Diffstat (limited to 'testing/web-platform/tests/content-security-policy/blink-contrib-2')
74 files changed, 1744 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/allowed.css b/testing/web-platform/tests/content-security-policy/blink-contrib-2/allowed.css
new file mode 100644
index 000000000..ace543489
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/allowed.css
@@ -0,0 +1,3 @@
+#test {
+ color: green;
+}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html
new file mode 100644
index 000000000..143777407
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>base-uri-allow</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+base-uri http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline' http://www1.{{host}}:{{ports[http][0]}}; connect-src 'self';
+-->
+ <base href="http://www1.{{host}}:{{ports[http][0]}}/">
+ <script>
+ test(function() {
+ if ('{{ports[http][0]}}' == '80' ||
+ '{{ports[http][0]}}' == '443') {
+ assert_equals(document.baseURI, 'http://www1.{{host}}/');
+ } else {
+ assert_equals(document.baseURI, 'http://www1.{{host}}' + ':{{ports[http][0]}}/');
+ }
+
+ log("TEST COMPLETE")
+ });
+
+ </script>
+</head>
+
+<body>
+ <p>Check that base URIs can be set if they do not violate the page's policy.</p>
+ <div id="log"></div>
+ <script async defer src="./content-security-policy/support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
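Review bot: The checkReport script on the last body line is loaded as `./content-security-policy/support/checkReport.sub.js`, which the `<base href="http://www1.{{host}}:{{ports[http][0]}}/">` above resolves against the www1 origin, not the document's own; script-src allows that host, but connect-src is `'self'`, so a relative report-fetch URL inside checkReport would resolve against the same www1 base and be blocked. checkReport.sub.js is not in this diff, so confirm it builds its report URL absolutely. Since every sibling test uses the `../support/` form, a one-line comment above the tag would stop a future "consistency" edit from breaking this test: `<!-- path is resolved against the www1 <base>; do not change to ../support/ -->`.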
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html.sub.headers
new file mode 100644
index 000000000..e749d7238
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-allow.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: base-uri-allow={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: base-uri http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline' http://www1.{{host}}:{{ports[http][0]}}; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html
new file mode 100644
index 000000000..f2b7c591e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>base-uri-deny</title>
+ <base href="http://www1.{{host}}:{{ports[http][0]}}/">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS document.baseURI is document.location.href","TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+base-uri 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ var base = document.createElement('base');
+ base.href = 'http://www1.{{host}}:{{ports[http][0]}}/';
+ document.head.appendChild(base);
+ if (document.baseURI == document.location.href) {
+ log("PASS document.baseURI is document.location.href");
+ log("TEST COMPLETE");
+ }
+
+ </script>
+</head>
+
+<body>
+ <p>Check that base URIs cannot be set if they violate the page's policy.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=base-uri%20'self'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html.sub.headers
new file mode 100644
index 000000000..0312c46d0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/base-uri-deny.sub.html.sub.headers
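Review bot: The inline script logs only when `document.baseURI == document.location.href`; if a `<base>` is wrongly honoured nothing is logged at all, so a regression shows up as a harness timeout rather than a named failure. Adding `else { log("FAIL document.baseURI is " + document.baseURI); }` keeps the expected log sequence intact on success and gives an explicit message on failure. Two base elements are in play here, the static `<base href>` in the head and the one appended by script, presumably to cover both parser-inserted and script-inserted elements; a short comment stating that intent would keep someone from deleting one as redundant.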
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: base-uri-deny={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: base-uri 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html
new file mode 100644
index 000000000..19cf6811c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>form-action-src-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ window.addEventListener("message", function(event) {
+ log(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ log("TEST COMPLETE");
+ }, 0);
+ });
+
+ </script>
+</head>
+
+<body>
+ <iframe name="test_target" id="test_iframe"></iframe>
+
+ <form action="/common/redirect.py?location=/content-security-policy/blink-contrib/resources/postmessage-pass.html" id="theform" method="post" target="test_target">
+ <input type="text" name="fieldname" value="fieldvalue">
+ <input type="submit" id="submit" value="submit">
+ </form>
+ <p>Tests that allowed form actions work correctly.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+ </body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..88cbfda0e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html.sub.headers
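Review bot: `log("TEST COMPLETE")` is called synchronously right after `click()`, yet the expected sequence given to logTest is `["PASS","TEST COMPLETE"]`, and "PASS" can only arrive later through the message handler once the POST and the redirect to postmessage-pass.html have completed. If logTest.sub.js (not in this diff) checks the order, completion races the PASS message; moving the completion into the message handler, `log(event.data); log("TEST COMPLETE");`, and dropping the call after `click()` removes the race. The same pattern is in form-action-src-default-ignored and form-action-src-get-allowed in this series.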
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html
new file mode 100644
index 000000000..0960a8a02
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>form-action-src-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ }, 0);
+ });
+ setTimeout(function() {log("TEST COMPLETE");}, 1);
+
+ </script>
+</head>
+
+<body>
+ <iframe name="test_target" id="test_iframe"></iframe>
+ <form action="/common/redirect.py?location=/content-security-policy/blink-contrib/resources/postmessage-fail.html" id="theform" method="post" target="test_target">
+ <input type="text" name="fieldname" value="fieldvalue">
+ <input type="submit" id="submit" value="submit">
+ </form>
+ <p>Tests that blocking form actions works correctly.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=form-action%20'none'"></script>
+
+ </body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..29351c008
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html.sub.headers
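Review bot: `setTimeout(function() {log("TEST COMPLETE");}, 1);` is armed while the head is still being parsed, so the test is declared complete about a millisecond later, in most runs before the load handler has clicked the submit button. The only failure signal is `alert_assert` on a message from postmessage-fail.html, which cannot arrive that early, so a regression where the POST is not blocked would likely be missed because the harness has already finished. Logging completion from the load handler after `click()` (as the sibling tests do), or better after the message could have arrived, makes this negative test meaningful.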
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html
new file mode 100644
index 000000000..32823d680
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>form-action-src-default-ignored</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; frame-src 'self';
+-->
+ <script>
+ window.addEventListener("message", function(event) {
+ log(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ log("TEST COMPLETE");
+ }, 0);
+ });
+
+ </script>
+</head>
+
+<body>
+ <iframe name="test_target" id="test_iframe"></iframe>
+
+ <form action="/common/redirect.py?location=/content-security-policy/blink-contrib/resources/postmessage-pass.html" id="theform" method="post" target="test_target">
+ <input type="text" name="fieldname" value="fieldvalue">
+ <input type="submit" id="submit" value="submit">
+ </form>
+ <p>Tests that default-src does not cascade to form-action.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html.sub.headers
new file mode 100644
index 000000000..1abbcf50c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html.sub.headers
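Review bot: The `<!-- enforcing policy: -->` comment records `script-src 'self' 'unsafe-inline' 'unsafe-inline'` and no `style-src`, while the matching .sub.headers file in this series sends `default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; frame-src 'self'`. The comment is the only in-file record of the policy under test, so it should be a verbatim copy of the header: `default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; frame-src 'self';`. With `default-src 'none'` the test only proves non-cascading if the iframe itself is allowed to load, which is what `frame-src 'self'` provides; a one-line comment saying so would explain why that directive is present.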
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-default-ignored={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; frame-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html
new file mode 100644
index 000000000..a7d3e584b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>form-action-src-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ window.addEventListener("message", function(event) {
+ log(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ log("TEST COMPLETE");
+ }, 0);
+ });
+
+ </script>
+</head>
+
+<body>
+ <iframe name="test_target" id="test_iframe"></iframe>
+
+ <form action="/common/redirect.py" id="theform" method="get" target="test_target">
+ <input type="text" name="location" value="/content-security-policy/blink-contrib/resources/postmessage-pass.html">
+ <input type="text" name="fieldname" value="fieldvalue">
+ <input type="submit" id="submit" value="submit">
+ </form>
+ <p>Tests that allowed form actions work correctly
+ with GET and a redirect.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+ </body>
+
+</html>
\ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..ac8761518
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-get-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html
new file mode 100644
index 000000000..0910eb419
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html
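Review bot: The `<title>` of form-action-src-get-allowed.sub.html is `form-action-src-allowed`, copied from the POST variant; this is the GET-plus-redirect variant and should read `<title>form-action-src-get-allowed</title>` so harness output tells the two apart. The same copied title is in form-action-src-get-blocked.sub.html. This file is also the only one in the series without a trailing newline (`\ No newline at end of file`).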
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>form-action-src-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ log("TEST COMPLETE");
+ }, 0);
+ });
+
+ </script>
+</head>
+
+<body>
+ <iframe name="test_target" id="test_iframe"></iframe>
+
+ <form action="/common/redirect.py" id="theform" method="get" target="test_target">
+ <input type="text" name="location" value="/content-security-policy/blink-contrib/resources/postmessage-fail.html">
+ <input type="text" name="fieldname" value="fieldvalue">
+ <input type="submit" id="submit" value="submit">
+ </form>
+ <p>Tests that disallowed form actions are blocked
+ with GET and redirects.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=form-action%20'none'
+"></script>
+ </body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..e7a044dbc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html.sub.headers
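Review bot: The `src` of the checkReport script is split across two lines inside the attribute value (`...reportValue=form-action%20'none'` on one line, `"></script>` on the next), so the `reportValue` query parameter carries a trailing newline. If checkReport.sub.js compares that value verbatim against the report's violated-directive, the comparison fails and the test reports a mismatched report rather than the CSP behaviour; the tag should be a single line: `<script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=form-action%20'none'"></script>`. Like the GET-allowed variant, this file's `<title>` is still `form-action-src-allowed`.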
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-get-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html
new file mode 100644
index 000000000..c362ea6fd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>form-action-src-javascript-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+form-action 'none'; script-src 'self' 'nonce-noncynonce'; connect-src 'self';
+-->
+ <script nonce='noncynonce'>
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ log("TEST COMPLETE");
+ }, 0);
+ });
+ </script>
+</head>
+
+<body>
+ <form action="javascript:alert_assert("FAIL!")" id="theform" method="post">
+ <input type="text" name="fieldname" value="fieldvalue">
+ <input type="submit" id="submit" value="submit">
+ </form>
+ <p>Tests that blocking form actions works correctly. If this test passes, a CSP violation will be generated, and will not see a JavaScript alert.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..ffa2288c0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html.sub.headers
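Review bot: `<form action="javascript:alert_assert("FAIL!")" ...>` nests double quotes inside a double-quoted attribute, so the parser ends `action` at `javascript:alert_assert(` and treats `FAIL!")"` as stray attribute text. The value still has the javascript: scheme, so the block is probably still exercised, but the FAIL alert the description promises can never fire even if the policy is not enforced; use `action="javascript:alert_assert('FAIL!')"`. The checkReport query here passes only `reportExists=true`, unlike the sibling tests, so any report at all satisfies it; adding `&reportField=violated-directive&reportValue=form-action%20'none'` pins the check to the directive under test.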
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-javascript-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'none'; script-src 'self' 'nonce-noncynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html
new file mode 100644
index 000000000..e311817eb
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>form-action-src-redirect-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ window.addEventListener("message", function(event) {
+ alert_assert(event.data);
+ }, false);
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ log("TEST COMPLETE");
+ }, 0);
+ });
+ setTimeout(function() {}, 1000);
+
+ </script>
+</head>
+
+<body>
+ <iframe name="test_target" id="test_iframe"></iframe>
+
+ <form id="form1" action="/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/postmessage-fail.html" method="post" target="test_target">
+ <input type="text" name="fieldname" value="fieldvalue">
+ <input type="submit" id="submit" value="submit">
+ </form>
+ <p>Tests that blocking a POST form with a redirect works correctly. If this test passes, a CSP violation will be generated.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=form-action%20'self'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..ee767f4a7
--- /dev/null
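Review bot: `setTimeout(function() {}, 1000);` has an empty callback and does nothing; in particular it does not hold the test open. At the same time `log("TEST COMPLETE")` is issued synchronously after `click()`, before the cross-origin redirect to `http://www1.{{host}}` could deliver a message to the `alert_assert` handler, so the negative check is weak. If the intent was to give a wrongly-allowed redirect time to surface, the completion belongs in that timer, `setTimeout(function() { log("TEST COMPLETE"); }, 1000);`, and the synchronous call after `click()` should go.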
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: form-action-src-redirect-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html
new file mode 100644
index 000000000..41618d4ef
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>meta-outside-head</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS (1/1)"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'none'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self'">
+ <p>This test checks that Content Security Policy delivered via a meta element is not enforced if the element is outside the document's head.</p>
+ <script>
+ var aa = "PASS (1/1)";
+ </script>
+ <script src="metaHelper.js"></script>
+ <div id="log"></div>
+ <script src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
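Review bot: The header policy recorded in the comment, `script-src 'self' 'unsafe-inline' 'none'`, mixes `'none'` with other source expressions; `'none'` only has meaning on its own, and implementations ignore it when other sources are listed, so the effective policy is `script-src 'self' 'unsafe-inline'`. If the extra keyword is carried over from the WebKit original on purpose, a comment such as `<!-- 'none' is deliberately combined with other sources; it must be ignored -->` stops a later cleanup from silently changing what the test covers. The body `<meta http-equiv="Content-Security-Policy">` is the element under test and is correctly placed outside the head.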
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html.sub.headers
new file mode 100644
index 000000000..3cd335192
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/meta-outside-head.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: meta-outside-head={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'none'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/metaHelper.js b/testing/web-platform/tests/content-security-policy/blink-contrib-2/metaHelper.js
new file mode 100644
index 000000000..9191a39c7
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/metaHelper.js
@@ -0,0 +1,5 @@
+if (typeof aa != 'undefined') {
+ alert_assert(aa);
+} else {
+ alert_assert("Failed - allowed inline script blocked by meta policy outside head.");
+}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html
new file mode 100644
index 000000000..fe3f95878
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>plugintypes-mismatched-data</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ This tests that plugin content that doesn't match the declared type doesn't load, even if the document's CSP would allow it. This test passes if "FAIL!" isn't logged.
+ <object type="application/x-invalid-type" data="data:application/x-webkit-test-netscape,logifloaded" log="FAIL!"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html.sub.headers
new file mode 100644
index 000000000..4e5b31b2a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-data.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-mismatched-data={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
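Review bot: The `<object>` signals failure only through the WebKit test plugin (`data:application/x-webkit-test-netscape,logifloaded`) and a non-standard `log="FAIL!"` attribute; in an engine without that plugin the object never loads regardless of policy, so the test passes vacuously and `plugin-types` is not exercised at all. The same dependency appears in plugintypes-mismatched-url and plugintypes-notype-url, which point at `/plugins/resources/mock-plugin.pl`, a path that is not part of this series. plugintypes-notype-data in this series already uses `onload="log('FAIL');"` / `onerror="log('PASS: ...');"` handlers, which are engine-neutral; the same approach here, with a comment that the expected outcome is "object does not load and no report is sent", would make the three tests meaningful outside WebKit.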
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html
new file mode 100644
index 000000000..bc60994ad
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>plugintypes-mismatched-url</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ This tests that plugin content that doesn't match the declared type doesn't load, even if the document's CSP would allow it. This test passes if no iframe is dumped (meaning that no PluginDocument was created).
+ <object type="application/x-invalid-type" data="/plugins/resources/mock-plugin.pl" log="FAIL!"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html.sub.headers
new file mode 100644
index 000000000..38a7450ab
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-mismatched-url.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-mismatched-url={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html
new file mode 100644
index 000000000..eb60d5d4c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>plugintypes-notype-data</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS: object tag onerror handler fired"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ Given a `plugin-types` directive, plugins have to declare a type explicitly. No declared type, no load. This test passes if there's a CSP report and "FAIL!" isn't logged.
+ <object data="data:application/x-webkit-test-netscape" onload="log('FAIL');" onerror="log('PASS: object tag onerror handler fired');"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=plugin-types+application/x-invalid-type"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html.sub.headers
new file mode 100644
index 000000000..ea938378a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-data.sub.html.sub.headers
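Review bot: The expected report value `reportValue=plugin-types+application/x-invalid-type` encodes the space as `+`, whereas the sibling plugin-types tests (notype-url, nourl-blocked) use `%20`; whether checkReport.sub.js turns `+` into a space depends on how it decodes its query string, which is not visible here, so the comparison with the `violated-directive` field may never match without any visible error. Use `reportValue=plugin-types%20application/x-invalid-type` for consistency with the other hunks. The body text also says the test passes if "FAIL!" isn't logged, while the onload handler logs `'FAIL'`; aligning the two strings lets a reader grep for the failure marker.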
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-notype-data={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html
new file mode 100644
index 000000000..e9918941f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>plugintypes-notype-url</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+
+</head>
+
+<body>
+ Given a `plugin-types` directive, plugins have to declare a type explicitly. No declared type, no load. This test passes if there's an error report is sent.
+ <object data="/plugins/resources/mock-plugin.pl" log="FAIL!"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=plugin-types%20application/x-invalid-type"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html.sub.headers
new file mode 100644
index 000000000..ffe26cdf1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-notype-url.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-notype-url={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types application/x-invalid-type; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html
new file mode 100644
index 000000000..222d6500d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>plugintypes-nourl-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+plugin-types application/x-webkit-test-netscape; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there isn't a CSP violation sayingthe plugin was blocked.
+ <object type="application/x-webkit-test-netscape"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..7fef2a5b5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-nourl-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types application/x-webkit-test-netscape; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
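Review bot: The description reads "sayingthe plugin was blocked"; the same missing space is in the plugintypes-nourl-blocked hunk that follows. Beyond wording, this page's only assertion is `reportExists=false`, which cannot tell a plugin that was allowed from one that never attempted to load, so the intent deserves a line of its own, e.g. `<!-- positive case: the declared type is listed in plugin-types, so no violation report may be generated -->` next to the policy comment.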
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html
new file mode 100644
index 000000000..b5cc5a5a4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>plugintypes-nourl-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+plugin-types text/plain; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This test passes if there is a CSP violation sayingthe plugin was blocked.
+ <object type="application/x-webkit-test-netscape"></object>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=plugin-types%20text/plain"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..709bf90df
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/plugintypes-nourl-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: plugintypes-nourl-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: plugin-types text/plain; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html
new file mode 100644
index 000000000..2a94692ee
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html
@@ -0,0 +1,65 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>script-src disallowed wildcard use</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ </head>
+ <body>
+ <!-- enforcing policy:
+script-src 'nonce-nonce' *; connect-src 'self';
+-->
+ <script nonce="nonce">
+ var t1 = async_test('data: URIs should not match *');
+ t1.step(function() {
+ var script = document.createElement("script");
+ script.src = 'data:application/javascript,';
+ script.addEventListener('load', t1.step_func(function() {
+ assert_unreached('Should not successfully load data URI.');
+ }));
+ script.addEventListener('error', t1.step_func(function() {
+ t1.done();
+ }));
+ document.head.appendChild(script);
+ });
+
+ var t2 = async_test('blob: URIs should not match *');
+ t2.step(function() {
+ var b = new Blob([''], { type: 'application/javascript' });
+ var script = document.createElement('script');
+ script.addEventListener('load', t2.step_func(function() {
+ assert_unreached('Should not successfully load blob URI.');
+ }));
+ script.addEventListener('error', t2.step_func(function() {
+ t2.done();
+ }));
+
+ script.src = URL.createObjectURL(b);
+ document.head.appendChild(script);
+ });
+
+ var t3 = async_test('filesystem URIs should not match *');
+ if (window.webkitRequestFileSystem) {
+ window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs) {
+ fs.root.getFile('fail.js', {create: true}, function(fileEntry) {
+ fileEntry.createWriter(function(fileWriter) {
+ var script = document.createElement('script');
+
+ script.addEventListener('load', t3.step_func(function() {
+ assert_unreached('Should not successfully load filesystem URI.');
+ }));
+ script.addEventListener('error', t3.step_func(function() {
+ t3.done();
+ }));
+
+ script.src = fileEntry.toURL('application/javascript');
+ document.body.appendChild(script);
+ });
+ });
+ });
+ } else {
+ t3.done();
+ }
+ </script>
+ </body>
+</html>
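Review bot: The filesystem branch of t3 passes no error callback to `webkitRequestFileSystem`, `getFile` or `createWriter`, so any failure in that chain leaves t3 pending until the harness timeout instead of failing with a reason; passing `t3.unreached_func('filesystem setup failed')` as the error callback of each of the three calls fixes that. `fileEntry.toURL('application/javascript')` also passes an argument that, as far as I can tell, the File API `toURL()` does not take, which is easy to misread as affecting the request; worth confirming and dropping. In t1 and t2 the load listeners could be `t1.unreached_func('Should not successfully load data URI.')` / `t2.unreached_func('Should not successfully load blob URI.')` rather than `step_func` around `assert_unreached`, which is the harness idiom for an event that must not fire.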
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html.sub.headers
new file mode 100644
index 000000000..cd9543913
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-wildcards-disallowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'nonce-nonce' *; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html
new file mode 100644
index 000000000..a7a217448
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scripthash-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/content-security-policy/support/alertAssert.sub.js?alerts=%5B%22PASS%20(1%2F4)%22%2C%22PASS%20(2%2F4)%22%2C%22PASS%20(3%2F4)%22%2C%22PASS%20(4%2F4)%22%5D">
+
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'sha256-IFmozo9WnnsMXVl/Ka8XzJ3Nd8yzS2zA2ME0mwtd+Ck=' 'sha256-jSpTmJKcrnHttKdYM/wCCDJoQY5tdSxNf7zd2prwFfI=' 'sha256-qbgA2XjB2EZKjn/UmK7v/K77t+fvfxA89QT/K9qPNyE=' 'sha256-K+7X5Ip3msvRvyQzf6fkrWZziuhaUIee1aLnlP5nX10='; connect-src 'self';
+-->
+ <script>
+ alert_assert('PASS (1/4)');
+
+ </script>
+ <script>
+ alert_assert('PASS (2/4)');
+
+ </script>
+ <script>
+ alert_assert('PASS (3/4)');
+
+ </script>
+ <script>
+ alert_assert('PASS (4/4)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid script-hash value. It passes if no CSP violation is generated, and the alert_assert() is executed.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..e0fe373b6
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-allowed.sub.html.sub.headers
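Review bot: Nothing in the file says that the four `sha256-` values in the policy are computed over the exact source text of each inline `<script>` body, including the leading newline and the blank line before `</script>`, so an editor or formatter that touches the whitespace silently turns this positive test into a blocked one. A comment next to the policy comment, such as `<!-- the hashes above cover the exact source text of each inline script below, whitespace included; do not reformat them -->`, would prevent that. The `<script src=".../alertAssert.sub.js ...">` element with two blank lines between its tags is harmless, since content of a `src` script is ignored, but could be collapsed to `></script>` like the sibling tests.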
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripthash-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'sha256-IFmozo9WnnsMXVl/Ka8XzJ3Nd8yzS2zA2ME0mwtd+Ck=' 'sha256-jSpTmJKcrnHttKdYM/wCCDJoQY5tdSxNf7zd2prwFfI=' 'sha256-qbgA2XjB2EZKjn/UmK7v/K77t+fvfxA89QT/K9qPNyE=' 'sha256-K+7X5Ip3msvRvyQzf6fkrWZziuhaUIee1aLnlP5nX10='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html
new file mode 100644
index 000000000..ac7b2c02f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html
@@ -0,0 +1,69 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scripthash-basic-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script>
+ var t_alert = async_test('Expecting alerts: ["PASS (1/1)"]');
+ var expected_alerts = ["PASS (1/1)"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo='; connect-src 'self';
+-->
+ <script>
+ alert_assert('PASS (1/1)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (1/4)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (2/4)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (3/4)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (4/4)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid script-hash value, with one valid script and several invalid ones. It passes if one alert is executed and a CSP violation is reported.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo='"></script>
+</body>
+
+</html>
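Review bot: The in-page policy comment (`script-src 'self' 'unsafe-inline' 'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo='`) and the expected report `reportValue=script-src%20'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo='` both describe a sha1 policy with `'unsafe-inline'`, while the companion `.sub.headers` hunk on the next line sends `script-src 'self' 'sha256-k7iO...' 'sha256-EgE/...'` with neither; whatever the browser puts in `violated-directive` will reflect the header, so the expected value looks stale and the comment misleads the next reader. Update both to quote the header's sha256 policy, or, if checkReport only matches a prefix, say so in a comment. Separately, the `alert_assert` helper ends with `t_log.done()`, which refers to a variable that is never defined (only `t_alert` exists) and is unreachable anyway because `assert_unreached` throws; the `t_alert.done()` after the first `assert_unreached(msg)` is dead for the same reason. The same copy of the helper, with the same `t_log`, is pasted into the scripthash-ignore-unsafeinline, scriptnonce-allowed and scriptnonce-and-scripthash hunks, so it should be fixed once in a shared support script rather than in four places.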
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..6a92e06f4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripthash-basic-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html
new file mode 100644
index 000000000..a11a224ae
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>script-hash allowed from default-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+
+ <script>done();</script>
+ </head>
+
+ <body>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+ </body>
+</html>
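Review bot: The scripthash-default-src page has neither a policy comment nor a description paragraph, unlike its siblings, and its pass condition rests entirely on `done()` being reached from the inline script; if the header's hash does not cover `done();` exactly, the page just times out with nothing on screen explaining why. Add `<!-- enforcing policy: default-src 'self' 'sha256-sc3CeiHrlck5tH2tTC4MnBYFnI9D5zp8f9odqnmGQjE='; connect-src 'self'; -->` (the value the `.sub.headers` hunk on the next line sends) and a `<p>` stating that a hash listed in `default-src` must authorize an inline script when no `script-src` is present. If the harness version in use supports it, `setup({single_test: true})` ahead of `done()` would also make the single-page-test intent explicit rather than implied by a bare `done()`.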
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html.sub.headers
new file mode 100644
index 000000000..d8893af41
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-default-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripthash-default-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: default-src 'self' 'sha256-sc3CeiHrlck5tH2tTC4MnBYFnI9D5zp8f9odqnmGQjE='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html
new file mode 100644
index 000000000..545099e08
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html
@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scripthash-ignore-unsafeinline</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script>
+ var t_alert = async_test('Expecting alerts: ["PASS (1/1)"]');
+ var expected_alerts = ["PASS (1/1)"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo=' 'unsafe-inline'; connect-src 'self';
+-->
+ <script>
+ alert_assert('PASS (1/1)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (1/1)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests that a valid hash value disables inline JavaScript, even if 'unsafe-inline' is present.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo='%20'unsafe-inline'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html.sub.headers
new file mode 100644
index 000000000..fb3fc7655
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripthash-ignore-unsafeinline={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' unsafe-inline' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html
new file mode 100644
index 000000000..bd1e0365c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html
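Review bot: The policy line sends `script-src 'self' unsafe-inline' 'sha256-...'` — the opening quote before `unsafe-inline` is missing, so that token is not a valid source expression and a conforming parser will drop it; the page then runs under a hash-only policy and never exercises the case its title and description claim (a hash present together with `'unsafe-inline'`). The line should read `Content-Security-Policy: script-src 'self' 'unsafe-inline' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}`. The in-page policy comment and the `reportValue` in the preceding HTML hunk still describe a sha1 policy and need the same update so that the expected `violated-directive` matches what this header actually produces.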
@@ -0,0 +1,71 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scripthash-unicode-normalization</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+
+ <!-- enforcing policy:
+script-src 'self' 'nonce-nonceynonce' 'sha256-dWTP4Di8KBjaiXvQ5mRquI9OoBSo921ahYxLfYSiuT8='; connect-src 'self';
+-->
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+</head>
+
+<body>
+ <!-- The following two scripts contain two separate code points (U+00C5
+ and U+212B, respectively) which, depending on your text editor, might be
+ rendered the same.However, their difference is important because, under
+ NFC normalization, they would become the same code point, which would be
+ against the spec. This test, therefore, validates that the scripts have
+ *different* hash values. -->
+ <script nonce="nonceynonce">
+ var matchingContent = 'Ã…';
+ var nonMatchingContent = 'â„«';
+
+ // This script should have a hash value of
+ // sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c=
+ var scriptContent1 = "window.finish('" + matchingContent + "');";
+
+ // This script should have a hash value of
+ // sha256-iNjjXUXds31FFvkAmbC74Sxnvreug3PzGtu16udQyqM=
+ var scriptContent2 = "window.finish('" + nonMatchingContent + "');";
+
+ var script1 = document.createElement('script');
+ var script2 = document.createElement('script');
+
+ script1.test = async_test("Only matching content runs even with NFC normalization.");
+
+ var failure = function() {
+ assert_unreached();
+ }
+
+ window.finish = function(content) {
+ if (content == matchingContent) {
+ script1.test.step(function() {
+ script1.test.done();
+ });
+ } else {
+ script1.test.step(function() {
+ assert_unreached("nonMatchingContent script ran");
+ });
+ }
+ }
+
+ script1.onerror = failure;
+
+ document.body.appendChild(script2);
+ script2.textContent = 
scriptContent2;
+ document.body.appendChild(script1);
+ script1.textContent = scriptContent1;
+ </script>
+
+ <p>
+ This tests Unicode normalization. While appearing the same, the strings in the scripts are different Unicode points, but through normalization, should be the same when the hash is taken.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html.sub.headers
new file mode 100644
index 000000000..a23724f8a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scripthash-unicode-normalization={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'nonce-nonceynonce' 'sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html
new file mode 100644
index 000000000..2a1321d24
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html
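Review bot: The two literals appear here as `'Ã…'` and `'â„«'`, which are the UTF-8 bytes of U+00C5 and U+212B read back as single-byte characters; if that is what the file contains rather than an artifact of this view, the inline script's source text is not what the `sha256-9UFeeZ...` value in the `.sub.headers` hunk was computed over, and the test silently degrades into a "both scripts blocked" case that only times out. Confirm the file is stored as UTF-8 with the intended code points, and move `<meta http-equiv="Content-Type" content="text/html; charset=utf-8">` to the top of `<head>`, ahead of any `<script>`, so the document is decoded as UTF-8 before the hashed scripts are seen. The `<p>` at the bottom says the strings "should be the same when the hash is taken", contradicting the comment above the script that they must hash *differently*; the comment is the one consistent with the policy, so the paragraph should be rewritten to match. The in-page policy comment lists `sha256-dWTP4Di8...` while the header sends `sha256-9UFeeZ...`, so the comment is stale too. `script1.onerror = failure` looks vestigial, since as far as I know a CSP-blocked inline script does not dispatch an error event; if script1 were blocked the test would time out rather than fail, so a comment saying that the timeout is the failure mode would help.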
@@ -0,0 +1,64 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scriptnonce-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce="noncynonce">
+ function log(msg) {
+ test(function() {
+ assert_unreached(msg)
+ });
+ }
+
+ </script>
+ <script nonce="noncynonce">
+ var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)"]');
+ var expected_alerts = ["PASS (1/2)", "PASS (2/2)"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/=nonce'; connect-src 'self';
+-->
+ <script nonce="noncynonce">
+ alert_assert('PASS (1/2)');
+
+ </script>
+ <script nonce="noncy+/=nonce">
+ alert_assert('PASS (2/2)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid script-nonce value. It passes if no CSP violation is generated and the alerts are executed.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..a69c927c9
--- /dev/null
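Review bot: The in-page policy comment includes `'unsafe-inline'`, but the `.sub.headers` hunk on the next line sends `script-src 'self' 'nonce-noncynonce' 'nonce-noncy+/=nonce'` without it; since the point of the test is that the nonces alone authorize the two scripts, the comment should quote the header policy verbatim, otherwise a reader cannot tell whether the scripts ran because of the nonce or because of `'unsafe-inline'`. The `log()` helper in the first nonced script is defined but never called anywhere in this page and can be dropped, or a comment should say which support script is expected to call it.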
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scriptnonce-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'nonce-noncynonce' 'nonce-noncy+/=nonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html
new file mode 100644
index 000000000..2b333cbea
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html
@@ -0,0 +1,76 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scriptnonce-and-scripthash</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce="nonceynonce">
+ function log(msg) {
+ test(function() {
+ assert_unreached(msg)
+ });
+ }
+
+ </script>
+ <script nonce="nonceynonce">
+ var t_alert = async_test('Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"]');
+ var expected_alerts = ["PASS (1/3)", "PASS (2/3)", "PASS (3/3)"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self';
+-->
+ <script nonce="nonceynonce">
+ alert_assert('PASS (1/3)');
+
+ </script>
+ <script>
+ alert_assert('PASS (2/3)');
+
+ </script>
+ <script nonce="nonceynonce">
+ alert_assert('PASS (3/3)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (1/2)');
+
+ </script>
+ <script nonce="notanonce">
+ alert_assert('FAIL (2/2)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the combined use of script hash and script nonce. It passes if a CSP violation is generated and the three alerts show PASS.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'sha1-MfuEFRkC2LmR31AMy9KW2ZLDegA='%20'sha1-p70t5PXyndLfjKNjbyBBOL1gFiM='%20'nonce-nonceynonce'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html.sub.headers
new file mode 100644
index 000000000..afa33e6df
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-and-scripthash.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scriptnonce-and-scripthash={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html
new file mode 100644
index 000000000..4815ca100
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html
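Review bot: The expected report `reportValue=script-src%20'sha1-MfuEFRkC2LmR31AMy9KW2ZLDegA='%20'sha1-p70t5PXyndLfjKNjbyBBOL1gFiM='%20'nonce-nonceynonce'` names two sha1 hashes, but the `.sub.headers` hunk that follows sends `script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'`; the `violated-directive` the browser reports will reflect the header, so unless checkReport tolerates a mismatch this check cannot pass, and a genuine regression would be indistinguishable from the stale expectation. Update the value to the header's policy (including `'self'`) and keep the two in step whenever the header changes. A one-line comment next to the policy comment noting that the two unnonced scripts (`PASS (2/3)` and `FAIL (1/2)`) differ only in their string literal, which is exactly what the single sha256 hash is meant to discriminate, would also help the next reader.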
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scriptnonce-basic-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)"]'></script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self';
+-->
+ <script nonce="noncynonce">
+ alert_assert('PASS (closely-quoted nonce)');
+
+ </script>
+ <script nonce=" noncynonce ">
+ alert_assert('PASS (nonce w/whitespace)');
+
+ </script>
+ <script nonce="noncynonce noncynonce">
+ alert_assert('FAIL (1/3)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (2/3)');
+
+ </script>
+ <script nonce="noncynonceno?">
+ alert_assert('FAIL (3/3)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid script-nonce value. It passes if a CSP violation is generated, and the two PASS alerts are executed.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'nonce-noncynonce'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..ee4e8b3f0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-basic-blocked.sub.html.sub.headers
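Review bot: The enforcing-policy comment says `script-src 'self' 'unsafe-inline' 'nonce-noncynonce'`, but the .sub.headers file that actually delivers the policy sends `script-src 'self' 'nonce-noncynonce'` without `'unsafe-inline'`; the comment is what a reader trusts when deciding why the three FAIL scripts are blocked, so it should be corrected to the served directive. The `reportValue` also omits `'self'` (`script-src%20'nonce-noncynonce'` versus the served `script-src 'self' 'nonce-noncynonce'`); if checkReport.sub.js compares the violated-directive field exactly this fails, and the same omission appears in scriptnonce-ignore-unsafeinline, stylehash-basic-blocked and stylenonce-allowed. The `nonce=" noncynonce "` case is expected to PASS, which encodes an assumption that the engine trims whitespace from the attribute; a one-line comment stating that this is the behaviour under test would help whoever reconciles it with the spec later.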
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scriptnonce-basic-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'nonce-noncynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html
new file mode 100644
index 000000000..d1b97dfb9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scriptnonce-ignore-unsafeinline</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce='noncynonce'>
+ function log(msg) {
+ test(function() {
+ assert_unreached(msg)
+ });
+ }
+
+ </script>
+ <script nonce='noncynonce'>
+ var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)"]');
+ var expected_alerts = ["PASS (1/2)", "PASS (2/2)"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/=nonce' 'unsafe-inline'; connect-src 'self';
+-->
+ <script nonce="noncynonce">
+
+
+ </script>
+ <script nonce="noncynonce">
+ alert_assert('PASS (1/2)');
+
+ </script>
+ <script nonce="noncy+/=nonce">
+ alert_assert('PASS (2/2)');
+
+ </script>
+ <script>
+ alert_assert('FAIL (1/1)');
+
+ </script>
+</head>
+
+<body>
+ <p>
+ This tests that a valid nonce disables inline JavaScript, even if 'unsafe-inline' is present.
+ </p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'nonce-noncynonce'%20'nonce-noncy+/=nonce'%20'unsafe-inline'"></script>
+</body>
+
+</html>
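Review bot: The `reportValue` query carries `'nonce-noncy+/=nonce'` with a raw `+`; in a form-encoded query string `+` decodes to a space, so if checkReport.sub.js reads its parameters with URLSearchParams or an equivalent decoder the expected value becomes `nonce-noncy /=nonce` and never matches the report. Writing it as `'nonce-noncy%2B/=nonce'` removes the ambiguity; stylenonce-allowed has the same raw `+` in its reportValue. The expected directive also lists `'unsafe-inline'` once and omits `'self'`, while the served header is `script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/=nonce' 'unsafe-inline'`, so an exact comparison would fail even with the encoding fixed. The first `<script nonce="noncynonce">` element after the policy comment is empty and looks like conversion residue.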
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html.sub.headers
new file mode 100644
index 000000000..01f7e185a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scriptnonce-ignore-unsafeinline={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/=nonce' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html
new file mode 100644
index 000000000..a17f1fb5c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>scriptnonce-redirect</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script nonce="noncynonce">
+ function log(msg) {
+ test(function() {
+ assert_unreached(msg)
+ });
+ }
+
+ </script>
+ <script nonce="noncynonce">
+ var t_alert = async_test('Expecting alerts: ["PASS"]');
+ var expected_alerts = ["PASS"];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self';
+-->
+</head>
+
+<body>
+ This tests whether a deferred script load caused by a redirect is properly allowed by a nonce.
+ <script nonce="noncynonce" src="/common/redirect.py?location=http://{{host}}:{{ports[http][0]}}/content-security-policy/support/alert-pass.js"></script>
+ <script nonce="noncynonce">
+
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html.sub.headers
new file mode 100644
index 000000000..8d71f88d5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/scriptnonce-redirect.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: scriptnonce-redirect={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html
new file mode 100644
index 000000000..82cad0347
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>securitypolicyviolation-block-cross-origin-image-from-script</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ var x = document.createElement('script');
+ x.src = 'http://{{host}}:{{ports[http][0]}}/content-security-policy/support/inject-image.js';
+ document.body.appendChild(x);
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=img-src%20'none'"></script>
+</body>
+
+</html>
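Review bot: With `'self'` in the served `script-src`, the redirected script is authorised by origin alone: `/common/redirect.py` sends the load to `http://{{host}}:{{ports[http][0]}}/content-security-policy/support/alert-pass.js`, which, if that is the document's own origin, matches `'self'` whether or not the nonce is honoured after the redirect. The test therefore passes even in an engine that drops the nonce on redirect, which is the behaviour its title says it checks; pointing the redirect target at an origin the policy does not list (a second host the WPT server provides) would make the nonce the only thing allowing the load, while `'self'` can stay for the harness scripts. The empty `<script nonce="noncynonce">` element after the redirected script looks like conversion residue, and the description sits as bare text in `<body>` rather than in a `<p>` as in the sibling tests. The enforcing-policy comment and header also carry `'unsafe-inline'`, which the nonce disables and which the test does not need.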
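Review bot: The page loads logTest.sub.js with `logs=["TEST COMPLETE"]` but never calls `log("TEST COMPLETE")` itself, unlike securitypolicyviolation-block-cross-origin-image and securitypolicyviolation-block-image-from-script, which log it inline right after `appendChild`. Unless inject-image.js calls `log` on this page's behalf, the log test never completes and the file times out rather than failing cleanly; adding `log("TEST COMPLETE");` after `document.body.appendChild(x);` would match the siblings. The title says "cross-origin", yet the injected script is fetched from `http://{{host}}:{{ports[http][0]}}`, presumably the document's own origin, so a comment saying where the cross-origin image request actually originates (inside inject-image.js?) would spare the next reader a detour.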
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.sub.headers
new file mode 100644
index 000000000..723ed281f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: securitypolicyviolation-block-cross-origin-image-from-script={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html
new file mode 100644
index 000000000..9b7dc32e1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>securitypolicyviolation-block-cross-origin-image</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ var img = document.createElement('img');
+ img.src = 'http://{{host}}:{{ports[http][0]}}/security/resources/abe.png';
+ document.body.appendChild(img);
+ log("TEST COMPLETE");
+
+ </script>
+ <p>Check that a SecurityPolicyViolationEvent strips detail from cross-origin blocked URLs.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=img-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html.sub.headers
new file mode 100644
index 000000000..d701a476f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html.sub.headers
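Review bot: The `<p>` promises that "a SecurityPolicyViolationEvent strips detail from cross-origin blocked URLs", but nothing on the page listens for `securitypolicyviolation` or inspects `blockedURI`; the only check is checkReport's presence/violated-directive test, so the stripping behaviour is never verified. The same gap exists in securitypolicyviolation-block-image-from-script and securitypolicyviolation-block-image, whose descriptions also claim the event is fired. Either register `document.addEventListener('securitypolicyviolation', …)` inside an `async_test` and assert on `e.blockedURI` (for a cross-origin resource the reporting algorithm reduces it to the origin), or reword the paragraph to say only that a violation report is expected. As written, `img.src` points at `http://{{host}}:{{ports[http][0]}}/security/resources/abe.png`, which is the page's own host and port and looks like a WebKit layout-test path, so "cross-origin" is likely inaccurate too.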
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: securitypolicyviolation-block-cross-origin-image={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html
new file mode 100644
index 000000000..33facfbc3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>securitypolicyviolation-block-image-from-script</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ var script = document.createElement('script');
+ script.src = '../support/inject-image.js';
+ document.body.appendChild(script);
+ log("TEST COMPLETE");
+
+ </script>
+ <p>Check that a SecurityPolicyViolationEvent is fired upon blocking an image injected via script.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=img-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html.sub.headers
new file mode 100644
index 000000000..6b6084dc5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: securitypolicyviolation-block-image-from-script={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html
new file mode 100644
index 000000000..3e62e2d35
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>securitypolicyviolation-block-image</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <script>
+ var img = document.createElement('img');
+ img.src = '../support/fail.png';
+ img.onerror = function() {
+ log("TEST COMPLETE");
+ };
+ img.onload = function() {
+ log("FAIL");
+ };
+ document.body.appendChild(img);
+
+ </script>
+ <p>Check that a SecurityPolicyViolationEvent is fired upon blocking an image.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=img-src%20'none'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html.sub.headers
new file mode 100644
index 000000000..1f4f84578
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/securitypolicyviolation-block-image.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: securitypolicyviolation-block-image={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html
new file mode 100644
index 000000000..282b18502
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html
@@ -0,0 +1,77 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>stylehash-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script>
+ var t_alert = async_test('Expecting alerts: ["PASS (1/4): The \'#p1\' element\'s text is green, which means the style was correctly applied.","PASS (2/4): The \'#p2\' element\'s text is green, which means the style was correctly applied.","PASS (3/4): The \'#p3\' element\'s text is green, which means the style was correctly applied.","PASS (4/4): The \'#p4\' element\'s text is green, which means the style was correctly applied."]');
+ var expected_alerts = ["PASS (1/4): The '#p1' element's text is green, which means the style was correctly applied.", "PASS (2/4): The '#p2' element's text is green, which means the style was correctly applied.", "PASS (3/4): The '#p3' element's text is green, which means the style was correctly applied.", "PASS (4/4): The '#p4' element's text is green, which means the style was correctly applied."];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+style-src 'sha256-pAKi9r4/WB7fHydbE3F3t8i8602ij2JN8zHJpL2T5BM=' 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw=' 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcSt' 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9KqwvCSapSz5CVoUGHQcxv43UQg==';
script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+</head>
+
+<body>
+ <p id="p1">This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p1 is fired.</p>
+ <p id="p2">This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p2 is fired.</p>
+ <p id="p3">This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p3 is fired.</p>
+ <p id="p4">This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p4 is fired.</p>
+ <style>p#p1 { color: green; }</style>
+ <style>p#p2 { color: green; }</style>
+ <style>p#p3 { color: green; }</style>
+ <style>p#p4 { color: green; }</style>
+ <script>
+ var color = window.getComputedStyle(document.querySelector('#p1')).color;
+ if (color === "rgb(0, 128, 0)")
+ alert_assert("PASS (1/4): The '#p1' element's text is green, which means the style was correctly applied.");
+ else
+ alert_assert("FAIL (1/4): The '#p1' element's text is " + color + ", which means the style was incorrectly applied.");
+ var color = window.getComputedStyle(document.querySelector('#p2')).color;
+ if (color === "rgb(0, 128, 0)")
+ alert_assert("PASS (2/4): The '#p2' element's text is green, which means the style was correctly applied.");
+ else
+ alert_assert("FAIL (2/4): The '#p2' element's text is " + color + ", which means the style was incorrectly applied.");
+ var color = window.getComputedStyle(document.querySelector('#p3')).color;
+ if (color === "rgb(0, 128, 0)")
+ alert_assert("PASS (3/4): The '#p3' element's text is green, which means the style was correctly applied.");
+ else
+ alert_assert("FAIL (3/4): The '#p3' element's text is " + color + ", which means the style was incorrectly applied.");
+ var color = window.getComputedStyle(document.querySelector('#p4')).color;
+ if (color === "rgb(0, 128, 0)")
+ alert_assert("PASS (4/4): The '#p4' element's text is green, which
means the style was correctly applied.");
+ else
+ alert_assert("FAIL (4/4): The '#p4' element's text is " + color + ", which means the style was incorrectly applied.");
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..2b519e85e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-allowed.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: stylehash-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: style-src 'self' 'sha256-pAKi9r4/WB7fHydbE3F3t8i8602ij2JN8zHJpL2T5BM=' 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw=' 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcSt' 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9KqwvCSapSz5CVoUGHQcxv43UQg=='; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html
new file mode 100644
index 000000000..274db0140
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html
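Review bot: The four five-line checks for `#p1`–`#p4` in the body `<script>` are copy-pasted with only the id and the counter changed, and `var color` is redeclared each time; a loop over the ids emits the same four `alert_assert` strings byte-for-byte and keeps the check in one place next to the `expected_alerts` list it must agree with. Separately, each `'sha256-…'`, `'sha384-…'` and `'sha512-…'` expression is bound to the exact text of one `<style>` element (`p#p1 { color: green; }` and so on), so a comment beside them such as `<!-- each hash covers one <style> body byte-for-byte; reformatting the <style> elements breaks the test -->` would stop a formatter from silently turning this into a failure. The enforcing-policy comment also lacks the `'self'` that the .sub.headers file sends.
```html
<script>
['p1', 'p2', 'p3', 'p4'].forEach(function(id, i) {
  var color = window.getComputedStyle(document.querySelector('#' + id)).color;
  var n = '(' + (i + 1) + '/4)';
  if (color === "rgb(0, 128, 0)")
    alert_assert("PASS " + n + ": The '#" + id + "' element's text is green, which means the style was correctly applied.");
  else
    alert_assert("FAIL " + n + ": The '#" + id + "' element's text is " + color + ", which means the style was incorrectly applied.");
});
</script>
```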
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>stylehash-basic-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script>
+ var t_alert = async_test('Expecting alerts: ["PASS: The \'p\' element\'s text is green, which means the style was correctly applied."]');
+ var expected_alerts = ["PASS: The 'p' element's text is green, which means the style was correctly applied."];
+
+ function alert_assert(msg) {
+ t_alert.step(function() {
+ if (msg.match(/^FAIL/i)) {
+ assert_unreached(msg);
+ t_alert.done();
+ }
+ for (var i = 0; i < expected_alerts.length; i++) {
+ if (expected_alerts[i] == msg) {
+ assert_true(expected_alerts[i] == msg);
+ expected_alerts.splice(i, 1);
+ if (expected_alerts.length == 0) {
+ t_alert.done();
+ }
+ return;
+ }
+ }
+ assert_unreached('unexpected alert: ' + msg);
+ t_log.done();
+ });
+ }
+
+ </script>
+ <!-- enforcing policy:
+style-src 'sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo='; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <style>p { color: green; }</style>
+ <style>p { color: red; }</style>
+ <style>p { color: purple; }</style>
+ <style>p { color: blue; }</style>
+</head>
+
+<body>
+ <p>
+ This tests the effect of a valid style-hash value, with one valid style and several invalid ones. It passes if the valid style is applied and a CSP violation is generated.
+ </p>
+ <script>
+ var color = window.getComputedStyle(document.querySelector('p')).color;
+ if (color === "rgb(0, 128, 0)")
+ alert_assert("PASS: The 'p' element's text is green, which means the style was correctly applied.");
+ else
+ alert_assert("FAIL: The 'p' element's text is " + color + ", which means the style was incorrectly applied.");
+
+ </script>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=style-src%20'sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo='"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..ac9ca4e87
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-basic-blocked.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: stylehash-basic-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: style-src 'self' 'sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo='; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html
new file mode 100644
index 000000000..159338c6d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html
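Review bot: The hash source that is supposed to admit the green style is `'sha1-pfeR5wMA6np45oqDTP6Pj3tLpJo='`, but CSP Level 2 and 3 define only sha256, sha384 and sha512 as hash algorithms; in a conforming engine a `'sha1-…'` token is an unrecognised source expression, none of the four `<style>` elements is allowed, and the `p` text keeps its default colour, so the PASS expectation here encodes Blink-specific SHA-1 support rather than standard behaviour. If the intent is a spec test, the token should be a sha256 digest of `p { color: green; }`, kept identical in the enforcing-policy comment, the .sub.headers file and the `reportValue`. The `reportValue` also omits the `'self'` that the served `style-src 'self' 'sha1-…'` carries, so an exact violated-directive comparison would fail even once the algorithm is fixed.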
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>stylehash allowed from default-src</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ </head>
+
+ <body>
+ <p id="p">Test</p>
+ <style>p#p { color: green; }</style>
+ <script>
+ var color = window.getComputedStyle(document.querySelector('#p')).color;
+ assert_equals(color, "rgb(0, 128, 0)");
+ done();
+ </script>
+
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
+ </body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html.sub.headers
new file mode 100644
index 000000000..8efe9d965
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylehash-default-src.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: stylehash-default-src={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: default-src 'self' 'sha256-SXMrww9+PS7ymkxYbv91id+HfXeO7p1uCY0xhNb4MIw='; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html
new file mode 100644
index 000000000..c8622ba24
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html
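Review bot: This is the only test in the set without the `<!-- enforcing policy: … -->` comment, so a reader has to open the .sub.headers file to learn that the hash in `default-src 'self' 'sha256-SXMrww9+PS7ymkxYbv91id+HfXeO7p1uCY0xhNb4MIw='` is what admits `p#p { color: green; }` in the absence of a `style-src` directive; adding `<!-- enforcing policy: default-src 'self' 'sha256-SXMrww9+PS7ymkxYbv91id+HfXeO7p1uCY0xhNb4MIw='; script-src 'self' 'unsafe-inline'; connect-src 'self'; -->` before the `<style>` would match the siblings. As with the other hash tests, that digest is bound to the exact bytes of the `<style>` body, which is worth saying in the same comment so a formatter does not break the test.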
@@ -0,0 +1,54 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>stylenonce-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'self' nonce-noncynonce' 'nonce-noncy+/=nonce'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script></script>
+ <style nonce="noncynonce">
+ #test1 {
+ color: green;
+ }
+
+ </style>
+ <style>
+ #test1 {
+ color: red;
+ }
+
+ </style>
+ <style nonce="noncynonce">
+ #test2 {
+ color: green;
+ }
+
+ </style>
+</head>
+
+<body>
+ <p id="test1">This text should be green.</p>
+ <p id="test2">This text should also be green.</p>
+ <script>
+ var el = document.querySelector('#test1');
+ test(function() {
+ assert_equals(window.getComputedStyle(el).color, "rgb(0, 128, 0)")
+ });
+ var el = document.querySelector('#test2');
+ test(function() {
+ assert_equals(window.getComputedStyle(el).color, "rgb(0, 128, 0)")
+ });
+
+ </script>
+ <p>Style correctly whitelisted via a 'nonce-*' expression in 'style-src' should be applied to the page.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=style-src%20'nonce-noncynonce'%20'nonce-noncy+/=nonce'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html.sub.headers
new file mode 100644
index 000000000..28c85c91a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-allowed.sub.html.sub.headers
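Review bot: The enforcing-policy comment reads `style-src 'self' nonce-noncynonce' 'nonce-noncy+/=nonce'`, missing the opening quote before `nonce-noncynonce`; the served header has `'nonce-noncynonce'`, so only the comment is wrong, but it should read `style-src 'self' 'nonce-noncynonce' 'nonce-noncy+/=nonce'; script-src 'self' 'unsafe-inline'; connect-src 'self';`. The closing `<p>` describes only the allowed side, yet the test also depends on the un-nonced red `#test1` block being rejected, which is what produces the report checkReport expects; a short comment on that element, `<!-- no nonce: must be blocked and reported, leaving #test1 green -->`, would make the two-sided expectation explicit. The `reportValue` omits `'self'` and carries a raw `+` in `noncy+/=nonce`, so an exact comparison against the served directive may fail after query decoding. The empty `<script></script>` after the policy comment and the second `var el` declaration look like conversion residue.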
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: stylenonce-allowed={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: style-src 'self' 'nonce-noncynonce' 'nonce-noncy+/=nonce'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html
new file mode 100644
index 000000000..43204f64d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>stylenonce-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <link rel="stylesheet" type="text/css" href="allowed.css">
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+ <!-- enforcing policy:
+style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+-->
+ <script></script>
+ <style nonce="noncynonce">
+ #test {
+ color: red;
+ }
+
+ </style>
+</head>
+
+<body>
+ <p id="test">This text should be green.</p>
+ <script>
+ var el = document.querySelector('#test');
+ test(function() {
+ assert_equals(window.getComputedStyle(el).color, "rgb(0, 128, 0)")
+ });
+
+ </script>
+ <p>Style that does not match a 'nonce-*' expression in 'style-src' should not be applied to the page.</p>
+ <div id="log"></div>
+ <script async defer src="../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=style-src%20'self'"></script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html.sub.headers
new file mode 100644
index 000000000..e51a02dd0
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib-2/stylenonce-blocked.sub.html.sub.headers
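Review bot: The single `test()` in `<body>` has no name, so the harness logs an untitled result that says nothing about what was checked; `test(function() { ... }, "inline style with an unlisted nonce is not applied")` would record the intent, which is that the `<style nonce="noncynonce">` in `<head>` must be rejected under `style-src 'self'` and the green from `allowed.css` must win. `type="text/css"` on the `<link>` is redundant, as is `defer` beside `async` on the checkReport script (`defer` only acts as a fallback where `async` is unsupported). The green expectation depends on `allowed.css` being loaded by `'self'` before the body script runs; the `<link>` in `<head>` blocks that script, but a short comment saying so would spare the next reader from wondering why "blocked" is verified by a green colour.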
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: stylenonce-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
+Content-Security-Policy: style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} |
