Add m-esr52 at 52.6.0

24 files changed, 321 insertions, 0 deletions

diff --git a/testing/web-platform/tests/content-security-policy/script-src/10_1_support_1.js b/testing/web-platform/tests/content-security-policy/script-src/10_1_support_1.js
new file mode 100644
index 000000000..7b6e85210
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/10_1_support_1.js
@@ -0,0 +1 @@
+var dataScriptRan = false;
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/10_1_support_2.js b/testing/web-platform/tests/content-security-policy/script-src/10_1_support_2.js
new file mode 100644
index 000000000..ba586810f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/10_1_support_2.js
@@ -0,0 +1,3 @@
+test(function () {
+            assert_true(dataScriptRan, "data script ran");
+        }, "Verify that data: as script src runs with this policy");
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js b/testing/web-platform/tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js
new file mode 100644
index 000000000..cd093ac94
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js
@@ -0,0 +1,18 @@
+(function () {
+
+  var dmTest = async_test("DOM manipulation inline tests");
+  var attachPoint = document.getElementById('attachHere');
+  var inlineScript = document.createElement('script');
+  var scriptText = document.createTextNode('dmTest.step(function() {assert_unreached("Unsafe inline script ran - createTextNode.")});');
+
+  inlineScript.appendChild(scriptText);
+  attachPoint.appendChild(inlineScript);
+
+  document.getElementById('emptyScript').innerHTML = 'dmTest.step(function() {assert_unreached("Unsafe inline script ran - innerHTML.")});';
+  document.getElementById('emptyDiv').outerHTML = '<script id=outerHTMLScript>dmTest.step(function() {assert_unreached("Unsafe inline script ran - outerHTML.")});</script>';
+
+  document.write('<script>dmTest.step(function() {assert_unreached("Unsafe inline script ran - document.write")});</script>');
+  document.writeln('<script>dmTest.step(function() {assert_unreached("Unsafe inline script ran - document.writeln")});</script>');
+
+  dmTest.done();
+})();
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/buildInlineWorker.js b/testing/web-platform/tests/content-security-policy/script-src/buildInlineWorker.js
new file mode 100644
index 000000000..8cd092147
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/buildInlineWorker.js
@@ -0,0 +1,21 @@
+(function ()
+{
+ var workerSource = document.getElementById('inlineWorker');
+ var blob = new Blob([workerSource.textContent]);
+
+ // can I create a new script tag like this? ack...
+ var url = window.URL.createObjectURL(blob);
+
+ try {
+   var worker = new Worker(url);
+ }
+ catch (e) {
+   done();
+ }
+
+ worker.addEventListener('message', function(e) {
+   assert_unreached("script ran");
+ }, false);
+
+ worker.postMessage('');
+})();
diff --git a/testing/web-platform/tests/content-security-policy/script-src/inlineSuccessTest.js b/testing/web-platform/tests/content-security-policy/script-src/inlineSuccessTest.js
new file mode 100644
index 000000000..ea2be272a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/inlineSuccessTest.js
@@ -0,0 +1,8 @@
+var inlineRan = false;
+
+onload = function() {
+  test(function() {
+        assert_true(inlineRan, 'Unsafe inline script ran.')},
+        'Inline script in a script tag should  run with an unsafe-inline directive'
+    );
+}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/inlineTests.js b/testing/web-platform/tests/content-security-policy/script-src/inlineTests.js
new file mode 100644
index 000000000..6e76b0a17
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/inlineTests.js
@@ -0,0 +1,4 @@
+var t1 = async_test("Inline script block");
+var t2 = async_test("Inline event handler");
+
+onload = function() {t1.done(); t2.done()}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html
new file mode 100644
index 000000000..c83f512bf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>Inline script should not run without 'unsafe-inline' script-src directive.</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='inlineTests.js'></script>
+</head>
+<body>
+    <h1>Inline script should not run without 'unsafe-inline' script-src directive, even for script-src 'self'.</h1>
+    <div id='log'></div>
+
+    <script>
+      t1.step(function() {assert_unreached('Unsafe inline script ran.');});
+    </script>
+
+    <img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'>
+
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html.sub.headers
new file mode 100644
index 000000000..d91fe1c87
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self'; report-uri  ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html
new file mode 100644
index 000000000..137a16421
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>data: as script src should not run with a policy that doesn't specify data: as an allowed source</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>data: as script src should not run with a policy that doesn't specify data: as an allowed source</h1>
+    <div id='log'></div>
+
+    <script>
+        var dataScriptRan = false;
+    </script>
+
+    <!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+    <script src="data:text/javascript;charset=utf-8;base64,ZGF0YVNjcmlwdFJhbiA9IHRydWU7"></script>
+
+    <script>
+        test(function () {
+            assert_false(dataScriptRan, "data script ran");
+        }, "Verify that data: as script src doesn't run with this policy");
+    </script>
+
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=default-src%20%27self%27+%27unsafe-inline%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html.sub.headers
new file mode 100644
index 000000000..6c0c0fd0a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_10={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: default-src 'self' 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html
new file mode 100644
index 000000000..f1bfee200
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>data: as script src should run with a policy that specifies data: as an allowed source but not 'unsafe-inline'</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>data: as script src should run with a policy that specifies data: as an allowed source but not 'unsafe-inline'</h1>
+    <div id='log'></div>
+
+    <script src="10_1_support_1.js"></script>
+
+    <script src="data:text/javascript;charset=utf-8;base64,ZGF0YVNjcmlwdFJhbiA9IHRydWU7"></script>
+
+    <script src="10_1_support_2.js"></script>
+
+    <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers
new file mode 100644
index 000000000..dfb6f345f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_10_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' data:; report-uri  ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html
new file mode 100644
index 000000000..a41310da9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>Inline script should not run without 'unsafe-inline' script-src directive.</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='inlineTests.js'></script>
+</head>
+<body>
+    <h1>Inline script should not run without 'unsafe-inline' script-src directive, even for script-src *.</h1>
+    <div id='log'></div>
+
+    <script>
+      t1.step(function() {assert_unreached('Unsafe inline script ran.');});
+    </script>
+
+    <img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'>
+
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html.sub.headers
new file mode 100644
index 000000000..4cf9c6950
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_2={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src *; report-uri  ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html
new file mode 100644
index 000000000..255f5df9c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html
@@ -0,0 +1,23 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>Inline script attached by DOM manipulation should not run without an 'unsafe-inline' script-src policy, even with default-src *</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>Inline script attached by DOM manipulation should not run without an 'unsafe-inline' script-src policy, even with default-src *</h1>
+    <div id="log"></div>
+
+    <div id=attachHere></div>
+
+    <script id=emptyScript></script>
+
+    <div id=emptyDiv></div>
+
+    <script src="addInlineTestsWithDOMManipulation.js"></script>
+
+    <script async defer src="../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20*"></script>
+
+</body>
+</html>
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers
new file mode 100644
index 000000000..9c58f0efc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_2_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src *; report-uri  ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html
new file mode 100644
index 000000000..30e6f6870
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>Positive test case: Inline script should run 'unsafe-inline' script-src directive.</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='inlineSuccessTest.js'></script>
+</head>
+<body>
+    <h1>Positive test case: Inline script should run 'unsafe-inline' script-src directive.</h1>
+    <div id='log'></div>
+
+    <script>
+      inlineRan = true;
+    </script>
+
+    <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html.sub.headers
new file mode 100644
index 000000000..8227c6272
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_3={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html
new file mode 100644
index 000000000..5293183d3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>eval() should not run without 'unsafe-eval' script-src directive.</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>eval() should not run without 'unsafe-eval' script-src directive.</h1>
+    <div id='log'></div>
+
+   	<script>
+
+        var evalRan = false;
+
+        test(function() {assert_throws(new EvalError(), function() { eval('evalRan = true;') })}, "eval() should throw without 'unsafe-eval' keyword source in script-src directive.");
+
+        test(function() {assert_false(evalRan);})
+
+    </script>
+
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-inline%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html.sub.headers
new file mode 100644
index 000000000..28ad14b60
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_4={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html
new file mode 100644
index 000000000..31664a169
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>setTimeout() and setInterval() should not run without 'unsafe-eval' script-src directive.</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>setTimeout() and setInterval() should not run without 'unsafe-eval' script-src directive.</h1>
+    <div id='log'></div>
+
+   	<script>
+        var t1 = async_test("window.setTimeout()");
+        var t2 = async_test("window.setInterval()");
+
+        onload = function() {t1.done(); t2.done()}
+
+        window.setTimeout('t1.step(function() {assert_unreached("window.setTimeout() ran without unsafe-eval.")})',0);
+        window.setInterval('t2.step(function() {assert_unreached("window.setInterval() ran without unsafe-eval.")})',0);
+
+    </script>
+
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-eval%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers
new file mode 100644
index 000000000..6bd48d1de
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_4_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html
new file mode 100644
index 000000000..31382936f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>Function() called as a constructor should throw without 'unsafe-eval' script-src directive.</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>Function() called as a constructor should throw without 'unsafe-eval' script-src directive.</h1>
+    <div id='log'></div>
+
+   	<script>
+
+        test(function() {
+            assert_throws(
+                new EvalError(),
+                function() {
+                    var funq = new Function('');
+                    funq();
+        })}, "Unsafe eval ran in Function() constructor.");
+
+    </script>
+
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-inline%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers
new file mode 100644
index 000000000..314849bb9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_4_2={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file