-
Notifications
You must be signed in to change notification settings - Fork 3.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1815 from hillbrad/hillbrad/manual-rebase-old-csp…
…-tests Hillbrad/manual rebase old csp tests
- Loading branch information
Showing
14 changed files
with
187 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| (function () { | ||
| scriptsrc1.step(function() { assert_unreached('Unsafe inline script ran.') }); | ||
| })(); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| <!DOCTYPE HTML> | ||
| <html> | ||
| <head> | ||
| <title>default-src should cascade to img-src directive</title> | ||
| <script src='/resources/testharness.js'></script> | ||
| <script src='/resources/testharnessreport.js'></script> | ||
| <script src='../support/siblingPath.js'></script> | ||
| </head> | ||
| <body> | ||
| <h1>default-src should cascade to img-src directive</h1> | ||
| <div id='log'></div> | ||
|
|
||
| <script> | ||
| var imgsrc = async_test("Verify cascading of default-src to img-src policy"); | ||
| var onerrorFired = false; | ||
| </script> | ||
|
|
||
| <img id='imgfail' src='' | ||
| onload='imgsrc.step(function() { assert_unreached("Image load was not blocked."); });' | ||
| onerror='onerrorFired = true;'> | ||
| <img src='../support/pass.png' | ||
| onload='imgsrc.step(function() { assert_true(true, "Image load was blocked."); });'> | ||
|
|
||
| <script> | ||
| document.getElementById('imgfail').src = buildSiblingPath('www1', '../support/fail.png'); | ||
| onload = function() { | ||
| imgsrc.step(function() { assert_true(onerrorFired, "onerror handler for blocked img didn't fire");}); | ||
| imgsrc.done(); | ||
| } | ||
| </script> | ||
|
|
||
| <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=default-src%20%27self%27%20%27unsafe-inline%27'></script> | ||
|
|
||
| </body> | ||
| </html> |
6 changes: 6 additions & 0 deletions
6
content-security-policy/generic/generic-0_1-img-src.html.sub.headers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| Expires: Mon, 26 Jul 1997 05:00:00 GMT | ||
| Cache-Control: no-store, no-cache, must-revalidate | ||
| Cache-Control: post-check=0, pre-check=0, false | ||
| Pragma: no-cache | ||
| Set-Cookie: generic-0_1-img-src={{$id:uuid()}}; Path=/content-security-policy/generic/ | ||
| Content-Security-Policy: default-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} |
35 changes: 35 additions & 0 deletions
35
content-security-policy/generic/generic-0_1-script-src.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| <!DOCTYPE HTML> | ||
| <html> | ||
| <head> | ||
| <title>default-src should cascade to script-src directive</title> | ||
| <script src='/resources/testharness.js'></script> | ||
| <script src='/resources/testharnessreport.js'></script> | ||
| <script src='../support/siblingPath.js'></script> | ||
| </head> | ||
| <body> | ||
| <h1>default-src should cascade to script-src directive</h1> | ||
| <div id='log'></div> | ||
|
|
||
| <script> | ||
| var scriptsrc1 = async_test("Verify cascading of default-src to script-src policy: block"); | ||
| var scriptsrc2 = async_test("Verify cascading of default-src to script-src policy: allow"); | ||
| var allowedScriptRan = false; | ||
| </script> | ||
|
|
||
| <script src='pass-0_1.js'></script> | ||
|
|
||
| <script> | ||
| var inlineScript = document.createElement('script'); | ||
| inlineScript.src = buildSiblingPath('www1', 'fail-0_1.js'); | ||
| document.getElementById('log').appendChild(inlineScript); | ||
| onload = function() { | ||
| scriptsrc1.done(); | ||
| scriptsrc2.step( function() { assert_true(allowedScriptRan, "allowed script didn't run") }); | ||
| scriptsrc2.done(); | ||
| } | ||
| </script> | ||
|
|
||
| <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=default-src%20%27self%27%20%27unsafe-inline%27'></script> | ||
|
|
||
| </body> | ||
| </html> |
6 changes: 6 additions & 0 deletions
6
content-security-policy/generic/generic-0_1-script-src.html.sub.headers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| Expires: Mon, 26 Jul 1997 05:00:00 GMT | ||
| Cache-Control: no-store, no-cache, must-revalidate | ||
| Cache-Control: post-check=0, pre-check=0, false | ||
| Pragma: no-cache | ||
| Set-Cookie: generic-0_1-script-src={{$id:uuid()}}; Path=/content-security-policy/generic/ | ||
| Content-Security-Policy: default-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| (function () { | ||
| allowedScriptRan = true; | ||
| })(); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| <!DOCTYPE HTML> | ||
| <html> | ||
| <head> | ||
| <title>Inline script should not run without 'unsafe-inline' script-src directive.</title> | ||
| <script src='/resources/testharness.js'></script> | ||
| <script src='/resources/testharnessreport.js'></script> | ||
| <script src='inlineTests.js'></script> | ||
| </head> | ||
| <body> | ||
| <h1>Inline script should not run without 'unsafe-inline' script-src directive, even for script-src *.</h1> | ||
| <div id='log'></div> | ||
|
|
||
| <script> | ||
| t1.step(function() {assert_unreached('Unsafe inline script ran.');}); | ||
| </script> | ||
|
|
||
| <img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'> | ||
|
|
||
| <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script> | ||
|
|
||
| </body> | ||
| </html> |
6 changes: 6 additions & 0 deletions
6
content-security-policy/script-src/script-src-1_2.html.sub.headers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| Expires: Mon, 26 Jul 1997 05:00:00 GMT | ||
| Cache-Control: no-store, no-cache, must-revalidate | ||
| Cache-Control: post-check=0, pre-check=0, false | ||
| Pragma: no-cache | ||
| Set-Cookie: script-src-1_2={{$id:uuid()}}; Path=/content-security-policy/script-src/ | ||
| Content-Security-Policy: script-src *; report-uri ../support/report.py?op=put&reportID={{$id}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| <!DOCTYPE HTML> | ||
| <html> | ||
| <head> | ||
| <title>setTimeout() and setInterval() should not run without 'unsafe-eval' script-src directive.</title> | ||
| <script src='/resources/testharness.js'></script> | ||
| <script src='/resources/testharnessreport.js'></script> | ||
| </head> | ||
| <body> | ||
| <h1>setTimeout() and setInterval() should not run without 'unsafe-eval' script-src directive.</h1> | ||
| <div id='log'></div> | ||
|
|
||
| <script> | ||
| var t1 = async_test("window.setTimeout()"); | ||
| var t2 = async_test("window.setInterval()"); | ||
|
|
||
| onload = function() {t1.done(); t2.done()} | ||
|
|
||
| window.setTimeout('t1.step(function() {assert_unreached("window.setTimeout() ran without unsafe-eval.")})',0); | ||
| window.setInterval('t2.step(function() {assert_unreached("window.setInterval() ran without unsafe-eval.")})',0); | ||
|
|
||
| </script> | ||
|
|
||
| <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-eval%27'></script> | ||
|
|
||
| </body> | ||
| </html> |
6 changes: 6 additions & 0 deletions
6
content-security-policy/script-src/script-src-1_4_1.html.sub.headers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| Expires: Mon, 26 Jul 1997 05:00:00 GMT | ||
| Cache-Control: no-store, no-cache, must-revalidate | ||
| Cache-Control: post-check=0, pre-check=0, false | ||
| Pragma: no-cache | ||
| Set-Cookie: script-src-1_4_1={{$id:uuid()}}; Path=/content-security-policy/script-src/ | ||
| Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| <!DOCTYPE HTML> | ||
| <html> | ||
| <head> | ||
| <title>Function() called as a constructor should throw without 'unsafe-eval' script-src directive.</title> | ||
| <script src='/resources/testharness.js'></script> | ||
| <script src='/resources/testharnessreport.js'></script> | ||
| </head> | ||
| <body> | ||
| <h1>Function() called as a constructor should throw without 'unsafe-eval' script-src directive.</h1> | ||
| <div id='log'></div> | ||
|
|
||
| <script> | ||
|
|
||
| test(function() { | ||
| assert_throws( | ||
| new EvalError(), | ||
| function() { | ||
| var funq = new Function(''); | ||
| funq(); | ||
| })}, "Unsafe eval ran in Function() constructor."); | ||
|
|
||
| </script> | ||
|
|
||
| <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-inline%27'></script> | ||
|
|
||
| </body> | ||
| </html> |
6 changes: 6 additions & 0 deletions
6
content-security-policy/script-src/script-src-1_4_2.html.sub.headers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| Expires: Mon, 26 Jul 1997 05:00:00 GMT | ||
| Cache-Control: no-store, no-cache, must-revalidate | ||
| Cache-Control: post-check=0, pre-check=0, false | ||
| Pragma: no-cache | ||
| Set-Cookie: script-src-1_4_2={{$id:uuid()}}; Path=/content-security-policy/script-src/ | ||
| Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| buildSiblingPath = function(hostPrefix, relativePath, newPort) { | ||
| var port = newPort ? newPort : document.location.port; | ||
| var path = document.location.pathname.substring(0, document.location.pathname.lastIndexOf('/') + 1); | ||
| return (document.location.protocol + '//' + hostPrefix + "." + document.location.hostname + ':' + port + path + relativePath); | ||
| }; |