Diffstat (limited to 'testing/web-platform/tests/content-security-policy/media-src')
14 files changed, 427 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html
new file mode 100644
index 000000000..d912b86bb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html
@@ -0,0 +1,44 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Video element src attribute must match src list - positive test</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Video element src attribute must match src list - positive test</h1>
+ <div id='log'></div>
+
+ <script>
+ var src_test = async_test("In-policy async video src");
+ var source_test = async_test("In-policy async video source element");
+
+ function media_loaded(t) {
+ t.done();
+ }
+
+ function media_error_handler(t) {
+ t.step( function () {
+ assert_unreached("Media error handler should be triggered for non-allowed domain.");
+ });
+ t.done();
+ }
+ </script>
+
+ <video id="videoObject" width="320" height="240" controls
+ onloadeddata="media_loaded(source_test)">
+ <source id="videoSourceObject"
+ type="video/mp4"
+ onerror="media_error_handler(source_test)"
+ src="/media/white.mp4">
+ </video>
+ <video id="videoObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_test)"
+ onloadeddata="media_loaded(src_test)"
+ src="/media/white.mp4">
+
+ <script async defer src="../support/checkReport.sub.js?reportExists=false">
+ </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html.sub.headers
new file mode 100644
index 000000000..9361207e8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html.sub.headers
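Review bot: The failure message in `media_error_handler` in media-src-7_1.html, "Media error handler should be triggered for non-allowed domain.", is the negative test's wording. In this positive test the handler firing is itself the failure, so the recorded message says the opposite of what went wrong. Suggest `assert_unreached("Media error handler should not be triggered for allowed domain.");`, with the same change in media-src-7_2.html. The second element, `<video id="videoObject2" ...>`, is also never closed, so the checkReport `<script>` that follows is parsed as a child of the video; adding `</video>` after it keeps the markup unambiguous.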
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-7_1={{$id:uuid()}}; Path=/content-security-policy/media-src/
+Content-Security-Policy: script-src * 'unsafe-inline'; media-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.html
new file mode 100644
index 000000000..61d4b1425
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.html
@@ -0,0 +1,55 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Video element src attribute must match src list - negative test</title> + <meta name=timeout content=long> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> +</head> +<body> + <h1>Video element src attribute must match src list - negative test</h1> + <div id='log'></div> + + <script> + var src_test = async_test("Disallowed async video src"); + var source_test = async_test("Disallowed async video source element"); + + // we assume tests are run from 'hostname' and 'www.hostname' or 'www2.hostname' is a valid alias + var mediaURL = location.protocol + + "//www2." + + location.hostname + + ":" + + location.port + + "/media/white.mp4"; + + function media_loaded(t) { + t.step( function () { + assert_unreached("Media error handler should be triggered for non-allowed domain."); + }); + t.done(); + } + + function media_error_handler(t) { + t.done(); + } + </script> + + <video id="videoObject" width="320" height="240" controls + onloadeddata="media_loaded(source_test)"> + <source id="videoSourceObject" + type="video/mp4" + onerror="media_error_handler(source_test)"> + </video> + <video id="videoObject2" width="320" height="240" controls + onerror="media_error_handler(src_test)" + onloadeddata="media_loaded(src_test)"> + + <script> + document.getElementById("videoSourceObject").src = mediaURL; + document.getElementById("videoObject2").src = mediaURL; + </script> + + <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=media-src%20%27self%27'></script> + +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.html.sub.headers new file mode 100644 index 000000000..036da8673 --- /dev/null 
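Review bot: Both subtests in media-src-7_1_2.html complete through `media_error_handler` on any `error` event, so a load that fails because the `www2.` alias does not resolve or `/media/white.mp4` is missing looks the same as a CSP block. Only the report check in checkReport.sub.js ties the result to the policy, and the file does not say so. Suggest a comment above `media_error_handler`: `// onerror also fires for DNS or 404 failures; the CSP-specific assertion is the violated-directive check in checkReport.sub.js`. A `securitypolicyviolation` listener that inspects the blocked URI would make the pass condition specific, if the harness version in use supports it. The same applies to media-src-7_2_2.html and media-src-7_3_2.html.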
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-7_1_2={{$id:uuid()}}; Path=/content-security-policy/media-src/
+Content-Security-Policy: script-src * 'unsafe-inline'; media-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html
new file mode 100644
index 000000000..7509d7b05
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html
@@ -0,0 +1,44 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Audio element src attribute must match src list - positive test</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Audio element src attribute must match src list - positive test</h1>
+ <div id='log'></div>
+
+ <script>
+ var src_test = async_test("In-policy audio src");
+ var source_test = async_test("In-policy audio source element");
+
+ function media_loaded(t) {
+ t.done();
+ }
+
+ function media_error_handler(t) {
+ t.step( function () {
+ assert_unreached("Media error handler should be triggered for non-allowed domain.");
+ });
+ t.done();
+ }
+ </script>
+
+ <audio id="audioObject" width="320" height="240" controls
+ onloadeddata="media_loaded(source_test)">
+ <source id="audioSourceObject"
+ type="audio/mpeg"
+ onerror="media_error_handler(source_test)"
+ src="/media/sound_5.mp3">
+ </audio>
+ <audio id="audioObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_test)"
+ onloadeddata="media_loaded(src_test)"
+ src="/media/sound_5.mp3">
+
+ <script async defer src="../support/checkReport.sub.js?reportExists=false">
+ </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html.sub.headers
new file mode 100644
index 000000000..0f59cd9ff
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-7_2={{$id:uuid()}}; Path=/content-security-policy/media-src/
+Content-Security-Policy: script-src * 'unsafe-inline'; media-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.html new file mode 100644 index 000000000..9b6134296 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.html @@ -0,0 +1,55 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Audio element src attribute must match src list - negative test</title> + <meta name=timeout content=long> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> +</head> +<body> + <h1>Audio element src attribute must match src list - negative test</h1> + <div id='log'></div> + + <script> + var src_test = async_test("Disallaowed audio src"); + var source_test = async_test("Disallowed audio source element"); + + // we assume tests are run from 'hostname' and 'www.hostname' or 'www2.hostname' is a valid alias + var mediaURL = location.protocol + + "//www2." + + location.hostname + + ":" + + location.port + + "/media/sound_5.mp3"; + + function media_loaded(t) { + t.step( function () { + assert_unreached("Media error handler should be triggered for non-allowed domain."); + }); + t.done(); + } + + function media_error_handler(t) { + t.done(); + } + </script> + + <audio id="audioObject" width="320" height="240" controls + onloadeddata="media_loaded(source_test)"> + <source id="audioSourceObject" + type="audio/mpeg" + onerror="media_error_handler(source_test)"> + </audio> + <audio id="audioObject2" width="320" height="240" controls + onerror="media_error_handler(src_test)" + onloadeddata="media_loaded(src_test)"> + + <script> + document.getElementById("audioSourceObject").src = mediaURL; + document.getElementById("audioObject2").src = mediaURL; + </script> + + <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=media-src%20%27self%27'></script> + +</body> +</html> 
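Review bot: The first subtest name in media-src-7_2_2.html is misspelled, `async_test("Disallaowed audio src")`. Subtest names are what result logs and expectation metadata are keyed on, so it is cheaper to fix now than after the name has been recorded: `var src_test = async_test("Disallowed audio src");`. The `width="320" height="240"` attributes on both `<audio>` elements (here and in media-src-7_2.html) look carried over from the video tests and can be dropped.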
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.html.sub.headers
new file mode 100644
index 000000000..685978de3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-7_2_2={{$id:uuid()}}; Path=/content-security-policy/media-src/
+Content-Security-Policy: script-src * 'unsafe-inline'; media-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.html
new file mode 100644
index 000000000..321877082
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.html
@@ -0,0 +1,53 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Video track src attribute must match src list - positive test</title> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> +</head> +<body> + <h1>Video track src attribute must match src list - positive test</h1> + <div id='log'></div> + + <script> + var source_test = async_test("In-policy track element"); + + var trackURL = location.protocol + + "//www." + + location.hostname + + ":" + + location.port + + "/media/foo.vtt"; + + function media_loaded(t) { + t.done(); + } + + function media_error_handler(t) { + t.step( function () { + assert_unreached("Error handler called for allowed track source."); + }); + t.done(); + } + </script> + + <video id="videoObject" width="320" height="240" controls + onloadeddata="media_loaded(source_test)" crossorigin> + <source id="audioSourceObject" + type="audio/mpeg" + src="/media/white.mp4"> + <track id="trackObject" + kind="subtitles" + srclang="en" + label="English" + onerror="media_error_handler(source_test)"> + </video> + <script> + document.getElementById("trackObject").src = trackURL; + </script> + + <script async defer src="../support/checkReport.sub.js?reportExists=false"> + </script> + +</body> +</html>
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.html.sub.headers b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.html.sub.headers
new file mode 100644
index 000000000..b764189ad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-7_3={{$id:uuid()}}; Path=/content-security-policy/media-src/
+Content-Security-Policy: script-src * 'unsafe-inline'; media-src 'self' www.{{host}}:{{ports[http][0]}}; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.html
new file mode 100644
index 000000000..597ac7f8f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.html
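Review bot: In media-src-7_3.html the only pass signal is the video's `onloadeddata="media_loaded(source_test)"`; nothing on the `<track>` completes the test. The track also has no `default` attribute, so the allowed `www.` `.vtt` may never be requested, and the test would then pass without exercising the `media-src` source it was written for. Suggest adding `default` to the track and completing the test from it with `onload="media_loaded(source_test)"`, mirroring the handlers that media-src-7_3_2.html puts on its track. The `<source>` also declares `type="audio/mpeg"` for `/media/white.mp4`; `type="video/mp4"` matches the other video tests.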
@@ -0,0 +1,68 @@ +<!DOCTYPE HTML> +<html> +<head> + <title>Video track src attribute must match src list - negative test</title> + <script src='/resources/testharness.js'></script> + <script src='/resources/testharnessreport.js'></script> +</head> +<body> + <h1>Video track src attribute must match src list - negative test</h1> + <div id='log'></div> + + <script> + var source_test = + async_test("Disallowed track element onerror handler fires."); + + var trackURL = location.protocol + + "//www." + + location.hostname + + ":" + + location.port + + "/media/foo.vtt"; + + function media_loaded(t) { + t.step( function () { + assert_unreached("Disllowed track source loaded."); + }); + t.done(); + } + + function media_error_handler(t) { + t.done(); + } + </script> + + <video id="videoObject" width="320" height="240" controls + onerror="media_error_handler(source_test)" + crossorigin> + <source id="audioSourceObject" + type="audio/mpeg" + src="/media/white.mp4"> + <track default + id="trackObject" + kind="subtitles" + srclang="en" + label="English" + onerror="media_error_handler(source_test)" + onload="media_loaded(source_test)" + onloadeddata="media_loaded(source_test)"> + </video> + <script> + document.getElementById("trackObject").src = trackURL; + source_test.step(function() { + source_test.set_status(source_test.FAIL); + }); + + setTimeout(function() { + if(source_test.phase != source_test.phases.COMPLETE) { + source_test.step( function () { assert_unreached("Onerror event never fired for track element."); }); + source_test.done(); + } + }, 2 * 1000); + </script> + + <script async defer src="../support/checkReport.sub.js?reportField=violated-directive&reportValue=media-src%20%27self%27"> + </script> + +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.html.sub.headers new file mode 100644 index 000000000..2cfe51fe8 
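Review bot: In media-src-7_3_2.html the `<video>` element's own `onerror="media_error_handler(source_test)"` calls `t.done()`, so a video-level error unrelated to the blocked track completes the test through the same path as the expected track error. Dropping that attribute leaves the track's `onerror` as the only completion path for the expected case. The fallback is a fixed `setTimeout(..., 2 * 1000)`, which can fire before the error event on a slow runner. `source_test.step_timeout(function () { assert_unreached("Onerror event never fired for track element."); }, 2000);` scales with the harness timeout multiplier. How the earlier `set_status(source_test.FAIL)` interacts with `done()` depends on the testharness version and deserves a comment. The message "Disllowed track source loaded." should read "Disallowed".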
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-7_3_2={{$id:uuid()}}; Path=/content-security-policy/media-src/
+Content-Security-Policy: script-src * 'unsafe-inline'; media-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html
new file mode 100644
index 000000000..b83511930
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html
@@ -0,0 +1,66 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Video element src attribute must match src list - positive test</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Video element in media-src list - redirect test</h1>
+ <div id='log'></div>
+
+ <p>This test tests a buggy interaction in Chrome 46. Two hosts (self and www2) are both allowed
+ as media-src, but only one (self) is allowed for connect-src. If a video src starts on
+ an allowed host (self), and is redirected to another allowed media-src host, it should succeed. But a bug
+ causes the redirect to be done in a fetch context to which connect-src is being applied instead, so
+ the load is blocked. (This test passes in Firefox 45, modulo an event listener not firing.)</p>
+
+ <script>
+ var src_test = async_test("In-policy async video src");
+ var src_redir_test = async_test("in-policy async video src w/redir")
+ var source_test = async_test("In-policy async video source element");
+ var source_redir_test = async_test("In-policy async video source element w/redir");
+
+ function media_loaded(t) {
+ t.done();
+ }
+
+ function media_error_handler(t) {
+ t.step( function () {
+ assert_unreached("Media error handler shouldn't be triggered for allowed domain.");
+ });
+ t.done();
+ }
+ </script>
+
+ <video id="videoObject" width="320" height="240" controls
+ onloadeddata="media_loaded(source_test)">
+ <source id="videoSourceObject"
+ type="video/mp4"
+ onerror="media_error_handler(source_test)"
+ src="http://www2.{{host}}:{{ports[http][0]}}/media/white.mp4">
+ </video>
+
+ <video id="videoObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_test)"
+ onloadeddata="media_loaded(src_test)"
+ src="http://www2.{{host}}:{{ports[http][0]}}/media/white.mp4">
+
+ <video id="videoObject3" width="320" height="240" controls
+ onloadeddata="media_loaded(source_redir_test)">
+ <source
id="videoSourceObject"
+ type="video/mp4"
+ onerror="media_error_handler(source_test)"
+ src="/common/redirect.py?location=http://www2.{{host}}:{{ports[http][0]}}/media/white.mp4">
+ </video>
+
+ <video id="videoObject2" width="320" height="240" controls
+ onerror="media_error_handler(src_redir_test)"
+ onloadeddata="media_loaded(src_redir_test)"
+ src="/common/redirect.py?location=http://www2.{{host}}:{{ports[http][0]}}/media/white.mp4">
+
+ <script async defer src="../support/checkReport.sub.js?reportExists=false">
+ </script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html.sub.headers
new file mode 100644
index 000000000..4ce3e428a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: media-src-redir-bug={{$id:uuid()}}; Path=/content-security-policy/media-src/
+Content-Security-Policy: script-src * 'unsafe-inline'; media-src http://www2.{{host}}:{{ports[http][0]}}/ 'self'; connect-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}} |
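Review bot: In media-src-redir-bug.sub.html the redirected `<source>` inside `videoObject3` reports errors with `onerror="media_error_handler(source_test)"`. A blocked redirect, the exact regression this test exists to catch, is therefore charged to the non-redirect subtest (or ignored if that subtest has already finished), and `source_redir_test` can only time out. It should be `onerror="media_error_handler(source_redir_test)"`. The ids `videoSourceObject` and `videoObject2` are each used twice; the later two elements could be `videoSourceObject3` and `videoObject4`. The `<title>` still reads "positive test" from the file it was copied from, while the `<h1>` says "redirect test".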