Diffstat (limited to 'testing/web-platform/tests/content-security-policy/blink-contrib')
220 files changed, 3691 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html
new file mode 100644
index 000000000..912a29e0b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>blob-urls-do-not-match-self</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline'; connect-src 'self'; child-src 'self';
+-->
+</head>
+
+<body>
+ <p>
+ blob: URLs are same-origin with the page in which they were created, but explicitly do not match the 'self' or '*' source in CSP directives because they are more akin to 'unsafe-inline' content.
+ </p>
+ <script>
+ function fail() {
+ alert_assert("FAIL!");
+ }
+ var b = new Blob(['fail();'], {
+ type: 'application/javascript'
+ });
+ var script = document.createElement('script');
+ script.src = URL.createObjectURL(b);
+ document.body.appendChild(script);
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'self'%20'unsafe-inline'%20''"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html.sub.headers
new file mode 100644
index 000000000..cbfc8d4e4
--- /dev/null
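Review bot: The expected `violated-directive` value on the checkReport line, `script-src 'self' 'unsafe-inline' ''`, carries a trailing empty `''` source that does not appear in the policy enforced by the accompanying headers file (`script-src 'self' 'unsafe-inline'; connect-src 'self'; child-src 'self'`), so unless checkReport.sub.js matches by prefix (its matching rule is not visible here) the comparison fails even when the blob: script is correctly blocked. It should read `reportValue=script-src%20'self'%20'unsafe-inline'`. With `logs=[]` the test logs nothing on the success path, so the violation report is the only evidence of the block; a one-line comment such as `<!-- verdict comes solely from the violation report; the blob: script must never run -->` would make that intent explicit.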
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: blob-urls-do-not-match-self={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; child-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html
new file mode 100644
index 000000000..819c1a699
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>blob-urls-match-blob</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS (1/1)"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' blob:; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>
+ blob: URLs are same-origin with the page in which they were created, but match only if the blob: scheme is specified.
+ </p>
+ <script>
+ function pass() {
+ log("PASS (1/1)");
+ }
+ var b = new Blob(['pass();'], {
+ type: 'application/javascript'
+ });
+ var script = document.createElement('script');
+ script.src = URL.createObjectURL(b);
+ document.body.appendChild(script);
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html.sub.headers
new file mode 100644
index 000000000..be74e61a7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: blob-urls-match-blob={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' blob:; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html
new file mode 100644
index 000000000..66b86f195
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html
@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+ <title>combine-header-and-meta-policies</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing multiple policies:
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'
+Content-Security-Policy: img-src 'none'
+-->
+</head>
+
+<body>
+<p>Test passes if both style and image are blocked and a report is generated for the
+ style block from the header-supplied policy.</p>
+
+ <script>
+ var img = document.createElement('img');
+ img.src = '../support/fail.png';
+ img.onerror = function() {
+ log("TEST COMPLETE");
+ };
+ img.onload = function() {
+ log("FAIL");
+ };
+ document.body.appendChild(img);
+
+ </script>
+ <style>
+ body {
+ background-color: blue;
+ }
+
+ </style>
+ <script>
+ var el = document.querySelector('body');
+ test(function() {
+ assert_equals(window.getComputedStyle(el).color, "rgb(0, 0, 0)")
+ });
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=style-src%20'self'"></script>
+</body>
+
+</html>
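Review bot: The assertion `assert_equals(window.getComputedStyle(el).color, "rgb(0, 0, 0)")` checks `color`, but the inline stylesheet it is meant to prove blocked sets `background-color: blue`, so the check passes whether or not the header policy's `style-src 'self'` actually blocked the style. Compare the property the stylesheet changes, `assert_equals(window.getComputedStyle(el).backgroundColor, "rgba(0, 0, 0, 0)")`, and give the `test()` a name so a failure is attributable. Only the header policy carries `report-uri`, so the image blocked by the meta `img-src 'none'` yields no report and the checkReport expectation is `style-src 'self'` alone; a comment such as `<!-- meta policy has no report-uri: only the style-src violation is reported -->` would spare the next reader a trip to the headers file.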
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html.sub.headers
new file mode 100644
index 000000000..b1f0e7f01
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: combine-header-and-meta-policies={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/combine-multiple-header-policies.html.asis b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-multiple-header-policies.html.asis
new file mode 100644
index 000000000..a14be5cd9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-multiple-header-policies.html.asis
@@ -0,0 +1,60 @@
+HTTP/1.1 200 OK
+Content-Type: text/html
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: combine-multiple-policies=d0140e7d-3800-4842-b66d-370840a4569a; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID=d0140e7d-3800-4842-b66d-370840a4569a
+Content-Security-Policy: img-src 'none'
+
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+ <title>combine-multiple-policies</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing multiple policies:
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; styls-src 'self'
+Content-Security-Policy: img-src 'none'
+-->
+</head>
+
+<body>
+ This test checks that we enforce all the supplied policies. This test passe if it doesn't alert fail and if the style doesn't apply.
+ Check that a SecurityPolicyViolationEvent is fired upon blocking an image.
+ <script>
+ var img = document.createElement('img');
+ img.src = '../support/fail.png';
+ img.onerror = function() {
+ log("TEST COMPLETE");
+ };
+ img.onload = function() {
+ log("FAIL");
+ };
+ document.body.appendChild(img);
+
+ </script>
+ <style>
+ body {
+ background-color: blue;
+ }
+
+ </style>
+ <script>
+ var el = document.querySelector('body');
+ test(function() {
+ assert_equals(window.getComputedStyle(el).color, "rgb(0, 0, 0)")
+ });
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=style-src%20'self'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html
new file mode 100644
index 000000000..2beb00d02
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html
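Review bot: The style check `assert_equals(window.getComputedStyle(el).color, "rgb(0, 0, 0)")` reads `color` while the inline `<style>` sets `background-color: blue`, so it cannot tell whether the second header policy was enforced; it should compare `backgroundColor` against `rgba(0, 0, 0, 0)`. Because this is an `.asis` file no template substitution runs, so the report ID and cookie value are the fixed string `d0140e7d-3800-4842-b66d-370840a4569a` and every run shares one slot on report.py, letting concurrent or repeated runs consume each other's reports. The cookie is also named `combine-multiple-policies` while the file is `combine-multiple-header-policies`, breaking the filename-equals-cookie-name convention every other test in this directory follows; if checkReport derives the cookie name from the file name (not visible here) it will not find the report ID at all. The prose promises a `SecurityPolicyViolationEvent` check the script never registers, and the comment carries `styls-src` and `passe` typos.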
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-beacon-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ if (typeof navigator.sendBeacon != 'function') {
+ t_log.set_status(t_log.NOTRUN, "No navigator.sendBeacon, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ try {
+ var es = navigator.sendBeacon("http://{{host}}:{{ports[http][0]}}/cors/resources/status.py");
+ log("Pass");
+ } catch (e) {
+ log("Fail");
+ }
+ var report = document.createElement("script");
+ report.src = "../support/checkReport.sub.js?reportExists=false";
+ report.async = true;
+ report.defer = true;
+ document.body.appendChild(report);
+
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..bd3eda40a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html.sub.headers
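Review bot: `navigator.sendBeacon()` returns a boolean that the try block discards in `var es = navigator.sendBeacon(...)`, so `log("Pass")` is reached even if the beacon was refused and the only real check is the absence of a report. Asserting the return value, `navigator.sendBeacon(...) ? log("Pass") : log("Fail");`, makes the allowed case observable without depending on report.py. The leftover `es` name is a copy-paste from the EventSource tests and can go.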
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-beacon-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html
new file mode 100644
index 000000000..f68d3c384
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-beacon-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ if (typeof navigator.sendBeacon != 'function') {
+ t_log.set_status(t_log.NOTRUN, "No navigator.sendBeacon, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ try {
+ var es = navigator.sendBeacon("http://www1.{{host}}:{{ports[http][0]}}/security/contentSecurityPolicy/echo-report.php");
+ log("Pass");
+ } catch (e) {
+ log("Fail");
+ }
+ var report = document.createElement("script");
+ report.src = "../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=connect-src%20'self'";
+ report.async = true;
+ report.defer = true;
+ document.body.appendChild(report);
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..69ded8da7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html.sub.headers
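Review bot: The head comment says the enforced policy is `connect-src 'self' http://{{host}}:{{ports[http][0]}}`, but the headers file for this test sends `connect-src 'self'`; the comment should match the header so nobody reads it and concludes the cross-host beacon is supposed to be allowed. The beacon target `/security/contentSecurityPolicy/echo-report.php` is a WebKit LayoutTests path that does not exist under WPT; it is never reached when enforcement works, but if enforcement failed the request would just 404, so point it at an existing resource such as `/content-security-policy/support/fail.png`. As in the allowed variant, `log("Pass")` fires regardless of what sendBeacon returned, so the violation report is the sole verdict.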
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-beacon-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html
new file mode 100644
index 000000000..3d03100e3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-beacon-redirect-to-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline';
+-->
+ <script></script>
+</head>
+
+<body>
+ <p>The beacon should not follow the redirect to http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png and send a CSP violation report.</p>
+ <p>Verify that a CSP connect-src directive blocks redirects.</p>
+ <script>
+ if (typeof navigator.sendBeacon != 'function') {
+ var t = async_test();
+ t.set_status(t.NOTRUN, "No navigator.sendBeacon, cannot run test.");
+ t.phase = t.phases.HAS_RESULT;
+ t.done();
+ } else {
+ navigator.sendBeacon(
+ "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png",
+ "ping");
+ var report = document.createElement("script");
+ report.src = "../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=connect-src%20'self'";
+ report.async = true;
+ report.defer = true;
+ document.body.appendChild(report);
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..2c69d0dc8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html.sub.headers
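Review bot: The no-sendBeacon branch here builds its own `async_test()` and pokes `t.phase` / `t.phases.HAS_RESULT`, whereas the two sibling beacon tests do the same thing through the harness-provided `t_log`; the three files should use one mechanism, and reaching into testharness internals to force NOTRUN is fragile either way. The empty `<script></script>` in the head is a conversion artifact and can be removed. With `logs=[]` the pass verdict rests entirely on the violation report for the redirect hop, which is the intended design, but a comment stating `<!-- first hop is same-origin; the block (and report) must come from the redirect to www1 -->` would document what is actually being tested.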
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-beacon-redirect-to-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html
new file mode 100644
index 000000000..b3a65f1c1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-eventsource-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var es = new EventSource("http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/simple-event-stream");
+ log("Pass");
+ } catch (e) {
+ log("Fail");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..eff5c546a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-eventsource-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html
new file mode 100644
index 000000000..5be570c46
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-eventsource-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var es = new EventSource("http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/simple-event-stream");
+ // Firefox doesn't throw an exception and takes some time to close async
+ if (es.readyState == EventSource.CONNECTING) {
+ setTimeout( function() {
+ es.readyState != EventSource.CLOSED ? log("Fail") : log("Pass");
+ }, 2);
+ } else if (es.readyState == EventSource.CLOSED) {
+ log("Pass");
+ } else {
+ log("Fail");
+ }
+
+ } catch (e) {
+ log("Pass");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=connect-src%20'self'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..ac37816a4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html.sub.headers
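Review bot: The CONNECTING branch waits a fixed `setTimeout(..., 2)` (two milliseconds) for the EventSource to reach CLOSED; a timer that short races the asynchronous CSP block and will intermittently log `Fail` on a slow or loaded runner. Observe the close event instead of polling, e.g. `es.onerror = function() { es.readyState == EventSource.CLOSED ? log("Pass") : log("Fail"); };`, with the harness timeout as the backstop. The report check stays as the evidence that the close was a CSP block rather than an ordinary network failure, so the two together give a robust verdict.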
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-eventsource-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html
new file mode 100644
index 000000000..a3ba4bad0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-eventsource-redirect-to-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS EventSource() did not follow the disallowed redirect.","TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline';
+-->
+ <script></script>
+</head>
+
+<body>
+ <script>
+ var es;
+ try {
+ es = new EventSource("/common/redirect.py?location= http://www.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/simple-event-stream");
+ } catch (e) {
+ log("FAIL " + "EventSource() should not throw an exception.");
+ }
+ es.onload = function() {
+ log("FAIL " + "EventSource() should fail to follow the disallowed redirect.");
+ log("TEST COMPLETE");
+ };
+ es.onerror = function() {
+ log("PASS " + "EventSource() did not follow the disallowed redirect.");
+ log("TEST COMPLETE");
+ };
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=connect-src%20'self'/security/contentSecurityPolicy/resources/redir.php"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..c63c8a9de
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html.sub.headers
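Review bot: The redirect URL `/common/redirect.py?location= http://www.{{host}}:...` has a stray space after `location=` and uses `www.` where every sibling test uses `www1.`, and `es.onload` is not an EventSource event (the open event is `onopen`), so the FAIL branch can never fire and a browser that does follow the redirect would hang until the harness timeout instead of failing. The expected report value `connect-src 'self'/security/contentSecurityPolicy/resources/redir.php` matches neither the head comment (`connect-src 'self'`) nor the headers file (`connect-src 'self' http://{{host}}:{{ports[http][0]}}/security/contentSecurityPolicy/resources/redir.php`), so the report comparison cannot succeed as written. I would use `"/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/simple-event-stream"`, rename the failure handler to `es.onopen`, and make the comment, header and `reportValue` agree on a single `connect-src 'self'`. If the `try` block throws, `es` is undefined and the handler assignments below it throw a second, unrelated error; the assignments belong inside the `try`.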
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-eventsource-redirect-to-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' http://{{host}}:{{ports[http][0]}}/security/contentSecurityPolicy/resources/redir.php; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html
new file mode 100644
index 000000000..4e8499bd4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-websocket-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' ws://127.0.0.1:8880; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var ws = new WebSocket("ws://127.0.0.1:8880/echo");
+ log("Pass");
+ } catch (e) {
+ log("Fail");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
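Review bot: The connect-src source `http://{{host}}:{{ports[http][0]}}/security/contentSecurityPolicy/resources/redir.php` is a leftover WebKit LayoutTests path; the test file actually redirects through `/common/redirect.py`, which is same-origin and already covered by `'self'`, so the path-based source is dead, widens the policy for nothing, and lengthens the `violated-directive` string the report must match. Reducing the directive to `connect-src 'self'` makes the header agree with the head comment in connect-src-eventsource-redirect-to-blocked.sub.html.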
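Review bot: The allowed WebSocket endpoint is hard-coded as `ws://127.0.0.1:8880/echo` in both the policy comment and the constructor, while every other test in the directory uses the wptserve substitutions that the `.sub.html` suffix already enables; on a runner whose ws server is bound elsewhere this test fails for reasons unrelated to CSP. Use `ws://{{host}}:{{ports[ws][0]}}/echo` here and the same expression in the headers file. `log("Pass")` after the constructor only shows it did not throw; logging from `ws.onopen` would show the connection was actually permitted.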
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..707435174
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-websocket-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' ws://127.0.0.1:8880; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html
new file mode 100644
index 000000000..68f86dec6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-websocket-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' ws://127.0.0.1:8880; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var ws = new WebSocket("ws://localhost:8880/echo");
+ log("Fail");
+ } catch (e) {
+ log("Pass");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=connect-src%20ws://127.0.0.1:8880"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..69036f5bd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-websocket-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' ws://127.0.0.1:8880; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
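Review bot: The expected report value `connect-src%20ws://127.0.0.1:8880` drops the `'self'` that the enforced header carries (`connect-src 'self' ws://127.0.0.1:8880`), so an exact comparison of `violated-directive` fails even though the `ws://localhost:8880` connection is correctly refused; unless checkReport matches by prefix (not visible here) it should be `reportValue=connect-src%20'self'%20ws://127.0.0.1:8880`. Expecting a synchronous throw from the WebSocket constructor is the right shape for a CSP-blocked connection, so the try/catch itself is fine. The hard-coded `127.0.0.1` / `localhost` pair has the same portability problem as the allowed variant and should use `{{host}}` and `{{ports[ws][0]}}`, keeping a deliberately non-matching host for the blocked URL.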
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html
new file mode 100644
index 000000000..a2ad12186
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-xmlhttprequest-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var xhr = new XMLHttpRequest;
+ xhr.open("GET", "http://{{host}}:{{ports[http][0]}}/xmlhttprequest/resources/get.txt", true);
+ log("Pass");
+ } catch (e) {
+ log("Fail");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..dbabcad7a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html.sub.headers
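Review bot: The allowed case never calls `xhr.send()`, so no request is made and connect-src is never consulted; `xhr.open()` alone cannot be blocked by CSP, which means this test passes even on a browser that would refuse the fetch. Mirror the blocked variant: call `xhr.send()` after `open()`, log `Pass` from `xhr.onload` and `Fail` from `xhr.onerror`, and keep `logs=["Pass"]`. Once the request is really sent, a 404 on the lowercase `/xmlhttprequest/resources/get.txt` path would surface as `onerror`, so the path should be checked against the actual resource directory name in this tree.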
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-xmlhttprequest-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html
new file mode 100644
index 000000000..014bb21ae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-xmlhttprequest-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ var xhr = new XMLHttpRequest;
+ xhr.open("GET", "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png", true);
+ xhr.send();
+ xhr.onload = function() {
+ log("Fail");
+ }
+ xhr.onerror = function() {
+ log("Pass");
+ }
+ } catch (e) {
+ log("Pass");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=connect-src%20'self'"></script>
+</body>
+
+</html>
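Review bot: The `onerror` path cannot distinguish a CSP block from an ordinary network failure: the target is cross-origin (`www1.{{host}}`), so even without connect-src enforcement the fetch would most likely still end in `onerror` through CORS unless fail.png is served with permissive CORS headers (not visible here), and `log("Pass")` would fire regardless. The assertion that actually proves enforcement is the `reportExists=true` check at the end of the page, and that deserves a comment in the script so nobody later weakens it: `// Without CSP this cross-origin fetch fails via CORS too; the violation report check below is the real assertion.` Attaching `onload`/`onerror` before `xhr.send()` would also read more naturally, though it is not a correctness issue since the events are dispatched asynchronously.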
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..d338034cf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-xmlhttprequest-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html
new file mode 100644
index 000000000..6fc0769b6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html
@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>connect-src-xmlhttprequest-redirect-to-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS XMLHttpRequest.send() did not follow the disallowed redirect.","TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline';
+-->
+ <script id="inject_here"></script>
+</head>
+
+<body>
+ <script>
+ var xhr = new XMLHttpRequest;
+ try {
+ xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ } catch (e) {
+ log("FAIL " + "XMLHttpRequest.open() should not throw an exception.");
+ }
+ xhr.onload = function() {
+ //cons/**/ole.log(xhr.responseText);
+ if(xhr.responseText == "FAIL") {
+ log("FAIL " + "XMLHttpRequest.send() should fail to follow the disallowed redirect.");
+ } else {
+ log("PASS " + "XMLHttpRequest.send() did not follow the disallowed redirect.");
+ }
+ log("TEST COMPLETE");
+ };
+ xhr.onerror = function() {
+ log("PASS " + "XMLHttpRequest.send() did not follow the disallowed redirect.");
+ log("TEST COMPLETE");
+ };
+ xhr.send();
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=connect-src%20'self'/security/contentSecurityPolicy/resources/redir.php"></script>
+</body>
+
+</html>
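Review bot: The `//cons/**/ole.log(xhr.responseText);` line is a mangled leftover from the conversion, and the empty `<script id="inject_here"></script>` placeholder in `<head>` is never referenced; both should be dropped. The `onload` branch also passes on any body other than `"FAIL"`, so a 4xx/5xx from `/common/redirect.py` itself (a response the page does receive, hence `onload`) would log PASS even though no redirect was ever attempted; a blocked redirect should surface as a network error in `onerror`, so treating `onload` as a failure unless `xhr.status` is checked, e.g. `if (xhr.status >= 400) { log("FAIL redirect.py returned " + xhr.status); }`, makes the PASS depend on the redirect actually being refused.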
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..452104ecd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: connect-src-xmlhttprequest-redirect-to-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html
new file mode 100644
index 000000000..f5859087a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>default-src-inline-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS 1 of 2","PASS 2 of 2"]'></script>
+ <!-- enforcing policy:
+default-src 'self' about: 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body onload="alert_assert('PASS 2 of 2')">
+ <script>
+ alert_assert('PASS 1 of 2');
+
+ </script>
+ <!--iframe src="javascript:alert_assert('PASS 2 of 3')"></iframe-->
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..f223f0661
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: default-src-inline-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: default-src 'self' about: 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
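Review bot: The "enforcing policy" comment in `<head>` lists `script-src 'self' 'unsafe-inline'`, but the .sub.headers file in this same hunk sends `default-src 'self' about: 'unsafe-inline'; connect-src 'self'` with no script-src at all, so the comment documents a different policy from the one the test runs under; it should be copied from the header verbatim: `default-src 'self' about: 'unsafe-inline'; connect-src 'self';`. The same drift appears in eval-blocked-and-sends-report (the comment still names a WebKit `report-uri resources/save-report.php`), filesystem-urls-do-not-match-self (`'self'` listed twice) and, most consequentially, filesystem-urls-match-filesystem, whose comment omits the `filesystem:` source that test exists to exercise. The commented-out `<!--iframe src="javascript:alert_assert('PASS 2 of 3')"></iframe-->`, with its stale 2-of-3 numbering, is dead markup and should be removed rather than left as a hint.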
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html
new file mode 100644
index 000000000..ad66a9d1f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>default-src-inline-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <!-- enforcing policy:
+default-src 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if the inline scripts don't create failing tests and a CSP report is sent.
+ <script>
+ test(function() {
+ assert_unreached('FAIL inline script ran')
+ });
+
+ </script>
+ <script src="resources/document-write-alert-fail.js"></script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=default-src%20'self'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..63ea706f9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html.sub.headers
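Review bot: What the external `resources/document-write-alert-fail.js` include is expected to do is not stated anywhere on the page: unlike the sibling tests this one has no logTest/alertAssert support scripts, so nothing that script alerts or logs is checked by the harness, and only the inline `test()` plus the report check carry the result. A one-line comment above the include describing its expected effect (that file is outside this hunk) would make the pass condition reviewable; if it contributes nothing, the include should go. The bare text node in `<body>` should be wrapped in `<p>` as the other tests in this commit do.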
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: default-src-inline-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: default-src 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html
new file mode 100644
index 000000000..4336b729b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>duplicate-directive</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS (1/1)"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline'; script-src 'none'; connect-src 'self';
+-->
+
+ <script>
+ alert_assert('PASS (1/1)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of duplicated directives. It passes if the alert_assert() is executed.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html.sub.headers
new file mode 100644
index 000000000..eefd7197f
--- /dev/null
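Review bot: The `<p>` description says only that the test passes if `alert_assert()` executes, without stating the rule under test, even though the later `script-src 'none'` in the policy is the whole point. A sentence in the description such as `Only the first occurrence of a directive is honored; the later script-src 'none' must be ignored, so the inline script runs and no report is sent.` documents the expected semantics next to the assertion. The repeated `'unsafe-inline' 'unsafe-inline'` inside the first directive is a different case (a duplicated source, not a duplicated directive) and deserves a word too if it is intentional.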
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: duplicate-directive={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; script-src 'none'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html
new file mode 100644
index 000000000..88da806a8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS (1 of 2)","PASS (2 of 2)"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ eval("alert_assert('PASS (1 of 2)')");
+
+ </script>
+ <script>
+ window.eval("alert_assert('PASS (2 of 2)')");
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..6bf55a116
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html
new file mode 100644
index 000000000..599b01c31
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-blocked-and-sends-report</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS: eval() blocked."]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'self'; report-uri resources/save-report.php?test=eval-blocked-and-sends-report.html; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ eval("alert_assert('FAIL')");
+ } catch (e) {
+ log('PASS: eval() blocked.');
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'self'%20'unsafe-inline'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html.sub.headers
new file mode 100644
index 000000000..f197e41de
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-blocked-and-sends-report={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
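Review bot: The `catch` logs `PASS: eval() blocked.` for any exception, not specifically the EvalError that a CSP-blocked eval raises; if eval were allowed and `alert_assert('FAIL')` itself threw on an unexpected alert (alertAssert.sub.js is not visible here), the test would still log PASS. Checking the type pins the blocked path: `if (e instanceof EvalError) { log('PASS: eval() blocked.'); } else { log('FAIL: unexpected ' + e.name); }`. eval-blocked in this commit has the same shape and even logs the string `PASS EvalError` from both catch blocks without inspecting the exception.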
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html
new file mode 100644
index 000000000..449f9d192
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html
@@ -0,0 +1,10 @@
+
+<iframe src="about:blank"></iframe>
+Eval should be blocked in the iframe, but inline script should be allowed.
+<script>
+ window.onload = function() {
+ frames[0].log("<script>alert_assert(/PASS/); eval('alert_assert(/FAIL/);');<\/script>");
+ frames[0].document.close();
+ }
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html.sub.headers
new file mode 100644
index 000000000..224f25ba7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-blocked-in-about-blank-iframe={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html
new file mode 100644
index 000000000..229667e7d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html
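Review bot: `frames[0].log(...)` followed by `frames[0].document.close()` reads as a conversion artifact for `frames[0].document.write(...)`: the about:blank frame's window has no `log` function, so the onload handler throws a TypeError and the inline/eval behavior inside the frame is never exercised; the intended line is `frames[0].document.write("<script>alert_assert(/PASS/); eval('alert_assert(/FAIL/);');<\/script>");`. This file is also the only test in the commit with no doctype, no testharness.js/testharnessreport.js, no logTest/alertAssert support includes, no `<div id="log">` and no checkReport include, so even once the child script runs, `alert_assert` is unlikely to resolve in the frame's own global and nothing records a result or checks for the expected eval violation report. The `/PASS/` and `/FAIL/` regex arguments look like another conversion leftover and should be the plain strings the other tests use.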
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS EvalError","PASS EvalError"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ eval("alert_assert('FAIL (1 of 2)')");
+ } catch (e) {
+ log("PASS EvalError");
+ }
+
+ </script>
+ <script>
+ try {
+ window.eval("alert_assert('FAIL (1 of 2)')");
+ } catch (e) {
+ log("PASS EvalError");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'unsafe-inline'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..124f56bfa
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
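Review bot: The second script's message `'FAIL (1 of 2)'` is a copy-paste of the first and should read `'FAIL (2 of 2)'`; as written, a failure of the `window.eval` case would be reported under the label of the direct-eval case. Since both blocks log the identical `PASS EvalError`, distinguishing the two log strings as well (for example `PASS EvalError (direct)` / `PASS EvalError (window.eval)`, with the `logs=` expectation updated to match) would make a partial failure diagnosable from the log alone.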
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html
new file mode 100644
index 000000000..66fa95d31
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-scripts-setInterval-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS 1 of 2","PASS 2 of 2"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';
+-->
+</head>
+<pre>
+<script>
+ {
+}
+var id_string = setInterval("clearInterval(id_string); alert_assert('PASS 1 of 2')", 0);
+if (id_string == 0)
+ log('FAIL: Return value for string (should not be 0): ' + id_string);
+var id_function = setInterval(function() {
+ clearInterval(id_function);
+ alert_assert('PASS 2 of 2');
+}, 0);
+if (id_function == 0)
+ document.write('FAIL: Return value for function (should not be 0): ' + id_function);
+</script>
+</pre>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..f13ba4c64
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html.sub.headers
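Review bot: The four timer tests (this one, eval-scripts-setInterval-blocked, eval-scripts-setTimeout-allowed and eval-scripts-setTimeout-blocked) are the only pages in this commit with no `<div id="log"></div>` and no checkReport.sub.js include, so the two -blocked variants never assert that the string-argument timer produced a violation report and the -allowed variants never assert `reportExists=false`. Adding `<div id="log"></div>` and the matching checkReport include before `</html>`, as every other test here does, closes that gap. The function-argument failure path uses `document.write(...)` while the string path uses `log(...)`; both should use `log` so the harness sees the message, and the `<pre>` sitting directly under `<html>` with no `<body>` (plus the stray empty `{ }` block at the top of the script) is worth tidying while here.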
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-scripts-setInterval-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html
new file mode 100644
index 000000000..45d873c80
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-scripts-setInterval-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+<pre>
+<script>
+ {
+}
+var id = setInterval("alert_assert('FAIL')", 0);
+if (id != 0)
+ log('FAIL: Return value for string (should be 0): ' + id);
+var id = setInterval(function() {
+ clearInterval(id);
+ alert_assert('PASS');
+}, 0);
+if (id == 0)
+ document.write('FAIL: Return value for function (should not be 0): ' + id);
+</script>
+</pre>
+
+</html>
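Review bot: `if (id != 0) log('FAIL: Return value for string (should be 0): ' + id);` encodes the legacy engine behavior of returning 0 for a blocked string-argument timer; as far as I recall, the current HTML timer initialization steps perform the CSP string-compilation check when the timer task runs, so a conforming engine returns an ordinary non-zero id and this line logs FAIL against an expected `logs=[]`. The property that matters is that `alert_assert('FAIL')` never executes; I would drop the return-value check for the string case, or relax it to `if (typeof id != 'number') log(...)`, and say why in a comment. eval-scripts-setTimeout-blocked carries the same check.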
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..1bd6b636d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-scripts-setInterval-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html
new file mode 100644
index 000000000..9b2e595e5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-scripts-setTimeout-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS 1 of 2","PASS 2 of 2"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';
+-->
+</head>
+<pre>
+<script>
+ {
+}
+var id = setTimeout("alert_assert('PASS 1 of 2')", 0);
+if (id == 0)
+ log('FAIL: Return value for string (should not be 0): ' + id);
+var id = setTimeout(function() {
+ alert_assert('PASS 2 of 2');
+}, 0);
+if (id == 0)
+ document.write('FAIL: Return value for function (should not be 0): ' + id);
+</script>
+</pre>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..4d664d600
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-scripts-setTimeout-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html
new file mode 100644
index 000000000..72ed2ce1a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-scripts-setTimeout-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+<pre>
+<script>
+ {
+}
+var id = setTimeout("alert_assert('FAIL')", 0);
+if (id != 0)
+ log('FAIL: Return value for string (should be 0): ' + id);
+var id = setTimeout(function() {
+ alert_assert('PASS');
+}, 0);
+if (id == 0)
+ document.write('FAIL: Return value for function (should not be 0): ' + id);
+</script>
+</pre>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..81537fe3e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: eval-scripts-setTimeout-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html
new file mode 100644
index 000000000..f9e814a1e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>filesystem-urls-do-not-match-self</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>
+ filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the 'self' or '*' source in CSP directives because they are more akin to 'unsafe-inline' content..
+ </p>
+ <script>
+ if(!window.webkitRequestFileSystem) {
+ t_log = async_test();
+ t_log.set_status(t_log.NOTRUN, "No filesystem:// support, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ function fail() {
+ alert_assert("FAIL!");
+ }
+ window.webkitRequestFileSystem(
+ TEMPORARY, 1024 * 1024 /*1MB*/ , function(fs) {
+ fs.root.getFile('fail.js', {
+ create: true
+ }, function(fileEntry) {
+ fileEntry.createWriter(function(fileWriter) {
+ fileWriter.onwriteend = function(e) {
+ var script = document.createElement('script');
+ script.src = fileEntry.toURL('application/javascript');
+ document.body.appendChild(script);
+ };
+ // Create a new Blob and write it to pass.js.
+ var b = new Blob(['fail();'], {
+ type: 'application/javascript'
+ });
+ fileWriter.write(b);
+ });
+ });
+ });
+ var s = document.createElement('script');
+ s.async = true;
+ s.defer = true;
+ s.src = "../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'self'%20'unsafe-inline'%20'*'"
+ document.lastChild.appendChild(s);
+ }
+
+
+ </script>
+ <div id="log"></div>
+
+</body>
+
+</html>
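Review bot: `document.lastChild.appendChild(s)` attaches the checkReport script to the `<html>` element after `</body>`, and the preceding `s.src = "..."` line has no terminating semicolon; `document.body.appendChild(s);` with the semicolon restored matches how the same page appends the filesystem-backed script a few lines earlier. The comment `// Create a new Blob and write it to pass.js.` was carried over from the match-filesystem variant and should say `fail.js`, which is what this page creates. The `<p>` description ends in a doubled period (`content..`).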
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html.sub.headers
new file mode 100644
index 000000000..a68e2a3df
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: filesystem-urls-do-not-match-self={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html
new file mode 100644
index 000000000..99e8592e5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>filesystem-urls-match-filesystem</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS (1/1)"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>
+ filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the 'self' or '*' source in CSP directives because they are more akin to 'unsafe-inline' content, but should match filesystem: source.
+ </p>
+ <script>
+ if(!window.webkitRequestFileSystem) {
+ t_log.set_status(t_log.NOTRUN, "No filesystem:// support, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ function pass() {
+ log("PASS (1/1)");
+ }
+ window.webkitRequestFileSystem(
+ TEMPORARY, 1024 * 1024 /*1MB*/ , function(fs) {
+ fs.root.getFile('pass.js', {
+ create: true
+ }, function(fileEntry) {
+ fileEntry.createWriter(function(fileWriter) {
+ fileWriter.onwriteend = function(e) {
+ var script = document.createElement('script');
+ script.src = fileEntry.toURL('application/javascript');
+ document.body.appendChild(script);
+ };
+ // Create a new Blob and write it to pass.js.
+ var b = new Blob(['pass();'], {
+ type: 'application/javascript'
+ });
+ fileWriter.write(b);
+ });
+ });
+ });
+ var s = document.createElement('script');
+ s.async = true;
+ s.defer = true;
+ s.src = "../support/checkReport.sub.js?reportExists=false"
+ document.lastChild.appendChild(s);
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
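Review bot: The NOTRUN branch calls `t_log.set_status(...)` without first creating `t_log`, whereas the sibling `filesystem-urls-do-not-match-self.sub.html` does `t_log = async_test();` first; unless `logTest.sub.js` (not shown) defines a global `t_log`, a browser without `webkitRequestFileSystem` throws a ReferenceError here instead of recording NOTRUN. Add the same `t_log = async_test();` line before the `set_status` call. The policy comment lists `script-src 'self' 'unsafe-inline' 'unsafe-inline' 'self'`, while the companion `.sub.headers` file sends `script-src 'self' 'unsafe-inline' filesystem:` — the `filesystem:` source is the whole point of this test, so the comment should be corrected to match. `pass()` is a function declaration inside a block and the `s.src = "..."` line lacks a terminating semicolon.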
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html.sub.headers
new file mode 100644
index 000000000..f9956ede8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: filesystem-urls-match-filesystem={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' filesystem:; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html
new file mode 100644
index 000000000..a363ce911
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>frame-src-about-blank-allowed-by-default</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+
+ <!-- enforcing policy:
+frame-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>These frames should not be blocked by Content-Security-Policy.
+ It's pointless to block about:blank iframes because
+ blocking a frame just results in displaying about:blank anyway!
+ </p>
+ <iframe src="about:blank"></iframe>
+ <object type="text/html" data="about:blank"></object>
+
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html.sub.headers
new file mode 100644
index 000000000..ba1169956
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: frame-src-about-blank-allowed-by-default={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: frame-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html
new file mode 100644
index 000000000..e4c47392c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html
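Review bot: The document opens `<head>` but never closes it or opens `<body>`: the `<p>`, `<iframe>`, `<object>` and `<div id="log">` follow the policy comment directly, and the closing `</body>` closes an element that was never opened. The parser recovers by implicitly ending the head at the `<p>`, so the test still runs, but the markup should carry `</head>` after the `-->` line and `<body>` before the `<p>`. `frame-src-about-blank-allowed-by-scheme.sub.html`, the next file in this diff, has the same structure and should get the same fix.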
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>frame-src-about-blank-allowed-by-scheme</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+
+ <!-- enforcing policy:
+frame-src about:; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>This frame should not be blocked by Content-Security-Policy.
+ </p>
+ <iframe src="about:blank"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html.sub.headers
new file mode 100644
index 000000000..e23b82a93
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: frame-src-about-blank-allowed-by-scheme={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: frame-src about:; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html
new file mode 100644
index 000000000..1d34679c8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html
@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <title>frame-src-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event."]'></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+
+ var t_alert = async_test('Expecting alerts: ["PASS"]');
+ var expected_alerts = ["PASS"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+Content-Security-Policy: frame-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>
+ This iframe should be allowed.
+ </p>
+ <script>
+ window.wasPostTestScriptParsed = true;
+ var loads = 0;
+
+ function loadEvent() {
+ loads++;
+ log("PASS " + "IFrame #" + loads + " generated a load event.");
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe src="/content-security-policy/blink-contrib/resources/postmessage-pass.html" onload="loadEvent()"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..05247b402
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html.sub.headers
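Review bot: The `message` listener hands `event.data` straight to `alert_assert` without checking `event.origin`, so any document that can post to this window — not only the same-origin `postmessage-pass.html` frame the test embeds — can decide the test result; a guard such as `if (event.origin !== location.origin) return;` at the top of the handler scopes it to the frame under test. Inside `alert_assert`, the unexpected-alert path ends with `t_log.done();` while every other path uses `t_alert.done()`; `t_log` is presumably provided by `logTest.sub.js` (not shown), but finishing the log test on an unexpected alert reads like a copy error for `t_alert.done();` — the sibling `frame-src-cross-origin-load.sub.html` uses `t_alert.done()` there. The `t_alert.done();` after `assert_unreached(msg)` is unreachable because `assert_unreached` throws. The policy comment also prefixes its value with `Content-Security-Policy:`, unlike the other tests in this series.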
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: frame-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: frame-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html
new file mode 100644
index 000000000..fe7555aeb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>frame-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event."]'></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+frame-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>
+ IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
+ </p>
+ <script>
+ window.wasPostTestScriptParsed = true;
+ var loads = 0;
+
+ function loadEvent() {
+ loads++;
+ log("PASS " + "IFrame #" + loads + " generated a load event.");
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe src="/content-security-policy/blink-contrib/resources/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=frame-src%20'none'"></script>
+</body>
+
+</html>
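Review bot: `alert_assert` references `t_alert` and `expected_alerts`, but unlike `frame-src-allowed.sub.html` and `frame-src-cross-origin-load.sub.html` this file never declares them — the `var t_alert = async_test(...)` and `var expected_alerts = [...]` lines are missing. The blocked frame is not expected to post a message, so the handler should never run; but if enforcement regresses and `postmessage-fail.html` does load, the handler dies with a ReferenceError on `t_alert.step` instead of recording a clean FAIL. Either add `var t_alert = async_test('Expecting alerts: []'); var expected_alerts = [];` before the function, or make the listener the assertion directly with `log('FAIL')`. As in the sibling tests, the listener does not check `event.origin` before trusting `event.data`.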
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..bd0e6d17f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: frame-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: frame-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html
new file mode 100644
index 000000000..5238e7c0f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html
@@ -0,0 +1,66 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>frame-src-cross-origin-load</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event.","PASS IFrame %232 generated a load event.","PASS IFrame %233 generated a load event."]'></script>
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+
+ var t_alert = async_test('Expecting alerts: ["PASS","PASS"]');
+ var expected_alerts = ["PASS", "PASS"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_alert.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+frame-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <p>
+ IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
+ </p>
+ <script>
+ window.wasPostTestScriptParsed = true;
+ var loads = 0;
+
+ function loadEvent() {
+ loads++;
+ log("PASS " + "IFrame #" + loads + " generated a load event.");
+ }
+
+ </script>
+</head>
+
+<body>
+ <iframe src="resources/postmessage-pass.html" onload="loadEvent()"></iframe>
+ <iframe src="http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/postmessage-pass.html" onload="loadEvent()"></iframe>
+ <iframe src="http://www2.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=frame-src%20'self'http://www1.{{host}}:{{ports[http][0]}}"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html.sub.headers
new file mode 100644
index 000000000..0970bbebf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: frame-src-cross-origin-load={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: frame-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
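Review bot: The expected report value in the final `checkReport.sub.js` URL is `frame-src%20'self'http://www1.{{host}}:{{ports[http][0]}}` — there is no `%20` between `'self'` and `http://`, while the policy the `.sub.headers` file sends is `frame-src 'self' http://www1.{{host}}:{{ports[http][0]}}`, so an equality check on violated-directive fails even when the `www2` frame is correctly blocked; insert `%20` after `'self'`. The `message` listener accepts `event.data` from any origin; because this test deliberately embeds frames from `www1.{{host}}` and `www2.{{host}}`, an explicit allow-list of the same-origin and `www1` origins would stop the blocked `www2` frame, or any other document, from steering the result. The enclosing `<script>` that defines `alert_assert` begins on the previous line of the hunk.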
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html
new file mode 100644
index 000000000..92cd088c5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>function-constructor-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ (new Function("alert_assert('PASS')"))();
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..dd80ebacc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html.sub.headers
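Review bot: `(new Function("alert_assert('PASS')"))();` is not wrapped in try/catch, so if `'unsafe-eval'` were not honoured the `EvalError` escapes the inline script, the expected `PASS` alert never arrives, and the harness reports an uncaught error or times out instead of an explicit assertion. Wrapping it as `try { (new Function("alert_assert('PASS')"))(); } catch (e) { alert_assert('FAIL ' + e.name); }` mirrors the blocked variant and fails fast with a message. The policy, both in the comment and in the `.sub.headers` file, lists `'unsafe-inline'` twice; harmless, but one token is enough.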
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: function-constructor-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html
new file mode 100644
index 000000000..be0c57477
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>function-constructor-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS EvalError"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ try {
+ (new Function("alert_assert('FAIL')"))();
+ } catch (e) {
+ log("PASS EvalError");
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'unsafe-inline'"></script>
+</body>
+
+</html>
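Review bot: The `catch (e)` block logs `"PASS EvalError"` for any exception, not specifically the `EvalError` a CSP-blocked `Function` constructor throws, so a ReferenceError from evaluating the string body would also be counted as a pass; check the type, e.g. `if (e instanceof EvalError) log("PASS EvalError"); else log("FAIL " + e.name);`. The expected report value `script-src%20'unsafe-inline'` also differs from the policy the `.sub.headers` file delivers (`script-src 'self' 'unsafe-inline' 'unsafe-inline'`), so an equality check on violated-directive is unlikely to match; the expected string should be the full directive as sent.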
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..eb7da39cb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: function-constructor-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html
new file mode 100644
index 000000000..8bacdd305
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<script>
+ {}
+
+ function createLink(rel, src) {
+ var link = document.createElement('link');
+ link.rel = rel;
+ link.href = src;
+ document.head.appendChild(link);
+ }
+ window.addEventListener('DOMContentLoaded', function() {
+ createLink('icon', 'http://localhost/foo?q=from_icon'); {}
+ });
+
+</script>
+<p>Use callbacks to show that favicons are loaded as allowed by CSP when link tags are dynamically added to the page.</p>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..b7d557b52
--- /dev/null
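Review bot: `icon-allowed.sub.html` carries no assertion at all: it includes neither `testharness.js`/`testharnessreport.js` nor a `checkReport.sub.js` script, and after `createLink` runs on `DOMContentLoaded` nothing observes whether the `<link rel="icon">` request was made or whether a violation report was sent, so the test cannot fail. The two stray `{}` empty blocks (one at the top of the script, one after the `createLink(...)` call) are conversion leftovers and should be removed. The icon URL hard-codes `http://localhost/foo?q=from_icon` rather than using the `{{host}}`/`{{ports[http][0]}}` substitutions the other `.sub.html` tests use, so the `img-src http://localhost` allow-list in its `.sub.headers` file only lines up when the test server really is `localhost`. `icon-blocked.sub.html`, the next file in this diff, has the same three issues.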
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: icon-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src http://localhost; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html
new file mode 100644
index 000000000..978f25f63
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<script>
+ function createLink(rel, src) {
+ var link = document.createElement('link');
+ link.rel = rel;
+ link.href = src;
+ document.head.appendChild(link);
+ }
+ window.addEventListener('DOMContentLoaded', function() {
+ createLink('icon', 'http://localhost/foo?q=from_icon'); {}
+ });
+
+</script>
+<p>Use callbacks to show that favicons are not loaded in violation of CSP when link tags are dynamically added to the page.</p>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..c4dc69985
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: icon-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html
new file mode 100644
index 000000000..f3d1e1424
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html
@@ -0,0 +1 @@
+<iframe src="resources/sandboxed-eval.php"></iframe>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html.sub.headers
new file mode 100644
index 000000000..2cb1c7214
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: iframe-inside-csp={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html
new file mode 100644
index 000000000..c087692db
--- /dev/null
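Review bot: `iframe-inside-csp.sub.html` embeds `resources/sandboxed-eval.php`, while every other support resource in this series is an `.html` file or a `.py` handler (`report.py`); a `.php` file is presumably not executed by the WPT server, so the frame would receive raw source or a 404 and the test exercises nothing. The file also has no doctype, no testharness include and no `checkReport.sub.js` call, so nothing asserts what the sandboxed frame does — the `reportExists` pattern used by the neighbouring tests would at least pin the expected report. Its `.sub.headers` policy lists `'self'` twice (`script-src 'self' 'unsafe-inline' 'self'`).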
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>image-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+img-src *; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <img src="../support/pass.png" onload="alert_assert(this.width == 168 ? 'PASS' : 'FAIL')">
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..3b85fc689
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: image-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src *; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html
new file mode 100644
index 000000000..e572070ef
--- /dev/null
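Review bot: The `<img>` in `image-allowed.sub.html` only has an `onload` handler; if `../support/pass.png` does not load — a network error, or the policy wrongly blocking it — `alert_assert` is never called, the expected `PASS` alert never arrives, and the failure surfaces as a harness timeout rather than an explicit assertion. Adding `onerror="alert_assert('FAIL')"`, as `image-blocked.sub.html` already does for its negative path, makes the failure explicit. `image-full-host-wildcard-allowed.sub.html` later in this diff has the same `onload`-only handler. The policy in both the comment and the `.sub.headers` file repeats `'unsafe-inline'`.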
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>image-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if it doesn't alert FAIL and does alert PASS.
+ <img src="../support/pass.png" onload='alert_assert("FAIL")' onerror='alert_assert("PASS")'>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=img-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..c58bb88bb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: image-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html
new file mode 100644
index 000000000..6482654cd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>image-full-host-wildcard-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+img-src http://*.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <img src="http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/pass.png" onload="alert_assert(this.width == 168 ? 'PASS' : 'FAIL')">
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..0f384f093
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: image-full-host-wildcard-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src http://*.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html
new file mode 100644
index 000000000..8ec6fe433
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>injected-inline-script-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["Pass 1 of 2","Pass 2 of 2"]'></script>
+ <!-- enforcing policy:
+ script-src 'self' 'unsafe-inline'; connect-src 'self';
+ -->
+</head>
+
+<body>
+ <script src="resources/inject-script.js"></script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..7f3453924
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: injected-inline-script-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html
new file mode 100644
index 000000000..bee3f9abd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>injected-inline-script-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <!-- enforcing policy:
+script-src 'self'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script src="resources/inject-script.js"></script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'self'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..e90dec673
--- /dev/null
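Review bot: Unlike injected-inline-script-allowed in the previous hunk, this page does not include `../support/alertAssert.sub.js?alerts=[]` or `../support/logTest.sub.js?logs=[]`, so if `resources/inject-script.js` (not visible here) manages to execute its injected inline script under `script-src 'self'`, a call to `alert_assert` would presumably throw a ReferenceError instead of registering an unexpected alert, and the test then stands or falls solely on the violation report. Adding `<script src="../support/alertAssert.sub.js?alerts=[]"></script>` and `<script src="../support/logTest.sub.js?logs=[]"></script>` to the head, as the other -blocked tests in this series do, makes a leaked execution observable rather than silently swallowed.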
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: injected-inline-script-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html
new file mode 100644
index 000000000..f52289e49
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>injected-inline-style-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS: 2 stylesheets on the page."]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <div id="test1">
+ FAIL 1/2
+ </div>
+ <div id="test2">
+ FAIL 2/2
+ </div>
+ <script src="resources/inject-style.js"></script>
+ <script>
+ if (document.styleSheets.length === 2)
+ log("PASS: 2 stylesheets on the page.");
+ else
+ document.write("FAIL: " + document.styleSheets.length + " stylesheets on the page (should be 2).");
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..8a48dc248
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: injected-inline-style-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
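Review bot: The failure branch of the inline script uses `document.write("FAIL: ...")`, which only paints text into the page and never reaches the harness, while the pass branch calls the `log(...)` that `logTest.sub.js?logs=[...]` is presumably waiting for; a wrong stylesheet count would therefore surface as a hang or timeout rather than an explicit failed expectation. Route both outcomes through the same channel, `log("FAIL: " + document.styleSheets.length + " stylesheets on the page (should be 2).");`, which also matches how injected-inline-style-blocked in the next hunk reports its result.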
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html
new file mode 100644
index 000000000..1ed46cb65
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>injected-inline-style-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <div id="test1">
+ PASS 1/2
+ </div>
+ <div id="test2">
+ PASS 2/2
+ </div>
+ <script src="resources/inject-style.js"></script>
+ <script>
+ log(document.styleSheets.length == 0 ? "PASS" : "FAIL");
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=style-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..d3f0a5efb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: injected-inline-style-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html
new file mode 100644
index 000000000..efb5043ad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html
@@ -0,0 +1,128 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <title>inline-style-allowed-while-cloning-objects</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src="../support/logTest.sub.js?logs=[]"></script> + <script src="../support/alertAssert.sub.js?alerts=[]"></script> + <!-- enforcing policy: +style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; +--> + <script> + window.onload = function() { + window.nodes = document.getElementById('nodes'); + window.node1 = document.getElementById('node1'); + window.node1.style.background = "yellow"; + window.node1.style.color = "red"; + window.node2 = document.getElementById('node1').cloneNode(true); + window.node2.id = "node2"; + window.node3 = document.getElementById('node3'); + window.node3.style.background = "blue"; + window.node3.style.color = "green"; + window.node4 = document.getElementById('node3').cloneNode(false); + window.node4.id = "node4"; + window.node4.innerHTML = "Node #4"; + nodes.appendChild(node1); + nodes.appendChild(node2); + nodes.appendChild(node3); + nodes.appendChild(node4); + test(function() { + assert_equals(node1.style.background.match(/yellow/)[0], "yellow") + }); + test(function() { + assert_equals(node2.style.background.match(/yellow/)[0], "yellow") + }); + test(function() { + assert_equals(node3.style.background.match(/blue/)[0], "blue") + }); + test(function() { + assert_equals(node4.style.background.match(/blue/)[0], "blue") + }); + test(function() { + assert_equals(node1.style.color, "red") + }); + test(function() { + assert_equals(node2.style.color, "red") + }); + test(function() { + assert_equals(node3.style.color, "green") + }); + test(function() { + assert_equals(node4.style.color, "green") + }); + test(function() { + assert_equals(window.getComputedStyle(node1).background, 
window.getComputedStyle(node2).background) + }); + test(function() { + assert_equals(window.getComputedStyle(node3).background, window.getComputedStyle(node4).background) + }); + test(function() { + assert_equals(window.getComputedStyle(node1).color, window.getComputedStyle(node2).color) + }); + test(function() { + assert_equals(window.getComputedStyle(node3).color, window.getComputedStyle(node4).color) + }); + window.ops = document.getElementById('ops'); + ops.style.color = 'red'; + window.clonedOps = ops.cloneNode(true); + window.violetOps = document.getElementById('violetOps'); + violetOps.style.background = 'rgb(238, 130, 238)'; + document.getElementsByTagName('body')[0].appendChild(clonedOps); + test(function() { + assert_equals(ops.style.background, "") + }); + test(function() { + assert_equals(ops.style.color, "red") + }); + test(function() { + assert_equals(clonedOps.style.background, "") + }); + test(function() { + assert_equals(violetOps.style.background.match(/rgb\(238, 130, 238\)/)[0], "rgb(238, 130, 238)") + }); + test(function() { + assert_equals(window.getComputedStyle(clonedOps).background, window.getComputedStyle(ops).background) + }); + test(function() { + assert_equals(window.getComputedStyle(clonedOps).color, window.getComputedStyle(ops).color) + }); + test(function() { + assert_equals(window.getComputedStyle(ops).background, window.getComputedStyle(violetOps).background) + }); + test(function() { + assert_equals(window.getComputedStyle(clonedOps).background, window.getComputedStyle(violetOps).background) + }); + test(function() { + assert_equals(ops.id, "ops") + }); + test(function() { + assert_equals(ops.id, clonedOps.id) + }); + }; + + </script> +</head> + +<body> + <p> + This test ensures that styles can be set by object.cloneNode() + </p> + <div id="nodes"> + This is a div (nodes) + <div id="node1"> This is a div. (node 1 or 2)</div> + <div id="node3"> This is a div. 
(node 3 or 4)</div> + </div> + <div id="ops" style="background: rgb(238, 130, 238)"> + Yet another div. + </div> + <div id="violetOps"> + Yet another div. + </div> + <div id="log"></div> + <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=style-src%20'self'"></script> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html.sub.headers new file mode 100644 index 000000000..963fa1751 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: inline-style-allowed-while-cloning-objects={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html new file mode 100644 index 000000000..bf5ac125d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html 
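Review bot: Every `test(function() {...})` in the onload handler is anonymous, and assertions of the form `node1.style.background.match(/yellow/)[0]` throw a TypeError on a null match instead of producing a readable assertion failure; naming each test (e.g. `test(function(){...}, "cloneNode(true) keeps CSSOM-set background")`) and using `assert_regexp_match(node1.style.background, /yellow/)` would make failures diagnosable and avoids any collision between auto-generated test names. The description `This test ensures that styles can be set by object.cloneNode()` also undersells what is verified: under `style-src 'self'` the CSSOM-set styles survive cloning while the blocked `style=` attribute on `#ops` stays empty on both the original and `clonedOps`, which is why a `style-src 'self'` violation report is expected at the end.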
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>inline-style-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+ <style>
+ .target {
+ background-color: blue;
+ }
+
+ </style>
+</head>
+
+<body class="target">
+ <script>
+ log(document.styleSheets.length > 0 ? 'PASS' : 'FAIL');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..8ff58f55f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
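Review bot: `document.styleSheets.length > 0` only proves that a CSSStyleSheet object exists for the `<style>` element, not that its `.target { background-color: blue; }` rule was applied to the body; asserting `getComputedStyle(document.body).backgroundColor === 'rgb(0, 0, 255)'` would check what `style-src 'unsafe-inline'` is meant to permit. As in image-blocked, script-src in both the comment and the .sub.headers file repeats `'unsafe-inline'` twice and could be collapsed to a single token.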
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html
new file mode 100644
index 000000000..ab446040a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>inline-style-attribute-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body style="background-color: blue;">
+ <script>
+ log(document.body.style.length > 0 ? 'PASS' : 'FAIL');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..7d765e2b6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-attribute-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html
new file mode 100644
index 000000000..90efe9fe7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>inline-style-attribute-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body style="background-color: blue;">
+ <script>
+ log(document.body.style.length > 0 ? 'FAIL' : 'PASS');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=style-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..0b1ec14c1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-attribute-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html
new file mode 100644
index 000000000..b002af987
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html style="background-color: blue;">
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="style-src 'self'">
+ <title>inline-style-attribute-on-html</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>Even though this page has a CSP policy the blocks inline style, the style attribute on the HTML element still takes effect because it preceeds the meta element.
+ </p>
+ <script>
+ log(document.documentElement.style.length > 0 ? 'PASS' : 'FAIL');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html.sub.headers
new file mode 100644
index 000000000..66bf93faa
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-attribute-on-html={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
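Review bot: The enforcing-policy comment in this page claims `style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';`, but the style policy actually applied is `style-src 'self'` from the `<meta http-equiv="Content-Security-Policy">` element, and the header in the companion .sub.headers file carries no style-src at all; anyone auditing the test against its comment would be misled about what is enforced. Replace the comment with something accurate, e.g. `<!-- style policy comes from the <meta> element above (style-src 'self'); the header only sets script-src 'self' 'unsafe-inline'; connect-src 'self' -->`. The explanatory paragraph also has two typos, `the blocks` for `that blocks` and `preceeds` for `precedes`.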
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html
new file mode 100644
index 000000000..3f7756e44
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>inline-style-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+-->
+ <style>
+ .target {
+ background-color: blue;
+ }
+
+ </style>
+</head>
+
+<body class="target">
+ <script>
+ log(document.styleSheets.length > 0 ? 'FAIL' : 'PASS');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=style-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..0b8306326
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: inline-style-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html
new file mode 100644
index 000000000..fe6d2b1c2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html
@@ -0,0 +1,9 @@
+<link rel="manifest" href="manifest.test/manifest.json">
+<script>
+ {
+ testRunner.getManifestThen(function() {
+ alert_assert("Pass");
+ });
+ }
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..3fbdc7337
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: manifest-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: manifest-src *; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
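Review bot: manifest-src-allowed cannot run under the WPT harness as written: `testRunner.getManifestThen` is a Blink content_shell API, `alert_assert("Pass")` is called without including `../support/alertAssert.sub.js`, and there is no testharness.js/testharnessreport.js include or `<div id="log">`, so the page will presumably fail on `testRunner` being undefined before any CSP behaviour is observed. Either port it to a WPT-compatible way of triggering the manifest fetch or mark the file as Blink-only so it is not mistaken for coverage. The `manifest.test/manifest.json` href is also a relative, same-origin path, so `manifest-src *` is not actually being exercised against a foreign origin.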
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html
new file mode 100644
index 000000000..fe6d2b1c2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html
@@ -0,0 +1,9 @@
+<link rel="manifest" href="manifest.test/manifest.json">
+<script>
+ {
+ testRunner.getManifestThen(function() {
+ alert_assert("Pass");
+ });
+ }
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..4d6e5e395
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: manifest-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: manifest-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html
new file mode 100644
index 000000000..4cb4002d9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html
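Review bot: manifest-src-blocked is byte-identical to manifest-src-allowed (both carry blob index fe6d2b1c2) and still expects `alert_assert("Pass")` from the manifest-load callback, so under `manifest-src 'none'` the page encodes the wrong outcome: a blocked manifest should not reach the callback and should instead produce a `violated-directive` of `manifest-src 'none'`. The test should treat the callback as a failure and include `<script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=manifest-src%20'none'"></script>`, as every other -blocked test in this series does. It also relies on the Blink-only `testRunner.getManifestThen` API and calls `alert_assert` without loading `../support/alertAssert.sub.js` or any testharness include, so it cannot currently run under WPT at all.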
@@ -0,0 +1,14 @@ +<video></video> +<script src="../../../media-resources/media-file.js"></script> +<script src="../../../media-resources/video-test.js"></script> +<script> + waitForEvent('loadedmetadata', function() { + alert_assert('PASS'); + endTestLater(); + }); + // Find a supported media file. + var mediaFile = findMediaFile("video", "content/test"); + var mimeType = mimeTypeForFile(mediaFile); + video.src = "http://{{host}}:{{ports[http][0]}}/resources/load-and-stall.cgi?name=../../../media/" + mediaFile + "&mimeType=" + mimeType + "&stallAt=100000"; + +</script> diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html.sub.headers new file mode 100644 index 000000000..b0401f7c7 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: media-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: media-src http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html new file mode 100644 index 000000000..57c8d5f65 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html 
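Review bot: media-src-allowed depends on Blink LayoutTests infrastructure the WPT server does not provide: `../../../media-resources/media-file.js` and `video-test.js` (the source of `waitForEvent`, `findMediaFile`, `mimeTypeForFile` and `endTestLater`) and `/resources/load-and-stall.cgi`, and it calls `alert_assert` without loading `../support/alertAssert.sub.js` or any testharness include, so as converted it will presumably fail with a ReferenceError before the `media-src` policy is exercised. Either point the `<video>` at a WPT-served media file and report through testharness, or mark the file as Blink-only. Passing `name=../../../media/...` as a path parameter to a CGI is also a traversal pattern worth avoiding even in test infrastructure.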
@@ -0,0 +1,15 @@ +<video></video> +<script src="../../../media-resources/media-file.js"></script> +<script src="../../../media-resources/video-test.js"></script> +<p>This test passes if it doesn't alert failure.</p> +<script> + waitForEvent('loadedmetadata', function() { + alert_assert('FAIL'); + }); + addEventListener('load', endTestLater, false); + // Find a supported media file. + var mediaFile = findMediaFile("video", "content/test"); + var mimeType = mimeTypeForFile(mediaFile); + video.src = "http://{{host}}:{{ports[http][0]}}/resources/load-and-stall.cgi?name=../../../media/" + mediaFile + "&mimeType=" + mimeType + "&stallAt=100000"; + +</script> diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html.sub.headers new file mode 100644 index 000000000..86c56953d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: media-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: media-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html new file mode 100644 index 000000000..c8036ce17 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html 
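Review bot: media-src-blocked verifies blocking only negatively, by the absence of a `loadedmetadata` alert before `load`; it has no `checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=media-src%20'none'` include and no testharness, so a browser that merely fails to decode the file would also "pass". Adding the report check and a PASS path on the video's `error` event, as media-src-track-block does in the next hunk, would turn this into a positive assertion that CSP, rather than the codec, blocked the load. The page shares the Blink-only `media-resources/*.js`, `load-and-stall.cgi` and bare `alert_assert` dependencies that keep it from running under the WPT server.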
@@ -0,0 +1,39 @@
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>media-src-track-block</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+media-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ function loaded() {
+ alert_assert("FAIL");
+ }
+
+ function errored() {
+ alert_assert("PASS");
+ }
+
+ function start() {
+ var track = document.querySelector('track');
+ track.track.mode = "hidden";
+ track.setAttribute('src', 'resources/track.vtt');
+ }
+
+ </script>
+</head>
+
+<body onload="start()">
+ <video>
+ <track kind="captions" onload="loaded()" onerror="errored()">
+ </video>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=media-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html.sub.headers
new file mode 100644
index 000000000..85c496e74
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-track-block={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: media-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
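Review bot: This file has no `<!DOCTYPE html>` while every other page in this series starts with one, so it renders in quirks mode; prepend `<!DOCTYPE html>` for consistency. The page drives itself through inline handlers (`<body onload="start()">`, `onload="loaded()"`, `onerror="errored()"`), which only works because the policy carries `'unsafe-inline'` for script-src; a comment next to the enforcing-policy block such as `<!-- inline handlers below depend on 'unsafe-inline' in script-src -->` would stop a later reader from tightening the policy and silently breaking the test.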
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html
new file mode 100644
index 000000000..358b7af1a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-in-svg-foreignobject</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p>This test ensures that objects inside SVG foreignobject elements are beholden to the same policy as the rest of the document. This test passes if there i a CSP violation saying the plugin was blocked.</p>
+ <svg>
+ <foreignobject>
+ <object xmlns="http://www.w3.org/1999/xhtml" data="/plugins/resources/mock-plugin.pl">
+ </object>
+ </foreignobject>
+ </svg>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=object-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html.sub.headers
new file mode 100644
index 000000000..a196a1558
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html.sub.headers
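Review bot: Typo in the explanatory paragraph: `there i a CSP violation` should read `there is a CSP violation`. The `<object>` points at `/plugins/resources/mock-plugin.pl`, a WebKit LayoutTests resource that presumably does not exist in the WPT tree; the violation report should be generated before any fetch, so the result likely does not depend on it, but a comment stating that the URL is intentionally a placeholder would make the intent explicit.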
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-in-svg-foreignobject={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html
new file mode 100644
index 000000000..d77027840
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-applet-archive-codebase</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ var len = navigator.mimeTypes.length;
+ var allTypes = "";
+ var appletMimeType = "application/x-java-applet";
+ for (var i = 0; i < len; i++) {
+ allTypes += navigator.mimeTypes[i].type + ';';
+ }
+ if (allTypes.indexOf(appletMimeType) == -1) {
+ t_log.set_status(t_log.NOTRUN, "No Java Plugin, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ var s = document.createElement('script');
+ s.src = "../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=object-src%20'none'";
+ document.body.appendChild(s);
+ }
+
+ </script>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <applet code="TestThingie" archive="archive.jar" codebase="/plugins/codebase/" id="appletObject" onload="log('FAIL')" onerror="log('PASS')"></applet>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html.sub.headers
new file mode 100644
index 000000000..0b71a188b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html.sub.headers
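Review bot: The Java-plugin probe (the `for` loop over `navigator.mimeTypes` that builds `allTypes` and the `indexOf` test) is copied verbatim into this file and into the three applet tests that follow (object-src-applet-archive, object-src-applet-code-codebase, object-src-applet-code); a shared support script, or at least the direct lookup `if (!navigator.mimeTypes[appletMimeType]) {`, would replace the string concatenation in all four. `<applet>` is obsolete and these tests can only run where a Java plugin is installed; the `NOTRUN` branch handles that, but a one-line comment above the probe saying so would explain why the check exists at all.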
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-applet-archive-codebase={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html
new file mode 100644
index 000000000..69c71986e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-applet-archive</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ var len = navigator.mimeTypes.length;
+ var allTypes = "";
+ var appletMimeType = "application/x-java-applet";
+ for (var i = 0; i < len; i++) {
+ allTypes += navigator.mimeTypes[i].type + ';';
+ }
+ if (allTypes.indexOf(appletMimeType) == -1) {
+ t_log.set_status(t_log.NOTRUN, "No Java Plugin, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ var s = document.createElement('script');
+ s.src = "../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=object-src%20'none'";
+ document.body.appendChild(s);
+ }
+
+ </script>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <applet code="TestThingie" archive="/plugins/archive.jar" id="appletObject" onload="log('FAIL')" onerror="log('PASS')"></applet>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html.sub.headers
new file mode 100644
index 000000000..4bd5ec149
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-applet-archive={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html
new file mode 100644
index 000000000..6121dad56
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-applet-archive-code-codebase</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ var len = navigator.mimeTypes.length;
+ var allTypes = "";
+ var appletMimeType = "application/x-java-applet";
+ for (var i = 0; i < len; i++) {
+ allTypes += navigator.mimeTypes[i].type + ';';
+ }
+ if (allTypes.indexOf(appletMimeType) == -1) {
+ t_log.set_status(t_log.NOTRUN, "No Java Plugin, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ var s = document.createElement('script');
+ s.src = "../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=object-src%20'none'";
+ document.body.appendChild(s);
+ }
+
+ </script>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <applet code="code.class" codebase="/plugins/codebase/"></applet>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html.sub.headers
new file mode 100644
index 000000000..1ced1a8e2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html.sub.headers
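Review bot: `logTest.sub.js?logs=["PASS"]` expects a `PASS` log entry, but unlike the applet elements in the two preceding tests this `<applet code="code.class" codebase="/plugins/codebase/">` has no `onload`/`onerror` handler, so nothing in this file ever calls `log('PASS')`; the same applies to object-src-applet-code in the following hunk. Either add `onload="log('FAIL')" onerror="log('PASS')"` to the element or change the expectation to `logs=[]` as the non-applet tests do — which one is right depends on how logTest.sub.js treats an unmet expectation, and that script is not in this chunk. The `<title>` also reads `object-src-applet-archive-code-codebase` while the file is object-src-applet-code-codebase.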
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-applet-code-codebase={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html
new file mode 100644
index 000000000..af598bfd1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-applet-code</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ var len = navigator.mimeTypes.length;
+ var allTypes = "";
+ var appletMimeType = "application/x-java-applet";
+ for (var i = 0; i < len; i++) {
+ allTypes += navigator.mimeTypes[i].type + ';';
+ }
+ if (allTypes.indexOf(appletMimeType) == -1) {
+ t_log.set_status(t_log.NOTRUN, "No Java Plugin, cannot run test.");
+ t_log.phase = t_log.phases.HAS_RESULT;
+ t_log.done();
+ } else {
+ var s = document.createElement('script');
+ s.src = "../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=object-src%20'none'";
+ document.body.appendChild(s);
+ }
+
+ </script>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <applet code="/plugins/code.class"></applet>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html.sub.headers
new file mode 100644
index 000000000..44bd725f8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-applet-code={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html
new file mode 100644
index 000000000..2e2bef25d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-no-url-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there isn't a CSP violation saying the plugin was blocked.
+ <object type="application/x-webkit-test-netscape"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..3746103fe
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-no-url-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html
new file mode 100644
index 000000000..ad3eebcae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-no-url-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <object type="application/x-webkit-test-netscape"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=object-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..dba0ece70
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-no-url-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html
new file mode 100644
index 000000000..dace2c417
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-url-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there is no CSP violation saying the plugin was blocked.
+ <object data="/content-security-policy/support/pass.png"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..bce19c1de
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-url-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html
new file mode 100644
index 000000000..4f12d747b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>object-src-url-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there is a CSP violation saying the plugin was blocked.
+ <object data="/plugins/resources/mock-plugin.pl"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=object-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..1447fd0fc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-url-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html
new file mode 100644
index 000000000..a43e4be27
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html
@@ -0,0 +1 @@
+<iframe src="resources/alert-pass.html"></iframe>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html.sub.headers
new file mode 100644
index 000000000..ff37e37ee
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: policy-does-not-affect-child={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html
new file mode 100644
index 000000000..dea8a87a3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html
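Review bot: The `Content-Security-Policy` header in the second hunk on this line lists `'self'` twice in `script-src 'self' 'unsafe-inline' 'self'`; the duplicate is harmless but reads like an editing slip and should be dropped. The page itself is a single `<iframe src="resources/alert-pass.html"></iframe>` with no doctype, no `<title>` and none of the testharness/checkReport scaffolding the other files in this series use, so whether the test produces any pass/fail signal depends entirely on alert-pass.html, which is not visible here; the iframe also lacks a `title` attribute.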
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-blocked-data-uri</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; report-uri resources/save-report.php?test=report-blocked-data-uri.html; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==">
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=img-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html.sub.headers
new file mode 100644
index 000000000..8530a1cc4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-blocked-data-uri={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
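Review bot: The "enforcing policy" comment in the head says `report-uri resources/save-report.php?test=report-blocked-data-uri.html`, but the header actually applied (the headers hunk on this same line) uses `report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}`; the comment was carried over from the WebKit original and should be updated to match, or its stale `report-uri` clause removed. The same stale `save-report.php` comment appears in report-uri-from-inline-javascript further down. The `<img>` also has no `alt`; `alt=""` is appropriate since it is a test fixture only.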
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html
new file mode 100644
index 000000000..ed2cd2a74
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-cross-origin-no-cookies</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; report-uri http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID=; script-src 'self' 'unsafe-inline' http://www1.{{host}}:{{ports[http][0]}}; connect-src 'self';
+-->
+ <script src="http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/set-cookie.js"></script>
+</head>
+
+<body>
+ <!-- This image will generate a CSP violation report. -->
+ <img src="resources/abe.png">
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=img-src%20'none'&noCookies=true"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html.sub.headers
new file mode 100644
index 000000000..5a7122975
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-cross-origin-no-cookies={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline' http://www1.{{host}}:{{ports[http][0]}}; connect-src 'self'; report-uri http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html
new file mode 100644
index 000000000..cb001a220
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-disallowed-from-meta</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri /content-security-policy/support/report.py?op=put&reportID=5ada7c32-1c46-4b79-a95f-af33fcf95f8e">
+</head>
+
+<body>
+ This image should be blocked, but should not show up in the violation report because meta policies MUST ignore report-uri.
+ <img src="../resources/abe.png" onerror="alert_assert('PASS')" onload="alert_assert('FAIL')">
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html.sub.headers
new file mode 100644
index 000000000..4c620525a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-disallowed-from-meta=5ada7c32-1c46-4b79-a95f-af33fcf95f8e; Path=/content-security-policy/blink-contrib
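Review bot: The meta-delivered `report-uri` and the `Set-Cookie` in the headers hunk share the hardcoded id `5ada7c32-1c46-4b79-a95f-af33fcf95f8e` instead of the `{{$id:uuid()}}` substitution every other test in this series uses, and the headers file deliberately omits the `Content-Security-Policy` header so the meta policy is the only one in force; neither choice is explained in the file. A comment next to the `<meta>` along the lines of `<!-- fixed reportID: the policy is delivered by meta only; checkReport expects no report under this id -->` would keep a later maintainer from "normalising" it and breaking the test (my reading of why the id is fixed is inferred, so adjust the wording). The `<img>` path `../resources/abe.png` also differs from the `resources/abe.png` used by the neighbouring report tests; with img-src 'none' it does not change the result, but it looks unintentional.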
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html
new file mode 100644
index 000000000..e90cb066b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-cross-origin-no-cookies</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; report-uri http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID=; script-src 'self' 'unsafe-inline' http://www1.{{host}}:{{ports[http][0]}}; connect-src 'self';
+-->
+ <script src="/content-security-policy/blink-contrib/resources/set-cookie.js"></script>
+</head>
+
+<body>
+ <!-- This image will generate a CSP violation report. -->
+ <img src="resources/abe.png">
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=img-src%20'none'&noCookies=true"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html.sub.headers
new file mode 100644
index 000000000..4655de254
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html.sub.headers
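Review bot: This test is named report-same-origin-with-cookies and its header (next hunk) sets a same-origin `report-uri`, yet the `<title>` still reads `report-cross-origin-no-cookies`, the enforcing-policy comment still describes the cross-origin `www1.{{host}}` policy, and the `checkReport.sub.js` query still passes `noCookies=true`. If `noCookies=true` asserts that the report request carried no cookies (checkReport.sub.js is not in this chunk), the assertion is the inverse of what the file name says it tests, and the query should drop `noCookies=true` or use whatever flag checkReport provides for the with-cookies case. At minimum the `<title>` and the policy comment should be updated to this file's actual policy so the copy-paste origin is not mistaken for intent.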
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-same-origin-with-cookies={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html
new file mode 100644
index 000000000..cf3f72f1e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-uri-from-inline-javascript</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; report-uri resources/save-report.php?test=report-uri-from-inline-javascript.html; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ // This script block will trigger a violation report.
+ var i = document.createElement('img');
+ i.src = 'resources/abe.png';
+ document.body.appendChild(i);
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=img-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html.sub.headers
new file mode 100644
index 000000000..c37a9ff8d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-uri-from-inline-javascript={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html
new file mode 100644
index 000000000..790a75bda
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>report-uri-from-javascript</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; report-uri resources/save-report.php?test=report-uri-from-javascript.html; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script src="resources/inject-image.js"></script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=img-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html.sub.headers
new file mode 100644
index 000000000..ed6560118
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-uri-from-javascript={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html
new file mode 100644
index 000000000..9ffb835f2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html
@@ -0,0 +1,6 @@
+<script src="resources/report-test.js"></script>
+<script>
+ // This script block will trigger a violation report.
+ alert_assert('FAIL');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html.sub.headers
new file mode 100644
index 000000000..1416ea7f1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: report-uri={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'self'; report-uri resources/save-report.php?test=report-uri.html; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-fail.html b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-fail.html
new file mode 100644
index 000000000..c0fb8173d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-fail.html
@@ -0,0 +1,4 @@
+<script>
+ alert('FAIL');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-pass.html b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-pass.html
new file mode 100644
index 000000000..50e753d0d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-pass.html
@@ -0,0 +1,4 @@
+<script>
+ alert('PASS');
+
+</script>
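Review bot: `report-uri.sub.html` cannot produce the violation its comment promises: the headers file in the same hunk group sends `script-src 'self' 'unsafe-inline' 'self'`, so the inline `alert_assert('FAIL')` is allowed to execute, and the page loads neither testharness.js nor alertAssert.sub.js, so `alert_assert` is undefined when it runs. That header also carries two `report-uri` directives (`resources/save-report.php?test=report-uri.html` and `/content-security-policy/support/report.py?…reportID={{$id}}`); a policy keeps only the first occurrence of a directive name, so the `report.py` endpoint keyed by `$id` never receives anything even once the inline script is blocked. `resources/report-test.js` does not appear anywhere in this patch either. Either finish the conversion — drop `'unsafe-inline'` and the `save-report.php` directive, add the harness includes and a `checkReport.sub.js?reportExists=true…` script — or leave the file out until it is.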
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/blue.css b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/blue.css
new file mode 100644
index 000000000..54aeecc12
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/blue.css
@@ -0,0 +1,3 @@
+.target {
+ background-color: blue;
+}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/document-write-alert-fail.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/document-write-alert-fail.js
new file mode 100644
index 000000000..5e78ca0da
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/document-write-alert-fail.js
@@ -0,0 +1 @@
+document.write("<script>test(function () { assert_unreached('FAIL inline script from document.write ran') });</script>");
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/generate-csp-report.html b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/generate-csp-report.html
new file mode 100644
index 000000000..887f44f48
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/generate-csp-report.html
@@ -0,0 +1,7 @@
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'; report-uri save-report.php?test=generate-csp-report.html">
+<script>
+ // This script block will trigger a violation report.
+ alert('FAIL');
+
+</script>
+<script src="go-to-echo-report.js"></script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/go-to-echo-report.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/go-to-echo-report.js
new file mode 100644
index 000000000..e220f2a47
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/go-to-echo-report.js
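Review bot: `generate-csp-report.html` declares `report-uri save-report.php?…` inside a `<meta>` policy, which this same batch's `report-disallowed-from-meta` test asserts a browser must ignore, so the page can never deliver the report its comment says it generates; `alert('FAIL')` is simply an inline script that `script-src 'self'` blocks. The companion `go-to-echo-report.js` in the next hunk navigates to `/security/contentSecurityPolicy/resources/echo-report.php` and calls `window.testRunner`, both WebKit test-runner artifacts with no counterpart under wpt. Unless another test in this batch references these two files, they look like conversion leftovers and should be removed or ported to `../support/report.py` with a `{{$id}}` report ID like the top-level tests.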
@@ -0,0 +1,12 @@
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+window.onload = function() {
+ var test = window.location.pathname.replace(/^.+\//, '');
+ var match = window.location.search.match(/^\?test=([^&]+)/);
+ if (match)
+ test = match[1];
+ window.location = "/security/contentSecurityPolicy/resources/echo-report.php?test=" + test;
+}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-image.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-image.js
new file mode 100644
index 000000000..1e1f93b39
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-image.js
@@ -0,0 +1,4 @@
+// This script block will trigger a violation report.
+var i = document.createElement('img');
+i.src = '/security/resources/abe.png';
+document.body.appendChild(i);
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-script.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-script.js
new file mode 100644
index 000000000..155371985
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-script.js
@@ -0,0 +1,5 @@
+document.write("<script>alert_assert('Pass 1 of 2');</script>");
+
+var s = document.createElement('script');
+s.textContent = "alert_assert('Pass 2 of 2');";
+document.body.appendChild(s);
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-style.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-style.js
new file mode 100644
index 000000000..532645a45
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-style.js
@@ -0,0 +1,5 @@
+document.write("<style>#test1 { display: none; }</style>");
+
+var s = document.createElement('style');
+s.textContent = "#test2 { display: none; }";
+document.body.appendChild(s);
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/post-message.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/post-message.js
new file mode 100644
index 000000000..69daa31d2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/post-message.js
@@ -0,0 +1 @@
+postMessage("importScripts allowed");
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-fail.html b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-fail.html
new file mode 100644
index 000000000..a0308ad98
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-fail.html
@@ -0,0 +1,4 @@
+<script>
+ window.parent.postMessage('FAIL', '*');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-pass.html b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-pass.html
new file mode 100644
index 000000000..700167b5d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-pass.html
@@ -0,0 +1,4 @@
+<script>
+ window.parent.postMessage('PASS', '*');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/script.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/script.js
new file mode 100644
index 000000000..54eaf530c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/script.js
@@ -0,0 +1,2 @@
+var result = document.getElementById("result");
+result.firstChild.nodeValue = result.attributes.getNamedItem("text").value;
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/set-cookie.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/set-cookie.js.sub.headers
new file mode 100644
index 000000000..1d5fbba17
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/set-cookie.js.sub.headers
@@ -0,0 +1 @@
+Set-Cookie: report-cookie=true
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js
new file mode 100644
index 000000000..28937d05d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js
@@ -0,0 +1,23 @@
+onconnect = function (event) {
+ var port = event.ports[0];
+ var xhr = new XMLHttpRequest;
+ xhr.onerror = function () {
+ port.postMessage("xhr blocked");
+ port.postMessage("TEST COMPLETE");
+ };
+ xhr.onload = function () {
+ if (xhr.responseText == "FAIL") {
+ port.postMessage("xhr allowed");
+ } else {
+ port.postMessage("xhr blocked");
+ }
+ port.postMessage("TEST COMPLETE");
+ };
+ try {
+ xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ xhr.send();
+ } catch (e) {
+ port.postMessage("xhr blocked");
+ port.postMessage("TEST COMPLETE");
+ }
+}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js
new file mode 100644
index 000000000..28937d05d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js
@@ -0,0 +1,23 @@
+onconnect = function (event) {
+ var port = event.ports[0];
+ var xhr = new XMLHttpRequest;
+ xhr.onerror = function () {
+ port.postMessage("xhr blocked");
+ port.postMessage("TEST COMPLETE");
+ };
+ xhr.onload = function () {
+ if (xhr.responseText == "FAIL") {
+ port.postMessage("xhr allowed");
+ } else {
+ port.postMessage("xhr blocked");
+ }
+ port.postMessage("TEST COMPLETE");
+ };
+ try {
+ xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ xhr.send();
+ } catch (e) {
+ port.postMessage("xhr blocked");
+ port.postMessage("TEST COMPLETE");
+ }
+}
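Review bot: `shared-worker-make-xhr-allowed.sub.js` and `shared-worker-make-xhr-blocked.sub.js` (the hunk ending here) are byte-identical — same blob `28937d05d` — so the only thing that makes one of them the "blocked" case is the `connect-src 'none'` in the latter's `.sub.headers`, which nothing in either script points at. A header comment in each worker, e.g. `// Outcome is decided by the matching .sub.headers CSP, not by this script.`, would make that dependency visible to the next maintainer. In `xhr.onload`, any response body other than `"FAIL"` is reported as `"xhr blocked"`, so a 404, a changed `fail.asis`, or a redirect that lands on the wrong host is indistinguishable from a CSP block; posting `xhr.status` alongside, or the actual text when it is unexpected, would make failures diagnosable. The same two points apply to `worker-make-xhr-blocked.sub.js` and `worker-make-xhr.sub.js` later in this diff.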
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js.sub.headers
new file mode 100644
index 000000000..ac7368c32
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: connect-src 'none'
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream
new file mode 100644
index 000000000..e467657bc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream
@@ -0,0 +1 @@
+data: hello
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream.headers
new file mode 100644
index 000000000..9bb8badca
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream.headers
@@ -0,0 +1 @@
+Content-Type: text/event-stream
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/track.vtt b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/track.vtt
new file mode 100644
index 000000000..365e9ae15
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/track.vtt
@@ -0,0 +1 @@
+Subtitles!
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js
new file mode 100644
index 000000000..9aa87129a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js
@@ -0,0 +1,5 @@
+var id = 0;
+try {
+ id = eval("1 + 2 + 3");
+} catch (e) {}
+postMessage(id === 0 ? "eval blocked" : "eval allowed");
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js.sub.headers
new file mode 100644
index 000000000..afdcc7c01
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js
new file mode 100644
index 000000000..03d9bf4cb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js
@@ -0,0 +1,7 @@
+var fn = function() {
+ postMessage('Function() function blocked');
+}
+try {
+ fn = new Function("", "postMessage('Function() function allowed');");
+} catch (e) {}
+fn();
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js.sub.headers
new file mode 100644
index 000000000..afdcc7c01
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js
new file mode 100644
index 000000000..65ec6f446
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js
@@ -0,0 +1,6 @@
+try {
+ importScripts("/content-security-policy/blink-contrib/resources/post-message.js");
+ postMessage("importScripts allowed");
+} catch (e) {
+ postMessage("importScripts blocked");
+}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js.sub.headers
new file mode 100644
index 000000000..57616b1fc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js
new file mode 100644
index 000000000..22819d57a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js
@@ -0,0 +1,21 @@
+var xhr = new XMLHttpRequest;
+xhr.onerror = function () {
+ postMessage("xhr blocked");
+ postMessage("TEST COMPLETE");
+};
+xhr.onload = function () {
+ //cons/**/ole.log(xhr.responseText);
+ if (xhr.responseText == "FAIL") {
+ postMessage("xhr allowed");
+ } else {
+ postMessage("xhr blocked");
+ }
+ postMessage("TEST COMPLETE");
+};
+try {
+ xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ xhr.send();
+} catch (e) {
+ postMessage("xhr blocked");
+ postMessage("TEST COMPLETE");
+}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js.sub.headers
new file mode 100644
index 000000000..ac7368c32
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: connect-src 'none'
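Review bot: `//cons/**/ole.log(xhr.responseText);` in `xhr.onload` of worker-make-xhr-blocked.sub.js is a commented-out debug call with a `/**/` spliced into the identifier, apparently to slip past a console.log lint; it has no effect and should simply be deleted. The identical line appears in `worker-make-xhr.sub.js` in the following hunk. If the response text is worth surfacing for diagnosis, post it through the worker's message channel instead, e.g. `postMessage("unexpected body: " + xhr.responseText);` in the `else` branch, where the harness can actually record it.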
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js
new file mode 100644
index 000000000..73359a39e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js
@@ -0,0 +1,21 @@
+var xhr = new XMLHttpRequest;
+xhr.onerror = function () {
+ postMessage("xhr blocked");
+ postMessage("TEST COMPLETE");
+};
+xhr.onload = function () {
+ //cons/**/ole.log(xhr.responseText);
+ if (xhr.responseText == "FAIL") {
+ postMessage("xhr allowed");
+ } else {
+ postMessage("xhr blocked");
+ }
+ postMessage("TEST COMPLETE");
+};
+try {
+ xhr.open("GET", "/common/redirect.py?location=http://{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ xhr.send();
+} catch (e) {
+ postMessage("xhr blocked");
+ postMessage("TEST COMPLETE");
+}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js
new file mode 100644
index 000000000..a16827edd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js
@@ -0,0 +1,5 @@
+var id = 0;
+try {
+ id = setTimeout("postMessage('handler invoked')", 100);
+} catch (e) {}
+postMessage(id === 0 ? "setTimeout blocked" : "setTimeout allowed");
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js.sub.headers
new file mode 100644
index 000000000..57616b1fc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html
new file mode 100644
index 000000000..c755504b1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html
@@ -0,0 +1,3 @@
+
+This test passes if it does alert pass.
+<iframe src="data:text/html,<script>alert_assert('PASS');</script>"></iframe>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html.sub.headers
new file mode 100644
index 000000000..4c7945728
--- /dev/null
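Review bot: `alert_assert('PASS')` runs inside a `data:` iframe, but nothing defines `alert_assert` there: the page loads neither testharness.js nor alertAssert.sub.js, and a `data:` document is a separate opaque origin that could not reach the parent's functions even if they existed, so the frame throws a ReferenceError and the test has no assertion that can pass or fail. The same missing harness affects sandbox-allow-scripts.sub.html, sandbox-empty-subframe.sub.html and sandbox-empty.sub.html in the next two lines. If these are meant to run under wpt they need the harness includes plus a `postMessage`-based signal from the frame to a listener in the parent — the `resources/postmessage-pass.html` / `postmessage-fail.html` helpers added in this patch already do exactly that and could replace the `data:` URLs.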
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: sandbox-allow-scripts-subframe={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: sandbox allow-scripts; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html
new file mode 100644
index 000000000..3bdaa12ea
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html
@@ -0,0 +1,6 @@
+
+This test passes if it does alert pass.
+<script>
+ alert_assert('PASS');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html.sub.headers
new file mode 100644
index 000000000..b6df57d17
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: sandbox-allow-scripts={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: sandbox allow-scripts; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html
new file mode 100644
index 000000000..5ddccfaa3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html
@@ -0,0 +1,3 @@
+
+This test passes if it doesn't alert fail.
+<iframe src="data:text/html,<script>alert_assert('FAIL');</script>"></iframe>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html.sub.headers
new file mode 100644
index 000000000..5287112d6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: sandbox-empty-subframe={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: sandbox; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html
new file mode 100644
index 000000000..4e04e9875
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html
@@ -0,0 +1,6 @@
+
+This test passes if it doesn't alert fail.
+<script>
+ alert_assert('FAIL');
+
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html.sub.headers
new file mode 100644
index 000000000..f7d31c959
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: sandbox-empty={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: sandbox; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html
new file mode 100644
index 000000000..cf4aab201
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>script-src-overrides-default-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS 1 of 2","PASS 2 of 2"]'></script>
+ <!-- enforcing policy:
+default-src about:; script-src 'self' 'unsafe-inline' 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body onload="alert_assert('PASS 2 of 2')">
+ <script>
+ alert_assert('PASS 1 of 2');
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html.sub.headers
new file mode 100644
index 000000000..5d3456433
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-overrides-default-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: default-src about:; script-src 'self' 'unsafe-inline'; style-src 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html
new file mode 100644
index 000000000..5f388622c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-connect-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["TEST COMPLETE"]'></script>
+ <!-- enforcing policy:
+connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src 'self';
+-->
+
+</head>
+<p>This test loads a worker, from a guid.
+ The worker should be blocked from loading with a child-src policy of 'self'
+ as the blob: scheme must be specified explicitly.
+ A report should be sent to the report-uri specified
+ with this resource.</p>
+<body>
+ <script>
+ try {
+ var blob = new Blob([
+ "postMessage('FAIL');" +
+ "postMessage('TEST COMPLETE');"
+ ],
+ {type : 'application/javascript'});
+ var url = URL.createObjectURL(blob);
+ var worker = new Worker(url);
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ worker.onerror = function(event) {
+ alert_assert('TEST COMPLETE');
+ event.preventDefault();
+ }
+ } catch (e) {
+ alert_assert('TEST COMPLETE');
+ }
+ function timeout() {
+ alert_assert('TEST COMPLETE');
+ }
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=child-src%20'self'"></script>
+</body>
+
+</html>
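Review bot: The `<title>` reads `worker-connect-src-blocked` for a file named self-doesnt-match-blob, and the explanatory `<p>` sits between `</head>` and `<body>` where the parser has to relocate it; fix the title to `<title>self-doesnt-match-blob</title>` and move the paragraph inside `<body>`. `function timeout()` is declared but never scheduled or referenced, so there is no timeout path — either register it (the harness presumably has a mechanism for this; check alertAssert.sub.js) or delete it. "from a guid" in the description should say "from a blob: URL", which is what `URL.createObjectURL` produces and what the `child-src 'self'` assertion is about.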
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html.sub.headers
new file mode 100644
index 000000000..05843484b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: self-doesnt-match-blob={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html
new file mode 100644
index 000000000..17da111a8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html
@@ -0,0 +1,43 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <title>shared-worker-connect-src-allowed</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src="../support/logTest.sub.js?logs=[]"></script> + <script src='../support/alertAssert.sub.js?alerts=["xhr allowed","TEST COMPLETE"]'></script> + <!-- enforcing policy: +connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; +--> + +</head> + +<body> + <script> + if(typeof SharedWorker != 'function') { + t_alert.set_status(t_alert.NOTRUN, "No SharedWorker, cannot run test."); + t_alert.phase = t_alert.phases.HAS_RESULT; + t_alert.done(); + } else { + try { + var worker = new SharedWorker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js'); + worker.port.onmessage = function(event) { + alert_assert(event.data); + }; + } catch (e) { + alert_assert(e); + } + var report = document.createElement("script"); + report.src = "../support/checkReport.sub.js?reportExists=false"; + report.async = true; + report.defer = true; + document.body.appendChild(report); + } + + </script> + <div id="log"></div> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html.sub.headers new file mode 100644 index 000000000..eefff95c6 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html.sub.headers 
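Review bot: The `enforcing policy` comment in the head says `connect-src 'self' http://{{host}}:{{ports[http][0]}}`, but the `.sub.headers` file added for this page in the same commit sends `connect-src 'self' http://www1.{{host}}:{{ports[http][0]}}`; the header is what the browser enforces, so the comment should be corrected to match it. Since `{{host}}:{{ports[http][0]}}` is the page's own origin and already covered by `'self'`, the extra `www1` source is presumably what lets the shared worker's XHR succeed, which the current comment hides. The worker script `shared-worker-make-xhr-allowed.sub.js` that performs the XHR is outside this hunk, so the target origin cannot be confirmed here.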
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: shared-worker-connect-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html
new file mode 100644
index 000000000..63225bf27
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html
@@ -0,0 +1,50 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <title>shared-worker-connect-src-blocked</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src="../support/logTest.sub.js?logs=[]"></script> + <script src='../support/alertAssert.sub.js?alerts=["xhr blocked","TEST COMPLETE"]'></script> + <!-- enforcing policy: +connect-src *; script-src 'self' 'unsafe-inline'; +--> + +</head> + +<body> + <p>This test loads a shared worker, delivered with its own + policy. The worker should be blocked from making an XHR + as that policy specifies a connect-src 'none', though + this resource's policy is connect-src *. No report + should be sent since the worker's policy doesn't specify + a report-uri.</p> + <script> + if(typeof SharedWorker != 'function') { + t_alert.set_status(t_alert.NOTRUN, "No SharedWorker, cannot run test."); + t_alert.phase = t_alert.phases.HAS_RESULT; + t_alert.done(); + } else { + try { + var worker = new SharedWorker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js'); + worker.port.onmessage = function(event) { + alert_assert(event.data); + }; + } catch (e) { + alert_assert(e); + } + var report = document.createElement("script"); + report.src = "../support/checkReport.sub.js?reportExists=false"; + report.async = true; + report.defer = true; + document.body.appendChild(report); + } + + + </script> + <div id="log"></div> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html.sub.headers new file mode 100644 index 000000000..bb4fb4c90 --- /dev/null 
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: shared-worker-connect-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: connect-src *; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html new file mode 100644 index 000000000..b60eccb9b --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html @@ -0,0 +1,22 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <title>source-list-parsing-paths-03</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src="../support/logTest.sub.js?logs=[]"></script> + <script src="../support/alertAssert.sub.js?alerts=[]"></script> + <!-- enforcing policy: +script-src 'self' 'unsafe-inline' 'unsafe-inline' example.com/js/; connect-src 'self'; +--> +</head> + +<body> + <p>This test passes if the source expression does not throw an "invalid source" error.</p> + <div id="log"></div> + <script async defer src="../support/checkReport.sub.js?reportExists=false"></script> +</body> + +</html> 
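Review bot: The only assertion in `source-list-parsing-paths-03` is `reportExists=false`, which cannot distinguish a policy that parsed `example.com/js/` correctly from one the browser rejected and discarded altogether — a dropped policy also produces no report. To make the parse observable, add a load that depends on the policy being in force, e.g. a `<script src="http://www1.{{host}}:{{ports[http][0]}}/...">` that should be blocked, with `checkReport.sub.js?reportExists=true&reportField=violated-directive` naming the path-bearing source list. The doubled `'unsafe-inline'` token in both the comment and the companion header looks like a conversion artefact; if it is intended to exercise duplicate-token tolerance, say so in the `<p>`.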
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html.sub.headers
new file mode 100644
index 000000000..58e7a22df
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: source-list-parsing-paths-03={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' example.com/js/; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html
new file mode 100644
index 000000000..50b76688f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html
@@ -0,0 +1,22 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <title>srcdoc-doesnt-bypass-script-src</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src="../support/alertAssert.sub.js?alerts=%5B%5D"></script> + <!-- enforcing policy: +script-src 'self'; connect-src 'self'; +--> +</head> + +<body> + This test passes if it doesn't alert fail. + <iframe srcdoc="<script>window.parent.alert_assert('FAIL')</script>"></iframe> + <div id="log"></div> + <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'self'"></script> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html.sub.headers new file mode 100644 index 000000000..e2ffd1185 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: srcdoc-doesnt-bypass-script-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html new file mode 100644 index 000000000..fac12b52a --- /dev/null 
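Review bot: The expected violation report in `srcdoc-doesnt-bypass-script-src` depends on the `srcdoc` frame inheriting the embedding page's policy including its `report-uri`, and nothing in the file says so; a comment above the frame such as `<!-- srcdoc documents inherit the parent's CSP, so the inline script must be blocked and reported against this page's report-uri -->` would make the premise explicit. The `<iframe>` also lacks a `title` attribute. Note that the `FAIL` alert alone would not catch a bypass in which the frame gets no policy at all but the report check fails silently, so both checks are needed and the text should say which failure mode each covers.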
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html @@ -0,0 +1,49 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <title>worker-connect-src-blocked</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src="../support/logTest.sub.js?logs=[]"></script> + <script src='../support/alertAssert.sub.js?alerts=["TEST COMPLETE"]'></script> + <!-- enforcing policy: +connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src *; +--> + +</head> +<p>This test loads a worker, from a guid. + The worker should be blocked from loading with a child-src policy of * + as the blob: scheme must be specified explicitly. + A report should be sent to the report-uri specified + with this resource.</p> +<body> + <script> + try { + var blob = new Blob([ + "postMessage('FAIL');" + + "postMessage('TEST COMPLETE');" + ], + {type : 'application/javascript'}); + var url = URL.createObjectURL(blob); + var worker = new Worker(url); + worker.onmessage = function(event) { + alert_assert(event.data); + }; + worker.onerror = function(event) { + event.preventDefault(); + alert_assert('TEST COMPLETE'); + } + } catch (e) { + alert_assert('TEST COMPLETE'); + } + function timeout() { + alert_assert('TEST COMPLETE'); + } + </script> + <div id="log"></div> + <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=child-src%20'self'"></script> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html.sub.headers new file mode 100644 index 000000000..9f7db5b0f --- /dev/null 
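Review bot: The report check at the bottom expects `reportValue=child-src%20'self'`, but the policy this page enforces — both in the head comment and in the companion `.sub.headers` — is `child-src *`, so the `violated-directive` field of the blocked worker's report should read `child-src *` and the check should be `reportValue=child-src%20*`; as written it appears to be copied from `self-doesnt-match-blob` and would not match. The `<title>` is likewise the copy-pasted `worker-connect-src-blocked`, and the descriptive `<p>` sits outside `<body>`. The `onerror` handler calls `event.preventDefault()` before `alert_assert` here and after it in the otherwise identical `self-doesnt-match-blob` test; harmless, but worth making consistent.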
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: star-doesnt-match-blob={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src *; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html new file mode 100644 index 000000000..176a8e3ef --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html @@ -0,0 +1,26 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <title>style-allowed</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["PASS"]'></script> + <script src="../support/alertAssert.sub.js?alerts=[]"></script> + <!-- enforcing policy: +style-src *; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; +--> + <link rel="stylesheet" href="resources/blue.css"> +</head> + +<body> + <script> + log(document.styleSheets.length > 0 ? 'PASS' : 'FAIL'); + + </script> + <div id="log"></div> + <script async defer src="../support/checkReport.sub.js?reportExists=false"></script> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html.sub.headers new file mode 100644 index 000000000..cdf394548 
--- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: style-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: style-src *; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html new file mode 100644 index 000000000..847e05b6a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html @@ -0,0 +1,26 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <title>style-blocked</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["PASS"]'></script> + <script src="../support/alertAssert.sub.js?alerts=[]"></script> + <!-- enforcing policy: +style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; +--> + <link rel="stylesheet" href="resources/blue.css"> +</head> + +<body> + <script> + log(document.styleSheets.length > 0 ? 'FAIL' : 'PASS'); + + </script> + <div id="log"></div> + <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=style-src%20'none'"></script> +</body> + +</html> 
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..54c3272a3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: style-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html
new file mode 100644
index 000000000..923149199
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html
@@ -0,0 +1,33 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <title>worker-connect-src-allowed</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src="../support/logTest.sub.js?logs=[]"></script> + <script src='../support/alertAssert.sub.js?alerts=["xhr allowed"]'></script> + <!-- enforcing policy: +connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; +--> + +</head> + +<body> + <script> + try { + var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js'); + worker.onmessage = function(event) { + alert_assert(event.data); + }; + } catch (e) { + alert_assert(e); + } + + </script> + <div id="log"></div> + <script async defer src="../support/checkReport.sub.js?reportExists=false"></script> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html.sub.headers new file mode 100644 index 000000000..92ef91f0d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: worker-connect-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} 
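Review bot: The head comment in `worker-connect-src-allowed` documents `connect-src 'self' http://{{host}}:{{ports[http][0]}}`, while the `.sub.headers` file added right after it sends only `connect-src 'self'`. Because the worker is fetched from `http://{{host}}:{{ports[http][0]}}`, i.e. the page's own origin, `'self'` already covers it and the test probably passes either way, but the comment is the only in-file statement of the policy and should be corrected to `connect-src 'self'; script-src 'self' 'unsafe-inline';`. Whether the XHR issued inside `worker-make-xhr.sub.js` also targets the same origin is not visible in this hunk and is what actually decides the `xhr allowed` outcome.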
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html new file mode 100644 index 000000000..054132290 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html @@ -0,0 +1,38 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <title>worker-connect-src-blocked</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src="../support/logTest.sub.js?logs=[]"></script> + <script src='../support/alertAssert.sub.js?alerts=["xhr blocked","TEST COMPLETE"]'></script> + <!-- enforcing policy: +connect-src *; script-src 'self' 'unsafe-inline'; +--> + +</head> +<p>This test loads a worker, which is delivered with its own + policy. The worker should be blocked from making an XHR + as that policy specifies a connect-src 'none', though + this resource's policy is connect-src *. No report + should be sent since the worker's policy doesn't specify + a report-uri.</p> +<body> + <script> + try { + var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js'); + worker.onmessage = function(event) { + alert_assert(event.data); + }; + } catch (e) { + alert_assert(e); + } + + </script> + <div id="log"></div> + <script async defer src="../support/checkReport.sub.js?reportExists=false"></script> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html.sub.headers new file mode 100644 index 000000000..e302aa84a --- /dev/null 
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-connect-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src *; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html
new file mode 100644
index 000000000..ac96e0f4d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html
@@ -0,0 +1,37 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <title>worker-eval-blocked</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src="../support/logTest.sub.js?logs=[]"></script> + <script src='../support/alertAssert.sub.js?alerts=["eval blocked"]'></script> + <!-- enforcing policy: +script-src 'self' 'unsafe-inline' 'self'; connect-src 'self'; +--> +</head> + +<body> + <p>This test loads a worker, delivered with its own policy. + The eval() call in the worker should be forbidden by that + policy. No report should be generated because the worker + policy does not set a report-uri (although this parent + resource does).</p> + <script> + try { + var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-eval.js'); + worker.onmessage = function(event) { + alert_assert(event.data); + }; + } catch (e) { + alert_assert(e); + } + + </script> + <div id="log"></div> + <script async defer src="../support/checkReport.sub.js?reportExists=false"></script> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html.sub.headers new file mode 100644 index 000000000..8964f80ab --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html.sub.headers 
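Review bot: The `reportExists=false` check is what actually proves `eval()` was blocked by the worker's own policy rather than the parent's, and the `<p>` does not say so: the parent policy in the head comment also lacks `'unsafe-eval'` and does carry a `report-uri`, so a browser that wrongly applied the document's policy to the worker would still block the eval but would additionally file a report. Suggest extending the paragraph with `A report arriving at this page's report-uri would mean the parent policy was applied to the worker instead of its own.` The head comment's `script-src 'self' 'unsafe-inline' 'self'` also repeats `'self'`, unlike the companion `.sub.headers`; the comment should match the header.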
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-eval-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html
new file mode 100644
index 000000000..b290b82f6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html
@@ -0,0 +1,65 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <title>worker-connect-src-blocked</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src="../support/logTest.sub.js?logs=[]"></script> + <script src='../support/alertAssert.sub.js?alerts=["xhr blocked","TEST COMPLETE"]'></script> + <!-- enforcing policy: +connect-src 'self'; script-src 'self' 'unsafe-inline' blob:; +--> + +</head> +<p>This test loads a worker, from a guid. + The worker should be blocked from making an XHR + to www1 as this resource's policy is connect-src 'self + and a guid Worker should inherit is parent's policy. + A report should be sent to the report-uri specified + with this resource.</p> +<body> + <script> + try { + var blob = new Blob([ + "var xhr = new XMLHttpRequest;" + + "xhr.onerror = function () {" + + " postMessage('xhr blocked');" + + " postMessage('TEST COMPLETE');" + + "};" + + "xhr.onload = function () {" + + " if (xhr.responseText == 'FAIL') {" + + " postMessage('xhr allowed');" + + " } else {" + + " postMessage('xhr blocked');" + + " }" + + " postMessage('TEST COMPLETE');" + + "};" + + "try { " + + " xhr.open(" + + " 'GET'," + + " 'http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis'," + + " true" + + " );" + + " xhr.send();" + + "} catch (e) {" + + " postMessage('xhr blocked');" + + " postMessage('TEST COMPLETE');" + + "}"], + {type : 'application/javascript'}); + var url = URL.createObjectURL(blob); + var worker = new Worker(url); + worker.onmessage = function(event) { + alert_assert(event.data); + }; + } catch (e) { + alert_assert(e); + } + + </script> + <div id="log"></div> + <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=connect-src%20'self'"></script> +</body> + +</html> 
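Review bot: The `<title>` of `worker-from-guid` is `worker-connect-src-blocked`, copied from another test, and the description has two typos that obscure the property under test: `connect-src 'self` is missing its closing quote and `inherit is parent's policy` should read `inherits its parent's policy`; suggest `<title>worker-from-guid</title>` and fixing both. The descriptive `<p>` is also placed between `</head>` and `<body>`. It would help to state the premise the report check rests on: the worker is created from a `blob:` URL with no response headers of its own, so the test expects it to run under the creating document's policy, which is why `connect-src 'self'` should block the XHR to `www1.{{host}}` and why the report is expected at this page's `report-uri`.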
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html.sub.headers
new file mode 100644
index 000000000..d94d31ace
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-from-guid={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline' blob:; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html
new file mode 100644
index 000000000..1db574780
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html
@@ -0,0 +1,38 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <title>worker-function-function-blocked</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src="../support/logTest.sub.js?logs=[]"></script> + <script src='../support/alertAssert.sub.js?alerts=["Function() function blocked"]'></script> + <!-- enforcing policy: +script-src 'self' 'unsafe-inline' 'self' 'unsafe-inline'; connect-src 'self'; +--> + +</head> + +<body> + <p>This test loads a worker, delivered with its own policy. + The Function constructor should be forbidden by that + policy. No report should be generated because the worker + policy does not set a report-uri (although this parent + resource does).</p> + <script> + try { + var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-function-function.js'); + worker.onmessage = function(event) { + alert_assert(event.data); + }; + } catch (e) { + alert_assert(e); + } + + </script> + <div id="log"></div> + <script async defer src="../support/checkReport.sub.js?reportExists=false"></script> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html.sub.headers new file mode 100644 index 000000000..b012518ec --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html.sub.headers 
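Review bot: The head comment lists `script-src 'self' 'unsafe-inline' 'self' 'unsafe-inline'`, while the `.sub.headers` added for this page sends `script-src 'self' 'unsafe-inline'`; the duplicated tokens look like a conversion artefact and the comment should be trimmed to the enforced value. As in the eval test, the parent policy also lacks `'unsafe-eval'`, so it is the `reportExists=false` check rather than the `Function() function blocked` alert alone that shows the worker's own policy was applied; a sentence saying so in the `<p>` would document what each check is for.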
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-function-function-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html
new file mode 100644
index 000000000..9ec49c030
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html
@@ -0,0 +1,43 @@ +<!DOCTYPE html> +<html> + +<head> + <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> + <title>worker-importscripts-blocked</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script> + <script src="../support/alertAssert.sub.js?alerts=[]"></script> + <!-- enforcing policy: +script-src 'self' 'unsafe-inline' 'unsafe-eval' 'unsafe-inline' 127.0.0.1:8000; connect-src 'self'; +--> + <script></script> +</head> + +<body> + <script> + window.wasPostTestScriptParsed = true; + var result = ''; + try { + var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-importscripts.js'); + worker.onmessage = function(event) { + result = event.data; + test(function() { + assert_equals(result, 'importScripts blocked') + }); + log("TEST COMPLETE"); + }; + } catch (e) { + result = e; + test(function() { + assert_equals(result, 'importScripts blocked') + }); + log("TEST COMPLETE"); + } + + </script> + <div id="log"></div> + <script async defer src="../support/checkReport.sub.js?reportExists=false"></script> +</body> + +</html> diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html.sub.headers new file mode 100644 index 000000000..04de51d14 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html.sub.headers 
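Review bot: The head comment claims the enforced policy is `script-src 'self' 'unsafe-inline' 'unsafe-eval' 'unsafe-inline' 127.0.0.1:8000`, but the companion `.sub.headers` sends `script-src 'self' 'unsafe-inline' 'unsafe-eval'`; the hardcoded `127.0.0.1:8000` is a leftover from the WebKit original and does not match the `{{host}}:{{ports[http][0]}}` substitution the rest of the test uses, so the comment should be corrected to the header's value. `window.wasPostTestScriptParsed = true` and the empty `<script></script>` in the head are not referenced anywhere in the hunk and can go unless the harness reads them. In the `catch` branch `result = e` is an exception object, so `assert_equals(result, 'importScripts blocked')` will always fail there; that appears intentional (a throwing `new Worker` is itself a failure) but deserves a one-line comment.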
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-importscripts-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html
new file mode 100644
index 000000000..9caf77224
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-script-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ try {
+ var foo = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/post-message.js');
+ foo.onmessage = function(event) {
+ alert_assert("PASS");
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
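Review bot: In worker-script-src.sub.html the `try`/`catch` around `new Worker(...)` only catches a synchronous exception; if the policy were to block the worker script, that presumably surfaces as an `error` event on the Worker object rather than a throw, so `foo.onmessage` would never fire and the page would sit until the harness timeout with no explicit failure recorded. Adding `foo.onerror = function(e) { alert_assert("FAIL"); };` next to `foo.onmessage` turns that case into a reported failure; worker-set-timeout-blocked.sub.html has the same shape and would benefit from the same handler. `var foo` is also an uninformative name for the Worker; `var worker`, as the sibling tests use, reads better.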
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html.sub.headers
new file mode 100644
index 000000000..76e5a3ba2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-script-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html
new file mode 100644
index 000000000..119121ca5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>worker-set-timeout-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["setTimeout blocked"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ <script>
+ try {
+ var worker = new Worker('http://{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/worker-set-timeout.js');
+ worker.onmessage = function(event) {
+ alert_assert(event.data);
+ };
+ } catch (e) {
+ alert_assert(e);
+ }
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..fb6b3d0a2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: worker-set-timeout-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'self' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
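Review bot: In worker-set-timeout-blocked.sub.html.sub.headers the policy `script-src 'self' 'unsafe-inline' 'self' 'unsafe-eval'` lists `'self'` twice; a repeated source expression changes nothing for the parser, but it reads as a copy-and-paste slip and makes the header harder to compare with the `<!-- enforcing policy -->` comment in the HTML file, which also repeats `'self'` yet ends in `'unsafe-inline'` rather than `'unsafe-eval'`. Writing it once, as `Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}`, and updating the HTML comment to the same string would make the intended policy unambiguous. Whether `'unsafe-eval'` on the document is intended here cannot be told from this diff, since the policy the worker itself runs under presumably comes from the worker script's own response.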
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-blocked-expected.png b/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-blocked-expected.png
Binary files differ
new file mode 100644
index 000000000..b5daa8555
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-blocked-expected.png
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-unaffected-by-style-src-1-expected.png b/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-unaffected-by-style-src-1-expected.png
Binary files differ
new file mode 100644
index 000000000..b5daa8555
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-unaffected-by-style-src-1-expected.png |