Diffstat (limited to 'testing/web-platform/tests/content-security-policy/script-src')
24 files changed, 321 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/script-src/10_1_support_1.js b/testing/web-platform/tests/content-security-policy/script-src/10_1_support_1.js
new file mode 100644
index 000000000..7b6e85210
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/10_1_support_1.js
@@ -0,0 +1 @@
+var dataScriptRan = false;
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/10_1_support_2.js b/testing/web-platform/tests/content-security-policy/script-src/10_1_support_2.js
new file mode 100644
index 000000000..ba586810f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/10_1_support_2.js
@@ -0,0 +1,3 @@
+test(function () {
+ assert_true(dataScriptRan, "data script ran");
+ }, "Verify that data: as script src runs with this policy");
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js b/testing/web-platform/tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js
new file mode 100644
index 000000000..cd093ac94
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js
@@ -0,0 +1,18 @@
+(function () {
+
+ var dmTest = async_test("DOM manipulation inline tests");
+ var attachPoint = document.getElementById('attachHere');
+ var inlineScript = document.createElement('script');
+ var scriptText = document.createTextNode('dmTest.step(function() {assert_unreached("Unsafe inline script ran - createTextNode.")});');
+
+ inlineScript.appendChild(scriptText);
+ attachPoint.appendChild(inlineScript);
+
+ document.getElementById('emptyScript').innerHTML = 'dmTest.step(function() {assert_unreached("Unsafe inline script ran - innerHTML.")});';
+ document.getElementById('emptyDiv').outerHTML = '<script id=outerHTMLScript>dmTest.step(function() {assert_unreached("Unsafe inline script ran - outerHTML.")});</script>';
+
+ document.write('<script>dmTest.step(function() {assert_unreached("Unsafe inline script ran - document.write")});</script>');
+ document.writeln('<script>dmTest.step(function() {assert_unreached("Unsafe inline script ran - document.writeln")});</script>');
+
+ dmTest.done();
+})();
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/buildInlineWorker.js b/testing/web-platform/tests/content-security-policy/script-src/buildInlineWorker.js
new file mode 100644
index 000000000..8cd092147
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/buildInlineWorker.js
@@ -0,0 +1,21 @@
+(function ()
+{
+ var workerSource = document.getElementById('inlineWorker');
+ var blob = new Blob([workerSource.textContent]);
+
+ // can I create a new script tag like this? ack...
+ var url = window.URL.createObjectURL(blob);
+
+ try {
+ var worker = new Worker(url);
+ }
+ catch (e) {
+ done();
+ }
+
+ worker.addEventListener('message', function(e) {
+ assert_unreached("script ran");
+ }, false);
+
+ worker.postMessage('');
+})();
diff --git a/testing/web-platform/tests/content-security-policy/script-src/inlineSuccessTest.js b/testing/web-platform/tests/content-security-policy/script-src/inlineSuccessTest.js
new file mode 100644
index 000000000..ea2be272a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/inlineSuccessTest.js
@@ -0,0 +1,8 @@
+var inlineRan = false;
+
+onload = function() {
+ test(function() {
+ assert_true(inlineRan, 'Unsafe inline script ran.')},
+ 'Inline script in a script tag should run with an unsafe-inline directive'
+ );
+}
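Review bot: The innerHTML and outerHTML cases in addInlineTestsWithDOMManipulation.js do not exercise the policy at all: script elements inserted through innerHTML/outerHTML are never executed by the HTML fragment parser, with or without CSP, so those two `assert_unreached` payloads cannot fire and a passing result says nothing about 'unsafe-inline'. `dmTest.done()` is also called synchronously at the end of the IIFE, before the markup written by `document.write`/`document.writeln` is parsed, so a step reached afterwards is presumably ignored by the harness rather than reported — confirm against testharness.js. Only the createTextNode/appendChild path injects an executable inline script while the test is still live. Consider calling `dmTest.done()` from an `onload` handler instead, and either removing the innerHTML/outerHTML lines or annotating them with `// innerHTML/outerHTML-inserted scripts never execute by spec; not a CSP check`.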
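Review bot: In buildInlineWorker.js the `catch (e) { done(); }` branch does not leave the function, so when the Worker constructor throws (the blocked case this test is looking for) execution continues to `worker.addEventListener(...)` with `worker` undefined and the page fails with a TypeError instead of a clean pass; change it to `catch (e) { done(); return; }`. Separately, `assert_unreached("script ran")` in the message listener runs outside any test step, so if the worker does execute the failure would surface as an uncaught exception rather than a named result — wrapping it in a `test()` or an `async_test` step would make the report readable. The `inlineWorker` element and the `done()` global are provided by the including page, which is not part of this diff.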
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/inlineTests.js b/testing/web-platform/tests/content-security-policy/script-src/inlineTests.js
new file mode 100644
index 000000000..6e76b0a17
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/inlineTests.js
@@ -0,0 +1,4 @@
+var t1 = async_test("Inline script block");
+var t2 = async_test("Inline event handler");
+
+onload = function() {t1.done(); t2.done()}
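Review bot: The assertion message in inlineSuccessTest.js, `'Unsafe inline script ran.'`, is only shown when `assert_true(inlineRan, ...)` fails, i.e. when the inline script did not run under 'unsafe-inline', so the report would state the opposite of what happened. Use a message that describes the failure: `assert_true(inlineRan, 'Inline script did not run with unsafe-inline.')`. The `onload = function() { ... }` assignment is also missing its terminating semicolon.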
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html
new file mode 100644
index 000000000..c83f512bf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Inline script should not run without 'unsafe-inline' script-src directive.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='inlineTests.js'></script>
+</head>
+<body>
+ <h1>Inline script should not run without 'unsafe-inline' script-src directive, even for script-src 'self'.</h1>
+ <div id='log'></div>
+
+ <script>
+ t1.step(function() {assert_unreached('Unsafe inline script ran.');});
+ </script>
+
+ <img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html.sub.headers
new file mode 100644
index 000000000..d91fe1c87
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html
new file mode 100644
index 000000000..137a16421
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>data: as script src should not run with a policy that doesn't specify data: as an allowed source</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>data: as script src should not run with a policy that doesn't specify data: as an allowed source</h1>
+ <div id='log'></div>
+
+ <script>
+ var dataScriptRan = false;
+ </script>
+
+ <!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+ <script src="data:text/javascript;charset=utf-8;base64,ZGF0YVNjcmlwdFJhbiA9IHRydWU7"></script>
+
+ <script>
+ test(function () {
+ assert_false(dataScriptRan, "data script ran");
+ }, "Verify that data: as script src doesn't run with this policy");
+ </script>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=default-src%20%27self%27+%27unsafe-inline%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html.sub.headers
new file mode 100644
index 000000000..6c0c0fd0a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html.sub.headers 
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_10={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: default-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html
new file mode 100644
index 000000000..f1bfee200
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>data: as script src should run with a policy that specifies data: as an allowed source but not 'unsafe-inline'</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>data: as script src should run with a policy that specifies data: as an allowed source but not 'unsafe-inline'</h1>
+ <div id='log'></div>
+
+ <script src="10_1_support_1.js"></script>
+
+ <script src="data:text/javascript;charset=utf-8;base64,ZGF0YVNjcmlwdFJhbiA9IHRydWU7"></script>
+
+ <script src="10_1_support_2.js"></script>
+
+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers
new file mode 100644
index 000000000..dfb6f345f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_10_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' data:; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html
new file mode 100644
index 000000000..a41310da9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Inline script should not run without 'unsafe-inline' script-src directive.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='inlineTests.js'></script>
+</head>
+<body>
+ <h1>Inline script should not run without 'unsafe-inline' script-src directive, even for script-src *.</h1>
+ <div id='log'></div>
+
+ <script>
+ t1.step(function() {assert_unreached('Unsafe inline script ran.');});
+ </script>
+
+ <img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html.sub.headers
new file mode 100644
index 000000000..4cf9c6950
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_2={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src *; report-uri ../support/report.py?op=put&reportID={{$id}}
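Review bot: The report check at the bottom of script-src-1_2.html expects `reportValue=script-src%20%27self%27`, but the policy served for this page by its .sub.headers file in the same commit is `script-src *`, so the violated-directive in the report will read `script-src *` and the check cannot match — the page would fail even when the browser enforces the policy correctly. The sibling script-src-1_2_1.html, which runs under the same `script-src *` policy, already uses `reportValue=script-src%20*`; use the same here: `<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20*'></script>`. This looks like a copy of script-src-1_1.html in which only the h1 text was updated.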
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html
new file mode 100644
index 000000000..255f5df9c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html
@@ -0,0 +1,23 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Inline script attached by DOM manipulation should not run without an 'unsafe-inline' script-src policy, even with default-src *</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Inline script attached by DOM manipulation should not run without an 'unsafe-inline' script-src policy, even with default-src *</h1>
+ <div id="log"></div>
+
+ <div id=attachHere></div>
+
+ <script id=emptyScript></script>
+
+ <div id=emptyDiv></div>
+
+ <script src="addInlineTestsWithDOMManipulation.js"></script>
+
+ <script async defer src="../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20*"></script>
+
+</body>
+</html>
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers
new file mode 100644
index 000000000..9c58f0efc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_2_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src *; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html
new file mode 100644
index 000000000..30e6f6870
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Positive test case: Inline script should run 'unsafe-inline' script-src directive.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='inlineSuccessTest.js'></script>
+</head>
+<body>
+ <h1>Positive test case: Inline script should run 'unsafe-inline' script-src directive.</h1>
+ <div id='log'></div>
+
+ <script>
+ inlineRan = true;
+ </script>
+
+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html.sub.headers
new file mode 100644
index 000000000..8227c6272
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_3={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html
new file mode 100644
index 000000000..5293183d3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>eval() should not run without 'unsafe-eval' script-src directive.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>eval() should not run without 'unsafe-eval' script-src directive.</h1>
+ <div id='log'></div>
+
+ <script>
+
+ var evalRan = false;
+
+ test(function() {assert_throws(new EvalError(), function() { eval('evalRan = true;') })}, "eval() should throw without 'unsafe-eval' keyword source in script-src directive.");
+
+ test(function() {assert_false(evalRan);})
+
+ </script>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-inline%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html.sub.headers
new file mode 100644
index 000000000..28ad14b60
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_4={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
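Review bot: The second test in script-src-1_4.html, `test(function() {assert_false(evalRan);})`, has no name, so its result cannot be told apart in the report and, depending on the testharness version, an undefined name may be rejected or collide with another unnamed test — confirm against the harness in use. Give it a descriptive name, e.g. `test(function() {assert_false(evalRan);}, "eval() argument should not have executed without 'unsafe-eval'.");`. The statement is also missing its terminating semicolon, unlike the first `test(...)` call above it.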
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html
new file mode 100644
index 000000000..31664a169
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>setTimeout() and setInterval() should not run without 'unsafe-eval' script-src directive.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>setTimeout() and setInterval() should not run without 'unsafe-eval' script-src directive.</h1>
+ <div id='log'></div>
+
+ <script>
+ var t1 = async_test("window.setTimeout()");
+ var t2 = async_test("window.setInterval()");
+
+ onload = function() {t1.done(); t2.done()}
+
+ window.setTimeout('t1.step(function() {assert_unreached("window.setTimeout() ran without unsafe-eval.")})',0);
+ window.setInterval('t2.step(function() {assert_unreached("window.setInterval() ran without unsafe-eval.")})',0);
+
+ </script>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-eval%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers
new file mode 100644
index 000000000..6bd48d1de
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers 
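Review bot: The report check in script-src-1_4_1.html expects `reportValue=script-src%20%27self%27+%27unsafe-eval%27`, i.e. a violated-directive of `script-src 'self' 'unsafe-eval'`, but the policy this page is served with (its .sub.headers file in the same commit) is `script-src 'self' 'unsafe-inline'`, which is also the policy the test needs so that its own inline `<script>` block can run. The report will therefore carry `script-src 'self' 'unsafe-inline'` and the check cannot match; script-src-1_4.html and script-src-1_4_2.html use the same policy and already expect `reportValue=script-src%20%27self%27+%27unsafe-inline%27`, so align this page with them. Separately, `t1.done(); t2.done()` run from `onload`, and a string-argument timer that is blocked fires nothing, so the pass path is fine; but if a timer did fire after load, the `step` call on a completed test is presumably ignored rather than reported — confirm against testharness.js.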
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_4_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html
new file mode 100644
index 000000000..31382936f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Function() called as a constructor should throw without 'unsafe-eval' script-src directive.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Function() called as a constructor should throw without 'unsafe-eval' script-src directive.</h1>
+ <div id='log'></div>
+
+ <script>
+
+ test(function() {
+ assert_throws(
+ new EvalError(),
+ function() {
+ var funq = new Function('');
+ funq();
+ })}, "Unsafe eval ran in Function() constructor.");
+
+ </script>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-inline%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers
new file mode 100644
index 000000000..314849bb9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_4_2={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file |