diff options
Diffstat (limited to '')
24 files changed, 322 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/iframe-inside-csp.sub.html b/testing/web-platform/tests/content-security-policy/sandbox/iframe-inside-csp.sub.html new file mode 100644 index 0000000000..cd402bdba0 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/iframe-inside-csp.sub.html @@ -0,0 +1,18 @@ +<html> +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'self'; connect-src 'self';"> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["PASS (1/2): Script can execute","PASS (2/2): Eval works"]'></script> + <script src='../support/alertAssert.sub.js?alerts=[]'></script> +</head> +<body> + <script> + window.onmessage = function(e) { + log(e.data); + } + </script> + <iframe src="support/sandboxed-eval.sub.html"></iframe> +</body> +</html>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/sandbox/meta-element.sub.html b/testing/web-platform/tests/content-security-policy/sandbox/meta-element.sub.html new file mode 100644 index 0000000000..cd8da8f14c --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/meta-element.sub.html @@ -0,0 +1,46 @@ +<!DOCTYPE html> +<meta charset="utf-8"> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<meta content="sandbox allow-scripts" http-equiv="Content-Security-Policy"> +<body> +<iframe id="iframe"></iframe> +<script> +// According to +// https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv-content-security-policy +// `sandbox` directives must be ignored when delivered via `<meta>`. +test(() => { + assert_equals(location.origin, "{{location[scheme]}}://{{location[host]}}"); +}, "Document shouldn't be sandboxed by <meta>"); + +// Note: sandbox directive for workers are not yet specified. +// https://github.com/w3c/webappsec-csp/issues/279 +// Anyway workers shouldn't be affected by sandbox directives in `<meta>`. +async_test(t => { + const worker = new Worker("support/post-origin-on-load-worker.js"); + worker.onerror = t.unreached_func("Worker construction failed"); + worker.onmessage = t.step_func_done(e => { + assert_equals(e.data, "{{location[scheme]}}://{{location[host]}}"); + }); +}, "Worker shouldn't be sandboxed by inheriting <meta>"); + +parent.async_test(t => { + // Although <iframe about:blank> should inherit parent's CSP, + // sandbox directives in <meta> should be ignored in the first place, + // so workers created from such <iframe>s shouldn't also be sandboxed. + const iframeDocument = document.querySelector("#iframe").contentDocument; + const script = iframeDocument.createElement("script"); + script.innerText = ` + const worker = new Worker("support/post-origin-on-load-worker.js"); + worker.onerror = () => parent.postMessage("onerror", "*"); + worker.onmessage = (e) => parent.postMessage(e.data, "*"); + `; + iframeDocument.body.appendChild(script); + + // Receive message from <iframe>. + onmessage = t.step_func_done(e => { + assert_equals(e.data, "{{location[scheme]}}://{{location[host]}}"); + }); +}, "Worker shouldn't be sandboxed when created <iframe> inheriting parent's CSP with sandbox <meta>"); +</script> +</body> diff --git a/testing/web-platform/tests/content-security-policy/sandbox/sandbox-allow-scripts-subframe.sub.html b/testing/web-platform/tests/content-security-policy/sandbox/sandbox-allow-scripts-subframe.sub.html new file mode 100644 index 0000000000..1d6db3cde7 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/sandbox-allow-scripts-subframe.sub.html @@ -0,0 +1,22 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["Message"]'></script> + <script src="../support/alertAssert.sub.js?alerts=[]"></script> +</head> + +<body> + <script> + window.onmessage = function(e) { + log(e.data); + } + </script> + + <iframe src="support/sandboxed-data-iframe.sub.html?sandbox=allow-scripts"></iframe> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/sandbox/sandbox-allow-scripts.sub.html b/testing/web-platform/tests/content-security-policy/sandbox/sandbox-allow-scripts.sub.html new file mode 100644 index 0000000000..e58402e4ba --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/sandbox-allow-scripts.sub.html @@ -0,0 +1,22 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["Message"]'></script> + <script src="../support/alertAssert.sub.js?alerts=[]"></script> +</head> + +<body> + <script> + window.onmessage = function(e) { + log(e.data); + } + </script> + + <iframe src="support/sandboxed-post-message-to-parent.html?sandbox=allow-scripts"></iframe> +</body> + +</html>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/sandbox/sandbox-empty-subframe.sub.html b/testing/web-platform/tests/content-security-policy/sandbox/sandbox-empty-subframe.sub.html new file mode 100644 index 0000000000..3396e566b8 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/sandbox-empty-subframe.sub.html @@ -0,0 +1,23 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["PASS2"]'></script> + <script src="../support/alertAssert.sub.js?alerts=[]"></script> +</head> + +<body> + <script> + window.onmessage = function(e) { + log(e.data); + } + </script> + + <iframe src="support/sandboxed-data-iframe.sub.html?sandbox=" + onload="log('PASS2')"></iframe> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/sandbox/sandbox-empty.sub.html b/testing/web-platform/tests/content-security-policy/sandbox/sandbox-empty.sub.html new file mode 100644 index 0000000000..4703471020 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/sandbox-empty.sub.html @@ -0,0 +1,25 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["PASS2"]'></script> + <script src="../support/alertAssert.sub.js?alerts=[]"></script> +</head> + +<body> + <p>This test passes if it does alert pass.</p> + + <script> + window.onmessage = function(e) { + log(e.data); + } + </script> + + <iframe src="support/sandboxed-post-message-to-parent.sub.html?sandbox=" + onload="log('PASS2')"></iframe> +</body> + +</html>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/sandbox/service-worker-sandbox.https.html b/testing/web-platform/tests/content-security-policy/sandbox/service-worker-sandbox.https.html new file mode 100644 index 0000000000..8b7d72e0ef --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/service-worker-sandbox.https.html @@ -0,0 +1,67 @@ +<!DOCTYPE html> +<meta charset="utf-8"> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script src="/service-workers/service-worker/resources/test-helpers.sub.js"></script> +<body> +<script> +let frame = null; +let worker = null; +const scope = 'support/empty.html'; +const script = 'support/sandboxed-service-worker.js'; + +// Currently, sandbox directives for workers are not specified +// https://github.com/w3c/webappsec-csp/issues/279 +// and thus this test asserts that the origin of ServiceWorker is not sandboxed. + +// Global setup: this must be the first promise_test. +promise_test(async (t) => { + const registration = + await service_worker_unregister_and_register(t, script, scope); + worker = registration.installing; + await wait_for_state(t, worker, 'activated'); + frame = await with_iframe(scope); + + // Global cleanup: the final promise_test. + promise_test(() => { + if (frame) + frame.remove(); + return registration.unregister(); + }, 'global cleanup'); +}, 'global setup'); + +promise_test(async (t) => { + const r = await frame.contentWindow.fetch('/get-origin', {mode: 'cors'}); + const j = await r.json(); + assert_equals(j.origin, location.origin, 'Origin should not be sandboxed'); +}, 'Origin of service worker'); + +promise_test(async (t) => { + const r = await frame.contentWindow.fetch('/get-origin', + {mode: 'same-origin'}); + const j = await r.json(); + assert_equals(j.origin, location.origin, 'Origin should not be opaque'); +}, 'Response generated by service worker can be fetched as same-origin'); + +// Because the origin of service worker should be `location.origin`, +// fetches from service worker to `location.origin` should be successful. +for (const mode of ['same-origin', 'cors']) { + for (const hasACAOrigin of [true, false]) { + promise_test(async (t) => { + const final_url = new URL('/fetch/api/resources/', location); + final_url.pathname += hasACAOrigin ? 'cors-top.txt' : 'top.txt'; + final_url.searchParams.set('hash', Math.random()); + + const url = new URL('/fetch', location); + url.searchParams.set('url', final_url); + url.searchParams.set('hash', Math.random()); + const r = await frame.contentWindow.fetch(url, {mode}); + const text = await r.text(); + assert_equals(text, 'top'); + }, 'Origin used in fetch on service worker (mode: ' + + mode + + (hasACAOrigin ? ', with ACAOrigin' : '') + + ')'); + } +} +</script> diff --git a/testing/web-platform/tests/content-security-policy/sandbox/shared-worker-sandbox.html b/testing/web-platform/tests/content-security-policy/sandbox/shared-worker-sandbox.html new file mode 100644 index 0000000000..86b39b9ad4 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/shared-worker-sandbox.html @@ -0,0 +1,18 @@ +<!DOCTYPE html> +<meta charset="utf-8"> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<body> +<script> +// Currently, sandbox directives for workers are not specified +// https://github.com/w3c/webappsec-csp/issues/279 +// and thus this test asserts that the origin of SharedWorker is not sandboxed. +async_test(t => { + const worker = new SharedWorker("support/sandboxed-shared-worker.js?" + Math.random()); + worker.onerror = t.unreached_func("SharedWorker construction failed"); + worker.port.onmessage = t.step_func_done(e => { + assert_equals(e.data, location.origin, "Origin should not be sandboxed"); + }); +}, "sandbox directive for SharedWorker"); +</script> +</body> diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/empty.html b/testing/web-platform/tests/content-security-policy/sandbox/support/empty.html new file mode 100644 index 0000000000..e69de29bb2 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/support/empty.html diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/post-origin-on-load-worker.js b/testing/web-platform/tests/content-security-policy/sandbox/support/post-origin-on-load-worker.js new file mode 100644 index 0000000000..21ce5748ab --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/support/post-origin-on-load-worker.js @@ -0,0 +1 @@ +postMessage(self.origin); diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-data-iframe.sub.html b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-data-iframe.sub.html new file mode 100644 index 0000000000..fafd4dc770 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-data-iframe.sub.html @@ -0,0 +1 @@ +<iframe src="data:text/html,<script>window.top.postMessage('Message','*');</script>"></iframe> diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-data-iframe.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-data-iframe.sub.html.sub.headers new file mode 100644 index 0000000000..a7ea308208 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-data-iframe.sub.html.sub.headers @@ -0,0 +1 @@ +Content-Security-Policy: sandbox {{GET[sandbox]}};
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-eval.sub.html b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-eval.sub.html new file mode 100644 index 0000000000..9480e521de --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-eval.sub.html @@ -0,0 +1,4 @@ +<script> + window.parent.postMessage('PASS (1/2): Script can execute', '*'); + eval("window.parent.postMessage('PASS (2/2): Eval works', '*')"); +</script>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-eval.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-eval.sub.html.sub.headers new file mode 100644 index 0000000000..c7e4e7cc5b --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-eval.sub.html.sub.headers @@ -0,0 +1 @@ +Content-Security-Policy: sandbox allow-scripts
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-post-message-to-parent.html b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-post-message-to-parent.html new file mode 100644 index 0000000000..ef4b1a0b95 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-post-message-to-parent.html @@ -0,0 +1,3 @@ +<script> + window.top.postMessage("Message", "*"); +</script>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html new file mode 100644 index 0000000000..ebbb54d36d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html @@ -0,0 +1,3 @@ +<script> + window.opener.postMessage(window.testProperty, "*"); +</script>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html.sub.headers b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html.sub.headers new file mode 100644 index 0000000000..a7ea308208 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html.sub.headers @@ -0,0 +1 @@ +Content-Security-Policy: sandbox {{GET[sandbox]}};
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-service-worker.js b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-service-worker.js new file mode 100644 index 0000000000..d4971266f5 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-service-worker.js @@ -0,0 +1,14 @@ +self.addEventListener('fetch', function(event) { + const url = new URL(event.request.url); + if (url.pathname.indexOf('get-origin') != -1) { + event.respondWith(new Promise(function(resolve) { + resolve(new Response(JSON.stringify({ + origin: self.origin + }))); + })); + } + else if (url.pathname.indexOf('fetch') != -1) { + event.respondWith(fetch(url.searchParams.get('url'), + {mode: event.request.mode})); + } + }); diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-service-worker.js.headers b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-service-worker.js.headers new file mode 100644 index 0000000000..1efcf8c226 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-service-worker.js.headers @@ -0,0 +1 @@ +Content-Security-Policy: sandbox allow-scripts diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-shared-worker.js b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-shared-worker.js new file mode 100644 index 0000000000..eb85eb41b4 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-shared-worker.js @@ -0,0 +1,3 @@ +self.onconnect = e => { + e.ports[0].postMessage(self.origin); +}; diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-shared-worker.js.headers b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-shared-worker.js.headers new file mode 100644 index 0000000000..1efcf8c226 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/support/sandboxed-shared-worker.js.headers @@ -0,0 +1 @@ +Content-Security-Policy: sandbox allow-scripts diff --git a/testing/web-platform/tests/content-security-policy/sandbox/support/unsandboxed-post-property-to-opener.html b/testing/web-platform/tests/content-security-policy/sandbox/support/unsandboxed-post-property-to-opener.html new file mode 100644 index 0000000000..ebbb54d36d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/support/unsandboxed-post-property-to-opener.html @@ -0,0 +1,3 @@ +<script> + window.opener.postMessage(window.testProperty, "*"); +</script>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/sandbox/window-reuse-sandboxed.html b/testing/web-platform/tests/content-security-policy/sandbox/window-reuse-sandboxed.html new file mode 100644 index 0000000000..a7a080daf7 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/window-reuse-sandboxed.html @@ -0,0 +1,22 @@ +<!DOCTYPE html> +<html> + +<head> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> +</head> + +<body> + <script> + var t = async_test("Window object should not be reused"); + + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data, undefined); + }); + + w = window.open("support/sandboxed-post-property-to-opener.html?sandbox=allow-scripts","","width=400,height=400"); + w.testProperty = "test"; + </script> +</body> + +</html>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/sandbox/window-reuse-unsandboxed.html b/testing/web-platform/tests/content-security-policy/sandbox/window-reuse-unsandboxed.html new file mode 100644 index 0000000000..dd69c41354 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/sandbox/window-reuse-unsandboxed.html @@ -0,0 +1,22 @@ +<!DOCTYPE html> +<html> + +<head> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> +</head> + +<body> + <script> + var t = async_test("Window object should be reused"); + + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data, "test"); + }); + + w = window.open("support/unsandboxed-post-property-to-opener.html","","width=400,height=400"); + w.testProperty = "test"; + </script> +</body> + +</html>
\ No newline at end of file |