From 6bf0a5cb5034a7e684dcc3500e841785237ce2dd Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 7 Apr 2024 19:32:43 +0200
Subject: Adding upstream version 1:115.7.0.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 .../unsafe-eval/eval-allowed.sub.html              | 27 ++++++++++
 .../eval-blocked-and-sends-report.sub.html         | 30 +++++++++++
 .../eval-blocked-in-about-blank-iframe.html        | 61 ++++++++++++++++++++++
 .../unsafe-eval/eval-blocked.sub.html              | 36 +++++++++++++
 .../unsafe-eval/eval-in-iframe.html                | 49 +++++++++++++++++
 .../eval-scripts-setInterval-allowed.sub.html      | 33 ++++++++++++
 .../eval-scripts-setInterval-blocked.sub.html      | 31 +++++++++++
 .../eval-scripts-setTimeout-allowed.sub.html       | 28 ++++++++++
 .../eval-scripts-setTimeout-blocked.sub.html       | 30 +++++++++++
 .../function-constructor-allowed.sub.html          | 26 +++++++++
 .../function-constructor-blocked.sub.html          | 30 +++++++++++
 .../unsafe-eval/support/echo-eval-with-policy.py   | 30 +++++++++++
 12 files changed, 411 insertions(+)
 create mode 100644 testing/web-platform/tests/content-security-policy/unsafe-eval/eval-allowed.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.html
 create mode 100644 testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/unsafe-eval/eval-in-iframe.html
 create mode 100644 testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-allowed.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub.html
 create mode 100644 testing/web-platform/tests/content-security-policy/unsafe-eval/support/echo-eval-with-policy.py

(limited to 'testing/web-platform/tests/content-security-policy/unsafe-eval')

diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-allowed.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-allowed.sub.html
new file mode 100644
index 0000000000..186996311b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-allowed.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';">
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <title>eval-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="../support/logTest.sub.js?logs=[]"></script>
+    <script src='../support/alertAssert.sub.js?alerts=["PASS (1 of 2)","PASS (2 of 2)"]'></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("Fail");
+        });
+
+        eval("alert_assert('PASS (1 of 2)')");
+
+        window.eval("alert_assert('PASS (2 of 2)')");
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html
new file mode 100644
index 0000000000..998a616652
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>eval-blocked-and-sends-report</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS: eval() blocked.","violated-directive=script-src"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        try {
+            eval("alert_assert('FAIL')");
+        } catch (e) {
+            log('PASS: eval() blocked.');
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.html
new file mode 100644
index 0000000000..054e75b527
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+  <meta http-equiv="Content-Security-Policy"
+        content="script-src 'self' 'unsafe-inline';">
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+
+<p>
+  Eval should be blocked in the iframe, but inline script should be allowed.
+</p>
+
+<script>
+  promise_test(async t => {
+    const document_loaded = new Promise(resolve => window.onload = resolve);
+    await document_loaded;
+
+    const eval_error = new Promise(resolve => {
+      window.addEventListener('message', function(e) {
+        assert_not_equals(e.data, 'FAIL', 'eval was executed in the frame');
+        if (e.data === 'PASS')
+          resolve();
+      });
+    });
+    const csp_violation_report = new Promise(resolve => {
+      window.addEventListener('message', function(e) {
+        if (e.data["violated-directive"]) {
+          assert_equals(e.data["violated-directive"], "script-src");
+          resolve();
+        }
+      });
+    });
+
+    frames[0].document.write(`
+      <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+          parent.postMessage({ 'violated-directive': e.violatedDirective });
+        });
+        try {
+          eval('parent.postMessage(\"FAIL\", \"*\");');
+        } catch (e) {
+          if (e instanceof EvalError)
+            parent.postMessage(\"PASS\", \"*\");
+        }
+      </sc` + `ript>`
+    );
+    frames[0].document.close();
+
+    await eval_error;
+    await csp_violation_report;
+  });
+</script>
+<iframe src="about:blank"></iframe>
+
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked.sub.html
new file mode 100644
index 0000000000..7546082ee4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>eval-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS EvalError","PASS EvalError", "violated-directive=script-src"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        try {
+            eval("alert_assert('FAIL (1 of 2)')");
+        } catch (e) {
+            log("PASS EvalError");
+        }
+
+        try {
+            window.eval("alert_assert('FAIL (1 of 2)')");
+        } catch (e) {
+            log("PASS EvalError");
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-in-iframe.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-in-iframe.html
new file mode 100644
index 0000000000..bca5decd25
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-in-iframe.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>eval-in-iframe</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/utils.js"></script>
+</head>
+
+<body>
+    <p>This test checks that the CSP of calleeRealm only (and not of
+    the callerRealm) is checked for allowing eval.</p>
+    <script>
+      let tests = [
+        { "directive": "script-src", "csp": "script-src 'unsafe-inline'" },
+        { "directive": "default-src", "csp": "default-src 'unsafe-inline'" },
+      ];
+
+      tests.forEach(test => {
+        let child = document.createElement('iframe');
+        child.src = '/content-security-policy/unsafe-eval/support' +
+          '/echo-eval-with-policy.py?policy=' + encodeURIComponent(test.csp);
+        document.body.appendChild(child);
+        let msg = new Promise(resolve => {
+          window.addEventListener('message', e => {
+            if (e.source == child.contentWindow)
+              resolve(e.data);
+          });
+        });
+
+        promise_test(async t => {
+          assert_equals((await msg).evalInIframe, "blocked");
+        }, `(${test.directive}) Eval code should not execute ` +
+                     `from iframe in iframe`);
+        promise_test(async t => {
+          assert_equals((await msg).evalInParent, "allowed");
+        }, `(${test.directive}) Eval code should execute ` +
+                     `from iframe in parent`);
+        promise_test(async t => {
+          assert_throws_js(child.contentWindow.EvalError, _ =>
+            child.contentWindow.eval('1+1'));
+        }, `(${test.directive}) Eval code should not execute ` +
+                     `from parent in iframe`);
+      });
+    </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub.html
new file mode 100644
index 0000000000..19eac79812
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';">
+    <title>eval-scripts-setInterval-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS 1 of 2","PASS 2 of 2"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+<pre>
+<script>
+  window.addEventListener('securitypolicyviolation', function(e) {
+    log("Fail");
+  });
+
+  var id_string = setInterval("clearInterval(id_string); log('PASS 1 of 2')", 0);
+  if (id_string == 0)
+    log('FAIL: Return value for string (should not be 0): ' + id_string);
+
+  var id_function = setInterval(function() {
+    clearInterval(id_function);
+    log('PASS 2 of 2');
+  }, 0);
+
+  if (id_function == 0)
+    log('FAIL');
+</script>
+</pre>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html
new file mode 100644
index 0000000000..2107ab8c33
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>eval-scripts-setInterval-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS","violated-directive=script-src"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+<script>
+  window.addEventListener('securitypolicyviolation', function(e) {
+    log("violated-directive=" + e.violatedDirective);
+  });
+
+  var id = setInterval("alert_assert('FAIL')", 0);
+  if (id != 0)
+    log('FAIL: Return value for string (should be 0): ' + id);
+
+  var id = setInterval(function() {
+    clearInterval(id);
+    log('PASS');
+  }, 0);
+
+  if (id == 0)
+    log('FAIL');
+</script>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub.html
new file mode 100644
index 0000000000..ba89c4e2f3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';">
+    <title>eval-scripts-setTimeout-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS 1 of 2","PASS 2 of 2"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+<script>
+  window.addEventListener('securitypolicyviolation', function(e) {
+    log("Fail");
+  });
+
+  var id = setTimeout("log('PASS 1 of 2')", 0);
+  if (id == 0)
+    log('FAIL');
+  var id = setTimeout(function() {
+    log('PASS 2 of 2');
+  }, 0);
+  if (id == 0)
+    log('FAIL');
+</script>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html
new file mode 100644
index 0000000000..2b6335e597
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>eval-scripts-setTimeout-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS","violated-directive=script-src"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+<script>
+  window.addEventListener('securitypolicyviolation', function(e) {
+    log("violated-directive=" + e.violatedDirective);
+  });
+
+  var id = setTimeout("alert_assert('FAIL')", 0);
+  if (id != 0)
+    log('FAIL');
+
+  var id = setTimeout(function() {
+    log('PASS');
+  }, 0);
+
+  if (id == 0)
+    log('FAIL');
+</script>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-allowed.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-allowed.sub.html
new file mode 100644
index 0000000000..8e6661b21c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-allowed.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';">
+    <title>function-constructor-allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("Fail");
+        });
+
+        (new Function("log('PASS')"))();
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub.html
new file mode 100644
index 0000000000..1a7d320b68
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>function-constructor-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS EvalError","violated-directive=script-src"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        try {
+            (new Function("log('FAIL')"))();
+        } catch (e) {
+            log("PASS EvalError");
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/support/echo-eval-with-policy.py b/testing/web-platform/tests/content-security-policy/unsafe-eval/support/echo-eval-with-policy.py
new file mode 100644
index 0000000000..b9b3cfe03a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/support/echo-eval-with-policy.py
@@ -0,0 +1,30 @@
+def main(request, response):
+    policy = request.GET.first(b"policy")
+    return [(b"Content-Type", b"text/html"), (b"Content-Security-Policy", policy)], b"""
+<!DOCTYPE html>
+<html>
+<script>
+function check_eval(context) {
+  context.eval_check_variable = 0;
+  try {
+    id = context.eval("eval_check_variable + 1");
+  } catch (e) {
+    if (e instanceof EvalError) {
+      if (context.eval_check_variable === 0)
+        return "blocked";
+      else
+        return "EvalError exception, but eval was executed";
+    } else {
+      return "Unexpected exception: " + e.message;
+    }
+  }
+  return "allowed";
+}
+
+window.parent.postMessage({
+  evalInIframe: check_eval(window),
+  evalInParent: check_eval(parent),
+});
+</script>
+</html>
+"""
-- 
cgit v1.2.3