alert.done(); + }); + } + + </script> + <p> + This iframe should be allowed. + </p> + <script> + window.wasPostTestScriptParsed = true; + var loads = 0; + + function loadEvent() { + loads++; + log("PASS " + "IFrame #" + loads + " generated a load event."); + } + + </script> +</head> + +<body> + <iframe src="/content-security-policy/support/postmessage-pass.html" onload="loadEvent()"></iframe> + <div id="log"></div> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html new file mode 100644 index 0000000000..9141aeba46 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html @@ -0,0 +1,62 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <meta http-equiv="Content-Security-Policy" content="child-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> + <title>child-src-blocked</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event.", "violated-directive=frame-src"]'></script> + <script> + window.addEventListener("message", function(event) { + alert_assert(event.data); + }, false); + + window.addEventListener("securitypolicyviolation", function(e) { + log("violated-directive=" + e.violatedDirective); + }); + + function alert_assert(msg) { + t_log.step(function() { + if (msg.match(/^FAIL/i)) { + assert_unreached(msg); + t_log.done(); + } + for (var i = 0; i < expected_alerts.length; i++) { + if (expected_alerts[i] == msg) { + assert_equals(expected_alerts[i], msg); + expected_alerts.splice(i, 1); + if (expected_alerts.length == 0) { + t_log.done(); + } + return; + } + } + assert_unreached('unexpected alert: ' + msg); + t_log.done(); + }); + } + + </script> + <p> + IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS. + </p> + <script> + window.wasPostTestScriptParsed = true; + var loads = 0; + + function loadEvent() { + loads++; + log("PASS " + "IFrame #" + loads + " generated a load event."); + } + + </script> +</head> + +<body> + <iframe src="/content-security-policy/support/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe> + <div id="log"></div> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html new file mode 100644 index 0000000000..7f6f9294fa --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html @@ -0,0 +1,65 @@ +<!DOCTYPE html> +<html> +<head> + <title>child-src-blocked</title> + <meta http-equiv="Content-Security-Policy" content="frame-src 'none'; child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event.", "violated-directive=frame-src"]'></script> + <script> + window.addEventListener("message", function(event) { + alert_assert(event.data); + }, false); + + window.addEventListener("securitypolicyviolation", function(e) { + log("violated-directive=" + e.violatedDirective); + }); + + function alert_assert(msg) { + t_log.step(function() { + if (msg.match(/^FAIL/i)) { + assert_unreached(msg); + t_log.done(); + } + for (var i = 0; i < expected_alerts.length; i++) { + if (expected_alerts[i] == msg) { + assert_equals(expected_alerts[i], msg); + expected_alerts.splice(i, 1); + if (expected_alerts.length == 0) { + t_log.done(); + } + return; + } + } + assert_unreached('unexpected alert: ' + msg); + t_log.done(); + }); + } + + </script> + <!-- enforcing policy: +frame-src 'none'; child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; +--> + <p> + A more permissive child-src should not relax restrictions from a less- + permissive frame-src. Directives still combine for least privilege, even when + one obsoletes another. + </p> + <script> + window.wasPostTestScriptParsed = true; + var loads = 0; + + function loadEvent() { + loads++; + log("PASS " + "IFrame #" + loads + " generated a load event."); + } + + </script> +</head> + +<body> + <iframe src="/content-security-policy/support/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe> + <div id="log"></div> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html new file mode 100644 index 0000000000..192f69b854 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html @@ -0,0 +1,42 @@ +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<meta http-equiv="Content-Security-Policy" content="child-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self';"> </head> +<body></body> + +<script> +async_test(test => { + let count = 0; + window.addEventListener("message", test.step_func((event) => { + assert_equals(event.data, "PASS"); + count++; + assert_less_than_equal(count, 2); + if (count == 2) { + // Use a timeout, to let some time for additional messages to show up + // before declaring this test as completed. + test.step_timeout(() => test.done(), 1000); + } + })); +}, "Two of the three iframe are expected to load."); + +// IFrames blocked by CSP should generate a 'load', not 'error' event, +// regardless of blocked state. This means they appear to be normal +// cross-origin loads, thereby not leaking URL information directly to JS. +const runTest = (description, src) => { + async_test(test => { + const iframe = document.createElement("iframe"); + iframe.src = src; + iframe.onload = () => test.done(); + iframe.onerror = () => test.assert_unreached('unexpected onerror') + document.body.appendChild(iframe); + }, description); +}; + +runTest("Navigation in iframe allowed by child-src 'self'", + "/content-security-policy/support/postmessage-pass.html"); + +runTest("Navigation in iframe allowed by child-src explicit CSP source", + "http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-pass.html"); + +runTest("Navigation in iframe not allowed by child-src", + "http://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-fail.html"); +</script> diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-redirect-blocked.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-redirect-blocked.sub.html new file mode 100644 index 0000000000..d73284e20a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-redirect-blocked.sub.html @@ -0,0 +1,65 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> + <title>child-src-blocked</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event.", "violated-directive=frame-src"]'></script> + <script> + window.addEventListener("message", function(event) { + alert_assert(event.data); + }, false); + + window.addEventListener("securitypolicyviolation", function(e) { + log("violated-directive=" + e.violatedDirective); + }); + + function alert_assert(msg) { + t_log.step(function() { + if (msg.match(/^FAIL/i)) { + assert_unreached(msg); + t_log.done(); + } + for (var i = 0; i < expected_alerts.length; i++) { + if (expected_alerts[i] == msg) { + assert_equals(expected_alerts[i], msg); + expected_alerts.splice(i, 1); + if (expected_alerts.length == 0) { + t_log.done(); + } + return; + } + } + assert_unreached('unexpected alert: ' + msg); + t_log.done(); + }); + } + + </script> + <!-- enforcing policy: +child-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; +--> + <p> + IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS. + </p> + <script> + window.wasPostTestScriptParsed = true; + var loads = 0; + + function loadEvent() { + loads++; + log("PASS " + "IFrame #" + loads + " generated a load event."); + } + + </script> +</head> + +<body> + <iframe src="/common/redirect.py?location=http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe> + <div id="log"></div> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html new file mode 100644 index 0000000000..d02abaef19 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html @@ -0,0 +1,38 @@ +<!DOCTYPE html> +<html> + +<head> + <title>child-src-worker-allowed</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'unsafe-inline'; connect-src 'self';"> +</head> + +<body> + <p> This test used to check the child-src csp controlling worker creation. This behaviour has been deprecated but it's still supported + until the transition is done. This still tests that behaviour but we need to go through extra hoops to make sure 'script-src' + does not affect the result in any way (for instance by allowing 'self'). + </p> + <script> + async_test(function(t) { + document.addEventListener("securitypolicyviolation", t.step_func(function(e) { + if (e.blockedURI != "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/post-message.js") + return; + + assert_unreached("Should not throw a securitypolicyviolation"); + })); + + try { + var foo = new Worker('{{location[scheme]}}://{{location[host]}}/content-security-policy/support/post-message.js'); + foo.onmessage = function(event) { + t.done(); + }; + } catch (e) { + assert_unreached("Should not throw exception"); + } + }, "Worker is allowed because of deprecated 'child-src' directive"); + </script> + <div id="log"></div> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html new file mode 100644 index 0000000000..675cd95ea4 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html @@ -0,0 +1,44 @@ +<!DOCTYPE html> +<html> + +<head> + <title>child-src-worker-blocked</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <meta http-equiv="Content-Security-Policy" content="child-src 'none'; script-src 'unsafe-inline'; connect-src 'self';"> +</head> + +<body> + <p> This test used to check the child-src csp controlling worker creation. This behaviour has been deprecated but it's still supported + until the transition is done. This still tests that behaviour but we need to go through extra hoops to make sure 'script-src' + does not affect the result in any way (for instance by allowing 'self'). + </p> + <script> + async_test(function(t) { + document.addEventListener("securitypolicyviolation", t.step_func(function(e) { + if (e.blockedURI != "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/post-message.js") + return; + + assert_equals(e.violatedDirective, "worker-src"); + t.done(); + })); + }, "Should throw a securitypolicyviolation event"); + + async_test(function(t) { + try { + var foo = new Worker('{{location[scheme]}}://{{location[host]}}/content-security-policy/support/post-message.js'); + foo.onerror = function(event) { + event.preventDefault(); + t.done(); + } + foo.onmessage = function(event) { + assert_unreached("Should not be able to start worker"); + }; + } catch (e) { + t.done(); + } + }, "Should block worker because it does not match any directive including the deprecated 'child-src'"); + </script> + <div id="log"></div> +</body> +</html> |