From 5f8de423f190bbb79a62f804151bc24824fa32d8 Mon Sep 17 00:00:00 2001 
From: "Matt A. Tobin" Date: Fri, 2 Feb 2018 04:16:08 -0500 Subject: Add m-esr52 at 52.6.0 --- .../tests/content-security-policy/OWNERS | 2 + .../tests/content-security-policy/README.css | 27 +++++ .../tests/content-security-policy/README.html | 118 +++++++++++++++++++ .../blink-contrib-2/allowed.css | 3 + .../blink-contrib-2/base-uri-allow.sub.html | 36 ++++++ .../base-uri-allow.sub.html.sub.headers | 6 + .../blink-contrib-2/base-uri-deny.sub.html | 33 ++++++ .../base-uri-deny.sub.html.sub.headers | 6 + .../form-action-src-allowed.sub.html | 40 +++++++ .../form-action-src-allowed.sub.html.sub.headers | 6 + .../form-action-src-blocked.sub.html | 40 +++++++ .../form-action-src-blocked.sub.html.sub.headers | 6 + .../form-action-src-default-ignored.sub.html | 40 +++++++ ...action-src-default-ignored.sub.html.sub.headers | 6 + .../form-action-src-get-allowed.sub.html | 42 +++++++ ...orm-action-src-get-allowed.sub.html.sub.headers | 6 + .../form-action-src-get-blocked.sub.html | 43 +++++++ ...orm-action-src-get-blocked.sub.html.sub.headers | 6 + .../form-action-src-javascript-blocked.sub.html | 34 ++++++ ...ion-src-javascript-blocked.sub.html.sub.headers | 6 + .../form-action-src-redirect-blocked.sub.html | 41 +++++++ ...ction-src-redirect-blocked.sub.html.sub.headers | 6 + .../blink-contrib-2/meta-outside-head.sub.html | 27 +++++ .../meta-outside-head.sub.html.sub.headers | 6 + .../blink-contrib-2/metaHelper.js | 5 + .../plugintypes-mismatched-data.sub.html | 24 ++++ ...lugintypes-mismatched-data.sub.html.sub.headers | 6 + .../plugintypes-mismatched-url.sub.html | 24 ++++ ...plugintypes-mismatched-url.sub.html.sub.headers | 6 + .../plugintypes-notype-data.sub.html | 23 ++++ .../plugintypes-notype-data.sub.html.sub.headers | 6 + .../plugintypes-notype-url.sub.html | 24 ++++ .../plugintypes-notype-url.sub.html.sub.headers | 6 + .../plugintypes-nourl-allowed.sub.html | 23 ++++ .../plugintypes-nourl-allowed.sub.html.sub.headers | 6 + .../plugintypes-nourl-blocked.sub.html | 
23 ++++ .../plugintypes-nourl-blocked.sub.html.sub.headers | 6 + .../script-src-wildcards-disallowed.html | 65 +++++++++++ ...cript-src-wildcards-disallowed.html.sub.headers | 6 + .../blink-contrib-2/scripthash-allowed.sub.html | 42 +++++++ .../scripthash-allowed.sub.html.sub.headers | 6 + .../scripthash-basic-blocked.sub.html | 69 +++++++++++ .../scripthash-basic-blocked.sub.html.sub.headers | 6 + .../scripthash-default-src.sub.html | 15 +++ .../scripthash-default-src.sub.html.sub.headers | 6 + .../scripthash-ignore-unsafeinline.sub.html | 57 +++++++++ ...pthash-ignore-unsafeinline.sub.html.sub.headers | 6 + .../scripthash-unicode-normalization.sub.html | 71 ++++++++++++ ...hash-unicode-normalization.sub.html.sub.headers | 6 + .../blink-contrib-2/scriptnonce-allowed.sub.html | 64 +++++++++++ .../scriptnonce-allowed.sub.html.sub.headers | 6 + .../scriptnonce-and-scripthash.sub.html | 76 ++++++++++++ ...scriptnonce-and-scripthash.sub.html.sub.headers | 6 + .../scriptnonce-basic-blocked.sub.html | 43 +++++++ .../scriptnonce-basic-blocked.sub.html.sub.headers | 6 + .../scriptnonce-ignore-unsafeinline.sub.html | 72 ++++++++++++ ...tnonce-ignore-unsafeinline.sub.html.sub.headers | 6 + .../blink-contrib-2/scriptnonce-redirect.sub.html | 59 ++++++++++ .../scriptnonce-redirect.sub.html.sub.headers | 6 + ...n-block-cross-origin-image-from-script.sub.html | 27 +++++ ...s-origin-image-from-script.sub.html.sub.headers | 6 + ...licyviolation-block-cross-origin-image.sub.html | 29 +++++ ...n-block-cross-origin-image.sub.html.sub.headers | 6 + ...olicyviolation-block-image-from-script.sub.html | 29 +++++ ...on-block-image-from-script.sub.html.sub.headers | 6 + .../securitypolicyviolation-block-image.sub.html | 34 ++++++ ...olicyviolation-block-image.sub.html.sub.headers | 6 + .../blink-contrib-2/stylehash-allowed.sub.html | 77 +++++++++++++ .../stylehash-allowed.sub.html.sub.headers | 6 + .../stylehash-basic-blocked.sub.html | 61 ++++++++++ 
.../stylehash-basic-blocked.sub.html.sub.headers | 6 + .../blink-contrib-2/stylehash-default-src.sub.html | 21 ++++ .../stylehash-default-src.sub.html.sub.headers | 6 + .../blink-contrib-2/stylenonce-allowed.sub.html | 54 +++++++++ .../stylenonce-allowed.sub.html.sub.headers | 6 + .../blink-contrib-2/stylenonce-blocked.sub.html | 38 ++++++ .../stylenonce-blocked.sub.html.sub.headers | 6 + .../blob-urls-do-not-match-self.sub.html | 36 ++++++ ...lob-urls-do-not-match-self.sub.html.sub.headers | 6 + .../blink-contrib/blob-urls-match-blob.sub.html | 36 ++++++ .../blob-urls-match-blob.sub.html.sub.headers | 6 + .../combine-header-and-meta-policies.sub.html | 51 ++++++++ ...e-header-and-meta-policies.sub.html.sub.headers | 6 + .../combine-multiple-header-policies.html.asis | 60 ++++++++++ .../connect-src-beacon-allowed.sub.html | 41 +++++++ ...connect-src-beacon-allowed.sub.html.sub.headers | 6 + .../connect-src-beacon-blocked.sub.html | 40 +++++++ ...connect-src-beacon-blocked.sub.html.sub.headers | 6 + ...connect-src-beacon-redirect-to-blocked.sub.html | 41 +++++++ ...beacon-redirect-to-blocked.sub.html.sub.headers | 6 + .../connect-src-eventsource-allowed.sub.html | 30 +++++ ...ct-src-eventsource-allowed.sub.html.sub.headers | 6 + .../connect-src-eventsource-blocked.sub.html | 40 +++++++ ...ct-src-eventsource-blocked.sub.html.sub.headers | 6 + ...ct-src-eventsource-redirect-to-blocked.sub.html | 39 +++++++ ...source-redirect-to-blocked.sub.html.sub.headers | 6 + .../connect-src-websocket-allowed.sub.html | 30 +++++ ...nect-src-websocket-allowed.sub.html.sub.headers | 6 + .../connect-src-websocket-blocked.sub.html | 30 +++++ ...nect-src-websocket-blocked.sub.html.sub.headers | 6 + .../connect-src-xmlhttprequest-allowed.sub.html | 31 +++++ ...src-xmlhttprequest-allowed.sub.html.sub.headers | 6 + .../connect-src-xmlhttprequest-blocked.sub.html | 37 ++++++ ...src-xmlhttprequest-blocked.sub.html.sub.headers | 6 + ...src-xmlhttprequest-redirect-to-blocked.sub.html | 45 
++++++++ ...equest-redirect-to-blocked.sub.html.sub.headers | 6 + .../default-src-inline-allowed.sub.html | 26 +++++ ...default-src-inline-allowed.sub.html.sub.headers | 6 + .../default-src-inline-blocked.sub.html | 27 +++++ ...default-src-inline-blocked.sub.html.sub.headers | 6 + .../blink-contrib/duplicate-directive.sub.html | 29 +++++ .../duplicate-directive.sub.html.sub.headers | 6 + .../blink-contrib/eval-allowed.sub.html | 29 +++++ .../eval-allowed.sub.html.sub.headers | 6 + .../eval-blocked-and-sends-report.sub.html | 29 +++++ ...l-blocked-and-sends-report.sub.html.sub.headers | 6 + .../eval-blocked-in-about-blank-iframe.sub.html | 10 ++ ...cked-in-about-blank-iframe.sub.html.sub.headers | 6 + .../blink-contrib/eval-blocked.sub.html | 37 ++++++ .../eval-blocked.sub.html.sub.headers | 6 + .../eval-scripts-setInterval-allowed.sub.html | 31 +++++ ...cripts-setInterval-allowed.sub.html.sub.headers | 6 + .../eval-scripts-setInterval-blocked.sub.html | 31 +++++ ...cripts-setInterval-blocked.sub.html.sub.headers | 6 + .../eval-scripts-setTimeout-allowed.sub.html | 30 +++++ ...scripts-setTimeout-allowed.sub.html.sub.headers | 6 + .../eval-scripts-setTimeout-blocked.sub.html | 30 +++++ ...scripts-setTimeout-blocked.sub.html.sub.headers | 6 + .../filesystem-urls-do-not-match-self.sub.html | 62 ++++++++++ ...tem-urls-do-not-match-self.sub.html.sub.headers | 6 + .../filesystem-urls-match-filesystem.sub.html | 59 ++++++++++ ...stem-urls-match-filesystem.sub.html.sub.headers | 6 + ...ame-src-about-blank-allowed-by-default.sub.html | 24 ++++ ...t-blank-allowed-by-default.sub.html.sub.headers | 6 + ...rame-src-about-blank-allowed-by-scheme.sub.html | 20 ++++ ...ut-blank-allowed-by-scheme.sub.html.sub.headers | 6 + .../blink-contrib/frame-src-allowed.sub.html | 63 ++++++++++ .../frame-src-allowed.sub.html.sub.headers | 6 + .../blink-contrib/frame-src-blocked.sub.html | 61 ++++++++++ .../frame-src-blocked.sub.html.sub.headers | 6 + .../frame-src-cross-origin-load.sub.html | 
66 +++++++++++ ...rame-src-cross-origin-load.sub.html.sub.headers | 6 + .../function-constructor-allowed.sub.html | 25 ++++ ...nction-constructor-allowed.sub.html.sub.headers | 6 + .../function-constructor-blocked.sub.html | 29 +++++ ...nction-constructor-blocked.sub.html.sub.headers | 6 + .../blink-contrib/icon-allowed.sub.html | 19 +++ .../icon-allowed.sub.html.sub.headers | 6 + .../blink-contrib/icon-blocked.sub.html | 17 +++ .../icon-blocked.sub.html.sub.headers | 6 + .../blink-contrib/iframe-inside-csp.sub.html | 1 + .../iframe-inside-csp.sub.html.sub.headers | 6 + .../blink-contrib/image-allowed.sub.html | 22 ++++ .../image-allowed.sub.html.sub.headers | 6 + .../blink-contrib/image-blocked.sub.html | 23 ++++ .../image-blocked.sub.html.sub.headers | 6 + .../image-full-host-wildcard-allowed.sub.html | 22 ++++ ...full-host-wildcard-allowed.sub.html.sub.headers | 6 + .../injected-inline-script-allowed.sub.html | 22 ++++ ...cted-inline-script-allowed.sub.html.sub.headers | 6 + .../injected-inline-script-blocked.sub.html | 20 ++++ ...cted-inline-script-blocked.sub.html.sub.headers | 6 + .../injected-inline-style-allowed.sub.html | 35 ++++++ ...ected-inline-style-allowed.sub.html.sub.headers | 6 + .../injected-inline-style-blocked.sub.html | 32 ++++++ ...ected-inline-style-blocked.sub.html.sub.headers | 6 + ...ne-style-allowed-while-cloning-objects.sub.html | 128 +++++++++++++++++++++ ...owed-while-cloning-objects.sub.html.sub.headers | 6 + .../blink-contrib/inline-style-allowed.sub.html | 31 +++++ .../inline-style-allowed.sub.html.sub.headers | 6 + .../inline-style-attribute-allowed.sub.html | 25 ++++ ...ne-style-attribute-allowed.sub.html.sub.headers | 6 + .../inline-style-attribute-blocked.sub.html | 25 ++++ ...ne-style-attribute-blocked.sub.html.sub.headers | 6 + .../inline-style-attribute-on-html.sub.html | 28 +++++ ...ne-style-attribute-on-html.sub.html.sub.headers | 6 + .../blink-contrib/inline-style-blocked.sub.html | 31 +++++ 
.../inline-style-blocked.sub.html.sub.headers | 6 + .../blink-contrib/manifest-src-allowed.sub.html | 9 ++ .../manifest-src-allowed.sub.html.sub.headers | 6 + .../blink-contrib/manifest-src-blocked.sub.html | 9 ++ .../manifest-src-blocked.sub.html.sub.headers | 6 + .../blink-contrib/media-src-allowed.sub.html | 14 +++ .../media-src-allowed.sub.html.sub.headers | 6 + .../blink-contrib/media-src-blocked.sub.html | 15 +++ .../media-src-blocked.sub.html.sub.headers | 6 + .../blink-contrib/media-src-track-block.sub.html | 39 +++++++ .../media-src-track-block.sub.html.sub.headers | 6 + .../object-in-svg-foreignobject.sub.html | 28 +++++ ...bject-in-svg-foreignobject.sub.html.sub.headers | 6 + .../object-src-applet-archive-codebase.sub.html | 41 +++++++ ...rc-applet-archive-codebase.sub.html.sub.headers | 6 + .../object-src-applet-archive.sub.html | 41 +++++++ .../object-src-applet-archive.sub.html.sub.headers | 6 + .../object-src-applet-code-codebase.sub.html | 41 +++++++ ...t-src-applet-code-codebase.sub.html.sub.headers | 6 + .../blink-contrib/object-src-applet-code.sub.html | 41 +++++++ .../object-src-applet-code.sub.html.sub.headers | 6 + .../object-src-no-url-allowed.sub.html | 23 ++++ .../object-src-no-url-allowed.sub.html.sub.headers | 6 + .../object-src-no-url-blocked.sub.html | 23 ++++ .../object-src-no-url-blocked.sub.html.sub.headers | 6 + .../blink-contrib/object-src-url-allowed.sub.html | 23 ++++ .../object-src-url-allowed.sub.html.sub.headers | 6 + .../blink-contrib/object-src-url-blocked.sub.html | 23 ++++ .../object-src-url-blocked.sub.html.sub.headers | 6 + .../policy-does-not-affect-child.sub.html | 1 + ...licy-does-not-affect-child.sub.html.sub.headers | 6 + .../blink-contrib/report-blocked-data-uri.sub.html | 22 ++++ .../report-blocked-data-uri.sub.html.sub.headers | 6 + .../report-cross-origin-no-cookies.sub.html | 24 ++++ ...rt-cross-origin-no-cookies.sub.html.sub.headers | 6 + .../report-disallowed-from-meta.sub.html | 24 ++++ 
...eport-disallowed-from-meta.sub.html.sub.headers | 5 + .../report-same-origin-with-cookies.sub.html | 24 ++++ ...t-same-origin-with-cookies.sub.html.sub.headers | 6 + .../report-uri-from-inline-javascript.sub.html | 28 +++++ ...uri-from-inline-javascript.sub.html.sub.headers | 6 + .../report-uri-from-javascript.sub.html | 22 ++++ ...report-uri-from-javascript.sub.html.sub.headers | 6 + .../blink-contrib/report-uri.sub.html | 6 + .../blink-contrib/report-uri.sub.html.sub.headers | 6 + .../blink-contrib/resources/alert-fail.html | 4 + .../blink-contrib/resources/alert-pass.html | 4 + .../blink-contrib/resources/blue.css | 3 + .../resources/document-write-alert-fail.js | 1 + .../resources/generate-csp-report.html | 7 ++ .../blink-contrib/resources/go-to-echo-report.js | 12 ++ .../blink-contrib/resources/inject-image.js | 4 + .../blink-contrib/resources/inject-script.js | 5 + .../blink-contrib/resources/inject-style.js | 5 + .../blink-contrib/resources/post-message.js | 1 + .../blink-contrib/resources/postmessage-fail.html | 4 + .../blink-contrib/resources/postmessage-pass.html | 4 + .../blink-contrib/resources/script.js | 2 + .../resources/set-cookie.js.sub.headers | 1 + .../shared-worker-make-xhr-allowed.sub.js | 23 ++++ .../shared-worker-make-xhr-blocked.sub.js | 23 ++++ ...ared-worker-make-xhr-blocked.sub.js.sub.headers | 1 + .../blink-contrib/resources/simple-event-stream | 1 + .../resources/simple-event-stream.headers | 1 + .../blink-contrib/resources/track.vtt | 1 + .../blink-contrib/resources/worker-eval.js | 5 + .../resources/worker-eval.js.sub.headers | 1 + .../resources/worker-function-function.js | 7 ++ .../worker-function-function.js.sub.headers | 1 + .../resources/worker-importscripts.js | 6 + .../resources/worker-importscripts.js.sub.headers | 1 + .../resources/worker-make-xhr-blocked.sub.js | 21 ++++ .../worker-make-xhr-blocked.sub.js.sub.headers | 1 + .../blink-contrib/resources/worker-make-xhr.sub.js | 21 ++++ 
.../blink-contrib/resources/worker-set-timeout.js | 5 + .../resources/worker-set-timeout.js.sub.headers | 1 + .../sandbox-allow-scripts-subframe.sub.html | 3 + ...box-allow-scripts-subframe.sub.html.sub.headers | 6 + .../blink-contrib/sandbox-allow-scripts.sub.html | 6 + .../sandbox-allow-scripts.sub.html.sub.headers | 6 + .../blink-contrib/sandbox-empty-subframe.sub.html | 3 + .../sandbox-empty-subframe.sub.html.sub.headers | 6 + .../blink-contrib/sandbox-empty.sub.html | 6 + .../sandbox-empty.sub.html.sub.headers | 6 + .../script-src-overrides-default-src.sub.html | 25 ++++ ...-src-overrides-default-src.sub.html.sub.headers | 6 + .../blink-contrib/self-doesnt-match-blob.sub.html | 49 ++++++++ .../self-doesnt-match-blob.sub.html.sub.headers | 6 + .../shared-worker-connect-src-allowed.sub.html | 43 +++++++ ...worker-connect-src-allowed.sub.html.sub.headers | 6 + .../shared-worker-connect-src-blocked.sub.html | 50 ++++++++ ...worker-connect-src-blocked.sub.html.sub.headers | 6 + .../source-list-parsing-paths-03.sub.html | 22 ++++ ...urce-list-parsing-paths-03.sub.html.sub.headers | 6 + .../srcdoc-doesnt-bypass-script-src.sub.html | 22 ++++ ...c-doesnt-bypass-script-src.sub.html.sub.headers | 6 + .../blink-contrib/star-doesnt-match-blob.sub.html | 49 ++++++++ .../star-doesnt-match-blob.sub.html.sub.headers | 6 + .../blink-contrib/style-allowed.sub.html | 26 +++++ .../style-allowed.sub.html.sub.headers | 6 + .../blink-contrib/style-blocked.sub.html | 26 +++++ .../style-blocked.sub.html.sub.headers | 6 + .../worker-connect-src-allowed.sub.html | 33 ++++++ ...worker-connect-src-allowed.sub.html.sub.headers | 6 + .../worker-connect-src-blocked.sub.html | 38 ++++++ ...worker-connect-src-blocked.sub.html.sub.headers | 6 + .../blink-contrib/worker-eval-blocked.sub.html | 37 ++++++ .../worker-eval-blocked.sub.html.sub.headers | 6 + .../blink-contrib/worker-from-guid.sub.html | 65 +++++++++++ .../worker-from-guid.sub.html.sub.headers | 6 + 
.../worker-function-function-blocked.sub.html | 38 ++++++ ...-function-function-blocked.sub.html.sub.headers | 6 + .../worker-importscripts-blocked.sub.html | 43 +++++++ ...rker-importscripts-blocked.sub.html.sub.headers | 6 + .../blink-contrib/worker-script-src.sub.html | 33 ++++++ .../worker-script-src.sub.html.sub.headers | 6 + .../worker-set-timeout-blocked.sub.html | 33 ++++++ ...worker-set-timeout-blocked.sub.html.sub.headers | 6 + .../blink-contrib/xsl-blocked-expected.png | Bin 0 -> 2840 bytes .../xsl-unaffected-by-style-src-1-expected.png | Bin 0 -> 2840 bytes ...ild-src-about-blank-allowed-by-default.sub.html | 24 ++++ ...t-blank-allowed-by-default.sub.html.sub.headers | 6 + ...hild-src-about-blank-allowed-by-scheme.sub.html | 20 ++++ ...ut-blank-allowed-by-scheme.sub.html.sub.headers | 6 + .../child-src/child-src-allowed.sub.html | 63 ++++++++++ .../child-src-allowed.sub.html.sub.headers | 6 + .../child-src/child-src-blocked.sub.html | 61 ++++++++++ .../child-src-blocked.sub.html.sub.headers | 6 + .../child-src-conflicting-frame-src.sub.html | 61 ++++++++++ ...-src-conflicting-frame-src.sub.html.sub.headers | 6 + .../child-src/child-src-cross-origin-load.sub.html | 68 +++++++++++ ...hild-src-cross-origin-load.sub.html.sub.headers | 6 + .../child-src/child-src-worker-allowed.sub.html | 32 ++++++ .../child-src-worker-allowed.sub.html.sub.headers | 6 + .../child-src/child-src-worker-blocked.sub.html | 35 ++++++ .../child-src-worker-blocked.sub.html.sub.headers | 6 + .../font-src/font-blacklisted-ref.html | 6 + .../font-src/font-blacklisted.html | 9 ++ .../font-src/font-whitelisted-ref.html | 6 + .../font-src/font-whitelisted.html | 9 ++ .../content-security-policy/font-src/fonts.css | 8 ++ .../frame-ancestors/deep-allows-none.sub.html | 37 ++++++ ...termediate-reporting-frame-allows-self.sub.html | 21 ++++ ...te-reporting-frame-allows-self.sub.html.headers | 5 + ...termediate-reporting-frame-allows-star.sub.html | 20 ++++ 
...te-reporting-frame-allows-star.sub.html.headers | 5 + .../multiple-frames-meta-ignored.sub.html | 41 +++++++ .../multiple-frames-one-blocked.sub.html | 37 ++++++ .../multiple-frames-self-allowed.sub.html | 39 +++++++ .../nested-traversing-allowed.sub.html | 33 ++++++ .../nested-traversing-banned-top-is-self.sub.html | 35 ++++++ .../nested-traversing-banned.sub.html | 37 ++++++ .../reporting-frame-allows-none-meta.html | 23 ++++ .../reporting-frame-allows-none.html | 22 ++++ .../reporting-frame-allows-none.html.headers | 5 + .../reporting-frame-allows-self.html | 22 ++++ .../reporting-frame-allows-self.html.headers | 5 + .../single-frame-self-allowed.sub.html | 35 ++++++ .../content-security-policy/generic/fail-0_1.js | 3 + .../generic/generic-0_1-img-src.html | 35 ++++++ .../generic/generic-0_1-img-src.html.sub.headers | 6 + .../generic/generic-0_1-script-src.html | 35 ++++++ .../generic-0_1-script-src.html.sub.headers | 6 + .../generic/generic-0_10.html | 21 ++++ .../generic/generic-0_10.html.sub.headers | 6 + .../generic/generic-0_10_1.sub.html | 22 ++++ .../generic/generic-0_10_1.sub.html.sub.headers | 6 + .../generic/generic-0_2.html | 15 +++ .../generic/generic-0_2.html.sub.headers | 6 + .../generic/generic-0_2_2.sub.html | 22 ++++ .../generic/generic-0_2_2.sub.html.sub.headers | 6 + .../generic/generic-0_2_3.html | 22 ++++ .../generic/generic-0_2_3.html.sub.headers | 6 + .../generic/generic-0_8.html | 22 ++++ .../generic/generic-0_8.html.sub.headers | 6 + .../generic/generic-0_8_1.sub.html | 21 ++++ .../generic/generic-0_8_1.sub.html.sub.headers | 6 + .../generic/generic-0_9.sub.html | 22 ++++ .../generic/generic-0_9.sub.html.sub.headers | 6 + .../generic/negativeTests.js | 3 + .../generic/no-default-src.sub.html | 27 +++++ .../generic/no-default-src.sub.html.sub.headers | 6 + .../content-security-policy/generic/pass-0_1.js | 3 + .../generic/positiveTest.js | 6 + .../content-security-policy/generic/unreached.js | 3 + .../generic/wildcardHostTest.js | 8 ++ 
.../generic/wildcardHostTestFailure.js | 8 ++ .../generic/wildcardHostTestSuceeds.js | 1 + .../generic/wildcardPortTest.js | 8 ++ .../generic/wildcardPortTestSuceeds.js | 1 + .../img-src/img-src-4_1.html | 46 ++++++++ .../img-src/img-src-4_1.html.sub.headers | 6 + .../media-src/media-src-7_1.html | 44 +++++++ .../media-src/media-src-7_1.html.sub.headers | 6 + .../media-src/media-src-7_1_2.html | 55 +++++++++ .../media-src/media-src-7_1_2.html.sub.headers | 6 + .../media-src/media-src-7_2.html | 44 +++++++ .../media-src/media-src-7_2.html.sub.headers | 6 + .../media-src/media-src-7_2_2.html | 55 +++++++++ .../media-src/media-src-7_2_2.html.sub.headers | 6 + .../media-src/media-src-7_3.html | 53 +++++++++ .../media-src/media-src-7_3.html.sub.headers | 6 + .../media-src/media-src-7_3_2.html | 68 +++++++++++ .../media-src/media-src-7_3_2.html.sub.headers | 6 + .../media-src/media-src-redir-bug.sub.html | 66 +++++++++++ .../media-src-redir-bug.sub.html.sub.headers | 6 + .../content-security-policy/meta/meta-img-src.html | 33 ++++++ .../meta/meta-modified.html | 35 ++++++ .../object-src/object-src-2_1.html | 66 +++++++++++ .../object-src/object-src-2_1.html.sub.headers | 6 + .../object-src/object-src-2_2.html | 61 ++++++++++ .../object-src/object-src-2_2.html.sub.headers | 6 + .../reporting/securitypolicyviolation-idl.html | 55 +++++++++ .../script-src/10_1_support_1.js | 1 + .../script-src/10_1_support_2.js | 3 + .../addInlineTestsWithDOMManipulation.js | 18 +++ .../script-src/buildInlineWorker.js | 21 ++++ .../script-src/inlineSuccessTest.js | 8 ++ .../script-src/inlineTests.js | 4 + .../script-src/script-src-1_1.html | 22 ++++ .../script-src/script-src-1_1.html.sub.headers | 6 + .../script-src/script-src-1_10.html | 27 +++++ .../script-src/script-src-1_10.html.sub.headers | 6 + .../script-src/script-src-1_10_1.html | 20 ++++ .../script-src/script-src-1_10_1.html.sub.headers | 6 + .../script-src/script-src-1_2.html | 22 ++++ 
.../script-src/script-src-1_2.html.sub.headers | 6 + .../script-src/script-src-1_2_1.html | 23 ++++ .../script-src/script-src-1_2_1.html.sub.headers | 6 + .../script-src/script-src-1_3.html | 20 ++++ .../script-src/script-src-1_3.html.sub.headers | 6 + .../script-src/script-src-1_4.html | 25 ++++ .../script-src/script-src-1_4.html.sub.headers | 6 + .../script-src/script-src-1_4_1.html | 26 +++++ .../script-src/script-src-1_4_1.html.sub.headers | 6 + .../script-src/script-src-1_4_2.html | 27 +++++ .../script-src/script-src-1_4_2.html.sub.headers | 6 + .../content-security-policy/style-src/3_3.css | 1 + .../style-src/style-src-3_1.html | 33 ++++++ .../style-src/style-src-3_1.html.sub.headers | 6 + .../style-src/style-src-3_2.html | 25 ++++ .../style-src/style-src-3_2.html.sub.headers | 6 + .../style-src/style-src-3_3.html | 37 ++++++ .../style-src/style-src-3_3.html.sub.headers | 6 + .../style-src/style-src-3_4-import.css | 3 + .../style-src/style-src-3_4.css | 1 + .../style-src/style-src-3_4.html | 27 +++++ .../style-src/style-src-3_4.html.sub.headers | 6 + .../content-security-policy/support/alert-pass.js | 1 + .../support/alertAssert.sub.js | 43 +++++++ .../support/checkReport.sub.js | 84 ++++++++++++++ .../content-security-policy/support/fail.asis | 5 + .../tests/content-security-policy/support/fail.js | 1 + .../tests/content-security-policy/support/fail.png | Bin 0 -> 759 bytes .../support/inject-image.js | 5 + .../content-security-policy/support/logTest.sub.js | 41 +++++++ .../support/media/flash.swf | Bin 0 -> 638 bytes .../tests/content-security-policy/support/pass.png | Bin 0 -> 1689 bytes .../content-security-policy/support/report.py | 34 ++++++ .../content-security-policy/support/siblingPath.js | 5 + .../content-security-policy/svg/including.sub.svg | 18 +++ .../svg/including.sub.svg.sub.headers | 6 + .../tests/content-security-policy/svg/scripted.svg | 20 ++++ .../svg/scripted.svg.sub.headers | 6 + .../content-security-policy/svg/svg-from-guid.html | 51 
++++++++ .../svg/svg-inline.sub.html | 34 ++++++ .../svg/svg-inline.sub.html.sub.headers | 6 + .../svg/svg-policy-resource-doc-includes.html | 29 +++++ .../svg/svg-policy-with-resource.html | 30 +++++ 446 files changed, 8460 insertions(+) create mode 100644 testing/web-platform/tests/content-security-policy/OWNERS create mode 100644 testing/web-platform/tests/content-security-policy/README.css create mode 100644 testing/web-platform/tests/content-security-policy/README.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/allowed.css create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html create mode 100644 
testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/metaHelper.js create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html create mode 100644 
testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html create 
mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.sub.headers create mode 
100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html create mode 100644 
testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/combine-multiple-header-policies.html.asis create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html create mode 100644 
testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html create mode 100644 
testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html create mode 100644 
testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html.sub.headers 
create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html.sub.headers create mode 100644 
testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html create mode 100644 
testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html create mode 100644 
testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html create mode 100644 
testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html create 
mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-fail.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-pass.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/blue.css create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/document-write-alert-fail.js create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/generate-csp-report.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/go-to-echo-report.js create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-image.js create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-script.js create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-style.js create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/post-message.js create 
mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-fail.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-pass.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/script.js create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/set-cookie.js.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/track.vtt create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js.sub.headers create mode 100644 
testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html create mode 100644 
testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html create mode 100644 
testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/blink-contrib/xsl-blocked-expected.png create mode 100644 
testing/web-platform/tests/content-security-policy/blink-contrib/xsl-unaffected-by-style-src-1-expected.png create mode 100644 testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html create mode 100644 
testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/font-src/font-blacklisted-ref.html create mode 100644 testing/web-platform/tests/content-security-policy/font-src/font-blacklisted.html create mode 100644 testing/web-platform/tests/content-security-policy/font-src/font-whitelisted-ref.html create mode 100644 testing/web-platform/tests/content-security-policy/font-src/font-whitelisted.html create mode 100644 testing/web-platform/tests/content-security-policy/font-src/fonts.css create mode 100644 testing/web-platform/tests/content-security-policy/frame-ancestors/deep-allows-none.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html.headers create mode 100644 testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-star.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-star.sub.html.headers create mode 100644 testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-meta-ignored.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-one-blocked.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-self-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-banned-top-is-self.sub.html create mode 100644 
testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-banned.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none-meta.html create mode 100644 testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none.html create mode 100644 testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none.html.headers create mode 100644 testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-self.html create mode 100644 testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-self.html.headers create mode 100644 testing/web-platform/tests/content-security-policy/frame-ancestors/single-frame-self-allowed.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/generic/fail-0_1.js create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_10.html create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_10.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_2.html create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_2.html.sub.headers create 
mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_8.html create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_8.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/generic/negativeTests.js create mode 100644 testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/generic/pass-0_1.js create mode 100644 testing/web-platform/tests/content-security-policy/generic/positiveTest.js create mode 100644 testing/web-platform/tests/content-security-policy/generic/unreached.js create mode 100644 testing/web-platform/tests/content-security-policy/generic/wildcardHostTest.js create mode 100644 testing/web-platform/tests/content-security-policy/generic/wildcardHostTestFailure.js create mode 100644 testing/web-platform/tests/content-security-policy/generic/wildcardHostTestSuceeds.js create mode 100644 
testing/web-platform/tests/content-security-policy/generic/wildcardPortTest.js create mode 100644 testing/web-platform/tests/content-security-policy/generic/wildcardPortTestSuceeds.js create mode 100644 testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.html create mode 100644 testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html create mode 100644 testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.html create mode 100644 testing/web-platform/tests/content-security-policy/media-src/media-src-7_1_2.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html create mode 100644 testing/web-platform/tests/content-security-policy/media-src/media-src-7_2.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.html create mode 100644 testing/web-platform/tests/content-security-policy/media-src/media-src-7_2_2.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.html create mode 100644 testing/web-platform/tests/content-security-policy/media-src/media-src-7_3.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.html create mode 100644 testing/web-platform/tests/content-security-policy/media-src/media-src-7_3_2.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/media-src/media-src-redir-bug.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/meta/meta-img-src.html create mode 100644 
testing/web-platform/tests/content-security-policy/meta/meta-modified.html create mode 100644 testing/web-platform/tests/content-security-policy/object-src/object-src-2_1.html create mode 100644 testing/web-platform/tests/content-security-policy/object-src/object-src-2_1.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/object-src/object-src-2_2.html create mode 100644 testing/web-platform/tests/content-security-policy/object-src/object-src-2_2.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/reporting/securitypolicyviolation-idl.html create mode 100644 testing/web-platform/tests/content-security-policy/script-src/10_1_support_1.js create mode 100644 testing/web-platform/tests/content-security-policy/script-src/10_1_support_2.js create mode 100644 testing/web-platform/tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js create mode 100644 testing/web-platform/tests/content-security-policy/script-src/buildInlineWorker.js create mode 100644 testing/web-platform/tests/content-security-policy/script-src/inlineSuccessTest.js create mode 100644 testing/web-platform/tests/content-security-policy/script-src/inlineTests.js create mode 100644 testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html create mode 100644 testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html create mode 100644 testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html create mode 100644 testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html create mode 
100644 testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html create mode 100644 testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html create mode 100644 testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html create mode 100644 testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html create mode 100644 testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html create mode 100644 testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/style-src/3_3.css create mode 100644 testing/web-platform/tests/content-security-policy/style-src/style-src-3_1.html create mode 100644 testing/web-platform/tests/content-security-policy/style-src/style-src-3_1.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/style-src/style-src-3_2.html create mode 100644 testing/web-platform/tests/content-security-policy/style-src/style-src-3_2.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/style-src/style-src-3_3.html create mode 100644 testing/web-platform/tests/content-security-policy/style-src/style-src-3_3.html.sub.headers create mode 100644 
testing/web-platform/tests/content-security-policy/style-src/style-src-3_4-import.css create mode 100644 testing/web-platform/tests/content-security-policy/style-src/style-src-3_4.css create mode 100644 testing/web-platform/tests/content-security-policy/style-src/style-src-3_4.html create mode 100644 testing/web-platform/tests/content-security-policy/style-src/style-src-3_4.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/support/alert-pass.js create mode 100644 testing/web-platform/tests/content-security-policy/support/alertAssert.sub.js create mode 100644 testing/web-platform/tests/content-security-policy/support/checkReport.sub.js create mode 100644 testing/web-platform/tests/content-security-policy/support/fail.asis create mode 100644 testing/web-platform/tests/content-security-policy/support/fail.js create mode 100644 testing/web-platform/tests/content-security-policy/support/fail.png create mode 100644 testing/web-platform/tests/content-security-policy/support/inject-image.js create mode 100644 testing/web-platform/tests/content-security-policy/support/logTest.sub.js create mode 100644 testing/web-platform/tests/content-security-policy/support/media/flash.swf create mode 100644 testing/web-platform/tests/content-security-policy/support/pass.png create mode 100644 testing/web-platform/tests/content-security-policy/support/report.py create mode 100644 testing/web-platform/tests/content-security-policy/support/siblingPath.js create mode 100644 testing/web-platform/tests/content-security-policy/svg/including.sub.svg create mode 100644 testing/web-platform/tests/content-security-policy/svg/including.sub.svg.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/svg/scripted.svg create mode 100644 testing/web-platform/tests/content-security-policy/svg/scripted.svg.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/svg/svg-from-guid.html create mode 100644 
testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html create mode 100644 testing/web-platform/tests/content-security-policy/svg/svg-inline.sub.html.sub.headers create mode 100644 testing/web-platform/tests/content-security-policy/svg/svg-policy-resource-doc-includes.html create mode 100644 testing/web-platform/tests/content-security-policy/svg/svg-policy-with-resource.html (limited to 'testing/web-platform/tests/content-security-policy') diff --git a/testing/web-platform/tests/content-security-policy/OWNERS b/testing/web-platform/tests/content-security-policy/OWNERS new file mode 100644 index 000000000..273486074 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/OWNERS @@ -0,0 +1,2 @@ +@sideshowbarker +@hillbrad diff --git a/testing/web-platform/tests/content-security-policy/README.css b/testing/web-platform/tests/content-security-policy/README.css new file mode 100644 index 000000000..d47a5034b --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/README.css @@ -0,0 +1,27 @@ + +.code { + font-family: monospace; + color: darkorange; +} + +.codeTitle { + font-family: sans-serif; + padding: .3em; + margin-bottom: -1em; + background: #ffe; + border-color: #ccc; + border-width: 1px; + border-style: groove; +} + +.highlight1 { + background: yellow; +} + +.highlight2 { + background: pink; +} + +body { + font-family: sans-serif; +} diff --git a/testing/web-platform/tests/content-security-policy/README.html b/testing/web-platform/tests/content-security-policy/README.html new file mode 100644 index 000000000..e2c3e38c6 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/README.html @@ -0,0 +1,118 @@ + + + + + Introduction to Writing Content Security Policy Tests + + + + + + + +

Introduction to Writing Content Security Policy Tests

+

The CSP test suite uses the standard W3C testharness.js framework, but there are a few additional things you'll need to do because of the unique way CSP works, even if you're already an expert at writing W3C tests. These tests require the use of the + wptserve server (included in the web-platform-tests repository) to operate correctly.

+ +

What's different about writing CSP tests?

+ +

Headers

+

Content Security Policy is preferentially set through an HTTP header. This means we can't do our tests just as a simple set of HTML+CSS+JS files. Luckily the wptserver framework provides an easy method to add headers to a file.

+

If my file is named example.html then I can create a file + example.html.headers to define the headers that will be served with it. If I need to do template substitutions in the headers, I can instead create a file named example.html.sub.headers.

+ +

Negative Test Cases and Blocked Script Execution

+

Another interesting feature of CSP is that it prevents things from happening. It even can and prevent script from running. How do we write tests that detect something didn't happen?

+ +

Checking Reports

+

CSP also has a feature to send a report. We ideally want to check that whenever a policy is enforced, a report is sent. This also helps us with the previous problem - if it is difficult to observe something not happening, we can still check that a report fired.

+ +

Putting it Together

+

Here's an example of a simple test. (ignore the highlights for now...) This file lives in the + /content-security-policy/script-src/ directory.

+ +

script-src-1_1.html

+
<!DOCTYPE HTML>
+<html>
+<head>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>Inline script should not run without 'unsafe-inline' script-src directive.</h1>
+    <div id='log'></div>
+
+    <script>
+    test(function() {
+        asset_unreached('Unsafe inline script ran.')},
+        'Inline script in a script tag should not run without an unsafe-inline directive'
+    );
+    </script>
+
+    <img src='doesnotexist.jpg' onerror='test(function() { assert_false(true, "Unsafe inline event handler ran.") }, "Inline event handlers should not run without an unsafe-inline directive");'>
+
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script>
+
+</body>
+</html>
+        
+ + +

This code includes three tests. The first one in the script block will generate a failure if it runs. The second one, in the onerror handler for the img which does not exist should also generate a failure if it runs. But for a successful CSP implementation, neither of these tests does run. The final test is run by the link to ../support/checkReport.sub.js. It will load some script in the page (make sure its not blocked by your policy!) which contacts the server asynchronously and sees if the expected report was sent. This should always run an generate a positive or negative result even if the inline tests are blocked as we expect.

+ +

Now, to acutally exercise these tests against a policy, we'll need to set headers. In the same directory we'll place this file:

+ +

script-src-1_1.html.sub.headers

+

+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self'; report-uri  ../support/report.py?op=put&reportID={{$id}}
+        
+

This sets some headers to prevent caching (just so we are more likely to see our latest changes if we're actively developing this test) sets a cookie (more on that later) and sets the relevant Content-Security-Policy header for our test case.

+ +

What about those highlights?

+

In production code we don't like to repeat ourselves. For this test suite, we'll relax that rule a little bit. Why? It's easier to have many people contributing "safe" files using some template substitutions than require every file to be executable content like Python or PHP which would require much more careful code review. The highlights show where you have to be careful as you repeat yourself in more limited static files. +

+ +

The YELLOW highlighted text is information that must be the same between both files for report checking to work correctly. In the html file, we're telling + checkReport.sub.js to check the value of the + violated-directive key in the report JSON. So it needs to match (after URL encoding) the directive we set in the header.

+ +

The PINK highlighted text is information that must be repeated from the path and filename of your test file into the headers file. The name of the cookie must match the name of the test file without its extension, the path for the cookie must be correct, and the relative path component to the report-uri must also be corrected if you nest your tests more than one directory deep.

+ +

Check Your Effects!

+

A good test case should also verify the state of the DOM in addition to checking the report - after all, a browser might send a report without actually blocking the banned content. Note that in a browser without CSP support there will be three failures on the example page as the inline script executes.

+

How exactly you check your effects will depend on the directive, but don't hesitate to use script for testing to see if computed styles are as expected, if layouts changed or if certain elements were added to the DOM. Checking that the report also fired is just the final step of verifing correct behavior.

+ +

Note that avoiding inline script is good style and good habits, but not 100% necessary for every test case. Go ahead and specify 'unsafe-inline' if it makes your life easier.

+ +

Report Existence Only and Double-Negative Tests

+

If you want to check that a report exists, or verify that a report wasn't sent for a double-negative test case, + you can pass ?reportExists=[true|false] to checkReport.sub.js instead of reportField and reportValue.

+ +

How does the magic happen?

+

Behind the scenes, a few things are going on in the framework.

+
    +
  1. The {{$id:uuid}} templating marker in the headers file tells the wptserve HTTP server to create a new unique id and assign it to a variable, which we can re-use as {{$id}}.
  2. +
  3. We'll use this UUID in two places: +
      +
    1. As a GET parameter to our reporting script, to uniquely identify this instance of the test case so our report can be stored and retrieved. +
    2. +
    3. As a cookie value associated with the filename, so script in the page context can learn what UUID the report was sent under.
    4. +
    +
  4. +
  5. The report listener is a simple python file that stashes the report value under its UUID and allows it to be retrieved again, exactly once.
  6. +
  7. checkReport.sub.js then grabs the current path information and uses that to find the cookie holding the report UUID. It deletes that cookie (otherwise the test suite would overrun the maximum size of a cookie header allowed) then makes an XMLHttpRequest to the report listener to retrieve the report, parse it and verify the contents as per the parameters it was loaded with.
  8. +
+ +

Why all these gymnastics? CSP reports are delivered by an anonymous fetch. This means that the browser does not process the response headers, body, or allow any state changes as a result. So we can't pull a trick like just echoing the report contents back in a Set-Cookie header or writing them to local storage.

+ +

Luckily, you shouldn't have to worry about this magic much, as long as you get the incantation correct.

+ + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/allowed.css b/testing/web-platform/tests/content-security-policy/blink-contrib-2/allowed.css new file mode 100644 index 000000000..ace543489 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/allowed.css @@ -0,0 +1,3 @@ +#test { + color: green; +} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html new file mode 100644 index 000000000..143777407 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html @@ -0,0 +1,36 @@ + + + + + + base-uri-allow + + + + + + + + + + +

Check that base URIs can be set if they do not violate the page's policy.

+
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html.sub.headers new file mode 100644 index 000000000..e749d7238 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: base-uri-allow={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: base-uri http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline' http://www1.{{host}}:{{ports[http][0]}}; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html new file mode 100644 index 000000000..f2b7c591e --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html @@ -0,0 +1,33 @@ + + + + + + base-uri-deny + + + + + + + + + + +
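Review bot: The second `Cache-Control` line in base-uri-allow.sub.html.sub.headers ends in a stray `false` token, which is not a cache directive. It looks like an argument carried over from a PHP-style header() call, though that is inferred. Recipients ignore unknown directives, so caching behaviour is unchanged, but the line would read correctly as `Cache-Control: post-check=0, pre-check=0`. The same line is repeated in the other .sub.headers files added by this commit (base-uri-deny, the form-action-src-* files and meta-outside-head), so one fix applies to all of them.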

Check that base URIs cannot be set if they violate the page's policy.

+
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html.sub.headers new file mode 100644 index 000000000..0312c46d0 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: base-uri-deny={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: base-uri 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html new file mode 100644 index 000000000..19cf6811c --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html @@ -0,0 +1,40 @@ + + + + + + form-action-src-allowed + + + + + + + + + + + +
+ + +
+

Tests that allowed form actions work correctly.

+
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html.sub.headers new file mode 100644 index 000000000..88cbfda0e --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: form-action-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html new file mode 100644 index 000000000..0960a8a02 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html @@ -0,0 +1,40 @@ + + + + + + form-action-src-blocked + + + + + + + + + + +
+ + +
+

Tests that blocking form actions works correctly.

+
+ + + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html.sub.headers new file mode 100644 index 000000000..29351c008 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: form-action-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html new file mode 100644 index 000000000..32823d680 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html @@ -0,0 +1,40 @@ + + + + + + form-action-src-default-ignored + + + + + + + + + + + +
+ + +
+

Tests that default-src does not cascade to form-action.

+
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html.sub.headers new file mode 100644 index 000000000..1abbcf50c --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: form-action-src-default-ignored={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; frame-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html new file mode 100644 index 000000000..a7d3e584b --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html @@ -0,0 +1,42 @@ + + + + + + form-action-src-allowed + + + + + + + + + + + +
+ + + +
+

Tests that allowed form actions work correctly + with GET and a redirect.

+
+ + + + \ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html.sub.headers new file mode 100644 index 000000000..ac8761518 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: form-action-src-get-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html new file mode 100644 index 000000000..0910eb419 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html @@ -0,0 +1,43 @@ + + + + + + form-action-src-allowed + + + + + + + + + + + +
+ + + +
+

Tests that disallowed form actions are blocked + with GET and redirects.

+
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html.sub.headers new file mode 100644 index 000000000..e7a044dbc --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: form-action-src-get-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html new file mode 100644 index 000000000..c362ea6fd --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html @@ -0,0 +1,34 @@ + + + + + + form-action-src-javascript-blocked + + + + + + + + + +
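Review bot: The title text in form-action-src-get-blocked.sub.html reads `form-action-src-allowed`, which matches neither the file name nor what the test asserts (that a disallowed GET form action is blocked). The markup is not visible in this rendering, so this is assumed to be the `<title>` element. A mislabelled title can make a failure of the blocking case look like a failure of the allow case when results are read by page title. The title should be `form-action-src-get-blocked`. form-action-src-get-allowed.sub.html carries the same copied title and should become `form-action-src-get-allowed`.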
+ + +
+

Tests that blocking form actions works correctly. If this test passes, a CSP violation will be generated, and will not see a JavaScript alert.

+
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html.sub.headers new file mode 100644 index 000000000..ffa2288c0 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: form-action-src-javascript-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: form-action 'none'; script-src 'self' 'nonce-noncynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html new file mode 100644 index 000000000..e311817eb --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html @@ -0,0 +1,41 @@ + + + + + + form-action-src-redirect-blocked + + + + + + + + + + + +
+ + +
+

Tests that blocking a POST form with a redirect works correctly. If this test passes, a CSP violation will be generated.

+
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html.sub.headers new file mode 100644 index 000000000..ee767f4a7 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: form-action-src-redirect-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html new file mode 100644 index 000000000..41618d4ef --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html @@ -0,0 +1,27 @@ + + + + + + meta-outside-head + + + + + + + + + +

This test checks that Content Security Policy delivered via a meta element is not enforced if the element is outside the document's head.

+ + +
+ + + +
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html.sub.headers
new file mode 100644
index 000000000..3cd335192
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: meta-outside-head={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'none'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/metaHelper.js b/testing/web-platform/tests/content-security-policy/blink-contrib-2/metaHelper.js
new file mode 100644
index 000000000..9191a39c7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/metaHelper.js
@@ -0,0 +1,5 @@
+if (typeof aa != 'undefined') {
+ alert_assert(aa);
+} else {
+ alert_assert("Failed - allowed inline script blocked by meta policy outside head.");
+}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html
new file mode 100644
index 000000000..fe3f95878
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html
@@ -0,0 +1,24 @@
+ + + + + + plugintypes-mismatched-data + + + + + + + + + + This tests that plugin content that doesn't match the declared type doesn't load, even if the document's CSP would allow it. This test passes if "FAIL!" isn't logged. + +
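Review bot: In the `Content-Security-Policy` line of meta-outside-head.sub.html.sub.headers, `'none'` is listed after `'self' 'unsafe-inline'` inside `script-src`. CSP gives `'none'` its meaning only when it is the sole expression of a source list, so here it is ignored and the policy the browser enforces is `script-src 'self' 'unsafe-inline'`. If that is the intent, the fixture reads more honestly without the token: `script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri …`. If the stray token is deliberate (for example to exercise parsing), the test description should say so, because a reader skimming the header could take it for a blocking policy.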
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html.sub.headers new file mode 100644 index 000000000..4e5b31b2a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: plugintypes-mismatched-data={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html new file mode 100644 index 000000000..bc60994ad --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html @@ -0,0 +1,24 @@ + + + + + + plugintypes-mismatched-url + + + + + + + + + + This tests that plugin content that doesn't match the declared type doesn't load, even if the document's CSP would allow it. This test passes if no iframe is dumped (meaning that no PluginDocument was created). + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html.sub.headers new file mode 100644 index 000000000..38a7450ab --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: plugintypes-mismatched-url={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html new file mode 100644 index 000000000..eb60d5d4c --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html @@ -0,0 +1,23 @@ + + + + + + plugintypes-notype-data + + + + + + + + + Given a `plugin-types` directive, plugins have to declare a type explicitly. No declared type, no load. This test passes if there's a CSP report and "FAIL!" isn't logged. + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html.sub.headers new file mode 100644 index 000000000..ea938378a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: plugintypes-notype-data={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html new file mode 100644 index 000000000..e9918941f --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html @@ -0,0 +1,24 @@ + + + + + + plugintypes-notype-url + + + + + + + + + + Given a `plugin-types` directive, plugins have to declare a type explicitly. No declared type, no load. This test passes if there's an error report is sent. + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html.sub.headers new file mode 100644 index 000000000..ffe26cdf1 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: plugintypes-notype-url={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html new file mode 100644 index 000000000..222d6500d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html @@ -0,0 +1,23 @@ + + + + + + plugintypes-nourl-allowed + + + + + + + + + This test passes if there isn't a CSP violation sayingthe plugin was blocked. + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html.sub.headers new file mode 100644 index 000000000..7fef2a5b5 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: plugintypes-nourl-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: plugin-types application/x-webkit-test-netscape; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html new file mode 100644 index 000000000..b5cc5a5a4 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html @@ -0,0 +1,23 @@ + + + + + + plugintypes-nourl-blocked + + + + + + + + + This test passes if there is a CSP violation sayingthe plugin was blocked. + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html.sub.headers new file mode 100644 index 000000000..709bf90df --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: plugintypes-nourl-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: plugin-types text/plain; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html new file mode 100644 index 000000000..2a94692ee --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html @@ -0,0 +1,65 @@ + + + + script-src disallowed wildcard use + + + + + + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html.sub.headers new file mode 100644 index 000000000..cd9543913 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html.sub.headers 
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-wildcards-disallowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'nonce-nonce' *; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html
new file mode 100644
index 000000000..a7a217448
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html
@@ -0,0 +1,42 @@
+ + + + + + scripthash-allowed + + + + + + + + + + + +

+ This tests the effect of a valid script-hash value. It passes if no CSP violation is generated, and the alert_assert() is executed. +

+
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html.sub.headers new file mode 100644 index 000000000..e0fe373b6 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: scripthash-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: script-src 'self' 'sha256-IFmozo9WnnsMXVl/Ka8XzJ3Nd8yzS2zA2ME0mwtd+Ck=' 'sha256-jSpTmJKcrnHttKdYM/wCCDJoQY5tdSxNf7zd2prwFfI=' 'sha256-qbgA2XjB2EZKjn/UmK7v/K77t+fvfxA89QT/K9qPNyE=' 'sha256-K+7X5Ip3msvRvyQzf6fkrWZziuhaUIee1aLnlP5nX10='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html new file mode 100644 index 000000000..ac7b2c02f --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html @@ -0,0 +1,69 @@ + + + + + + scripthash-basic-blocked + + + + + + + + + + + + + +

+ This tests the effect of a valid script-hash value, with one valid script and several invalid ones. It passes if one alert is executed and a CSP violation is reported. +

+
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html.sub.headers new file mode 100644 index 000000000..6a92e06f4 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: scripthash-basic-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: script-src 'self' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html new file mode 100644 index 000000000..a11a224ae --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html @@ -0,0 +1,15 @@ + + + + script-hash allowed from default-src + + + + + + + +
+ + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html.sub.headers new file mode 100644 index 000000000..d8893af41 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: scripthash-default-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: default-src 'self' 'sha256-sc3CeiHrlck5tH2tTC4MnBYFnI9D5zp8f9odqnmGQjE='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html new file mode 100644 index 000000000..545099e08 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html @@ -0,0 +1,57 @@ + + + + + + scripthash-ignore-unsafeinline + + + + + + + + + + +

+ This tests that a valid hash value disables inline JavaScript, even if 'unsafe-inline' is present. +

+
+ + + +
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html.sub.headers
new file mode 100644
index 000000000..fb3fc7655
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripthash-ignore-unsafeinline={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' unsafe-inline' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html
new file mode 100644
index 000000000..bd1e0365c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html
@@ -0,0 +1,71 @@
+ + + + + + scripthash-unicode-normalization + + + + + + + + + + + +
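Review bot: The `Content-Security-Policy` line of scripthash-ignore-unsafeinline.sub.html.sub.headers writes the keyword as `unsafe-inline'`, without its opening quote. That token is not the `'unsafe-inline'` keyword and is ignored as a source expression, so the served policy carries only `'self'` and the two hashes. The test is named for the case where a hash is present together with `'unsafe-inline'`, and as written it would still pass in a browser that does not let a hash override `'unsafe-inline'`. The header should read `script-src 'self' 'unsafe-inline' 'sha256-…' 'sha256-…'; …`, as the sibling scriptnonce-ignore-unsafeinline.sub.html.sub.headers already quotes it.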

+ This tests Unicode normalization. While appearing the same, the strings in the scripts are different Unicode points, but through normalization, should be the same when the hash is taken. +

+
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html.sub.headers new file mode 100644 index 000000000..a23724f8a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: scripthash-unicode-normalization={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: script-src 'self' 'nonce-nonceynonce' 'sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html new file mode 100644 index 000000000..2a1321d24 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html @@ -0,0 +1,64 @@ + + + + + + scriptnonce-allowed + + + + + + + + + + +

+ This tests the effect of a valid script-nonce value. It passes if no CSP violation is generated and the alerts are executed. +

+
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html.sub.headers new file mode 100644 index 000000000..a69c927c9 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: scriptnonce-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: script-src 'self' 'nonce-noncynonce' 'nonce-noncy+/=nonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html new file mode 100644 index 000000000..2b333cbea --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html @@ -0,0 +1,76 @@ + + + + + + scriptnonce-and-scripthash + + + + + + + + + + + + + +

+ This tests the combined use of script hash and script nonce. It passes if a CSP violation is generated and the three alerts show PASS. +

+
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html.sub.headers new file mode 100644 index 000000000..afa33e6df --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: scriptnonce-and-scripthash={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html new file mode 100644 index 000000000..4815ca100 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html @@ -0,0 +1,43 @@ + + + + + + scriptnonce-basic-blocked + + + + + + + + + + + + +

+ This tests the effect of a valid script-nonce value. It passes if a CSP violation is generated, and the two PASS alerts are executed. +

+
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html.sub.headers new file mode 100644 index 000000000..ee4e8b3f0 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: scriptnonce-basic-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: script-src 'self' 'nonce-noncynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html new file mode 100644 index 000000000..d1b97dfb9 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html @@ -0,0 +1,72 @@ + + + + + + scriptnonce-ignore-unsafeinline + + + + + + + + + + + + +

+ This tests that a valid nonce disables inline JavaScript, even if 'unsafe-inline' is present. +

+
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html.sub.headers new file mode 100644 index 000000000..01f7e185a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: scriptnonce-ignore-unsafeinline={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/=nonce' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html new file mode 100644 index 000000000..a17f1fb5c --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html @@ -0,0 +1,59 @@ + + + + + + scriptnonce-redirect + + + + + + + + + This tests whether a deferred script load caused by a redirect is properly allowed by a nonce. + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html.sub.headers new file mode 100644 index 000000000..8d71f88d5 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: scriptnonce-redirect={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html new file mode 100644 index 000000000..82cad0347 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html @@ -0,0 +1,27 @@ + + + + + + securitypolicyviolation-block-cross-origin-image-from-script + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.sub.headers new file mode 100644 index 000000000..723ed281f --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: securitypolicyviolation-block-cross-origin-image-from-script={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html new file mode 100644 index 000000000..9b7dc32e1 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html @@ -0,0 +1,29 @@ + + + + + + securitypolicyviolation-block-cross-origin-image + + + + + + + + + +

Check that a SecurityPolicyViolationEvent strips detail from cross-origin blocked URLs.

+
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html.sub.headers new file mode 100644 index 000000000..d701a476f --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: securitypolicyviolation-block-cross-origin-image={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html new file mode 100644 index 000000000..33facfbc3 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html @@ -0,0 +1,29 @@ + + + + + + securitypolicyviolation-block-image-from-script + + + + + + + + + +

Check that a SecurityPolicyViolationEvent is fired upon blocking an image injected via script.

+
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html.sub.headers new file mode 100644 index 000000000..6b6084dc5 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: securitypolicyviolation-block-image-from-script={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html new file mode 100644 index 000000000..3e62e2d35 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html @@ -0,0 +1,34 @@ + + + + + + securitypolicyviolation-block-image + + + + + + + + + +

Check that a SecurityPolicyViolationEvent is fired upon blocking an image.

+
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html.sub.headers new file mode 100644 index 000000000..1f4f84578 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: securitypolicyviolation-block-image={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html new file mode 100644 index 000000000..282b18502 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html @@ -0,0 +1,77 @@ + + + + + + stylehash-allowed + + + + + + + + +

This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p1 is fired.

+

This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p2 is fired.

+

This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p3 is fired.

+

This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p4 is fired.

+ + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html.sub.headers new file mode 100644 index 000000000..2b519e85e --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: stylehash-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: style-src 'self' 'sha256-pAKi9r4/WB7fHydbE3F3t8i8602ij2JN8zHJpL2T5BM=' 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw=' 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcSt' 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9KqwvCSapSz5CVoUGHQcxv43UQg=='; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html new file mode 100644 index 000000000..274db0140 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html @@ -0,0 +1,61 @@ + + + + + + stylehash-basic-blocked + + + + + + + + + + + + +

+ This tests the effect of a valid style-hash value, with one valid style and several invalid ones. It passes if the valid style is applied and a CSP violation is generated. +

+ +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html.sub.headers new file mode 100644 index 000000000..ac9ca4e87 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: stylehash-basic-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: style-src 'self' 'sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo='; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html new file mode 100644 index 000000000..159338c6d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html @@ -0,0 +1,21 @@ + + + + stylehash allowed from default-src + + + + + +
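Review bot: The `style-src` in `stylehash-basic-blocked.sub.html.sub.headers` allow-lists its one style with `'sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo='`, but the CSP hash-source grammar defines only `sha256`, `sha384` and `sha512`. A conforming user agent drops the unknown `sha1-` expression, so the style the test description calls valid would be blocked along with the invalid ones, and the test can only pass on an engine that still accepts SHA-1 digests. Recompute the digest of that inline style and use `'sha256-<base64 SHA-256 digest of the valid style>'` in the header. The style text is in the companion `.sub.html` hunk and is not readable here, so the digest has to be generated from the file itself.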

Test

+ + + +
+ + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html.sub.headers new file mode 100644 index 000000000..8efe9d965 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: stylehash-default-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: default-src 'self' 'sha256-SXMrww9+PS7ymkxYbv91id+HfXeO7p1uCY0xhNb4MIw='; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html new file mode 100644 index 000000000..c8622ba24 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html @@ -0,0 +1,54 @@ + + + + + + stylenonce-allowed + + + + + + + + + + + + +

This text should be green.

+

This text should also be green.

+ +

Style correctly whitelisted via a 'nonce-*' expression in 'style-src' should be applied to the page.

+
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html.sub.headers new file mode 100644 index 000000000..28c85c91a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: stylenonce-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: style-src 'self' 'nonce-noncynonce' 'nonce-noncy+/=nonce'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html new file mode 100644 index 000000000..43204f64d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html @@ -0,0 +1,38 @@ + + + + + + stylenonce-blocked + + + + + + + + + + + +

This text should be green.

+ +

Style that does not match a 'nonce-*' expression in 'style-src' should not be applied to the page.

+
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html.sub.headers new file mode 100644 index 000000000..e51a02dd0 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: stylenonce-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2 +Content-Security-Policy: style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html new file mode 100644 index 000000000..912a29e0b --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html @@ -0,0 +1,36 @@ + + + + + + blob-urls-do-not-match-self + + + + + + + + +

+ blob: URLs are same-origin with the page in which they were created, but explicitly do not match the 'self' or '*' source in CSP directives because they are more akin to 'unsafe-inline' content. +

+ +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html.sub.headers new file mode 100644 index 000000000..cbfc8d4e4 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: blob-urls-do-not-match-self={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; child-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html new file mode 100644 index 000000000..819c1a699 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html @@ -0,0 +1,36 @@ + + + + + + blob-urls-match-blob + + + + + + + + +

+ blob: URLs are same-origin with the page in which they were created, but match only if the blob: scheme is specified. +

+ +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html.sub.headers new file mode 100644 index 000000000..be74e61a7 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/blob-urls-match-blob.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: blob-urls-match-blob={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline' blob:; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html new file mode 100644 index 000000000..66b86f195 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html @@ -0,0 +1,51 @@ + + + + + + + combine-header-and-meta-policies + + + + + + + + +

Test passes if both style and image are blocked and a report is generated for the + style block from the header-supplied policy.

+ + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html.sub.headers new file mode 100644 index 000000000..b1f0e7f01 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: combine-header-and-meta-policies={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/combine-multiple-header-policies.html.asis b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-multiple-header-policies.html.asis new file mode 100644 index 000000000..a14be5cd9 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/combine-multiple-header-policies.html.asis 
@@ -0,0 +1,60 @@ +HTTP/1.1 200 OK +Content-Type: text/html +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: combine-multiple-policies=d0140e7d-3800-4842-b66d-370840a4569a; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID=d0140e7d-3800-4842-b66d-370840a4569a +Content-Security-Policy: img-src 'none' + + + + + + + + combine-multiple-policies + + + + + + + + + This test checks that we enforce all the supplied policies. This test passe if it doesn't alert fail and if the style doesn't apply. + Check that a SecurityPolicyViolationEvent is fired upon blocking an image. + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html new file mode 100644 index 000000000..2beb00d02 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html @@ -0,0 +1,41 @@ + + + + + + connect-src-beacon-allowed + + + + + + + + + +
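Review bot: `combine-multiple-header-policies.html.asis` hard-codes `d0140e7d-3800-4842-b66d-370840a4569a` as both the cookie value and the `reportID`, where the sibling `.sub.headers` files draw a fresh `{{$id:uuid()}}` on every load. With a fixed ID, a report stored by an earlier or concurrent run can presumably satisfy this run's report check, so the test may pass without the current policy having fired. The cookie is also named `combine-multiple-policies` although the file is `combine-multiple-header-policies`; the other tests name the cookie after the file, so confirm the report helper looks up the right name. The `.sub.headers` files already carry two `Cache-Control` lines, so serving the two `Content-Security-Policy` headers through a templated `.sub.headers` file looks feasible and would remove the static ID. The description also reads `This test passe`, which should be `passes`.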
+ + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html.sub.headers new file mode 100644 index 000000000..bd3eda40a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: connect-src-beacon-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html new file mode 100644 index 000000000..f68d3c384 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html @@ -0,0 +1,40 @@ + + + + + + connect-src-beacon-blocked + + + + + + + + + +
+ + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html.sub.headers new file mode 100644 index 000000000..69ded8da7 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: connect-src-beacon-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html new file mode 100644 index 000000000..3d03100e3 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html @@ -0,0 +1,41 @@ + + + + + + connect-src-beacon-redirect-to-blocked + + + + + + + + + +

The beacon should not follow the redirect to http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png and send a CSP violation report.

+

Verify that a CSP connect-src directive blocks redirects.

+ +
+ + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html.sub.headers new file mode 100644 index 000000000..2c69d0dc8 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: connect-src-beacon-redirect-to-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html new file mode 100644 index 000000000..b3a65f1c1 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html @@ -0,0 +1,30 @@ + + + + + + connect-src-eventsource-allowed + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html.sub.headers new file mode 100644 index 000000000..eff5c546a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: connect-src-eventsource-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html new file mode 100644 index 000000000..5be570c46 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html @@ -0,0 +1,40 @@ + + + + + + connect-src-eventsource-blocked + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html.sub.headers new file mode 100644 index 000000000..ac37816a4 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: connect-src-eventsource-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html new file mode 100644 index 000000000..a3ba4bad0 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html @@ -0,0 +1,39 @@ + + + + + + connect-src-eventsource-redirect-to-blocked + + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html.sub.headers new file mode 100644 index 000000000..c63c8a9de --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: connect-src-eventsource-redirect-to-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: connect-src 'self' http://{{host}}:{{ports[http][0]}}/security/contentSecurityPolicy/resources/redir.php; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html new file mode 100644 index 000000000..4e8499bd4 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html @@ -0,0 +1,30 @@ + + + + + + connect-src-websocket-allowed + + + + + + + + + +
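Review bot: The `connect-src` list in `connect-src-eventsource-redirect-to-blocked.sub.html.sub.headers` names `http://{{host}}:{{ports[http][0]}}/security/contentSecurityPolicy/resources/redir.php`, a path outside the `/content-security-policy/` tree that the other resources in this commit live under. It looks like a leftover from the suite this test was ported from. Depending on which URL the page opens, the expression is either dead, because a same-origin redirector is already covered by `'self'`, or it fails to match and the initial request is refused before any redirect is reached. In the second case the test reports a block without exercising the redirect check. The page's script is not readable in this hunk, so confirm the redirector URL it uses and put that exact path in the source expression.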
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html.sub.headers new file mode 100644 index 000000000..707435174 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: connect-src-websocket-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: connect-src 'self' ws://127.0.0.1:8880; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html new file mode 100644 index 000000000..68f86dec6 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html @@ -0,0 +1,30 @@ + + + + + + connect-src-websocket-blocked + + + + + + + + + +
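Review bot: `connect-src 'self' ws://127.0.0.1:8880` in `connect-src-websocket-allowed.sub.html.sub.headers` pins the WebSocket allow-list to a loopback address and a fixed port, while the neighbouring headers files take host and port from the server (`http://{{host}}:{{ports[http][0]}}`). On a runner whose WebSocket server listens elsewhere, the allowed case is blocked and the result no longer says anything about the `connect-src` check. The file already goes through `.sub` substitution, so `connect-src 'self' ws://{{host}}:{{ports[ws][0]}};` keeps it in step with the harness; the WebSocket URL the page opens (not readable in this hunk) needs the matching change. `connect-src-websocket-blocked.sub.html.sub.headers` carries the identical policy and needs the same treatment.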
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html.sub.headers new file mode 100644 index 000000000..69036f5bd --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-websocket-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: connect-src-websocket-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: connect-src 'self' ws://127.0.0.1:8880; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html new file mode 100644 index 000000000..a2ad12186 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html @@ -0,0 +1,31 @@ + + + + + + connect-src-xmlhttprequest-allowed + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html.sub.headers new file mode 100644 index 000000000..dbabcad7a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: connect-src-xmlhttprequest-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html new file mode 100644 index 000000000..014bb21ae --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html @@ -0,0 +1,37 @@ + + + + + + connect-src-xmlhttprequest-blocked + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html.sub.headers new file mode 100644 index 000000000..d338034cf --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: connect-src-xmlhttprequest-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html new file mode 100644 index 000000000..6fc0769b6 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html @@ -0,0 +1,45 @@ + + + + + + connect-src-xmlhttprequest-redirect-to-blocked + + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html.sub.headers new file mode 100644 index 000000000..452104ecd --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: connect-src-xmlhttprequest-redirect-to-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html new file mode 100644 index 000000000..f5859087a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html @@ -0,0 +1,26 @@ + + + + + + default-src-inline-allowed + + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html.sub.headers new file mode 100644 index 000000000..f223f0661 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: default-src-inline-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: default-src 'self' about: 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html new file mode 100644 index 000000000..ad66a9d1f --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html @@ -0,0 +1,27 @@ + + + + + + default-src-inline-blocked + + + + + + + This test passes if the inline scripts don't create failing tests and a CSP report is sent. + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html.sub.headers new file mode 100644 index 000000000..63ea706f9 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/default-src-inline-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: default-src-inline-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: default-src 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html new file mode 100644 index 000000000..4336b729b --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html @@ -0,0 +1,29 @@ + + + + + + duplicate-directive + + + + + + + + + + +

+ This tests the effect of duplicated directives. It passes if the alert_assert() is executed. +

+
+ + + +
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html.sub.headers
new file mode 100644
index 000000000..eefd7197f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/duplicate-directive.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: duplicate-directive={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; script-src 'none'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html
new file mode 100644
index 000000000..88da806a8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html
@@ -0,0 +1,29 @@
+ + + + + + eval-allowed + + + + + + + + + + +
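Review bot: `'unsafe-inline'` appears twice in the first `script-src` list of duplicate-directive.sub.html.sub.headers (`script-src 'self' 'unsafe-inline' 'unsafe-inline'; script-src 'none'`), which is easy to misread as part of the duplication under test. Only the repeated directive matters here: the test text says it passes when the inline `alert_assert()` runs, so the first `script-src` is the one expected to apply and the later `script-src 'none'` to be ignored. The value would be clearer with the first list written as `script-src 'self' 'unsafe-inline'` and everything after it unchanged. The same doubled keyword is in the headers for eval-allowed, eval-blocked, eval-blocked-in-about-blank-iframe, the eval-scripts-setInterval and eval-scripts-setTimeout pairs, function-constructor-allowed/blocked and image-allowed, and iframe-inside-csp lists `'self'` twice; in the allowed/blocked pairs the only token that changes the outcome is `'unsafe-eval'`.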
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html.sub.headers new file mode 100644 index 000000000..6bf55a116 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: eval-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html new file mode 100644 index 000000000..599b01c31 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html @@ -0,0 +1,29 @@ + + + + + + eval-blocked-and-sends-report + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html.sub.headers new file mode 100644 index 000000000..f197e41de --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-and-sends-report.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: eval-blocked-and-sends-report={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html new file mode 100644 index 000000000..449f9d192 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html @@ -0,0 +1,10 @@ + + +Eval should be blocked in the iframe, but inline script should be allowed. + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html.sub.headers new file mode 100644 index 000000000..224f25ba7 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked-in-about-blank-iframe.sub.html.sub.headers 
@@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: eval-blocked-in-about-blank-iframe={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html new file mode 100644 index 000000000..229667e7d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html @@ -0,0 +1,37 @@ + + + + + + eval-blocked + + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html.sub.headers new file mode 100644 index 000000000..124f56bfa --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: eval-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html new file mode 100644 index 000000000..66fa95d31 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html @@ -0,0 +1,31 @@ + + + + + + eval-scripts-setInterval-allowed + + + + + + +
+
+
+ + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html.sub.headers new file mode 100644 index 000000000..f13ba4c64 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: eval-scripts-setInterval-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html new file mode 100644 index 000000000..45d873c80 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html @@ -0,0 +1,31 @@ + + + + + + eval-scripts-setInterval-blocked + + + + + + +
+
+
+ + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html.sub.headers new file mode 100644 index 000000000..1bd6b636d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setInterval-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: eval-scripts-setInterval-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html new file mode 100644 index 000000000..9b2e595e5 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html @@ -0,0 +1,30 @@ + + + + + + eval-scripts-setTimeout-allowed + + + + + + +
+
+
+ + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html.sub.headers new file mode 100644 index 000000000..4d664d600 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: eval-scripts-setTimeout-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html new file mode 100644 index 000000000..72ed2ce1a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html @@ -0,0 +1,30 @@ + + + + + + eval-scripts-setTimeout-blocked + + + + + + +
+
+
+ + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html.sub.headers new file mode 100644 index 000000000..81537fe3e --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/eval-scripts-setTimeout-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: eval-scripts-setTimeout-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html new file mode 100644 index 000000000..f9e814a1e --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html @@ -0,0 +1,62 @@ + + + + + + filesystem-urls-do-not-match-self + + + + + + + + +

+ filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the 'self' or '*' source in CSP directives because they are more akin to 'unsafe-inline' content.. +

+ +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html.sub.headers new file mode 100644 index 000000000..a68e2a3df --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-do-not-match-self.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: filesystem-urls-do-not-match-self={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html new file mode 100644 index 000000000..99e8592e5 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html @@ -0,0 +1,59 @@ + + + + + + filesystem-urls-match-filesystem + + + + + + + + +

+ filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the 'self' or '*' source in CSP directives because they are more akin to 'unsafe-inline' content, but should match filesystem: source. +

+ +
+ + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html.sub.headers new file mode 100644 index 000000000..f9956ede8 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/filesystem-urls-match-filesystem.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: filesystem-urls-match-filesystem={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline' filesystem:; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html new file mode 100644 index 000000000..a363ce911 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html @@ -0,0 +1,24 @@ + + + + + + frame-src-about-blank-allowed-by-default + + + + +

These frames should not be blocked by Content-Security-Policy. + It's pointless to block about:blank iframes because + blocking a frame just results in displaying about:blank anyway! +

+ + + +
+ + + + \ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html.sub.headers new file mode 100644 index 000000000..ba1169956 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-default.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: frame-src-about-blank-allowed-by-default={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: frame-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html new file mode 100644 index 000000000..e4c47392c --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html @@ -0,0 +1,20 @@ + + + + + + frame-src-about-blank-allowed-by-scheme + + + + +

This frame should not be blocked by Content-Security-Policy. +

+ +
+ + + + \ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html.sub.headers new file mode 100644 index 000000000..e23b82a93 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: frame-src-about-blank-allowed-by-scheme={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: frame-src about:; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html new file mode 100644 index 000000000..1d34679c8 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html @@ -0,0 +1,63 @@ + + + + + frame-src-allowed + + + + + +

+ This iframe should be allowed. +

+ + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html.sub.headers new file mode 100644 index 000000000..05247b402 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: frame-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: frame-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html new file mode 100644 index 000000000..fe7555aeb --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html @@ -0,0 +1,61 @@ + + + + + + frame-src-blocked + + + + + +

+ IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS. +

+ + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html.sub.headers new file mode 100644 index 000000000..bd0e6d17f --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: frame-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: frame-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html new file mode 100644 index 000000000..5238e7c0f --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html @@ -0,0 +1,66 @@ + + + + + + frame-src-cross-origin-load + + + + + +

+ IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS. +

+ + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html.sub.headers new file mode 100644 index 000000000..0970bbebf --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/frame-src-cross-origin-load.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: frame-src-cross-origin-load={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: frame-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html new file mode 100644 index 000000000..92cd088c5 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html @@ -0,0 +1,25 @@ + + + + + + function-constructor-allowed + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html.sub.headers new file mode 100644 index 000000000..dd80ebacc --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: function-constructor-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html new file mode 100644 index 000000000..be0c57477 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html @@ -0,0 +1,29 @@ + + + + + + function-constructor-blocked + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html.sub.headers new file mode 100644 index 000000000..eb7da39cb --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/function-constructor-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: function-constructor-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html new file mode 100644 index 000000000..8bacdd305 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html @@ -0,0 +1,19 @@ + + + +

Use callbacks to show that favicons are loaded as allowed by CSP when link tags are dynamically added to the page.

+ +
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..b7d557b52
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: icon-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: img-src http://localhost; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html
new file mode 100644
index 000000000..978f25f63
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html
@@ -0,0 +1,17 @@
+ + + +
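Review bot: `img-src http://localhost` in icon-allowed.sub.html.sub.headers hard-codes the host and, having no port, matches only the scheme's default port, whereas the frame-src-cross-origin-load headers in this patch build their source from `{{host}}:{{ports[http][0]}}`. The markup of icon-allowed.sub.html is not visible here, so this is hedged: if the dynamically added favicon link points at the test server, the icon is allowed only when that server is reached as localhost on port 80, and on any other setup the test would fail for reasons unrelated to CSP enforcement. A templated source such as `img-src http://{{host}}:{{ports[http][0]}}` (or `'self'` if the icon is same-origin) would keep the allow-list tied to the server that actually serves the test.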

Use callbacks to show that favicons are not loaded in violation of CSP when link tags are dynamically added to the page.

+ + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html.sub.headers new file mode 100644 index 000000000..c4dc69985 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/icon-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: icon-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html new file mode 100644 index 000000000..f3d1e1424 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html @@ -0,0 +1 @@ + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html.sub.headers new file mode 100644 index 000000000..2cb1c7214 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/iframe-inside-csp.sub.html.sub.headers 
@@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: iframe-inside-csp={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline' 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html new file mode 100644 index 000000000..c087692db --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html @@ -0,0 +1,22 @@ + + + + + + image-allowed + + + + + + + + + +
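Review bot: `script-src 'self' 'unsafe-inline' 'self'` in iframe-inside-csp.sub.html.sub.headers lists `'self'` twice. The repeat does not change what the policy matches, but it makes the policy under test harder to read; `script-src 'self' 'unsafe-inline'` is equivalent. The header hunks for image-allowed, image-blocked, image-full-host-wildcard-allowed, inline-style-allowed, inline-style-attribute-allowed, inline-style-attribute-blocked and inline-style-blocked repeat `'unsafe-inline'` in the same way.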
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html.sub.headers new file mode 100644 index 000000000..3b85fc689 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: image-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: img-src *; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html new file mode 100644 index 000000000..e572070ef --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html @@ -0,0 +1,23 @@ + + + + + + image-blocked + + + + + + + + + This test passes if it doesn't alert FAIL and does alert PASS. + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html.sub.headers new file mode 100644 index 000000000..c58bb88bb --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: image-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html new file mode 100644 index 000000000..6482654cd --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html @@ -0,0 +1,22 @@ + + + + + + image-full-host-wildcard-allowed + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html.sub.headers new file mode 100644 index 000000000..0f384f093 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/image-full-host-wildcard-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: image-full-host-wildcard-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: img-src http://*.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html new file mode 100644 index 000000000..8ec6fe433 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html @@ -0,0 +1,22 @@ + + + + + + injected-inline-script-allowed + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html.sub.headers new file mode 100644 index 000000000..7f3453924 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: injected-inline-script-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html new file mode 100644 index 000000000..bee3f9abd --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html @@ -0,0 +1,20 @@ + + + + + + injected-inline-script-blocked + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html.sub.headers new file mode 100644 index 000000000..e90dec673 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-script-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: injected-inline-script-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html new file mode 100644 index 000000000..f52289e49 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html @@ -0,0 +1,35 @@ + + + + + + injected-inline-style-allowed + + + + + + + + +
+ FAIL 1/2 +
+
+ FAIL 2/2 +
+ + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html.sub.headers new file mode 100644 index 000000000..8a48dc248 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: injected-inline-style-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html new file mode 100644 index 000000000..1ed46cb65 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html @@ -0,0 +1,32 @@ + + + + + + injected-inline-style-blocked + + + + + + + + +
+ PASS 1/2 +
+
+ PASS 2/2 +
+ + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html.sub.headers new file mode 100644 index 000000000..d3f0a5efb --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/injected-inline-style-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: injected-inline-style-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: style-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html new file mode 100644 index 000000000..efb5043ad --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html @@ -0,0 +1,128 @@ + + + + + + inline-style-allowed-while-cloning-objects + + + + + + + + + +

+ This test ensures that styles can be set by object.cloneNode() +

+
+ This is a div (nodes) +
This is a div. (node 1 or 2)
+
This is a div. (node 3 or 4)
+
+
+ Yet another div. +
+
+ Yet another div. +
+
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html.sub.headers new file mode 100644 index 000000000..963fa1751 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed-while-cloning-objects.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: inline-style-allowed-while-cloning-objects={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html new file mode 100644 index 000000000..bf5ac125d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html @@ -0,0 +1,31 @@ + + + + + + inline-style-allowed + + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html.sub.headers new file mode 100644 index 000000000..8ff58f55f --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: inline-style-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html new file mode 100644 index 000000000..ab446040a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html @@ -0,0 +1,25 @@ + + + + + + inline-style-attribute-allowed + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html.sub.headers new file mode 100644 index 000000000..7d765e2b6 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: inline-style-attribute-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html new file mode 100644 index 000000000..90efe9fe7 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html @@ -0,0 +1,25 @@ + + + + + + inline-style-attribute-blocked + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html.sub.headers new file mode 100644 index 000000000..0b1ec14c1 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: inline-style-attribute-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html new file mode 100644 index 000000000..b002af987 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html @@ -0,0 +1,28 @@ + + + + + + + inline-style-attribute-on-html + + + + + + + + +

Even though this page has a CSP policy the blocks inline style, the style attribute on the HTML element still takes effect because it preceeds the meta element. +

+ +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html.sub.headers new file mode 100644 index 000000000..66bf93faa --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-attribute-on-html.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: inline-style-attribute-on-html={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html new file mode 100644 index 000000000..3f7756e44 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html @@ -0,0 +1,31 @@ + + + + + + inline-style-blocked + + + + + + + + + + +
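Review bot: The description sentence in inline-style-attribute-on-html.sub.html has two slips that blur the behaviour the test documents: `the blocks inline style` and `preceeds`. Suggested wording: `Even though this page has a CSP policy that blocks inline style, the style attribute on the HTML element still takes effect because it precedes the meta element.` It is worth stating cleanly, because this ordering is why a policy delivered by a meta element does not cover markup parsed before it. The accompanying headers file sets no `style-src`, which is consistent with the style restriction coming from the meta element.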
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html.sub.headers new file mode 100644 index 000000000..0b8306326 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/inline-style-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: inline-style-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html new file mode 100644 index 000000000..fe6d2b1c2 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html @@ -0,0 +1,9 @@ + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html.sub.headers new file mode 100644 index 000000000..3fbdc7337 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-allowed.sub.html.sub.headers 
@@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: manifest-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: manifest-src *; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html new file mode 100644 index 000000000..fe6d2b1c2 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html @@ -0,0 +1,9 @@ + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html.sub.headers new file mode 100644 index 000000000..4d6e5e395 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/manifest-src-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: manifest-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: manifest-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html new file mode 100644 index 000000000..4cb4002d9 --- /dev/null 
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html @@ -0,0 +1,14 @@ + + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html.sub.headers new file mode 100644 index 000000000..b0401f7c7 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: media-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: media-src http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html new file mode 100644 index 000000000..57c8d5f65 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html @@ -0,0 +1,15 @@ + + + +

This test passes if it doesn't alert failure.

+ diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html.sub.headers new file mode 100644 index 000000000..86c56953d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: media-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: media-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html new file mode 100644 index 000000000..c8036ce17 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html @@ -0,0 +1,39 @@ + + + + + media-src-track-block + + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html.sub.headers new file mode 100644 index 000000000..85c496e74 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/media-src-track-block.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: media-src-track-block={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: media-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html new file mode 100644 index 000000000..358b7af1a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html @@ -0,0 +1,28 @@ + + + + + + object-in-svg-foreignobject + + + + + + + + +

This test ensures that objects inside SVG foreignobject elements are beholden to the same policy as the rest of the document. This test passes if there i a CSP violation saying the plugin was blocked.

+ + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html.sub.headers new file mode 100644 index 000000000..a196a1558 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-in-svg-foreignobject.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: object-in-svg-foreignobject={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html new file mode 100644 index 000000000..d77027840 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html @@ -0,0 +1,41 @@ + + + + + + object-src-applet-archive-codebase + + + + + + + + + + + This test passes if there is a CSP violation saying the plugin was blocked. + +
+ + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html.sub.headers new file mode 100644 index 000000000..0b71a188b --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive-codebase.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: object-src-applet-archive-codebase={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html new file mode 100644 index 000000000..69c71986e --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html @@ -0,0 +1,41 @@ + + + + + + object-src-applet-archive + + + + + + + + + + + This test passes if there is a CSP violation saying the plugin was blocked. + +
+ + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html.sub.headers new file mode 100644 index 000000000..4bd5ec149 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-archive.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: object-src-applet-archive={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html new file mode 100644 index 000000000..6121dad56 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html @@ -0,0 +1,41 @@ + + + + + + object-src-applet-archive-code-codebase + + + + + + + + + + + This test passes if there is a CSP violation saying the plugin was blocked. + +
+ + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html.sub.headers new file mode 100644 index 000000000..1ced1a8e2 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code-codebase.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: object-src-applet-code-codebase={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html new file mode 100644 index 000000000..af598bfd1 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html @@ -0,0 +1,41 @@ + + + + + + object-src-applet-code + + + + + + + + + + + This test passes if there is a CSP violation saying the plugin was blocked. + +
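Review bot: The text in the title position of object-src-applet-code-codebase.sub.html reads `object-src-applet-archive-code-codebase`, which matches neither the file name nor the `object-src-applet-code-codebase` cookie name in its headers file. The other tests in this patch use the file's base name there, so this looks like a copy-paste leftover; suggest `object-src-applet-code-codebase`. The hunk's markup is not visible on this page, so this assumes the string is the `<title>`; if anything keys on it, results for this test would be harder to trace.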
+ + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html.sub.headers new file mode 100644 index 000000000..44bd725f8 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-applet-code.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: object-src-applet-code={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html new file mode 100644 index 000000000..2e2bef25d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html @@ -0,0 +1,23 @@ + + + + + + object-src-no-url-allowed + + + + + + + + + This test passes if there isn't a CSP violation saying the plugin was blocked. + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html.sub.headers new file mode 100644 index 000000000..3746103fe --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: object-src-no-url-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html new file mode 100644 index 000000000..ad3eebcae --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html @@ -0,0 +1,23 @@ + + + + + + object-src-no-url-blocked + + + + + + + + + This test passes if there is a CSP violation saying the plugin was blocked. + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html.sub.headers new file mode 100644 index 000000000..dba0ece70 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-no-url-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: object-src-no-url-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html new file mode 100644 index 000000000..dace2c417 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html @@ -0,0 +1,23 @@ + + + + + + object-src-url-allowed + + + + + + + + + This test passes if there is no CSP violation saying the plugin was blocked. + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html.sub.headers new file mode 100644 index 000000000..bce19c1de --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: object-src-url-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html new file mode 100644 index 000000000..4f12d747b --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html @@ -0,0 +1,23 @@ + + + + + + object-src-url-blocked + + + + + + + + + This test passes if there is a CSP violation saying the plugin was blocked. + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html.sub.headers new file mode 100644 index 000000000..1447fd0fc --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/object-src-url-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: object-src-url-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html new file mode 100644 index 000000000..a43e4be27 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html @@ -0,0 +1 @@ + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html.sub.headers new file mode 100644 index 000000000..ff37e37ee --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/policy-does-not-affect-child.sub.html.sub.headers 
@@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: policy-does-not-affect-child={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline' 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html new file mode 100644 index 000000000..dea8a87a3 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html @@ -0,0 +1,22 @@ + + + + + + report-blocked-data-uri + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html.sub.headers new file mode 100644 index 000000000..8530a1cc4 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-blocked-data-uri.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: report-blocked-data-uri={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html new file mode 100644 index 000000000..ed2cd2a74 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html @@ -0,0 +1,24 @@ + + + + + + report-cross-origin-no-cookies + + + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html.sub.headers new file mode 100644 index 000000000..5a7122975 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-cross-origin-no-cookies.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: report-cross-origin-no-cookies={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline' http://www1.{{host}}:{{ports[http][0]}}; connect-src 'self'; report-uri http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html new file mode 100644 index 000000000..cb001a220 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html @@ -0,0 +1,24 @@ + + + + + + report-disallowed-from-meta + + + + + + + + + + This image should be blocked, but should not show up in the violation report because meta policies MUST ignore report-uri. + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html.sub.headers new file mode 100644 index 000000000..4c620525a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-disallowed-from-meta.sub.html.sub.headers @@ -0,0 +1,5 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: report-disallowed-from-meta=5ada7c32-1c46-4b79-a95f-af33fcf95f8e; Path=/content-security-policy/blink-contrib \ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html new file mode 100644 index 000000000..e90cb066b --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html @@ -0,0 +1,24 @@ + + + + + + report-cross-origin-no-cookies + + + + + + + + + + + +
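Review bot: The `Set-Cookie` line in report-disallowed-from-meta.sub.html.sub.headers carries a fixed value, `5ada7c32-1c46-4b79-a95f-af33fcf95f8e`, where the sibling headers files generate one per load with `{{$id:uuid()}}`. If the page uses this cookie as the key for looking up a stored report (the HTML is not readable here, so this is inferred), every run shares one key. A report left on the server under that key by an earlier run could then be attributed to this one, which matters because the test asserts that no report is sent. Suggest `Set-Cookie: report-disallowed-from-meta={{$id:uuid()}}; Path=/content-security-policy/blink-contrib`.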
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html.sub.headers new file mode 100644 index 000000000..4655de254 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-same-origin-with-cookies.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: report-same-origin-with-cookies={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html new file mode 100644 index 000000000..cf3f72f1e --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html @@ -0,0 +1,28 @@ + + + + + + report-uri-from-inline-javascript + + + + + + + + + +
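Review bot: The text in the title position of report-same-origin-with-cookies.sub.html reads `report-cross-origin-no-cookies`, apparently copied from the sibling test, so both files would report under the same name. The markup is not readable in this view, so this assumes the line is the `<title>`. If it is, it should be `<title>report-same-origin-with-cookies</title>`, so that a failure in the same-origin cookie case is not mistaken for the cross-origin one.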
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html.sub.headers new file mode 100644 index 000000000..c37a9ff8d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-inline-javascript.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: report-uri-from-inline-javascript={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html new file mode 100644 index 000000000..790a75bda --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html @@ -0,0 +1,22 @@ + + + + + + report-uri-from-javascript + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html.sub.headers new file mode 100644 index 000000000..ed6560118 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri-from-javascript.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: report-uri-from-javascript={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html new file mode 100644 index 000000000..9ffb835f2 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html @@ -0,0 +1,6 @@ + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html.sub.headers new file mode 100644 index 000000000..1416ea7f1 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/report-uri.sub.html.sub.headers 
@@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: report-uri={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline' 'self'; report-uri resources/save-report.php?test=report-uri.html; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-fail.html b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-fail.html new file mode 100644 index 000000000..c0fb8173d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-fail.html @@ -0,0 +1,4 @@ + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-pass.html b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-pass.html new file mode 100644 index 000000000..50e753d0d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/alert-pass.html @@ -0,0 +1,4 @@ + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/blue.css b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/blue.css new file mode 100644 index 000000000..54aeecc12 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/blue.css @@ -0,0 +1,3 @@ +.target { + background-color: blue; +} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/document-write-alert-fail.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/document-write-alert-fail.js new file mode 100644 index 000000000..5e78ca0da --- /dev/null 
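Review bot: The policy in report-uri.sub.html.sub.headers contains two `report-uri` directives, and a CSP parser keeps only the first occurrence of a directive. Reports therefore go to `resources/save-report.php?test=report-uri.html`, and the `/content-security-policy/support/report.py?op=put&reportID={{$id}}` endpoint used by the other tests is ignored. No save-report.php appears among the resources visible in this part of the patch, so the report this test checks may never be stored. Suggest `Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}`. The policy-does-not-affect-child headers repeat `'self'` inside `script-src` in the same way.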
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/document-write-alert-fail.js @@ -0,0 +1 @@ +document.write(""); diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/generate-csp-report.html b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/generate-csp-report.html new file mode 100644 index 000000000..887f44f48 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/generate-csp-report.html @@ -0,0 +1,7 @@ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/go-to-echo-report.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/go-to-echo-report.js new file mode 100644 index 000000000..e220f2a47 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/go-to-echo-report.js @@ -0,0 +1,12 @@ +if (window.testRunner) { + testRunner.dumpAsText(); + testRunner.waitUntilDone(); +} + +window.onload = function() { + var test = window.location.pathname.replace(/^.+\//, ''); + var match = window.location.search.match(/^\?test=([^&]+)/); + if (match) + test = match[1]; + window.location = "/security/contentSecurityPolicy/resources/echo-report.php?test=" + test; +} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-image.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-image.js new file mode 100644 index 000000000..1e1f93b39 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-image.js @@ -0,0 +1,4 @@ +// This script block will trigger a violation report. +var i = document.createElement('img'); +i.src = '/security/resources/abe.png'; +document.body.appendChild(i); 
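Review bot: go-to-echo-report.js navigates to `/security/contentSecurityPolicy/resources/echo-report.php`, which lies outside the `/content-security-policy/` tree this commit adds and is probably a path from the suite these tests were ported from. It also appends `test`, taken from `location.search`, to the URL without encoding. If the helper is still used, the target should be the suite's own report endpoint and the value should be passed as `encodeURIComponent(test)`. It also relies on `window.testRunner`, which a plain browser run does not provide. inject-image.js in the next hunk has the same kind of foreign path, `/security/resources/abe.png`.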
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-script.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-script.js new file mode 100644 index 000000000..155371985 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-script.js @@ -0,0 +1,5 @@ +document.write(""); + +var s = document.createElement('script'); +s.textContent = "alert_assert('Pass 2 of 2');"; +document.body.appendChild(s); diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-style.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-style.js new file mode 100644 index 000000000..532645a45 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/inject-style.js @@ -0,0 +1,5 @@ +document.write(""); + +var s = document.createElement('style'); +s.textContent = "#test2 { display: none; }"; +document.body.appendChild(s); diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/post-message.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/post-message.js new file mode 100644 index 000000000..69daa31d2 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/post-message.js @@ -0,0 +1 @@ +postMessage("importScripts allowed"); diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-fail.html b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-fail.html new file mode 100644 index 000000000..a0308ad98 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-fail.html @@ -0,0 +1,4 @@ + 
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-pass.html b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-pass.html new file mode 100644 index 000000000..700167b5d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/postmessage-pass.html @@ -0,0 +1,4 @@ + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/script.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/script.js new file mode 100644 index 000000000..54eaf530c --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/script.js @@ -0,0 +1,2 @@ +var result = document.getElementById("result"); +result.firstChild.nodeValue = result.attributes.getNamedItem("text").value; diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/set-cookie.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/set-cookie.js.sub.headers new file mode 100644 index 000000000..1d5fbba17 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/set-cookie.js.sub.headers @@ -0,0 +1 @@ +Set-Cookie: report-cookie=true \ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js new file mode 100644 index 000000000..28937d05d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-allowed.sub.js 
@@ -0,0 +1,23 @@
+onconnect = function (event) {
+ var port = event.ports[0];
+ var xhr = new XMLHttpRequest;
+ xhr.onerror = function () {
+ port.postMessage("xhr blocked");
+ port.postMessage("TEST COMPLETE");
+ };
+ xhr.onload = function () {
+ if (xhr.responseText == "FAIL") {
+ port.postMessage("xhr allowed");
+ } else {
+ port.postMessage("xhr blocked");
+ }
+ port.postMessage("TEST COMPLETE");
+ };
+ try {
+ xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ xhr.send();
+ } catch (e) {
+ port.postMessage("xhr blocked");
+ port.postMessage("TEST COMPLETE");
+ }
+}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js
new file mode 100644
index 000000000..28937d05d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js
@@ -0,0 +1,23 @@
+onconnect = function (event) {
+ var port = event.ports[0];
+ var xhr = new XMLHttpRequest;
+ xhr.onerror = function () {
+ port.postMessage("xhr blocked");
+ port.postMessage("TEST COMPLETE");
+ };
+ xhr.onload = function () {
+ if (xhr.responseText == "FAIL") {
+ port.postMessage("xhr allowed");
+ } else {
+ port.postMessage("xhr blocked");
+ }
+ port.postMessage("TEST COMPLETE");
+ };
+ try {
+ xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ xhr.send();
+ } catch (e) {
+ port.postMessage("xhr blocked");
+ port.postMessage("TEST COMPLETE");
+ }
+}
\ No newline at end of file
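Review bot: In `xhr.onload` of shared-worker-make-xhr-allowed.sub.js, every response body other than `"FAIL"` is reported as "xhr blocked". An unexpected reply, such as an error page from the redirect or an empty body, is then indistinguishable from connect-src enforcement, and the blocked variant can pass without the policy having done anything. A load that completes was by definition not blocked, so the else branch should report its own outcome, for example `port.postMessage("unexpected response: " + xhr.responseText);`. The identical shared-worker-make-xhr-blocked.sub.js hunk and both worker-make-xhr hunks further down share this pattern. Those two also carry a commented-out debug line, `//cons/**/ole.log(xhr.responseText);`, that can be dropped.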
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js.sub.headers
new file mode 100644
index 000000000..ac7368c32
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/shared-worker-make-xhr-blocked.sub.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: connect-src 'none'
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream
new file mode 100644
index 000000000..e467657bc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream
@@ -0,0 +1 @@
+data: hello
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream.headers
new file mode 100644
index 000000000..9bb8badca
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/simple-event-stream.headers
@@ -0,0 +1 @@
+Content-Type: text/event-stream
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/track.vtt b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/track.vtt
new file mode 100644
index 000000000..365e9ae15
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/track.vtt
@@ -0,0 +1 @@
+Subtitles!
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js
new file mode 100644
index 000000000..9aa87129a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js
@@ -0,0 +1,5 @@
+var id = 0;
+try {
+ id = eval("1 + 2 + 3");
+} catch (e) {}
+postMessage(id === 0 ? "eval blocked" : "eval allowed");
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js.sub.headers
new file mode 100644
index 000000000..afdcc7c01
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-eval.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js
new file mode 100644
index 000000000..03d9bf4cb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js
@@ -0,0 +1,7 @@
+var fn = function() {
+ postMessage('Function() function blocked');
+}
+try {
+ fn = new Function("", "postMessage('Function() function allowed');");
+} catch (e) {}
+fn();
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js.sub.headers
new file mode 100644
index 000000000..afdcc7c01
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-function-function.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'unsafe-inline'
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js
new file mode 100644
index 000000000..65ec6f446
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js
@@ -0,0 +1,6 @@
+try {
+ importScripts("/content-security-policy/blink-contrib/resources/post-message.js");
+ postMessage("importScripts allowed");
+} catch (e) {
+ postMessage("importScripts blocked");
+}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js.sub.headers
new file mode 100644
index 000000000..57616b1fc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-importscripts.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js
new file mode 100644
index 000000000..22819d57a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js
@@ -0,0 +1,21 @@
+var xhr = new XMLHttpRequest;
+xhr.onerror = function () {
+ postMessage("xhr blocked");
+ postMessage("TEST COMPLETE");
+};
+xhr.onload = function () {
+ //cons/**/ole.log(xhr.responseText);
+ if (xhr.responseText == "FAIL") {
+ postMessage("xhr allowed");
+ } else {
+ postMessage("xhr blocked");
+ }
+ postMessage("TEST COMPLETE");
+};
+try {
+ xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ xhr.send();
+} catch (e) {
+ postMessage("xhr blocked");
+ postMessage("TEST COMPLETE");
+}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js.sub.headers
new file mode 100644
index 000000000..ac7368c32
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr-blocked.sub.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: connect-src 'none'
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js
new file mode 100644
index 000000000..73359a39e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-make-xhr.sub.js
@@ -0,0 +1,21 @@
+var xhr = new XMLHttpRequest;
+xhr.onerror = function () {
+ postMessage("xhr blocked");
+ postMessage("TEST COMPLETE");
+};
+xhr.onload = function () {
+ //cons/**/ole.log(xhr.responseText);
+ if (xhr.responseText == "FAIL") {
+ postMessage("xhr allowed");
+ } else {
+ postMessage("xhr blocked");
+ }
+ postMessage("TEST COMPLETE");
+};
+try {
+ xhr.open("GET", "/common/redirect.py?location=http://{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true);
+ xhr.send();
+} catch (e) {
+ postMessage("xhr blocked");
+ postMessage("TEST COMPLETE");
+}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js
new file mode 100644
index 000000000..a16827edd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js
@@ -0,0 +1,5 @@
+var id = 0;
+try {
+ id = setTimeout("postMessage('handler invoked')", 100);
+} catch (e) {}
+postMessage(id === 0 ? "setTimeout blocked" : "setTimeout allowed");
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js.sub.headers
new file mode 100644
index 000000000..57616b1fc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/resources/worker-set-timeout.js.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'none'
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html
new file mode 100644
index 000000000..c755504b1
--- /dev/null
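Review bot: worker-set-timeout.js takes its verdict from `id === 0`, that is, from the return value of `setTimeout` with a string handler, and the empty `catch (e) {}` hides any exception on the way. Whether a CSP-refused string timer returns 0 is engine behaviour that this file does not establish. An engine that returns a normal timer id and never compiles the string would be reported as "setTimeout allowed" although nothing ran. The signal that matters is whether `'handler invoked'` is ever posted, so the verdict should hinge on that message; the harness side is not visible in this chunk, so confirm what it expects. At minimum add a comment: `// A return value of 0 is taken to mean CSP refused the string handler; 'handler invoked' must never arrive.`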
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html @@ -0,0 +1,3 @@ + +This test passes if it does alert pass. + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html.sub.headers new file mode 100644 index 000000000..4c7945728 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts-subframe.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: sandbox-allow-scripts-subframe={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: sandbox allow-scripts; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html new file mode 100644 index 000000000..3bdaa12ea --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html @@ -0,0 +1,6 @@ + +This test passes if it does alert pass. + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html.sub.headers new file mode 100644 index 000000000..b6df57d17 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-allow-scripts.sub.html.sub.headers 
@@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: sandbox-allow-scripts={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: sandbox allow-scripts; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html new file mode 100644 index 000000000..5ddccfaa3 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html @@ -0,0 +1,3 @@ + +This test passes if it doesn't alert fail. + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html.sub.headers new file mode 100644 index 000000000..5287112d6 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty-subframe.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: sandbox-empty-subframe={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: sandbox; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html new file mode 100644 index 000000000..4e04e9875 --- /dev/null 
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html @@ -0,0 +1,6 @@ + +This test passes if it doesn't alert fail. + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html.sub.headers new file mode 100644 index 000000000..f7d31c959 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/sandbox-empty.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: sandbox-empty={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: sandbox; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html new file mode 100644 index 000000000..cf4aab201 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html @@ -0,0 +1,25 @@ + + + + + + script-src-overrides-default-src + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html.sub.headers new file mode 100644 index 000000000..5d3456433 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/script-src-overrides-default-src.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: script-src-overrides-default-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: default-src about:; script-src 'self' 'unsafe-inline'; style-src 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html new file mode 100644 index 000000000..5f388622c --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html @@ -0,0 +1,49 @@ + + + + + + worker-connect-src-blocked + + + + + + + +

This test loads a worker, from a guid. + The worker should be blocked from loading with a child-src policy of 'self' + as the blob: scheme must be specified explicitly. + A report should be sent to the report-uri specified + with this resource.

+ + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html.sub.headers new file mode 100644 index 000000000..05843484b --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/self-doesnt-match-blob.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: self-doesnt-match-blob={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html new file mode 100644 index 000000000..17da111a8 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html @@ -0,0 +1,43 @@ + + + + + + shared-worker-connect-src-allowed + + + + + + + + + + +
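Review bot: The only text left where the title of self-doesnt-match-blob.sub.html would sit is "worker-connect-src-blocked", which is the name of a different test in this directory; star-doesnt-match-blob.sub.html and worker-from-guid.sub.html further down carry the same string. The markup is stripped in this view, so this is inferred from position. If it is the `<title>`, three tests report under one name and a failure in the harness output cannot be attributed to the right file. Each file should use its own name, e.g. `<title>self-doesnt-match-blob</title>`.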
+ + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html.sub.headers new file mode 100644 index 000000000..eefff95c6 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: shared-worker-connect-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: connect-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html new file mode 100644 index 000000000..63225bf27 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html @@ -0,0 +1,50 @@ + + + + + + shared-worker-connect-src-blocked + + + + + + + + + +

This test loads a shared worker, delivered with its own + policy. The worker should be blocked from making an XHR + as that policy specifies a connect-src 'none', though + this resource's policy is connect-src *. No report + should be sent since the worker's policy doesn't specify + a report-uri.

+ +
+ + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html.sub.headers new file mode 100644 index 000000000..bb4fb4c90 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: shared-worker-connect-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: connect-src *; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html new file mode 100644 index 000000000..b60eccb9b --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html @@ -0,0 +1,22 @@ + + + + + + source-list-parsing-paths-03 + + + + + + + + +

This test passes if the source expression does not throw an "invalid source" error.

+
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html.sub.headers new file mode 100644 index 000000000..58e7a22df --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/source-list-parsing-paths-03.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: source-list-parsing-paths-03={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-inline' example.com/js/; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html new file mode 100644 index 000000000..50b76688f --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html @@ -0,0 +1,22 @@ + + + + + + srcdoc-doesnt-bypass-script-src + + + + + + + + This test passes if it doesn't alert fail. + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html.sub.headers new file mode 100644 index 000000000..e2ffd1185 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: srcdoc-doesnt-bypass-script-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html new file mode 100644 index 000000000..fac12b52a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html @@ -0,0 +1,49 @@ + + + + + + worker-connect-src-blocked + + + + + + + +

This test loads a worker, from a guid. + The worker should be blocked from loading with a child-src policy of * + as the blob: scheme must be specified explicitly. + A report should be sent to the report-uri specified + with this resource.

+ + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html.sub.headers new file mode 100644 index 000000000..9f7db5b0f --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/star-doesnt-match-blob.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: star-doesnt-match-blob={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src *; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html new file mode 100644 index 000000000..176a8e3ef --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html @@ -0,0 +1,26 @@ + + + + + + style-allowed + + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html.sub.headers new file mode 100644 index 000000000..cdf394548 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/style-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: style-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: style-src *; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html new file mode 100644 index 000000000..847e05b6a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html @@ -0,0 +1,26 @@ + + + + + + style-blocked + + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html.sub.headers new file mode 100644 index 000000000..54c3272a3 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/style-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: style-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html new file mode 100644 index 000000000..923149199 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html @@ -0,0 +1,33 @@ + + + + + + worker-connect-src-allowed + + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html.sub.headers new file mode 100644 index 000000000..92ef91f0d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-allowed.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: worker-connect-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html new file mode 100644 index 000000000..054132290 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html @@ -0,0 +1,38 @@ + + + + + + worker-connect-src-blocked + + + + + + + +

This test loads a worker, which is delivered with its own + policy. The worker should be blocked from making an XHR + as that policy specifies a connect-src 'none', though + this resource's policy is connect-src *. No report + should be sent since the worker's policy doesn't specify + a report-uri.

+ + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html.sub.headers new file mode 100644 index 000000000..e302aa84a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: worker-connect-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: connect-src *; script-src 'self' 'unsafe-inline'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html new file mode 100644 index 000000000..ac96e0f4d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html @@ -0,0 +1,37 @@ + + + + + + worker-eval-blocked + + + + + + + + +

This test loads a worker, delivered with its own policy. + The eval() call in the worker should be forbidden by that + policy. No report should be generated because the worker + policy does not set a report-uri (although this parent + resource does).

+ +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html.sub.headers new file mode 100644 index 000000000..8964f80ab --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-eval-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: worker-eval-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html new file mode 100644 index 000000000..b290b82f6 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html @@ -0,0 +1,65 @@ + + + + + + worker-connect-src-blocked + + + + + + + +

This test loads a worker, from a guid. + The worker should be blocked from making an XHR + to www1 as this resource's policy is connect-src 'self + and a guid Worker should inherit is parent's policy. + A report should be sent to the report-uri specified + with this resource.

+ + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html.sub.headers new file mode 100644 index 000000000..d94d31ace --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-from-guid.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: worker-from-guid={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: connect-src 'self'; script-src 'self' 'unsafe-inline' blob:; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html new file mode 100644 index 000000000..1db574780 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html @@ -0,0 +1,38 @@ + + + + + + worker-function-function-blocked + + + + + + + + + +
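Review bot: The description in worker-from-guid.sub.html has an unbalanced quote and a typo in the sentence that states the property under test: `connect-src 'self and a guid Worker should inherit is parent's policy`. I would write it as `connect-src 'self', and a guid Worker should inherit its parent's policy`, which then matches the `connect-src 'self'` in the accompanying `.sub.headers` file. Since this sentence is the only statement of the inheritance requirement in the file, it is worth getting exact.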

This test loads a worker, delivered with its own policy. + The Function constructor should be forbidden by that + policy. No report should be generated because the worker + policy does not set a report-uri (although this parent + resource does).

+ +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html.sub.headers new file mode 100644 index 000000000..b012518ec --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-function-function-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: worker-function-function-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html new file mode 100644 index 000000000..9ec49c030 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html @@ -0,0 +1,43 @@ + + + + + + worker-importscripts-blocked + + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html.sub.headers new file mode 100644 index 000000000..04de51d14 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-importscripts-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: worker-importscripts-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html new file mode 100644 index 000000000..9caf77224 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html @@ -0,0 +1,33 @@ + + + + + + worker-script-src + + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html.sub.headers new file mode 100644 index 000000000..76e5a3ba2 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-script-src.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: worker-script-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html new file mode 100644 index 000000000..119121ca5 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html @@ -0,0 +1,33 @@ + + + + + + worker-set-timeout-blocked + + + + + + + + + + +
+ + + + diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html.sub.headers new file mode 100644 index 000000000..fb6b3d0a2 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/blink-contrib/worker-set-timeout-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: worker-set-timeout-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib +Content-Security-Policy: script-src 'self' 'unsafe-inline' 'self' 'unsafe-eval'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-blocked-expected.png b/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-blocked-expected.png new file mode 100644 index 000000000..b5daa8555 Binary files /dev/null and b/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-blocked-expected.png differ diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-unaffected-by-style-src-1-expected.png b/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-unaffected-by-style-src-1-expected.png new file mode 100644 index 000000000..b5daa8555 Binary files /dev/null and b/testing/web-platform/tests/content-security-policy/blink-contrib/xsl-unaffected-by-style-src-1-expected.png differ diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html new file mode 100644 index 000000000..9222a8ddc --- /dev/null 
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html @@ -0,0 +1,24 @@ + + + + + + child-src-about-blank-allowed-by-default + + + + +

These frames should not be blocked by Content-Security-Policy. + It's pointless to block about:blank iframes because + blocking a frame just results in displaying about:blank anyway! +

+ + + +
+ + + +
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html.sub.headers
new file mode 100644
index 000000000..68b2fb2fb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: child-src-about-blank-allowed-by-default={{$id:uuid()}}; Path=/content-security-policy/child-src
+Content-Security-Policy: child-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html
new file mode 100644
index 000000000..d94eff684
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html
@@ -0,0 +1,20 @@
+ + + + + + child-src-about-blank-allowed-by-scheme + + + + +

This frame should not be blocked by Content-Security-Policy. +

+ +
+ + + +
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html.sub.headers
new file mode 100644
index 000000000..9ff84d67d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: child-src-about-blank-allowed-by-scheme={{$id:uuid()}}; Path=/content-security-policy/child-src
+Content-Security-Policy: child-src about:; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html
new file mode 100644
index 000000000..12a075adb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html
@@ -0,0 +1,63 @@
+ + + + + child-src-allowed + + + + + +

+ This iframe should be allowed. +

+ + + + + +
+ + + +
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..7eb8d76f9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: child-src-allowed={{$id:uuid()}}; Path=/content-security-policy/child-src
+Content-Security-Policy: child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html
new file mode 100644
index 000000000..e32cc0af0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html
@@ -0,0 +1,61 @@
+ + + + + + child-src-blocked + + + + + +

+ IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS. +

+ + + + + +
+ + + +
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..961d18a7d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: child-src-blocked={{$id:uuid()}}; Path=/content-security-policy/child-src
+Content-Security-Policy: child-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html
new file mode 100644
index 000000000..b681253ae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html
@@ -0,0 +1,61 @@
+ + + + child-src-blocked + + + + + +

+ A more permissive child-src should not relax restrictions from a less- + permissive frame-src. Directives still combine for least privilege, even when + one obsoletes another. +

+ + + + + +
+ + + +
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html.sub.headers
new file mode 100644
index 000000000..9c3ce8426
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: child-src-conflicting-frame-src={{$id:uuid()}}; Path=/content-security-policy/child-src
+Content-Security-Policy: frame-src 'none'; child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html
new file mode 100644
index 000000000..b6f3e5164
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html
@@ -0,0 +1,68 @@
+ + + + + + child-src-cross-origin-load + + + + + +
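Review bot: The title text in child-src-conflicting-frame-src.sub.html reads `child-src-blocked`, the name of a different test, so a failure reported by title is attributed to the wrong policy case. The markup is not visible in this extracted page, but the surviving text suggests the line should be `<title>child-src-conflicting-frame-src</title>`. The same copy-paste appears under frame-ancestors: deep-allows-none and the three nested-traversing-* files show `single-frame-self-allowed`, while multiple-frames-meta-ignored and multiple-frames-one-blocked show `multiple-frames-self-allowed`. Distinct titles matter here because several of these files assert a block and others an allow under near-identical names.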

+ IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS. +

+ + + + + + + +
+ + + +
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html.sub.headers
new file mode 100644
index 000000000..53527c1ad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: child-src-cross-origin-load={{$id:uuid()}}; Path=/content-security-policy/child-src
+Content-Security-Policy: child-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html
new file mode 100644
index 000000000..361d09742
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html
@@ -0,0 +1,32 @@
+ + + + + child-src-worker-allowed + + + + + + + + + + +
+ + + +
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..4ddb39e84
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: child-src-worker-allowed={{$id:uuid()}}; Path=/content-security-policy/child-src
+Content-Security-Policy: child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html
new file mode 100644
index 000000000..8ed6b157a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html
@@ -0,0 +1,35 @@
+ + + + + child-src-worker-blocked + + + + + + + + + + +
+ + + diff --git a/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html.sub.headers new file mode 100644 index 000000000..685d6dcf5 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/child-src/child-src-worker-blocked.sub.html.sub.headers @@ -0,0 +1,6 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Cache-Control: post-check=0, pre-check=0, false +Pragma: no-cache +Set-Cookie: child-src-worker-blocked={{$id:uuid()}}; Path=/content-security-policy/child-src +Content-Security-Policy: child-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/font-src/font-blacklisted-ref.html b/testing/web-platform/tests/content-security-policy/font-src/font-blacklisted-ref.html new file mode 100644 index 000000000..fdfbdd93d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/font-src/font-blacklisted-ref.html @@ -0,0 +1,6 @@ + + +csp font-src: blacklisted + +          +

The test passes if the line above are boxes in the test and glyphs in the reference.

\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/font-src/font-blacklisted.html b/testing/web-platform/tests/content-security-policy/font-src/font-blacklisted.html new file mode 100644 index 000000000..a430a417d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/font-src/font-blacklisted.html @@ -0,0 +1,9 @@ + + + +csp font-src: blacklisted + + + +          +

The test passes if the line above are boxes in the test and glyphs in the reference.

\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/font-src/font-whitelisted-ref.html b/testing/web-platform/tests/content-security-policy/font-src/font-whitelisted-ref.html new file mode 100644 index 000000000..25ad3bd75 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/font-src/font-whitelisted-ref.html @@ -0,0 +1,6 @@ + + +csp font-src: whitelisted + +          +

The test passes if the line above shows the same glyphs in the reference.

\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/font-src/font-whitelisted.html b/testing/web-platform/tests/content-security-policy/font-src/font-whitelisted.html new file mode 100644 index 000000000..f3558f766 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/font-src/font-whitelisted.html @@ -0,0 +1,9 @@ + + + +csp font-src: whitelisted + + + +          +

The test passes if the line above shows the same glyphs in the reference.

\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/font-src/fonts.css b/testing/web-platform/tests/content-security-policy/font-src/fonts.css new file mode 100644 index 000000000..30dd02cdb --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/font-src/fonts.css @@ -0,0 +1,8 @@ +@font-face { + font-family: 'Halflings'; + src: url('/tools/runner/fonts/glyphicons-halflings-regular.woff') format('woff'); +} + +body { + font-family: 'Halflings', Fallback, sans-serif; +} \ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/deep-allows-none.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/deep-allows-none.sub.html new file mode 100644 index 000000000..1926007d3 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/deep-allows-none.sub.html @@ -0,0 +1,37 @@ + + + + single-frame-self-allowed + + + + + + + + + +
+ + diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html new file mode 100644 index 000000000..6b9c91c93 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html @@ -0,0 +1,21 @@ + + + +

Reporting Frame...

+ + + +
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html.headers b/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html.headers
new file mode 100644
index 000000000..f0eb936b3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-self.sub.html.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: frame-ancestors 'self'
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-star.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-star.sub.html
new file mode 100644
index 000000000..d51e0d532
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-star.sub.html
@@ -0,0 +1,20 @@
+ + + +

Reporting Frame...

+ + + +
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-star.sub.html.headers b/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-star.sub.html.headers
new file mode 100644
index 000000000..734aa227f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/intermediate-reporting-frame-allows-star.sub.html.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: frame-ancestors *
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-meta-ignored.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-meta-ignored.sub.html
new file mode 100644
index 000000000..47bb0244b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-meta-ignored.sub.html
@@ -0,0 +1,41 @@
+ + + + multiple-frames-self-allowed + + + + + + + + + + +
+ + diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-one-blocked.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-one-blocked.sub.html new file mode 100644 index 000000000..3857a173c --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-one-blocked.sub.html @@ -0,0 +1,37 @@ + + + + multiple-frames-self-allowed + + + + + + + + + + +
+ + diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-self-allowed.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-self-allowed.sub.html new file mode 100644 index 000000000..485b6eb0f --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/multiple-frames-self-allowed.sub.html @@ -0,0 +1,39 @@ + + + + multiple-frames-self-allowed + + + + + + + + + + +
+ + diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-allowed.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-allowed.sub.html new file mode 100644 index 000000000..a49049d13 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-allowed.sub.html @@ -0,0 +1,33 @@ + + + + single-frame-self-allowed + + + + + + + + + +
+ + diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-banned-top-is-self.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-banned-top-is-self.sub.html new file mode 100644 index 000000000..ced262fd7 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-banned-top-is-self.sub.html @@ -0,0 +1,35 @@ + + + + single-frame-self-allowed + + + + + + + + + +
+ + diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-banned.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-banned.sub.html new file mode 100644 index 000000000..e58f0ba8d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/nested-traversing-banned.sub.html @@ -0,0 +1,37 @@ + + + + single-frame-self-allowed + + + + + + + + + +
+ + diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none-meta.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none-meta.html new file mode 100644 index 000000000..c0d079f01 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none-meta.html @@ -0,0 +1,23 @@ + + + + + + +

Reporting Frame...

+ + + \ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none.html new file mode 100644 index 000000000..e38d99a6c --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none.html @@ -0,0 +1,22 @@ + + + +

Reporting Frame...

+ + +
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none.html.headers b/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none.html.headers
new file mode 100644
index 000000000..18bfb8156
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-none.html.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: frame-ancestors 'none'
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-self.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-self.html
new file mode 100644
index 000000000..7c1186e77
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-self.html
@@ -0,0 +1,22 @@
+ + + +

Reporting Frame...

+ + +
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-self.html.headers b/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-self.html.headers
new file mode 100644
index 000000000..f0eb936b3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/reporting-frame-allows-self.html.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: frame-ancestors 'self'
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/single-frame-self-allowed.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/single-frame-self-allowed.sub.html
new file mode 100644
index 000000000..3a9b4552e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/single-frame-self-allowed.sub.html
@@ -0,0 +1,35 @@
+ + + + single-frame-self-allowed + + + + + + + + + +
+ +
diff --git a/testing/web-platform/tests/content-security-policy/generic/fail-0_1.js b/testing/web-platform/tests/content-security-policy/generic/fail-0_1.js
new file mode 100644
index 000000000..5c580273d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/fail-0_1.js
@@ -0,0 +1,3 @@
+(function () {
+ scriptsrc1.step(function() { assert_unreached('Unsafe inline script ran.') });
+})();
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html
new file mode 100644
index 000000000..c3778f816
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html
@@ -0,0 +1,35 @@
+ + + + default-src should cascade to img-src directive + + + + + +

default-src should cascade to img-src directive

+
+ + + + + + + + + + + +
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html.sub.headers
new file mode 100644
index 000000000..61bdc0a30
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-img-src.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_1-img-src={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: default-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html
new file mode 100644
index 000000000..740b2a553
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html
@@ -0,0 +1,35 @@
+ + + + default-src should cascade to script-src directive + + + + + +

default-src should cascade to script-src directive

+
+ + + + + + + + + + +
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html.sub.headers
new file mode 100644
index 000000000..b3ff8c460
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_1-script-src.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_1-script-src={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: default-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_10.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_10.html
new file mode 100644
index 000000000..703e50b44
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_10.html
@@ -0,0 +1,21 @@
+ + + + test implicit port number matching (requires port 80) + + + + + +

test implicit port number matching (requires port 80)

+
+ + + +
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_10.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_10.html.sub.headers
new file mode 100644
index 000000000..c58b0536f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_10.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_10={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self' www.{{host}} 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html
new file mode 100644
index 000000000..c66640de3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html
@@ -0,0 +1,22 @@
+ + + + implicit port number matching fails with a different port + + + + + + +

implicit port number matching fails with a different port

+
+ + + +
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html.sub.headers
new file mode 100644
index 000000000..e8fcf07c2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_10_1.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_10_1={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self' www.{{host}} 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html
new file mode 100644
index 000000000..130bfadad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html
@@ -0,0 +1,15 @@
+ + + + 'self' keyword positive test + + + + + +

'self' keyword positive test

+
+ + + +
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html.sub.headers
new file mode 100644
index 000000000..776112de6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_2={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html
new file mode 100644
index 000000000..9d274ea59
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html
@@ -0,0 +1,22 @@
+ + + + 'self' fails with a different port + + + + + + +

'self' fails with a different port

+
+ + + +
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html.sub.headers
new file mode 100644
index 000000000..769ccc154
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_2.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_2_2={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html
new file mode 100644
index 000000000..ff4b8db8a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html
@@ -0,0 +1,22 @@
+ + + + 'self' fails with a different host (including sub-host e.g. foo.com as self with content from bar.foo.com) + + + + + + +

'self' fails with a different host (including sub-host e.g. foo.com as self with content from bar.foo.com)

+
+ + + +
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html.sub.headers
new file mode 100644
index 000000000..0a8defccd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_2_3.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_2_3={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_8.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_8.html
new file mode 100644
index 000000000..2e7df3776
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_8.html
@@ -0,0 +1,22 @@
+ + + + test wildcard host name matching (*.web-platform.test is good) + + + + + + +

test wildcard host name matching (*.web-platform.test is good)

+
+ + + +
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_8.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_8.html.sub.headers
new file mode 100644
index 000000000..34756f9db
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_8.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_8={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self' *.{{host}}:{{ports[http][0]}} 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html
new file mode 100644
index 000000000..167b4458d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html
@@ -0,0 +1,21 @@
+ + + + test wildcard host name matching (www*.web-platform.test is bad, *www.web-platform.test is bad) + + + + + + +

test wildcard host name matching (www*.web-platform.test is bad, *www.web-platform.test is bad)

+
+ + +
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html.sub.headers
new file mode 100644
index 000000000..57a038a05
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_8_1.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_8_1={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self' *w.{{host}}:{{ports[http][0]}} w*.{{host}}:{{ports[http][0]}} 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html b/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html
new file mode 100644
index 000000000..cadeb178f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html
@@ -0,0 +1,22 @@
+ + + + test wildcard port number matching + + + + + + +
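Review bot: The policy in generic-0_8_1.sub.html.sub.headers lists `*w.{{host}}:{{ports[http][0]}}` and `w*.{{host}}:{{ports[http][0]}}`, while the title of the paired generic-0_8_1.sub.html names `www*.` and `*www.` as the rejected patterns. Both pairs put `*` somewhere other than as the entire leftmost label, so they exercise the same rule, but a reader comparing title and header has to work that out. Either change the sources to `*www.{{host}}:{{ports[http][0]}} www*.{{host}}:{{ports[http][0]}}` or reword the title to say that a partial-label wildcard must not match.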

test wildcard port number matching

+
+ + + +
diff --git a/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html.sub.headers
new file mode 100644
index 000000000..2f2336009
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/generic-0_9.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_9={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: script-src 'self' {{host}}:* 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/generic/negativeTests.js b/testing/web-platform/tests/content-security-policy/generic/negativeTests.js
new file mode 100644
index 000000000..44b4d7f68
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/negativeTests.js
@@ -0,0 +1,3 @@
+var t1 = async_test("Prevents access to external scripts.");
+
+onload = function() {t1.done();}
diff --git a/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html b/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html
new file mode 100644
index 000000000..933986800
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html
@@ -0,0 +1,27 @@
+ + + + no default src doesn't behave exactly like * + + + + + + + +

no default src doesn't behave exactly like *

+ This page has a CSP header but an unknown directive. + This should have no impact on an img loaded from a data: + uri, or an inline script, although that would be blocked by a default-src policy of *. +
+ + + +
+ + + +
diff --git a/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html.sub.headers
new file mode 100644
index 000000000..a7337acce
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/no-default-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: no-default-src={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: foobar; report-uri ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/generic/pass-0_1.js b/testing/web-platform/tests/content-security-policy/generic/pass-0_1.js
new file mode 100644
index 000000000..3a08dd562
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/pass-0_1.js
@@ -0,0 +1,3 @@
+(function () {
+ allowedScriptRan = true;
+})();
diff --git a/testing/web-platform/tests/content-security-policy/generic/positiveTest.js b/testing/web-platform/tests/content-security-policy/generic/positiveTest.js
new file mode 100644
index 000000000..63c999196
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/positiveTest.js
@@ -0,0 +1,6 @@
+onload = function() {
+ test(function() {
+ assert_true(true, 'Script ran.')},
+ "Allows scripts from the same host."
+ );
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/unreached.js b/testing/web-platform/tests/content-security-policy/generic/unreached.js
new file mode 100644
index 000000000..893fb5eba
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/unreached.js
@@ -0,0 +1,3 @@
+onload = function() {
+ t1.step(function() {assert_unreached("Script should not have ran.");});
+}
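Review bot: unreached.js uses `t1` without defining it and assigns `onload` directly; both work only because negativeTests.js, added earlier in this patch, creates `t1` with `async_test` and installs its own `onload` that calls `t1.done()`. If this script is ever let through, its assignment replaces that handler, which looks intentional, since a failure stepped after `done()` would presumably not be recorded (harness behaviour is not shown on this page). Nothing in the file states the dependency, so add a header comment such as `// Runs only if CSP fails to block it. Needs negativeTests.js first: reuses its t1 and replaces its onload.`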
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardHostTest.js b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTest.js
new file mode 100644
index 000000000..da3e2790f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTest.js
@@ -0,0 +1,8 @@
+wildcardHostTestRan = false;
+
+onload = function() {
+ test(function() {
+ assert_true(wildcardHostTestRan, 'Script should have ran.')},
+ "Wildcard host matching works."
+ );
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestFailure.js b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestFailure.js
new file mode 100644
index 000000000..75ec8cf80
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestFailure.js
@@ -0,0 +1,8 @@
+wildcardHostTestRan = false;
+
+onload = function() {
+ test(function() {
+ assert_false(wildcardHostTestRan, 'Script should not have ran.')},
+ "Wildcard host matching works."
+ );
+}
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestSuceeds.js b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestSuceeds.js
new file mode 100644
index 000000000..8b115d7fc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestSuceeds.js
@@ -0,0 +1 @@
+wildcardHostTestRan = true;
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardHostTestFailure.js b/testing/web-platform/tests/content-security-policy/generic/wildcardPortTest.js
new file mode 100644
index 000000000..3cd1d2eae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardPortTest.js
@@ -0,0 +1,8 @@
+wildcardPortTestRan = false;
+
+onload = function() {
+ test(function() {
+ assert_true(wildcardPortTestRan, 'Script should have ran.')},
+ "Wildcard port matching works."
+ );
+}
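Review bot: `wildcardHostTestRan = false;` at the top of wildcardHostTest.js creates the flag by assigning to an undeclared name, which throws a ReferenceError if the file is ever loaded as strict or module code. Declare it, `var wildcardHostTestRan = false;`, so that the companion script's `wildcardHostTestRan = true;` still writes the same global. wildcardHostTestFailure.js and wildcardPortTest.js in this patch initialise their flags the same way.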
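Review bot: The negative check in wildcardHostTestFailure.js passes whenever `wildcardHostTestRan` is still false at load, which is also the case when the companion script fails to load for a reason unrelated to the policy, such as a wrong URL or a host that does not resolve. On its own the assertion cannot tell a CSP block from a missing resource; the including page should also confirm the violation report, and whether it does cannot be read from this patch as extracted. The test is also registered under the same name as the positive one, "Wildcard host matching works."; a name such as `"Invalid wildcard host sources do not match."` would keep the two apart in result listings.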
diff --git a/testing/web-platform/tests/content-security-policy/generic/wildcardPortTestSuceeds.js b/testing/web-platform/tests/content-security-policy/generic/wildcardPortTestSuceeds.js
new file mode 100644
index 000000000..0138deb2e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/wildcardPortTestSuceeds.js
@@ -0,0 +1 @@
+wildcardPortTestRan = true;
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.html b/testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.html
new file mode 100644
index 000000000..edf04fb19
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.html
@@ -0,0 +1,46 @@
+ + + + img element src attribute must match src list. + + + + +

img element src attribute must match src list.

+

+

+ + + + + + + +
+ + + + + +
diff --git a/testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.html.sub.headers
new file mode 100644
index 000000000..543e48c14
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/img-src/img-src-4_1.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: img-src-4_1={{$id:uuid()}}; Path=/content-security-policy/img-src/
+Content-Security-Policy: img-src 'self' www.{{host}}:{{ports[http][0]}}; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html
new file mode 100644
index 000000000..d912b86bb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/media-src/media-src-7_1.html
@@ -0,0 +1,44 @@
+ + + + Video element src attribute must match src list - positive test + + + + +

Video element src attribute must match src list - positive test

+
+ + + + +