Diffstat (limited to 'testing/web-platform/tests/content-security-policy/media-src')
8 files changed, 507 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html
new file mode 100644
index 0000000000..8fd094e955
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html
@@ -0,0 +1,48 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Video element src attribute must match src list - positive test</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self'">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Video element src attribute must match src list - positive test</h1>
+ <div id='log'></div>
+
+ <script>
+ var src_test = async_test("In-policy async video src");
+ var source_test = async_test("In-policy async video source element");
+ var t_spv = async_test("Should not fire policy violation events");
+ var test_count = 2;
+ window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have fired any event"));
+
+ function media_loaded(t) {
+ t.done();
+ if (--test_count <= 0) {
+ t_spv.done();
+ }
+ }
+
+ function media_error_handler(t) {
+ t.step( function () {
+ assert_unreached("Media error handler should be triggered for non-allowed domain.");
+ });
+ t.done();
+ }
+ </script>
+
+ <video id="videoObject" width="320" height="240" controls
+ onloadeddata="media_loaded(source_test)">
+ <source id="videoSourceObject"
+ type="video/ogg"
+ onerror="media_error_handler(source_test)"
+ src="/media/A4.ogv">
+ </video>
+ <video id="videoObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_test)"
+ onloadeddata="media_loaded(src_test)"
+ src="/media/A4.ogv">
+
+</body>
+</html>
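Review bot: The failure message in `media_error_handler` reads "Media error handler should be triggered for non-allowed domain.", which is the wording of the negative tests; in this positive test the handler firing means an in-policy `'self'` source failed to load. media-src-redir-bug.sub.html in this commit already uses the clearer `"Media error handler shouldn't be triggered for allowed domain."`, and the same wording would fit here and in media-src-7_2.html, which carries the same message. A misleading message costs time when triaging a CSP regression, because the log then points at the wrong expectation.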
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.sub.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.sub.html
new file mode 100644
index 0000000000..8312defb2e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.sub.html
@@ -0,0 +1,57 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Video element src attribute must match src list - negative test</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self';">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Video element src attribute must match src list - negative test</h1>
+ <div id='log'></div>
+
+ <script>
+ var src_test = async_test("Disallowed async video src");
+ var source_test = async_test("Disallowed async video source element");
+ var t_spv = async_test("Test that securitypolicyviolation events are fired");
+ var test_count = 2;
+ window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {
+ assert_equals(e.violatedDirective, "media-src");
+ assert_equals(e.blockedURI, mediaURL);
+ if (--test_count <= 0) {
+ t_spv.done();
+ }
+ }));
+
+ // we assume tests are run from 'hostname' and 'www.hostname' or 'www2.hostname' is a valid alias
+ var mediaURL = location.protocol + "//{{domains[www2]}}:{{ports[http][0]}}/media/A4.ogv";
+
+ function media_loaded(t) {
+ t.step( function () {
+ assert_unreached("Media error handler should be triggered for non-allowed domain.");
+ });
+ t.done();
+ }
+
+ function media_error_handler(t) {
+ t.done();
+ }
+ </script>
+
+ <video id="videoObject" width="320" height="240" controls
+ onloadeddata="media_loaded(source_test)">
+ <source id="videoSourceObject"
+ type="video/ogg"
+ onerror="media_error_handler(source_test)">
+ </video>
+ <video id="videoObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_test)"
+ onloadeddata="media_loaded(src_test)">
+
+ <script>
+ document.getElementById("videoSourceObject").src = mediaURL;
+ document.getElementById("videoObject2").src = mediaURL;
+ </script>
+
+</body>
+</html>
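Review bot: `media_error_handler` completes `src_test` and `source_test` on any `error` event, so those two subtests pass whenever the www2 media URL fails to load, including for reasons unrelated to CSP (host alias not resolving, wrong port, missing file). Only the `securitypolicyviolation` listener checks that `media-src 'self'` did the blocking. Consider tying each subtest to its violation event, as media-src-blocked.sub.html in this commit does with `source.onerror = () => { resolve(violationPromise); };`, or at least add a comment such as `// onerror alone does not prove a CSP block; t_spv carries that assertion`. media-src-7_2_2.sub.html has the same structure.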
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html
new file mode 100644
index 0000000000..0486c8738d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html
@@ -0,0 +1,48 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Audio element src attribute must match src list - positive test</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self';">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Audio element src attribute must match src list - positive test</h1>
+ <div id='log'></div>
+
+ <script>
+ var src_test = async_test("In-policy audio src");
+ var source_test = async_test("In-policy audio source element");
+ var t_spv = async_test("Should not fire policy violation events");
+ var test_count = 2;
+ window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have fired any event"));
+
+ function media_loaded(t) {
+ t.done();
+ if (--test_count <= 0) {
+ t_spv.done();
+ }
+ }
+
+ function media_error_handler(t) {
+ t.step( function () {
+ assert_unreached("Media error handler should be triggered for non-allowed domain.");
+ });
+ t.done();
+ }
+ </script>
+
+ <audio id="audioObject" width="320" height="240" controls
+ onloadeddata="media_loaded(source_test)">
+ <source id="audioSourceObject"
+ type="audio/ogg"
+ onerror="media_error_handler(source_test)"
+ src="/media/sound_5.oga">
+ </audio>
+ <audio id="audioObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_test)"
+ onloadeddata="media_loaded(src_test)"
+ src="/media/sound_5.oga">
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.sub.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.sub.html
new file mode 100644
index 0000000000..e1626eec5a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.sub.html
@@ -0,0 +1,57 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Audio element src attribute must match src list - negative test</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self';">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Audio element src attribute must match src list - negative test</h1>
+ <div id='log'></div>
+
+ <script>
+ var src_test = async_test("Disallaowed audio src");
+ var source_test = async_test("Disallowed audio source element");
+ var t_spv = async_test("Test that securitypolicyviolation events are fired");
+ var test_count = 2;
+ window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {
+ assert_equals(e.violatedDirective, "media-src");
+ assert_equals(e.blockedURI, mediaURL);
+ if (--test_count <= 0) {
+ t_spv.done();
+ }
+ }));
+
+ // we assume tests are run from 'hostname' and 'www.hostname' or 'www2.hostname' is a valid alias
+ var mediaURL = location.protocol + "//{{domains[www2]}}:{{ports[http][0]}}/media/sound_5.oga";
+
+ function media_loaded(t) {
+ t.step( function () {
+ assert_unreached("Media error handler should be triggered for non-allowed domain.");
+ });
+ t.done();
+ }
+
+ function media_error_handler(t) {
+ t.done();
+ }
+ </script>
+
+ <audio id="audioObject" width="320" height="240" controls
+ onloadeddata="media_loaded(source_test)">
+ <source id="audioSourceObject"
+ type="audio/ogg"
+ onerror="media_error_handler(source_test)">
+ </audio>
+ <audio id="audioObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_test)"
+ onloadeddata="media_loaded(src_test)">
+
+ <script>
+ document.getElementById("audioSourceObject").src = mediaURL;
+ document.getElementById("audioObject2").src = mediaURL;
+ </script>
+
+</body>
+</html>
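Review bot: The subtest name `"Disallaowed audio src"` is misspelled; it should read `async_test("Disallowed audio src")`, which is the name media-src-blocked.sub.html in this commit uses for the same case. Subtest names are typically what result dashboards and expectation files key on, so the spelling is cheapest to fix before the name is recorded anywhere.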
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.sub.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.sub.html
new file mode 100644
index 0000000000..46489e2668
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.sub.html
@@ -0,0 +1,53 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Video track src attribute must match src list - positive test</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self' {{domains[www]}}:{{ports[http][0]}};">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Video track src attribute must match src list - positive test</h1>
+ <div id='log'></div>
+
+ <script>
+ var source_test = async_test("In-policy track element");
+
+ var trackURL = location.protocol + "//{{domains[www]}}:{{ports[http][0]}}/media/foo.vtt";
+
+ var t_spv = async_test("Should not fire policy violation events");
+ var test_count = 1;
+ window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have fired any event"));
+
+ function media_loaded(t) {
+ t.done();
+ if (--test_count <= 0) {
+ t_spv.done();
+ }
+ }
+
+ function media_error_handler(t) {
+ t.step( function () {
+ assert_unreached("Error handler called for allowed track source.");
+ });
+ t.done();
+ }
+ </script>
+
+ <video id="videoObject" width="320" height="240" controls
+ onloadeddata="media_loaded(source_test)" crossorigin>
+ <source id="audioSourceObject"
+ type="audio/ogg"
+ src="/media/A4.ogv">
+ <track id="trackObject"
+ kind="subtitles"
+ srclang="en"
+ label="English"
+ onerror="media_error_handler(source_test)">
+ </video>
+ <script>
+ document.getElementById("trackObject").src = trackURL;
+ </script>
+
+</body>
+</html>
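Review bot: The "In-policy track element" subtest finishes from `onloadeddata` on the `<video>`, which reflects the video's own media data, so it can pass without the cross-origin `foo.vtt` ever being requested. The `<track>` here has no `default` attribute and no `onload` handler (the negative counterpart media-src-7_3_2.sub.html has both), so nothing visible in this file forces the track fetch or observes its success. Adding `default` and `onload="media_loaded(source_test)"` to the `<track>`, and dropping the video-level `onloadeddata`, would make the test exercise the allowed `{{domains[www]}}` source. The `<source>` also labels `/media/A4.ogv` as `type="audio/ogg"`, which looks like a copy-paste leftover.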
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.sub.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.sub.html
new file mode 100644
index 0000000000..431a58608a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.sub.html
@@ -0,0 +1,72 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Video track src attribute must match src list - negative test</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self';">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Video track src attribute must match src list - negative test</h1>
+ <div id='log'></div>
+
+ <script>
+ var source_test =
+ async_test("Disallowed track element onerror handler fires.");
+
+ var trackURL = location.protocol + "//{{domains[www]}}:{{ports[http][0]}}/media/foo.vtt";
+
+ var t_spv = async_test("Test that securitypolicyviolation events are fired");
+ var test_count = 1;
+ window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {
+ assert_equals(e.violatedDirective, "media-src");
+ assert_equals(e.blockedURI, trackURL);
+ if (--test_count <= 0) {
+ t_spv.done();
+ }
+ }));
+
+
+ function media_loaded(t) {
+ t.step( function () {
+ assert_unreached("Disllowed track source loaded.");
+ });
+ t.done();
+ }
+
+ function media_error_handler(t) {
+ t.done();
+ }
+ </script>
+
+ <video id="videoObject" width="320" height="240" controls
+ onerror="media_error_handler(source_test)"
+ crossorigin>
+ <source id="audioSourceObject"
+ type="audio/ogg"
+ src="/media/A4.ogv">
+ <track default
+ id="trackObject"
+ kind="subtitles"
+ srclang="en"
+ label="English"
+ onerror="media_error_handler(source_test)"
+ onload="media_loaded(source_test)"
+ onloadeddata="media_loaded(source_test)">
+ </video>
+ <script>
+ document.getElementById("trackObject").src = trackURL;
+ source_test.step(function() {
+ source_test.set_status(source_test.FAIL);
+ });
+
+ setTimeout(function() {
+ if(source_test.phase != source_test.phases.COMPLETE) {
+ source_test.step( function () { assert_unreached("Onerror event never fired for track element."); });
+ source_test.done();
+ }
+ }, 2 * 1000);
+ </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-blocked.sub.html
new file mode 100644
index 0000000000..b2b57dec64
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-blocked.sub.html
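Review bot: The fallback at the end of media-src-7_3_2.sub.html uses a bare `setTimeout(..., 2 * 1000)`, which does not scale with the harness timeout multiplier and can report a false failure on a slow runner where the track `error` event arrives late; testharness.js provides `source_test.step_timeout(function() { ... }, 2000)` for this. Separately, `onerror="media_error_handler(source_test)"` is also set on the `<video>` itself, so an error unrelated to the track would complete the track subtest as passed. The failure string `"Disllowed track source loaded."` has a typo (`Disallowed`).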
@@ -0,0 +1,101 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Media element src attribute must match src list - 'none' negative test</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'none'; connect-src 'self';">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='/common/get-host-info.sub.js'></script>
+</head>
+<body>
+ <h1>Media element src attribute must match src list - 'none' negative test</h1>
+ <div id='log'></div>
+
+ <script>
+ const otherOrigin = get_host_info().OTHER_ORIGIN;
+ const audioUrl = otherOrigin + "/media/sound_5.oga";
+ const videoUrl = otherOrigin + "/media/A4.ogv";
+
+ // Asynchronously returns the next `securitypolicyviolation` event.
+ async function nextViolation() {
+ return await new Promise((resolve) => {
+ window.addEventListener("securitypolicyviolation", resolve, {
+ once: true,
+ });
+ });
+ }
+
+ promise_test(t => new Promise((resolve, reject) => {
+ const violationPromise = nextViolation();
+
+ const video = document.createElement("video");
+ video.type = "video/ogg";
+ video.src = videoUrl;
+ video.onloadeddata = reject;
+ video.onerror = () => { resolve(violationPromise); };
+
+ document.body.appendChild(video);
+ }).then((violation) => {
+ assert_equals(violation.violatedDirective, "media-src", "directive");
+ assert_equals(violation.blockedURI, videoUrl, "blocked URI");
+ }), "Disallowed async video src");
+
+ promise_test(t => new Promise((resolve, reject) => {
+ const violationPromise = nextViolation();
+
+ const video = document.createElement("video");
+ video.oncanplay = reject;
+ video.onloadedmetadata = reject;
+ video.onloadeddata = reject;
+
+ const source = document.createElement("source");
+ source.type = "video/ogg";
+ source.src = videoUrl;
+ source.onerror = () => { resolve(violationPromise); };
+
+ video.appendChild(source);
+ document.body.appendChild(video);
+ }).then((violation) => {
+ assert_equals(violation.violatedDirective, "media-src", "directive");
+ assert_equals(violation.blockedURI, videoUrl, "blocked URI");
+ }), "Disallowed async video source element");
+
+ promise_test(t => new Promise((resolve, reject) => {
+ const violationPromise = nextViolation();
+
+ const audio = document.createElement("audio");
+ audio.type = "audio/ogg";
+ audio.src = audioUrl;
+ audio.oncanplay = reject;
+ audio.onloadedmetadata = reject;
+ audio.onloadeddata = reject;
+ audio.onerror = () => { resolve(violationPromise); };
+
+ document.body.appendChild(audio);
+ }).then((violation) => {
+ assert_equals(violation.violatedDirective, "media-src", "directive");
+ assert_equals(violation.blockedURI, audioUrl, "blocked URI");
+ }), "Disallowed audio src");
+
+ promise_test(t => new Promise((resolve, reject) => {
+ const violationPromise = nextViolation();
+
+ const audio = document.createElement("audio");
+ audio.oncanplay = reject;
+ audio.onloadedmetadata = reject;
+ audio.onloadeddata = reject;
+
+ const source = document.createElement("source");
+ source.type = "audio/ogg";
+ source.src = audioUrl;
+ source.onerror = () => { resolve(violationPromise); };
+
+ audio.appendChild(source);
+ document.body.appendChild(audio);
+ }).then((violation) => {
+ assert_equals(violation.violatedDirective, "media-src", "directive");
+ assert_equals(violation.blockedURI, audioUrl, "blocked URI");
+ }), "Disallowed audio source element");
+ </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html
new file mode 100644
index 0000000000..a0708bf5ed
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html
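Review bot: The first `promise_test` in media-src-blocked.sub.html ("Disallowed async video src") rejects only on `video.onloadeddata`, while the other three cases also reject on `oncanplay` and `onloadedmetadata`; adding `video.oncanplay = reject;` and `video.onloadedmetadata = reject;` would keep the four cases equivalent. `video.type = "video/ogg"` and `audio.type = "audio/ogg"` set a property that media elements do not define (`type` belongs to `<source>`), so those lines have no effect and could be dropped. The `t` argument is unused; something like `t.add_cleanup(() => video.remove());` would stop elements from earlier cases lingering in the document while later cases wait for their own violation event.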
@@ -0,0 +1,71 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Video element src attribute must match src list - positive test</title>
+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src http://{{domains[www2]}}:{{ports[http][0]}}/ 'self'; connect-src 'self';">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Video element in media-src list - redirect test</h1>
+ <div id='log'></div>
+
+ <p>This test tests a buggy interaction in Chrome 46. Two hosts (self and www2) are both allowed
+ as media-src, but only one (self) is allowed for connect-src. If a video src starts on
+ an allowed host (self), and is redirected to another allowed media-src host, it should succeed. But a bug
+ causes the redirect to be done in a fetch context to which connect-src is being applied instead, so
+ the load is blocked. (This test passes in Firefox 45, modulo an event listener not firing.)</p>
+
+ <script>
+ var src_test = async_test("In-policy async video src");
+ var src_redir_test = async_test("in-policy async video src w/redir")
+ var source_test = async_test("In-policy async video source element");
+ var source_redir_test = async_test("In-policy async video source element w/redir");
+
+ var t_spv = async_test("Should not fire policy violation events");
+ var test_count = 4;
+ window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have fired any event"));
+
+ function media_loaded(t) {
+ t.done();
+ if (--test_count <= 0) {
+ t_spv.done();
+ }
+ }
+
+ function media_error_handler(t) {
+ t.step( function () {
+ assert_unreached("Media error handler shouldn't be triggered for allowed domain.");
+ });
+ t.done();
+ }
+ </script>
+
+ <video id="videoObject" width="320" height="240" controls
+ onloadeddata="media_loaded(source_test)">
+ <source id="videoSourceObject"
+ type="video/ogg"
+ onerror="media_error_handler(source_test)"
+ src="http://{{domains[www2]}}:{{ports[http][0]}}/media/A4.ogv">
+ </video>
+
+ <video id="videoObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_test)"
+ onloadeddata="media_loaded(src_test)"
+ src="http://{{domains[www2]}}:{{ports[http][0]}}/media/A4.ogv">
+
+ <video id="videoObject3" width="320" height="240" controls
+ onloadeddata="media_loaded(source_redir_test)">
+ <source id="videoSourceObject"
+ type="video/ogg"
+ onerror="media_error_handler(source_test)"
+ src="/common/redirect.py?location=http://{{domains[www2]}}:{{ports[http][0]}}/media/A4.ogv">
+ </video>
+
+ <video id="videoObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_redir_test)"
+ onloadeddata="media_loaded(src_redir_test)"
+ src="/common/redirect.py?location=http://{{domains[www2]}}:{{ports[http][0]}}/media/A4.ogv">
+
+</body>
+</html> |
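Review bot: The `<source>` inside `videoObject3` calls `media_error_handler(source_test)`, but that video reports success to `source_redir_test`; a blocked redirect would therefore be logged against the non-redirect subtest, and `source_redir_test` would only time out instead of failing with a message. It should be `onerror="media_error_handler(source_redir_test)"`. The ids `videoSourceObject` and `videoObject2` are each used twice in this file, and the `<title>` still says "positive test" while the `<h1>` says "redirect test". `async_test("in-policy async video src w/redir")` is also missing its trailing semicolon.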