Diffstat (limited to 'testing/web-platform/tests/content-security-policy/object-src')
4 files changed, 139 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/object-src/object-src-2_1.html b/testing/web-platform/tests/content-security-policy/object-src/object-src-2_1.html
new file mode 100644
index 000000000..db29fd394
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-2_1.html
@@ -0,0 +1,66 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+ <title>Objects loaded using data attribute of <object> tag are blocked unless their host is listed as an allowed source in the object-src directive</title>
+ <meta name=timeout content=long>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+
+<body onLoad="object_loaded()">
+ <h1>Objects loaded using data attribute of <object> tag are blocked unless their host is listed as an allowed source in the object-src directive</h1>
+ <div id="log"></div>
+
+ <script>
+ var relativeMediaURL = "/support/media/flash.swf";
+ var pageURL = window.location.toString();
+ var temp1 = pageURL.split("//");
+ var temp2 = temp1[1].substring(0, temp1[1].lastIndexOf("/object-src/"));
+ var mediaURL = "http://www2." + temp2 + relativeMediaURL;
+ var htmlStr = "<object id='flashObject' type='application/x-shockwave-flash' data='" + mediaURL + "' width='200' height='200'></object>";
+ document.write(htmlStr);
+ </script>
+
+ <script>
+ var len = navigator.mimeTypes.length;
+ var allTypes = "";
+ var flashMimeType = "application/x-shockwave-flash";
+ for (var i = 0; i < len; i++) {
+ allTypes += navigator.mimeTypes[i].type;
+ }
+
+ var hasMimeType = allTypes.indexOf(flashMimeType) != -1;
+
+ <!-- The actual test. -->
+ var test1 = async_test("Async SWF load test")
+
+ function object_loaded() {
+ var elem = document.getElementById("flashObject");
+ var is_loaded = false;
+ try {
+ <!-- The Flash Player exposes values to JavaScript if a SWF has successfully been loaded. 
-->
+ var pct_loaded = elem.PercentLoaded();
+ is_loaded = true;
+ } catch (e) {}
+
+ if (hasMimeType) {
+ test1.step(function () {
+ assert_false(is_loaded, "External object loaded.")
+ });
+ var s = document.createElement('script');
+ s.async = true;
+ s.defer = true;
+ s.src = "../support/checkReport.sub.js?reportField=violated-directive&reportValue=object-src%20%27self%27"
+ document.lastChild.appendChild(s);
+ } else {
+ test1.set_status(test1.NOTRUN, "No Flash Player, cannot run test.");
+ test1.phase = test1.phases.HAS_RESULT;
+ }
+ test1.done();
+ }
+ </script>
+
+</body>
+
+</html>
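Review bot: `var mediaURL = "http://www2." + temp2 + relativeMediaURL;` hard-codes the `http:` scheme, so when the test page is itself served over https the `<object>` request is also an insecure subresource and a block or a missing violation report can no longer be attributed to `object-src 'self'` alone; `var mediaURL = window.location.protocol + "//www2." + temp2 + relativeMediaURL;` keeps the cross-host intent while following the page's own scheme. The element is then built by string concatenation and `document.write(htmlStr)` from text taken off `window.location`; creating it with `document.createElement('object')` and assigning `data`, `type`, `width` and `height` as properties avoids writing location-derived text into an attribute string. Two statements rely on automatic semicolon insertion (`var test1 = async_test("Async SWF load test")` and the `s.src = "…"` line), and the `<!-- … -->` comments inside `<script>` only parse because classic scripts accept the Annex B HTML-like comment syntax; `//` comments are the portable form. The same points apply to object-src-2_2.html in this commit.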
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/object-src/object-src-2_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/object-src/object-src-2_1.html.sub.headers
new file mode 100644
index 000000000..83fe95d34
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-2_1.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-2_1={{$id:uuid()}}; Path=/content-security-policy/object-src/
+Content-Security-Policy: script-src * 'unsafe-inline'; object-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
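Review bot: `Cache-Control: post-check=0, pre-check=0, false` carries a bare `false` token, which is not a cache directive in any HTTP caching specification and is simply ignored by recipients; `post-check`/`pre-check` themselves are legacy Internet Explorer extensions. The preceding `Cache-Control: no-store, no-cache, must-revalidate` line, together with `Pragma: no-cache` for HTTP/1.0 caches, already disables caching, so the second `Cache-Control` line can be dropped. The `Set-Cookie` appears to be the correlation cookie matched against `reportID={{$id}}` by `report.py`; if it is only ever read server-side, adding `HttpOnly` would document that and keep page script from reading it. The identical header set appears in object-src-2_2.html.sub.headers in this commit.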
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/object-src/object-src-2_2.html b/testing/web-platform/tests/content-security-policy/object-src/object-src-2_2.html
new file mode 100644
index 000000000..a868834ac
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-2_2.html
@@ -0,0 +1,61 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Objects loaded using src attribute of <embed> tag are blocked unless their host is listed as an allowed source in the object-src directive</title>
+ <meta name=timeout content=long>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body onLoad="object_loaded()">
+ <h1>Objects loaded using src attribute of <embed> tag are blocked unless their host is listed as an allowed source in the object-src directive</h1>
+ <div id="log"></div>
+
+ <script>
+ var relativeMediaURL = "/support/media/flash.swf";
+ var pageURL = window.location.toString();
+ var temp1 = pageURL.split("//");
+ var temp2 = temp1[1].substring (0, temp1[1].lastIndexOf("/object-src/"));
+ var mediaURL = "http://www2." + temp2 + relativeMediaURL;
+ var htmlStr = "<embed id='flashObject' type='application/x-shockwave-flash' src='" + mediaURL + "' width='200' height='200'></object>";
+ document.write (htmlStr);
+ </script>
+
+ <script>
+ var len = navigator.mimeTypes.length;
+ var allTypes = "";
+ var flashMimeType = "application/x-shockwave-flash";
+ for ( var i=0;i<len;i++ ) {
+ allTypes+=navigator.mimeTypes[i].type;
+ }
+
+ var hasMimeType = allTypes.indexOf(flashMimeType) != -1;
+
+ <!-- The actual test. -->
+ var test1 = async_test("Async SWF load test")
+
+ function object_loaded() {
+ var elem = document.getElementById("flashObject");
+ var is_loaded = false;
+ try {
+ <!-- The Flash Player exposes values to JavaScript if a SWF has successfully been loaded. 
-->
+ var pct_loaded = elem.PercentLoaded();
+ is_loaded = true;
+ } catch (e) {}
+
+ if (hasMimeType) {
+ test1.step(function() {assert_false(is_loaded, "External object loaded.")});
+ var s = document.createElement('script');
+ s.async = true;
+ s.defer = true;
+ s.src = "../support/checkReport.sub.js?reportField=violated-directive&reportValue=object-src%20%27self%27"
+ document.lastChild.appendChild(s);
+ } else {
+ //test1.step(function() {});
+ test1.set_status(test1.NOTRUN, "No Flash Player, cannot run test.");
+ test1.phase = test1.phases.HAS_RESULT;
+ }
+ test1.done();
+ }
+ </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/object-src/object-src-2_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/object-src/object-src-2_2.html.sub.headers
new file mode 100644
index 000000000..0ee665ea3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-2_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: object-src-2_2={{$id:uuid()}}; Path=/content-security-policy/object-src/
+Content-Security-Policy: script-src * 'unsafe-inline'; object-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}} |
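Review bot: The markup string in `var htmlStr = "<embed … height='200'></object>";` closes a void `<embed>` element with `</object>`; the parser discards the stray end tag, but it reads as a copy-paste remnant from object-src-2_1.html and the string should end at `height='200'>"`. The commented-out `//test1.step(function() {});` in the else branch is dead code and should be removed rather than left as a hint. Formatting also diverges from the sibling file (`substring (0, …`, `document.write (htmlStr)`, `for ( var i=0;i<len;i++ )`, the one-line `test1.step(function() {assert_false(…)})`); since the two tests differ only in the element used, keeping them textually parallel makes later diffs between them meaningful.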