9 files changed, 229 insertions, 0 deletions

diff --git a/testing/web-platform/tests/content-security-policy/svg/including.sub.svg b/testing/web-platform/tests/content-security-policy/svg/including.sub.svg
new file mode 100644
index 0000000000..51215d9044
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/including.sub.svg
@@ -0,0 +1,19 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="6cm" height="5cm" viewBox="0 0 600 500"
+     xmlns="http://www.w3.org/2000/svg" version="1.1"
+     xmlns:xlink="http://www.w3.org/1999/xlink">
+  <desc>using SVG as a resource doc should apply this doc's CSP</desc>
+
+  <use xlink:href="scripted.svg#postmessagescript" />
+
+  <circle cx="300" cy="225" r="100" fill="lawngreen"/>
+
+  <text x="300" y="250"
+        font-family="Verdana"
+        font-size="50"
+        text-anchor="middle">
+      PASS
+    </text>
+</svg>
diff --git a/testing/web-platform/tests/content-security-policy/svg/including.sub.svg.sub.headers b/testing/web-platform/tests/content-security-policy/svg/including.sub.svg.sub.headers
new file mode 100644
index 0000000000..0f3f281d90
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/including.sub.svg.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: including={{$id:uuid()}}; Path=/content-security-policy/svg
+Content-Security-Policy: script-src 'none';
diff --git a/testing/web-platform/tests/content-security-policy/svg/object-in-svg-foreignobject.sub.html b/testing/web-platform/tests/content-security-policy/svg/object-in-svg-foreignobject.sub.html
new file mode 100644
index 0000000000..aa4f156953
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/object-in-svg-foreignobject.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Object inside SVG foreignobject respect csp</title>
+    <meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script>
+      async_test(function(t) {
+        document.addEventListener("securitypolicyviolation", t.step_func(function(e) {
+          if (e.blockedURI != "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/media/flash.swf")
+            return;
+
+          assert_equals(e.violatedDirective, "object-src");
+          t.done();
+        }));
+      }, "Should throw a securitypolicyviolation");
+    </script>
+</head>
+<body>
+    <svg>
+        <foreignObject>
+            <embed type="application/x-shockwave-flash" src="/content-security-policy/support/media/flash.swf">
+        </foreignObject>
+    </svg>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/svg/scripted.svg b/testing/web-platform/tests/content-security-policy/svg/scripted.svg
new file mode 100644
index 0000000000..5482831fa8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/scripted.svg
@@ -0,0 +1,20 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="6cm" height="5cm" viewBox="0 0 600 500"
+     xmlns="http://www.w3.org/2000/svg" version="1.1">
+  <desc>Example script01 - redirect</desc>
+
+  <script id="postmessagescript" type="application/ecmascript"> <![CDATA[
+    location = "/content-security-policy/support/postmessage-fail.html";
+  ]]> </script>
+
+  <circle cx="300" cy="225" r="100" fill="lawngreen"/>
+
+  <text x="300" y="250"
+        font-family="Verdana"
+        font-size="50"
+        text-anchor="middle">
+      PASS
+    </text>
+</svg>
diff --git a/testing/web-platform/tests/content-security-policy/svg/scripted.svg.sub.headers b/testing/web-platform/tests/content-security-policy/svg/scripted.svg.sub.headers
new file mode 100644
index 0000000000..0e90e147ad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/scripted.svg.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripted={{$id:uuid()}}; Path=/content-security-policy/svg
+Content-Security-Policy: script-src 'none';
diff --git a/testing/web-platform/tests/content-security-policy/svg/svg-from-guid.html b/testing/web-platform/tests/content-security-policy/svg/svg-from-guid.html
new file mode 100644
index 0000000000..962cd88036
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/svg-from-guid.html
@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>svg-from-guid</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script>
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
+        window.addEventListener('load', function() {
+            setTimeout(function() {
+                log("TEST COMPLETE");
+            }, 1);
+        });
+    </script>
+</head>
+
+<body>
+    <p>Tests that an SVG loaded in an iframe with a policy enforces it, not
+    the policy enforced by this parent frame.  The SVG should render and
+    not redirect to a different resource.</p>
+    <!--
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="6cm" height="5cm" viewBox="0 0 600 500"
+     xmlns="http://www.w3.org/2000/svg" version="1.1">
+  <desc>Example script01 - redirect</desc>
+
+  <script id="postmessagescript" type="application/ecmascript"> <![CDATA[
+    location = "/content-security-policy/support/postmessage-fail.html";
+  ]]> </script>
+
+  <circle cx="300" cy="225" r="100" fill="lawngreen"/>
+
+  <text x="300" y="250"
+        font-family="Verdana"
+        font-size="50"
+        text-anchor="middle">
+      PASS
+    </text>
+</svg>
+    -->
+    <iframe name="test_target" id="test_iframe" src="data:image/svg+xml;charset=utf-8;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pg0KPCFET0NUWVBFIHN2ZyBQVUJMSUMgIi0vL1czQy8vRFREIFNWRyAxLjEvL0VOIg0KICAiaHR0cDovL3d3dy53My5vcmcvR3JhcGhpY3MvU1ZHLzEuMS9EVEQvc3ZnMTEuZHRkIj4NCjxzdmcgd2lkdGg9IjZjbSIgaGVpZ2h0PSI1Y20iIHZpZXdCb3g9IjAgMCA2MDAgNTAwIg0KICAgICB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZlcnNpb249IjEuMSI+DQogIDxkZXNjPkV4YW1wbGUgc2NyaXB0MDEgLSByZWRpcmVjdDwvZGVzYz4NCg0KICA8c2NyaXB0IGlkPSJwb3N0bWVzc2FnZXNjcmlwdCIgdHlwZT0iYXBwbGljYXRpb24vZWNtYXNjcmlwdCI+IDwhW0NEQVRBWw0KICAgIGxvY2F0aW9uID0gIi9jb250ZW50LXNlY3VyaXR5LXBvbGljeS9ibGluay1jb250cmliL3Jlc291cmNlcy9wb3N0bWVzc2FnZS1mYWlsLmh0bWwiOw0KICBdXT4gPC9zY3JpcHQ+DQoNCiAgPGNpcmNsZSBjeD0iMzAwIiBjeT0iMjI1IiByPSIxMDAiIGZpbGw9Imxhd25ncmVlbiIvPg0KDQogIDx0ZXh0IHg9IjMwMCIgeT0iMjUwIg0KICAgICAgICBmb250LWZhbWlseT0iVmVyZGFuYSINCiAgICAgICAgZm9udC1zaXplPSI1MCINCiAgICAgICAgdGV4dC1hbmNob3I9Im1pZGRsZSI+DQogICAgICBQQVNTDQogICAgPC90ZXh0Pg0KPC9zdmc+"></iframe>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html b/testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html
new file mode 100644
index 0000000000..16d03407fd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>svg-policy-with-resource</title>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script>
+        var t_spv = async_test("Should fire violation event");
+        window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+            assert_equals(e.violatedDirective, "script-src-elem");
+        }));
+    </script>
+
+</head>
+
+<body>
+    <p>Tests that an SVG loaded in an iframe with a policy enforces it, not
+    the policy enforced by this parent frame.  The SVG should render and
+    not redirect to a different resource.</p>
+    <div id="log"></div>
+    <?xml version="1.0" standalone="no"?>
+
+    <svg width="6cm" height="5cm" viewBox="0 0 600 500"
+        xmlns="http://www.w3.org/2000/svg" version="1.1">
+
+        <script type="application/ecmascript"
+            xlink:href="http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/.js">
+        </script>
+
+      <circle cx="300" cy="225" r="100" fill="lawngreen"/>
+
+      <text x="300" y="250"
+            font-family="Verdana"
+            font-size="50"
+            text-anchor="middle">
+          PASS
+      </text>
+    </svg>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/svg/svg-policy-resource-doc-includes.html b/testing/web-platform/tests/content-security-policy/svg/svg-policy-resource-doc-includes.html
new file mode 100644
index 0000000000..3ca6262405
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/svg-policy-resource-doc-includes.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>svg-policy-with-resource</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script>
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
+        window.addEventListener('load', function() {
+            setTimeout(function() {
+                log("TEST COMPLETE");
+            }, 0);
+        });
+    </script>
+</head>
+
+<body>
+    <p>Tests that an SVG loaded in an iframe with a policy enforces it, not
+    the policy enforced by this parent frame.  The SVG should render and
+    not redirect to a different resource.</p>
+    <iframe name="test_target" id="test_iframe" src="scripted.svg"></iframe>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/svg/svg-policy-with-resource.html b/testing/web-platform/tests/content-security-policy/svg/svg-policy-with-resource.html
new file mode 100644
index 0000000000..88ba0b3e65
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/svg/svg-policy-with-resource.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>svg-policy-with-resource</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <script>
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
+        window.addEventListener('load', function() {
+            setTimeout(function() {
+                log("TEST COMPLETE");
+            }, 0);
+        });
+    </script>
+</head>
+
+<body>
+    <p>Tests that an SVG loaded in an iframe with a policy enforces it, not
+    the policy enforced by this parent frame.  The SVG should render and
+    not redirect to a different resource.</p>
+    <iframe name="test_target" id="test_iframe" src="scripted.svg"></iframe>
+    <object type="image/svg+xml" data="scripted.svg"></object>
+    <div id="log"></div>
+</body>
+
+</html>