Merge pull request #2126 from hillbrad/csp_crossbrowser_fixes

CSP crossbrowser fixes

content-security-policy/blink-contrib-2/base-uri-allow.sub.html

@@ -14,7 +14,13 @@
     <base href="http://www1.{{host}}:{{ports[http][0]}}/">
     <script>
         test(function() {
-            assert_equals(document.baseURI, 'http://www1.{{host}}:{{ports[http][0]}}/');
+            if ('{{ports[http][0]}}' == '80' ||
+               '{{ports[http][0]}}' == '443') {
+                assert_equals(document.baseURI, 'http://www1.{{host}}/');
+            } else {
+                assert_equals(document.baseURI, 'http://www1.{{host}}' + ':{{ports[http][0]}}/');
+            }
+
             log("TEST COMPLETE")
         });
 

content-security-policy/blink-contrib-2/form-action-src-allowed.sub.html

@@ -6,12 +6,15 @@
     <title>form-action-src-allowed</title>
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
-    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+    <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
     <script src="../support/alertAssert.sub.js?alerts=[]"></script>
     <!-- enforcing policy:
 form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
 -->
     <script>
+        window.addEventListener("message", function(event) {
+            log(event.data);
+        }, false);
         window.addEventListener('load', function() {
             setTimeout(function() {
                 document.getElementById('submit').click();
@@ -23,13 +26,15 @@
 </head>
 
 <body>
-    <form action="../support/pass.png" id="theform" method="post" target="_blank">
+    <iframe name="test_target" id="test_iframe"></iframe>
+
+    <form action="/common/redirect.py?location=/content-security-policy/blink-contrib/resources/postmessage-pass.html" id="theform" method="post" target="test_target">
         <input type="text" name="fieldname" value="fieldvalue">
         <input type="submit" id="submit" value="submit">
     </form>
     <p>Tests that allowed form actions work correctly. If this test passes, you will see a page indicating a form was POSTed.</p>
     <div id="log"></div>
     <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
-</body>
+    </body>
 
 </html>

content-security-policy/blink-contrib-2/form-action-src-blocked.sub.html

@@ -12,25 +12,29 @@
 form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
 -->
     <script>
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
         window.addEventListener('load', function() {
             setTimeout(function() {
                 document.getElementById('submit').click();
-                log("TEST COMPLETE");
             }, 0);
         });
-        setTimeout(function() {}, 1000);
+        setTimeout(function() {log("TEST COMPLETE");}, 1);
 
     </script>
 </head>
 
 <body>
-    <form action="../content-security-policy/support/fail.png" id="theform" method="post">
+    <iframe name="test_target" id="test_iframe"></iframe>
+    <form action="/common/redirect.py?location=/content-security-policy/blink-contrib/resources/postmessage-fail.html" id="theform" method="post" target="test_target">
         <input type="text" name="fieldname" value="fieldvalue">
         <input type="submit" id="submit" value="submit">
     </form>
     <p>Tests that blocking form actions works correctly. If this test passes, a CSP violation will be generated, and will not see a page indicating a form was POSTed.</p>
     <div id="log"></div>
     <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=form-action%20&apos;none&apos;"></script>
-</body>
+
+    </body>
 
 </html>

content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html

@@ -6,12 +6,15 @@
     <title>form-action-src-default-ignored</title>
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
-    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+    <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
     <script src="../support/alertAssert.sub.js?alerts=[]"></script>
     <!-- enforcing policy:
-default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';
+default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; frame-src 'self';
 -->
     <script>
+        window.addEventListener("message", function(event) {
+            log(event.data);
+        }, false);
         window.addEventListener('load', function() {
             setTimeout(function() {
                 document.getElementById('submit').click();
@@ -23,11 +26,13 @@
 </head>
 
 <body>
-    <form action="../support/pass.png" id="theform" method="post" target="_blank">
+    <iframe name="test_target" id="test_iframe"></iframe>
+
+    <form action="/common/redirect.py?location=/content-security-policy/blink-contrib/resources/postmessage-pass.html" id="theform" method="post" target="test_target">
         <input type="text" name="fieldname" value="fieldvalue">
         <input type="submit" id="submit" value="submit">
     </form>
-    <p>Tests that default-src does. If this test passes, you will see a page indicating a form was POSTed or a blocked pop-up warning.</p>
+    <p>Tests that default-src does not cascade to form-action.</p>
     <div id="log"></div>
     <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
 </body>

content-security-policy/blink-contrib-2/form-action-src-default-ignored.sub.html.sub.headers

@@ -3,4 +3,4 @@ Cache-Control: no-store, no-cache, must-revalidate
 Cache-Control: post-check=0, pre-check=0, false
 Pragma: no-cache
 Set-Cookie: form-action-src-default-ignored={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
-Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self'; style-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
+Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; frame-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}

content-security-policy/blink-contrib-2/form-action-src-get-allowed.sub.html

@@ -3,15 +3,18 @@
 
 <head>
     <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
-    <title>form-action-src-get-allowed</title>
+    <title>form-action-src-allowed</title>
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
-    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+    <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script>
     <script src="../support/alertAssert.sub.js?alerts=[]"></script>
     <!-- enforcing policy:
 form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
 -->
     <script>
+        window.addEventListener("message", function(event) {
+            log(event.data);
+        }, false);
         window.addEventListener('load', function() {
             setTimeout(function() {
                 document.getElementById('submit').click();
@@ -23,13 +26,16 @@
 </head>
 
 <body>
-    <form action="../support/pass.png" id="theform" method="get" target="_blank">
+    <iframe name="test_target" id="test_iframe"></iframe>
+
+    <form action="/common/redirect.py" id="theform" method="get" target="test_target">
+        <input type="text" name="location" value="/content-security-policy/blink-contrib/resources/postmessage-pass.html">
         <input type="text" name="fieldname" value="fieldvalue">
         <input type="submit" id="submit" value="submit">
     </form>
-    <p>Tests that allowed form actions work correctly. If this test passes, you will see a page indicating a form was POSTed or a blocked pop-up warning.</p>
+    <p>Tests that allowed form actions work correctly. If this test passes, you will see a page indicating a form was POSTed.</p>
     <div id="log"></div>
     <script async defer src="../support/checkReport.sub.js?reportExists=false"></script>
-</body>
+    </body>
 
-</html>
+</html>

content-security-policy/blink-contrib-2/form-action-src-get-blocked.sub.html

@@ -3,7 +3,7 @@
 
 <head>
     <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
-    <title>form-action-src-get-blocked</title>
+    <title>form-action-src-allowed</title>
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
     <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
@@ -12,23 +12,31 @@
 form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
 -->
     <script>
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
         window.addEventListener('load', function() {
-            setTimeout(function() {}, 1000);
-            document.getElementById('submit').click();
-            log("TEST COMPLETE");
+            setTimeout(function() {
+                document.getElementById('submit').click();
+                log("TEST COMPLETE");
+            }, 0);
         });
 
     </script>
 </head>
 
 <body>
-    <form action="/navigation/resources/form-target.pl" id="theform" method="get">
+    <iframe name="test_target" id="test_iframe"></iframe>
+
+    <form action="/common/redirect.py" id="theform" method="get" target="test_target">
+        <input type="text" name="location" value="/content-security-policy/blink-contrib/resources/postmessage-fail.html">
         <input type="text" name="fieldname" value="fieldvalue">
         <input type="submit" id="submit" value="submit">
     </form>
-    <p>Tests that blocking form actions works correctly. If this test passes, a CSP violation will be generated, and will not see a page indicating a form was POSTed.</p>
+    <p>Tests that allowed form actions work correctly. If this test passes, you will see a page indicating a form was POSTed.</p>
     <div id="log"></div>
-    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=form-action%20&apos;none&apos;"></script>
-</body>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=form-action%20&apos;none&apos;
+"></script>
+    </body>
 
 </html>

content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html

@@ -9,16 +9,15 @@
     <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
     <script src="../support/alertAssert.sub.js?alerts=[]"></script>
     <!-- enforcing policy:
-form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';
+form-action 'none'; script-src 'self' 'nonce-noncynonce'; connect-src 'self';
 -->
-    <script>
+    <script nonce='noncynonce'>
         window.addEventListener('load', function() {
             setTimeout(function() {
                 document.getElementById('submit').click();
                 log("TEST COMPLETE");
             }, 0);
         });
-
     </script>
 </head>
 
@@ -29,7 +28,7 @@
     </form>
     <p>Tests that blocking form actions works correctly. If this test passes, a CSP violation will be generated, and will not see a JavaScript alert.</p>
     <div id="log"></div>
-    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=form-action%20&apos;none&apos;"></script>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true"></script>
 </body>
 
 </html>

content-security-policy/blink-contrib-2/form-action-src-javascript-blocked.sub.html.sub.headers

@@ -3,4 +3,4 @@ Cache-Control: no-store, no-cache, must-revalidate
 Cache-Control: post-check=0, pre-check=0, false
 Pragma: no-cache
 Set-Cookie: form-action-src-javascript-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
-Content-Security-Policy: form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
+Content-Security-Policy: form-action 'none'; script-src 'self' 'nonce-noncynonce'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}

content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html

@@ -9,9 +9,12 @@
     <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
     <script src="../support/alertAssert.sub.js?alerts=[]"></script>
     <!-- enforcing policy:
-form-action 127.0.0.1:8000; script-src 'self' 'unsafe-inline'; connect-src 'self';
+form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
 -->
     <script>
+        window.addEventListener("message", function(event) {
+            alert_assert(event.data);
+        }, false);
         window.addEventListener('load', function() {
             setTimeout(function() {
                 document.getElementById('submit').click();
@@ -24,13 +27,15 @@
 </head>
 
 <body>
-    <form id="form1" action="/navigation/resources/redirection-response.php?host=localhost:8000&amp;status=302&amp;target=form-target.pl" method="post">
+    <iframe name="test_target" id="test_iframe"></iframe>
+
+    <form id="form1" action="/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/blink-contrib/resources/postmessage-fail.html" method="post" target="test_target">
         <input type="text" name="fieldname" value="fieldvalue">
         <input type="submit" id="submit" value="submit">
     </form>
     <p>Tests that blocking form redirect works correctly. If this test passes, a CSP violation will be generated, and will not see a page indicating a form was POSTed.</p>
     <div id="log"></div>
-    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=form-action%20127.0.0.1:8000"></script>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=form-action%20'self'"></script>
 </body>
 
 </html>

content-security-policy/blink-contrib-2/form-action-src-redirect-blocked.sub.html.sub.headers

@@ -3,4 +3,4 @@ Cache-Control: no-store, no-cache, must-revalidate
 Cache-Control: post-check=0, pre-check=0, false
 Pragma: no-cache
 Set-Cookie: form-action-src-redirect-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
-Content-Security-Policy: form-action 127.0.0.1:8000; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
+Content-Security-Policy: form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}

content-security-policy/blink-contrib-2/scripthash-basic-blocked.sub.html.sub.headers

@@ -3,4 +3,4 @@ Cache-Control: no-store, no-cache, must-revalidate
 Cache-Control: post-check=0, pre-check=0, false
 Pragma: no-cache
 Set-Cookie: scripthash-basic-blocked={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
-Content-Security-Policy: script-src 'self' 'unsafe-inline' 'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
+Content-Security-Policy: script-src 'self' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}

content-security-policy/blink-contrib-2/scripthash-ignore-unsafeinline.sub.html.sub.headers

@@ -3,4 +3,4 @@ Cache-Control: no-store, no-cache, must-revalidate
 Cache-Control: post-check=0, pre-check=0, false
 Pragma: no-cache
 Set-Cookie: scripthash-ignore-unsafeinline={{$id:uuid()}}; Path=/content-security-policy/blink-contrib-2
-Content-Security-Policy: script-src 'self' 'unsafe-inline' 'sha1-Au4uYFbkf7OYd+ACMnKq96FN3qo=' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
+Content-Security-Policy: script-src 'self' unsafe-inline' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4='; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}

content-security-policy/blink-contrib/blob-urls-do-not-match-self.sub.html.sub.headers

@@ -3,4 +3,4 @@ Cache-Control: no-store, no-cache, must-revalidate
 Cache-Control: post-check=0, pre-check=0, false
 Pragma: no-cache
 Set-Cookie: blob-urls-do-not-match-self={{$id:uuid()}}; Path=/content-security-policy/blink-contrib
-Content-Security-Policy: script-src 'self' 'unsafe-inline' '*'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}}

content-security-policy/blink-contrib/combine-multiple-policies.sub.html → content-security-policy/blink-contrib/combine-header-and-meta-policies.sub.html

@@ -10,14 +10,15 @@
     <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
     <script src="../support/alertAssert.sub.js?alerts=[]"></script>
     <!-- enforcing multiple policies:
-Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; styls-src 'self'
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'
 Content-Security-Policy: img-src 'none'
 -->
 </head>
 
 <body>
-    This test checks that we enforce all the supplied policies. This test passe if it doesn&apos;t alert fail and if the style doesn&apos;t apply.
-    Check that a SecurityPolicyViolationEvent is fired upon blocking an image.
+<p>Test passes if both style and image are blocked and a report is generated for the
+    style block from the header-supplied policy.</p>
+
     <script>
         var img = document.createElement('img');
         img.src = '../support/fail.png';

content-security-policy/blink-contrib/combine-multiple-header-policies.html.asis

@@ -0,0 +1,60 @@
+HTTP/1.1 200 OK
+Content-Type: text/html
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: combine-multiple-policies=d0140e7d-3800-4842-b66d-370840a4569a; Path=/content-security-policy/blink-contrib
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; report-uri /content-security-policy/support/report.py?op=put&reportID=d0140e7d-3800-4842-b66d-370840a4569a
+Content-Security-Policy: img-src 'none'
+
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+    <title>combine-multiple-policies</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+    <!-- enforcing multiple policies:
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; styls-src 'self'
+Content-Security-Policy: img-src 'none'
+-->
+</head>
+
+<body>
+    This test checks that we enforce all the supplied policies. This test passe if it doesn&apos;t alert fail and if the style doesn&apos;t apply.
+    Check that a SecurityPolicyViolationEvent is fired upon blocking an image.
+    <script>
+        var img = document.createElement('img');
+        img.src = '../support/fail.png';
+        img.onerror = function() {
+            log("TEST COMPLETE");
+        };
+        img.onload = function() {
+            log("FAIL");
+        };
+        document.body.appendChild(img);
+
+    </script>
+    <style>
+        body {
+            background-color: blue;
+        }
+
+    </style>
+    <script>
+        var el = document.querySelector('body');
+        test(function() {
+            assert_equals(window.getComputedStyle(el).color, "rgb(0, 0, 0)")
+        });
+
+    </script>
+    <div id="log"></div>
+    <script async defer src="../support/checkReport.sub.js?reportExists=true&amp;reportField=violated-directive&amp;reportValue=style-src%20&apos;self&apos;"></script>
+</body>
+
+</html>