{ "test_description_template": "Content Security Policy: Expects %(expectation)s for %(subresource)s to %(origin)s origin and %(redirection)s redirection from %(source_scheme)s context.", "test_page_title_template": "Content Security Policy: %(title)s", "specification": [ { "title": "content security policy", "description": "content security policy", "specification_url": "https://w3c.github.io/webappsec-csp/", "test_expansion": [ // Set "allowed" for all requests here, and set "block" for requests // to be blocked by CSP in subsequent sections. // (Requests blocked due to non-CSP reasons (e.g. cross-origin workers) // are excluded by `excluded_tests` sections) { "expansion": "default", "source_scheme": "*", "source_context_list": "*", "delivery_type": "*", "delivery_value": "*", "redirection": "*", "origin": "*", "subresource": "*", "expectation": "allowed" }, // script-src { // "script-src" blocks script-ish requests, except for ... "expansion": "override", "source_scheme": "*", "source_context_list": "*", "delivery_type": "*", "delivery_value": [ "script-src-none", "script-src-self", "script-src-wildcard" ], "redirection": "*", "origin": "*", "subresource": [ "script-tag", "sharedworker-classic", "sharedworker-import", "sharedworker-import-data", "sharedworker-module", "worker-classic", "worker-import", "worker-import-data", "worker-module", "worklet-animation", "worklet-animation-import-data", "worklet-audio", "worklet-audio-import-data", "worklet-layout", "worklet-layout-import-data", "worklet-paint", "worklet-paint-import-data" ], "expectation": "blocked" }, { // non-data: URLs for "script-src *", "expansion": "override", "source_scheme": "*", "source_context_list": "*", "delivery_type": "*", "delivery_value": "script-src-wildcard", "redirection": "*", "origin": "*", "subresource": [ "script-tag", "sharedworker-classic", "sharedworker-import", "sharedworker-module", "worker-classic", "worker-import", "worker-module", "worklet-animation", "worklet-audio", "worklet-layout", "worklet-paint" ], "expectation": "allowed" }, { // same-origin requests (HTTP) for "script-src 'self'", or "expansion": "override", "source_scheme": "http", "source_context_list": "*", "delivery_type": "*", "delivery_value": "script-src-self", "redirection": ["no-redirect", "keep-origin"], "origin": "same-http", "subresource": [ "script-tag", "sharedworker-classic", "sharedworker-import", "sharedworker-module", "worker-classic", "worker-import", "worker-module", "worklet-animation", "worklet-audio", "worklet-layout", "worklet-paint" ], "expectation": "allowed" }, { // same-origin requests (HTTPS) for "script-src 'self'". "expansion": "override", "source_scheme": "https", "source_context_list": "*", "delivery_type": "*", "delivery_value": "script-src-self", "redirection": ["no-redirect", "keep-origin"], "origin": "same-https", "subresource": [ "script-tag", "sharedworker-classic", "sharedworker-import", "sharedworker-module", "worker-classic", "worker-import", "worker-module", "worklet-animation", "worklet-audio", "worklet-layout", "worklet-paint" ], "expectation": "allowed" }, // worker-src { // "worker-src" blocks worker requests, except for ... "expansion": "override", "source_scheme": "*", "source_context_list": "*", "delivery_type": "*", "delivery_value": [ "worker-src-none", "worker-src-self", "worker-src-wildcard" ], "redirection": "*", "origin": "*", "subresource": [ "sharedworker-classic", "sharedworker-import", "sharedworker-import-data", "sharedworker-module", "worker-classic", "worker-import", "worker-import-data", "worker-module" ], "expectation": "blocked" }, { // non-data: URLs for "worker-src *", "expansion": "override", "source_scheme": "*", "source_context_list": "*", "delivery_type": "*", "delivery_value": "worker-src-wildcard", "redirection": "*", "origin": "*", "subresource": [ "sharedworker-classic", "sharedworker-import", "sharedworker-module", "worker-classic", "worker-import", "worker-module" ], "expectation": "allowed" }, { // same-origin requests (HTTP) for "worker-src 'self'", or "expansion": "override", "source_scheme": "http", "source_context_list": "*", "delivery_type": "*", "delivery_value": "worker-src-self", "redirection": ["no-redirect", "keep-origin"], "origin": "same-http", "subresource": [ "sharedworker-classic", "sharedworker-import", "sharedworker-module", "worker-classic", "worker-import", "worker-module" ], "expectation": "allowed" }, { // same-origin requests (HTTPS) for "worker-src 'self'". "expansion": "override", "source_scheme": "https", "source_context_list": "*", "delivery_type": "*", "delivery_value": "worker-src-self", "redirection": ["no-redirect", "keep-origin"], "origin": "same-https", "subresource": [ "sharedworker-classic", "sharedworker-import", "sharedworker-module", "worker-classic", "worker-import", "worker-module" ], "expectation": "allowed" }, ] } ], "delivery_key": "contentSecurityPolicy", "excluded_tests": [ { // upgraded-protocol-workers "expansion": "*", "source_scheme": "http", "source_context_list": "*", "delivery_type": "*", "delivery_value": "*", "redirection": "*", "origin": [ "same-https", "cross-https" ], "subresource": [ "worker-classic", "worker-module", "sharedworker-classic", "sharedworker-module" ], "expectation": "*" }, { // mixed-content-insecure-subresources "expansion": "*", "source_scheme": "https", "source_context_list": "*", "delivery_type": "*", "delivery_value": "*", "redirection": "*", "origin": [ "same-http", "same-http-downgrade", "cross-http", "cross-http-downgrade", "same-ws", "same-ws-downgrade", "cross-ws", "cross-ws-downgrade" ], "subresource": "*", "expectation": "*" }, { // redirections that content security policy tests don't care "expansion": "*", "source_scheme": "*", "source_context_list": "*", "delivery_type": "*", "delivery_value": "*", "redirection": [ "keep-scheme", "swap-scheme", "downgrade" ], "origin": "*", "subresource": "*", "expectation": "*" }, { // origins that content security policy tests don't care "expansion": "*", "source_scheme": "*", "source_context_list": "*", "delivery_type": "*", "delivery_value": "*", "redirection": "*", "origin": [ "same-http-downgrade", "cross-http-downgrade", "same-ws-downgrade", "cross-ws-downgrade" ], "subresource": "*", "expectation": "*" }, { // source_context_list values to be blocked by CSP (i.e. the source // context itself should be blocked by CSP before sending subresource // requests): // - data: URLs are blocked by "worker-src *", "worker-src 'self'" or // "worker-src 'none'". "expansion": "*", "source_scheme": "*", "source_context_list": [ "worker-classic-data", "worker-module-data", "sharedworker-classic-data", "sharedworker-module-data" ], "delivery_type": "*", "delivery_value": [ "worker-src-wildcard", "worker-src-self", "worker-src-none" ], "redirection": "*", "subresource": "*", "origin": "*", "expectation": "*" }, { // Currently only requests from top-level Documents are tested, because // `generic/test-case.sub.js` assumes that `securitypolicyviolation` // events are fired on top-level Documents. Once // `generic/test-case.sub.js` is fixed, we can enable non-top // source_context_list here. "expansion": "*", "source_scheme": "*", "source_context_list": [ "srcdoc-inherit", "srcdoc", "iframe", "iframe-blank-inherit", "worker-classic", "worker-classic-data", "worker-module", "worker-module-data", "sharedworker-classic", "sharedworker-classic-data", "sharedworker-module", "sharedworker-module-data" ], "delivery_type": "*", "delivery_value": "*", "redirection": "*", "subresource": "*", "origin": "*", "expectation": "*" }, { // Skip tests with no CSP directives. "expansion": "*", "source_scheme": "*", "source_context_list": "*", "delivery_type": "*", "delivery_value": null, "redirection": "*", "subresource": "*", "origin": "*", "expectation": "*" }, { // Skip script-src-none tests, as "script-src 'none'" would prevent // test scripts as well. See also comments in `get_csp_value()` in // `common/security-features/tools/generate.py`. "expansion": "*", "source_scheme": "*", "source_context_list": "*", "delivery_type": "*", "delivery_value": "script-src-none", "redirection": "*", "subresource": "*", "origin": "*", "expectation": "*" }, // Only test relevant subresources. // E.g. do not test tag for worker-src directives. { // script-src: workers (block), worklets (block), scripts (block) "expansion": "*", "source_scheme": "*", "source_context_list": "*", "delivery_type": "*", "delivery_value": [ "script-src-wildcard", "script-src-self", "script-src-none" ], "redirection": "*", "subresource": [ "a-tag", "area-tag", "audio-tag", "beacon", "fetch", "iframe-tag", "img-tag", "link-css-tag", "link-prefetch-tag", "object-tag", "picture-tag", "script-tag-dynamic-import", "video-tag", "websocket", "xhr" ], "origin": "*", "expectation": "*" }, { // worker-src: workers (block), worklets (allow), scripts (allow) "expansion": "*", "source_scheme": "*", "source_context_list": "*", "delivery_type": "*", "delivery_value": [ "worker-src-wildcard", "worker-src-self", "worker-src-none" ], "redirection": "*", "subresource": [ "a-tag", "area-tag", "audio-tag", "beacon", "fetch", "iframe-tag", "img-tag", "link-css-tag", "link-prefetch-tag", "object-tag", "picture-tag", "script-tag-dynamic-import", "video-tag", "websocket", "xhr" ], "origin": "*", "expectation": "*" }, { // HTTP->HTTPS requests are skipped to reduce the number of tests. "expansion": "*", "source_scheme": "http", "source_context_list": "*", "delivery_type": "*", "delivery_value": "*", "redirection": "*", "origin": [ "same-https", "cross-https" ], "subresource": "*", "expectation": "*" }, ], "source_context_schema": { "supported_delivery_type": { "top": [ "meta", "http-rp" ], // The following lines are commented out, because the // contentSecurityPolicy deliveries are not yet implemented in the // `common/security-features/scope/` scripts. "iframe": [ // "meta", // "http-rp" ], "iframe-blank": [ // "meta" ], "srcdoc": [ // "meta" ], "worker-classic": [ // "http-rp" ], "worker-module": [ // "http-rp" ], "worker-classic-data": [], "worker-module-data": [], "sharedworker-classic": [ // "http-rp" ], "sharedworker-module": [ // "http-rp" ], "sharedworker-classic-data": [], "sharedworker-module-data": [] } }, "subresource_schema": { "supported_delivery_type": { // No per-request CSP can be specified. "a-tag": [], "area-tag": [], "audio-tag": [], "beacon": [], "fetch": [], "iframe-tag": [], "img-tag": [], "link-css-tag": [], "link-prefetch-tag": [], "object-tag": [], "picture-tag": [], "script-tag": [], "script-tag-dynamic-import": [], "sharedworker-classic": [], "sharedworker-import": [], "sharedworker-import-data": [], "sharedworker-module": [], "video-tag": [], "websocket": [], "worker-classic": [], "worker-import": [], "worker-import-data": [], "worker-module": [], "worklet-animation": [], "worklet-animation-import-data": [], "worklet-audio": [], "worklet-audio-import-data": [], "worklet-layout": [], "worklet-layout-import-data": [], "worklet-paint": [], "worklet-paint-import-data": [], "xhr": [] } }, "test_expansion_schema": { "delivery_type": [ "http-rp", "meta" ], "delivery_value": [ null, "script-src-none", "script-src-self", "script-src-wildcard", "worker-src-none", "worker-src-self", "worker-src-wildcard" ], "expectation": [ "blocked", "allowed" ] } }