Diffstat (limited to 'testing/web-platform/tests/content-security-policy/unsafe-hashes')
26 files changed, 581 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html new file mode 100644 index 0000000000..0c2a43a6e6 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html @@ -0,0 +1,15 @@ +<!DOCTYPE HTML> +<html> +<head> + <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' + 'sha256-l0Wxf12cHMZT6UQ2zsQ7AcFSb6Y198d37Ki8zWITecM=';"> + <script src="/resources/testharness.js" nonce="abc"></script> + <script src="/resources/testharnessreport.js" nonce="abc"></script> + <script src="support/helper.js" nonce="abc"></script> +</head> +<body> + <script nonce="abc"> + runTest(true, '<a href>', ''); + </script> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-attr.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-attr.html new file mode 100644 index 0000000000..f2b3e1ff72 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-attr.html 
@@ -0,0 +1,18 @@ +<!DOCTYPE HTML> +<html> +<head> + <meta http-equiv="Content-Security-Policy" content="script-src-attr 'unsafe-hashes' 'nonce-abc' + 'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';"> + <script src="/resources/testharness.js" nonce="abc"></script> + <script src="/resources/testharnessreport.js" nonce="abc"></script> + <script src="support/helper.js" nonce="abc"></script> +</head> +<body> + <script nonce="abc"> + // script-src-attr CSP should not have effects because navigation CSP + // checks are done against script-src-elem. + // https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check + runTest(true, '<a href target=_blank>', ' (script-src-attr should not be used)'); + </script> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-elem.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-elem.html new file mode 100644 index 0000000000..642d9768a5 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-elem.html @@ -0,0 +1,15 @@ +<!DOCTYPE HTML> +<html> +<head> + <meta http-equiv="Content-Security-Policy" content="script-src-elem 'unsafe-hashes' 'nonce-abc' + 'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';"> + <script src="/resources/testharness.js" nonce="abc"></script> + <script src="/resources/testharnessreport.js" nonce="abc"></script> + <script src="support/helper.js" nonce="abc"></script> +</head> +<body> + <script nonce="abc"> + runTest(true, '<a href target=_blank>', ''); + </script> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html new file mode 100644 index 0000000000..a321521e04 --- /dev/null 
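Review bot: The allowed script-src-attr variant in this hunk cannot detect an implementation that wrongly consults script-src-attr for the navigation, because the policy carries both 'unsafe-hashes' and the matching hash, so `runTest(true, ...)` holds under either reading; only the javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-attr.html and javascript_src_denied_wrong_hash-href_blank-script-src-attr.html variants discriminate. The comment above the `runTest` call should say so, e.g. `// This variant passes either way; the denied_* script-src-attr tests are the ones that would fail if script-src-attr were consulted.` Those two sibling files are also named `denied` yet assert `runTest(true, ...)`, which the shared comment only partly explains; stating that "denied" describes the policy shape rather than the expected outcome would save the next reader a double take.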
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html @@ -0,0 +1,15 @@ +<!DOCTYPE HTML> +<html> +<head> + <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' + 'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';"> + <script src="/resources/testharness.js" nonce="abc"></script> + <script src="/resources/testharnessreport.js" nonce="abc"></script> + <script src="support/helper.js" nonce="abc"></script> +</head> +<body> + <script nonce="abc"> + runTest(true, '<a href target=_blank>', ''); + </script> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html new file mode 100644 index 0000000000..2fbda19924 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html @@ -0,0 +1,27 @@ +<!DOCTYPE HTML> +<html> + +<head> + <!-- + 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')' + --> + <script src='/resources/testharness.js' nonce='abc'></script> + <script src='/resources/testharnessreport.js' nonce='abc'></script> +</head> + +<body> + <div id='log'></div> + <script nonce='abc'> + var t1 = async_test("Test that the javascript: src is allowed to run"); + + window.onmessage = t1.step_func_done(function(e) { + assert_equals(e.data, "pass"); + }); + + window.open('support/child_window_location_navigate.sub.html' + + '?csp=' + encodeURI("script-src 'unsafe-hashes' 'nonce-abc' 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y='") + + '&url=' + encodeURI("javascript:opener.postMessage('pass', '*')")); + </script> +</body> + +</html> 
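Review bot: `encodeURI` is the wrong encoder for the query values built at `'?csp=' + encodeURI(...)` and `'&url=' + encodeURI(...)` in javascript_src_allowed-window_location.html: it leaves `&`, `+`, `=`, `/` and `?` unescaped, so a CSP hash containing `+` (valid base64) would arrive as a space once the server decodes the query, and any `&` would split the parameter. The hashes used here happen to contain neither, so the tests pass today, but a future hash would silently stop matching and a "denied" expectation would then pass for the wrong reason. Use `encodeURIComponent` for both values, e.g. `'?csp=' + encodeURIComponent("script-src 'unsafe-hashes' 'nonce-abc' 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y='")`. The same construction appears in javascript_src_denied_missing_unsafe_hashes-window_location.html and javascript_src_denied_wrong_hash-window_location.html.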
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html new file mode 100644 index 0000000000..970290e3f6 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html @@ -0,0 +1,29 @@ +<!DOCTYPE HTML> +<html> + +<head> + <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' + 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=';"> + <!-- + 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')' + --> + <script src='/resources/testharness.js' nonce='abc'></script> + <script src='/resources/testharnessreport.js' nonce='abc'></script> +</head> + +<body> + <div id='log'></div> + <script nonce='abc'> + var t1 = async_test("Test that the javascript: src is allowed to run"); + + window.onmessage = t1.step_func_done(function(e) { + assert_equals(e.data, "pass"); + }); + + window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event")); + + window.open("javascript:opener.postMessage('pass', '*')"); + </script> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html new file mode 100644 index 0000000000..0f0dc67aa3 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html 
@@ -0,0 +1,15 @@ +<!DOCTYPE HTML> +<html> +<head> + <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' + 'sha256-l0Wxf12cHMZT6UQ2zsQ7AcFSb6Y198d37Ki8zWITecM=';"> + <script src="/resources/testharness.js" nonce="abc"></script> + <script src="/resources/testharnessreport.js" nonce="abc"></script> + <script src="support/helper.js" nonce="abc"></script> +</head> +<body> + <script nonce="abc"> + runTest(false, '<a href>', ' due to missing unsafe-hashes'); + </script> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-attr.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-attr.html new file mode 100644 index 0000000000..6b863e7a99 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-attr.html @@ -0,0 +1,18 @@ +<!DOCTYPE HTML> +<html> +<head> + <meta http-equiv="Content-Security-Policy" content="script-src-attr 'nonce-abc' + 'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';"> + <script src="/resources/testharness.js" nonce="abc"></script> + <script src="/resources/testharnessreport.js" nonce="abc"></script> + <script src="support/helper.js" nonce="abc"></script> +</head> +<body> + <script nonce="abc"> + // script-src-attr CSP should not have effects because navigation CSP + // checks are done against script-src-elem. + // https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check + runTest(true, '<a href target=_blank>', ' (script-src-attr should not be used)'); + </script> +</body> +</html> 
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-elem.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-elem.html new file mode 100644 index 0000000000..23e9bdc187 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-elem.html @@ -0,0 +1,15 @@ +<!DOCTYPE HTML> +<html> +<head> + <meta http-equiv="Content-Security-Policy" content="script-src-elem 'nonce-abc' + 'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';"> + <script src="/resources/testharness.js" nonce="abc"></script> + <script src="/resources/testharnessreport.js" nonce="abc"></script> + <script src="support/helper.js" nonce="abc"></script> +</head> +<body> + <script nonce="abc"> + runTest(false, '<a href target=_blank>', ' due to missing unsafe-hashes'); + </script> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html new file mode 100644 index 0000000000..81805a1f87 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html 
@@ -0,0 +1,15 @@ +<!DOCTYPE HTML> +<html> +<head> + <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' + 'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';"> + <script src="/resources/testharness.js" nonce="abc"></script> + <script src="/resources/testharnessreport.js" nonce="abc"></script> + <script src="support/helper.js" nonce="abc"></script> +</head> +<body> + <script nonce="abc"> + runTest(false, '<a href target=_blank>', ' due to missing unsafe-hashes'); + </script> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html new file mode 100644 index 0000000000..d7a786078a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html @@ -0,0 +1,27 @@ +<!DOCTYPE HTML> +<html> + +<head> + <!-- + 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')' + --> + <script src='/resources/testharness.js' nonce='abc'></script> + <script src='/resources/testharnessreport.js' nonce='abc'></script> +</head> + +<body> + <div id='log'></div> + <script nonce='abc'> + var t1 = async_test("Test that the javascript: src is not allowed to run"); + + window.onmessage = t1.step_func_done(function(e) { + assert_equals(e.data, "fail"); + }); + + window.open('support/child_window_location_navigate.sub.html' + + '?csp=' + encodeURI("script-src 'nonce-abc' 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y='") + + '&url=' + encodeURI("javascript:opener.postMessage('pass', '*')")); + </script> +</body> + +</html> 
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html new file mode 100644 index 0000000000..12c9b09985 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html @@ -0,0 +1,30 @@ +<!DOCTYPE HTML> +<html> + +<head> + <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' + 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=';"> + <!-- + 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')' + --> + <script src='/resources/testharness.js' nonce='abc'></script> + <script src='/resources/testharnessreport.js' nonce='abc'></script> +</head> + +<body> + <div id='log'></div> + <script nonce='abc'> + var t1 = async_test("Test that the javascript: src is not allowed to run"); + + window.onmessage = t1.unreached_func("Should have not received any message"); + + window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) { + assert_equals(e.violatedDirective, 'script-src-elem'); + assert_equals(e.blockedURI, 'inline'); + })); + + window.open("javascript:opener.postMessage('pass', '*')"); + </script> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html new file mode 100644 index 0000000000..6558a03aed --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html 
@@ -0,0 +1,15 @@ +<!DOCTYPE HTML> +<html> +<head> + <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' + 'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';"> + <script src="/resources/testharness.js" nonce="abc"></script> + <script src="/resources/testharnessreport.js" nonce="abc"></script> + <script src="support/helper.js" nonce="abc"></script> +</head> +<body> + <script nonce="abc"> + runTest(false, '<a href>', ' due to wrong hash'); + </script> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-attr.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-attr.html new file mode 100644 index 0000000000..fa394b1d0a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-attr.html @@ -0,0 +1,18 @@ +<!DOCTYPE HTML> +<html> +<head> + <meta http-equiv="Content-Security-Policy" content="script-src-attr 'unsafe-hashes' 'nonce-abc' + 'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';"> + <script src="/resources/testharness.js" nonce="abc"></script> + <script src="/resources/testharnessreport.js" nonce="abc"></script> + <script src="support/helper.js" nonce="abc"></script> +</head> +<body> + <script nonce="abc"> + // script-src-attr CSP should not have effects because navigation CSP + // checks are done against script-src-elem. + // https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check + runTest(true, '<a href target=_blank>', ' (script-src-attr should not be used)'); + </script> +</body> +</html> 
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-elem.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-elem.html new file mode 100644 index 0000000000..8ca49da775 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-elem.html @@ -0,0 +1,15 @@ +<!DOCTYPE HTML> +<html> +<head> + <meta http-equiv="Content-Security-Policy" content="script-src-elem 'unsafe-hashes' 'nonce-abc' + 'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';"> + <script src="/resources/testharness.js" nonce="abc"></script> + <script src="/resources/testharnessreport.js" nonce="abc"></script> + <script src="support/helper.js" nonce="abc"></script> +</head> +<body> + <script nonce="abc"> + runTest(false, '<a href target=_blank>', ' due to wrong hash'); + </script> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html new file mode 100644 index 0000000000..257899af29 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html @@ -0,0 +1,15 @@ +<!DOCTYPE HTML> +<html> +<head> + <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' + 'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';"> + <script src="/resources/testharness.js" nonce="abc"></script> + <script src="/resources/testharnessreport.js" nonce="abc"></script> + <script src="support/helper.js" nonce="abc"></script> +</head> +<body> + <script nonce="abc"> + runTest(false, '<a href target=_blank>', ' due to wrong hash'); + </script> +</body> +</html> 
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html new file mode 100644 index 0000000000..96ff062101 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html @@ -0,0 +1,27 @@ +<!DOCTYPE HTML> +<html> + +<head> + <!-- + 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')' + --> + <script src='/resources/testharness.js' nonce='abc'></script> + <script src='/resources/testharnessreport.js' nonce='abc'></script> +</head> + +<body> + <div id='log'></div> + <script nonce='abc'> + var t1 = async_test("Test that the javascript: src is not allowed to run"); + + window.onmessage = t1.step_func_done(function(e) { + assert_equals(e.data, "fail"); + }); + + window.open('support/child_window_location_navigate.sub.html' + + '?csp=' + encodeURI("script-src 'unsafe-hashes' 'nonce-abc' 'sha256-VjH6k67F4kobUnNDOBE85QiJ9cuZMiYT6desKXvezVg='") + + '&url=' + encodeURI("javascript:opener.postMessage('pass', '*')")); + </script> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html new file mode 100644 index 0000000000..c653d4f617 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html 
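Review bot: The HTML comment in javascript_src_denied_wrong_hash-window_location.html documents `'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y='` as the hash of the javascript: URL, but the policy passed in the `csp` query parameter uses `'sha256-VjH6k67F4kobUnNDOBE85QiJ9cuZMiYT6desKXvezVg='`, and nothing says the mismatch is deliberate. A second comment line such as `<!-- the policy below intentionally carries a different hash so the URL must be refused -->` would make the expected `fail` message self-explanatory. The same comment/policy pairing appears in javascript_src_denied_wrong_hash-window_open.html.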
@@ -0,0 +1,30 @@ +<!DOCTYPE HTML> +<html> + +<head> + <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' + 'sha256-VjH6k67F4kobUnNDOBE85QiJ9cuZMiYT6desKXvezVg=';"> + <!-- + 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')' + --> + <script src='/resources/testharness.js' nonce='abc'></script> + <script src='/resources/testharnessreport.js' nonce='abc'></script> +</head> + +<body> + <div id='log'></div> + <script nonce='abc'> + var t1 = async_test("Test that the javascript: src is not allowed to run"); + + window.onmessage = t1.unreached_func("Should have not received any message"); + + window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) { + assert_equals(e.violatedDirective, 'script-src-elem'); + assert_equals(e.blockedURI, 'inline'); + })); + + window.open("javascript:opener.postMessage('pass', '*')"); + </script> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed.html new file mode 100644 index 0000000000..7d50941d36 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed.html 
@@ -0,0 +1,22 @@ +<!DOCTYPE HTML> +<html> + +<head> + <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' 'sha256-wmuLCpoj8EMqfQlPnt5NIMgKkCK62CxAkAiewI0zZps='; img-src *;"> + <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title> + <script src='/resources/testharness.js' nonce='abc'></script> + <script src='/resources/testharnessreport.js' nonce='abc'></script> +</head> + +<body> + <div id='log'></div> + <script nonce='abc'> + var t1 = async_test("Test that the inline event handler is allowed to run"); + + window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event")); + </script> + <img src='../support/pass.png' + onload='t1.done();'> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html new file mode 100644 index 0000000000..7ba9d30bcf --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html 
@@ -0,0 +1,26 @@ +<!DOCTYPE HTML> +<html> + +<head> + <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' 'sha256-Cb9N8BP42Neca22vQ9VaXlPU8oPF8HPxZHxRVcnLZJ4='; img-src *;"> + <title>Event handlers should not be allowed if a matching hash is present without 'unsafe-hashes'</title> + <script src='/resources/testharness.js' nonce='abc'></script> + <script src='/resources/testharnessreport.js' nonce='abc'></script> + +</head> + +<body> + <div id='log'></div> + <script nonce='abc'> + var t1 = async_test("Test that the inline event handler is not allowed to run"); + + window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) { + assert_equals(e.violatedDirective, 'script-src-attr'); + assert_equals(e.blockedURI, 'inline'); + })); + </script> + <img src='../support/pass.png' + onload='t1.unreached_func("Should not have executed handler");'> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html new file mode 100644 index 0000000000..2de6a48eb2 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html 
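Review bot: `onload='t1.unreached_func("Should not have executed handler");'` never fails the test if the handler does run, because `unreached_func` only returns a step function and the attribute value never invokes it; a policy bypass would surface only as a harness timeout instead of the intended assertion. Invoke the returned function as helper.js already does: `onload='t1.unreached_func("Should not have executed handler")();'`. Because this file's premise is that the policy hash matches the handler text, the `sha256-` value in the meta tag then has to be recomputed over the new attribute value (`<RECOMPUTED-HASH>` as a placeholder until done). script_event_handlers_denied_wrong_hash.html has the same no-op handler, but its `'sha256-thisdoesnotmatch'` is deliberately non-matching, so only the attribute needs the change there.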
@@ -0,0 +1,25 @@ +<!DOCTYPE HTML> +<html> + +<head> + <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' 'sha256-thisdoesnotmatch'; img-src *;"> + <title>Event handlers should be not allowed if a matching hash is not present</title> + <script src='/resources/testharness.js' nonce='abc'></script> + <script src='/resources/testharnessreport.js' nonce='abc'></script> +</head> + +<body> + <div id='log'></div> + <script nonce='abc'> + var t1 = async_test("Test that the inline event handler is not allowed to run"); + + window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) { + assert_equals(e.violatedDirective, 'script-src-attr'); + assert_equals(e.blockedURI, 'inline'); + })); + </script> + <img src='../support/pass.png' + onload='t1.unreached_func("Should not have executed handler");'> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_allowed.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_allowed.html new file mode 100644 index 0000000000..568c469b06 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_allowed.html 
@@ -0,0 +1,30 @@ +<!DOCTYPE HTML> +<html> + +<head> + <meta http-equiv="Content-Security-Policy" content="img-src *; + style-src 'unsafe-hashes' 'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=';"> + <!-- + 'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=' ==> 'background: green' + --> + <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> +</head> + +<body> + <div id='log'></div> + <script> + var t1 = async_test("Test that the inline style attribute is loaded"); + + self.check_for_style = t1.step_func_done(function() { + assert_equals("green", document.getElementById('test').style.background); + }); + + window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event")); + </script> + <img src='../support/pass.png' id='test' style='background: green' + onload='check_for_style()'> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html new file mode 100644 index 0000000000..e8070acba9 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html 
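Review bot: The `<title>` reads "Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present", but this file exercises a `style` attribute, and the two denied variants (style_attribute_denied_missing_unsafe_hashes.html and style_attribute_denied_wrong_hash.html) carry the same "should be allowed" title although they assert a `style-src-attr` violation. Suggested titles: here `<title>Style attributes should be allowed if a matching hash and 'unsafe-hashes' are present</title>`, and for the denied variants `<title>Style attributes should not be allowed if a matching hash is present without 'unsafe-hashes'</title>` and `<title>Style attributes should not be allowed if no matching hash is present</title>`. Separately, `assert_equals("green", document.getElementById('test').style.background)` puts the expected value first, whereas testharness reports its arguments as actual then expected, so a failure message would read backwards; swap the two arguments.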
@@ -0,0 +1,29 @@ +<!DOCTYPE HTML> +<html> + +<head> + <meta http-equiv="Content-Security-Policy" content="img-src *; + style-src 'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=';"> + <!-- + 'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=' ==> 'background: green' + --> + <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> +</head> + +<body> + <div id='log'></div> + <script> + var t1 = async_test("Test that the inline style attribute is blocked"); + + window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) { + assert_equals(e.violatedDirective, 'style-src-attr'); + assert_equals(e.blockedURI, 'inline'); + })); + + </script> + <img src='../support/pass.png' id='test' style='background: green'> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html new file mode 100644 index 0000000000..be27637224 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html 
@@ -0,0 +1,29 @@ +<!DOCTYPE HTML> +<html> + +<head> + <meta http-equiv="Content-Security-Policy" content="img-src *; + style-src 'unsafe-hashes' 'sha256-UI8QfroYhb0WX073XBuM+RTPntpjZfkyFLsMw5vQfd0=';"> + <!-- + 'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=' ==> 'background: green' + --> + <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> +</head> + +<body> + <div id='log'></div> + <script> + var t1 = async_test("Test that the inline style attribute is blocked"); + + window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) { + assert_equals(e.violatedDirective, 'style-src-attr'); + assert_equals(e.blockedURI, 'inline'); + })); + + </script> + <img src='../support/pass.png' id='test' style='background: green'> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html new file mode 100644 index 0000000000..3068822f37 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html @@ -0,0 +1,21 @@ +<!DOCTYPE HTML> +<html> + +<head> + <meta http-equiv="Content-Security-Policy" content="{{GET[csp]}}"> +</head> + +<body> + + <span id="escape">{{GET[url]}}</span> + + <script nonce='abc'> + window.addEventListener('securitypolicyviolation', function(e) { + opener.postMessage('fail', '*'); + }); + + window.location.href = document.getElementById("escape").textContent; + </script> +</body> + +</html> 
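Review bot: The `id="escape"` round-trip in child_window_location_navigate.sub.html is the security-relevant part of this helper and has no comment: the `url` parameter is placed in the DOM as text and read back via `textContent`, so the substituted value is never interpolated into script source. Add above the span: `<!-- url is inserted as text and read back via textContent so the substituted value is never parsed as script -->`. `{{GET[csp]}}` in the meta `content` attribute is substituted without any escaping; the current callers pass only single quotes, but a double quote in a future csp value would terminate the attribute, which is worth a one-line caveat next to it.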
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js b/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js
new file mode 100644
index 0000000000..26db3289ea
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js
@@ -0,0 +1,40 @@
+// Typical CSP hashes are:
+// 'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=' ==> javascript:opener.navigated();
+// 'sha256-l0Wxf12cHMZT6UQ2zsQ7AcFSb6Y198d37Ki8zWITecM=' ==> javascript:navigated();
+
+function runTest(navigationShouldAllowed, navigationMethod, description) {
+ const t1 = async_test(
+ 'javascript: navigation using ' + navigationMethod + ' should be ' +
+ (navigationShouldAllowed ? 'allowed' : 'refused') + description);
+
+ if (navigationShouldAllowed) {
+ window.navigated = () => t1.done();
+ window.addEventListener('securitypolicyviolation',
+ t1.unreached_func('Should have not raised any event'));
+ } else {
+ window.navigated =
+ t1.unreached_func('Should not have run javascript: URL');
+ window.addEventListener('securitypolicyviolation',
+ t1.step_func_done(function(e) {
+ assert_equals(e.violatedDirective, 'script-src-elem');
+ assert_equals(e.blockedURI, 'inline');
+ }));
+ }
+
+ if (navigationMethod === '<a href target=_blank>') {
+ const a = document.createElement('a');
+ a.setAttribute('target', '_blank');
+ a.setAttribute('rel', 'opener');
+ a.setAttribute('href', 'javascript:opener.navigated();');
+ document.body.appendChild(a);
+ a.click();
+ }
+ else if (navigationMethod === '<a href>') {
+ const a = document.createElement('a');
+ a.setAttribute('href', 'javascript:navigated();');
+ document.body.appendChild(a);
+ a.click();
+ } else {
+ t1.unreached_func('Invalid navigationMethod: ' + navigationMethod)();
+ }
+}
|
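Review bot: `runTest` is the entry point for twelve of the new tests but has no JSDoc, and the `navigationShouldAllowed` / `description` contract is not obvious from the call sites — `description` must begin with a space or parenthesis because it is concatenated straight onto 'allowed'/'refused' in the test name. A JSDoc block stating that `navigationShouldAllowed` selects whether `window.navigated` completes the test or fails it, that `navigationMethod` must be exactly one of the literal strings `'<a href target=_blank>'` and `'<a href>'` (anything else fails the test via `unreached_func`), and that `description` is appended verbatim to the test name would cover it. The `a.setAttribute('rel', 'opener')` line also deserves a why-comment, e.g. `// rel=opener: the javascript: URL runs in the new window and reports back through opener.navigated()` (presumably needed because target=_blank otherwise yields no opener — confirm). Stylistically, the `}` followed by `else if (...)` on its own line in the navigation dispatch differs from the `} else {` used elsewhere in the same function; keeping `} else if` on one line would match.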