Hillbrad/csp level2

content-security-policy/generic/fail-0_1.js

@@ -0,0 +1,3 @@
+(function () {
+  scriptsrc1.step(function() { assert_unreached('Unsafe inline script ran.') });
+})();

content-security-policy/generic/generic-0_1-img-src.html

@@ -0,0 +1,35 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>default-src should cascade to img-src directive</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='../support/siblingPath.js'></script>
+</head>
+<body>
+    <h1>default-src should cascade to img-src directive</h1>
+    <div id='log'></div>
+
+    <script>
+      var imgsrc = async_test("Verify cascading of default-src to img-src policy");
+      var onerrorFired = false;
+    </script>
+
+    <img id='imgfail' src=''
+         onload='imgsrc.step(function() { assert_unreached("Image load was not blocked."); });'
+         onerror='onerrorFired = true;'>
+    <img src='../support/pass.png'
+         onload='imgsrc.step(function() { assert_true(true, "Image load was blocked."); });'>
+
+    <script>
+      document.getElementById('imgfail').src = buildSiblingPath('www1', '../support/fail.png');
+      onload = function() {
+        imgsrc.step(function() { assert_true(onerrorFired, "onerror handler for blocked img didn't fire");});
+        imgsrc.done();
+      }
+    </script>
+
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=default-src%20%27self%27%20%27unsafe-inline%27'></script>
+
+</body>
+</html>

content-security-policy/generic/generic-0_1-img-src.html.sub.headers

@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_1-img-src={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: default-src 'self' 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}

content-security-policy/generic/generic-0_1-script-src.html

@@ -0,0 +1,35 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>default-src should cascade to script-src directive</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='../support/siblingPath.js'></script>
+</head>
+<body>
+    <h1>default-src should cascade to script-src directive</h1>
+    <div id='log'></div>
+
+    <script>
+      var scriptsrc1 = async_test("Verify cascading of default-src to script-src policy: block");
+      var scriptsrc2 = async_test("Verify cascading of default-src to script-src policy: allow");
+      var allowedScriptRan = false;
+    </script>
+
+    <script src='pass-0_1.js'></script>
+
+    <script>
+      var inlineScript = document.createElement('script');
+      inlineScript.src = buildSiblingPath('www1', 'fail-0_1.js');
+      document.getElementById('log').appendChild(inlineScript);
+      onload = function() {
+          scriptsrc1.done();
+          scriptsrc2.step( function() { assert_true(allowedScriptRan, "allowed script didn't run") });
+          scriptsrc2.done();
+      }
+    </script>
+
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=default-src%20%27self%27%20%27unsafe-inline%27'></script>
+
+</body>
+</html>

content-security-policy/generic/generic-0_1-script-src.html.sub.headers

@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: generic-0_1-script-src={{$id:uuid()}}; Path=/content-security-policy/generic/
+Content-Security-Policy: default-src 'self' 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}

content-security-policy/generic/pass-0_1.js

@@ -0,0 +1,3 @@
+(function () {
+   allowedScriptRan = true;
+})();

content-security-policy/script-src/script-src-1_1.html

@@ -7,7 +7,7 @@
     <script src='inlineTests.js'></script>
 </head>
 <body>
-    <h1>Inline script should not run without 'unsafe-inline' script-src directive.</h1>
+    <h1>Inline script should not run without 'unsafe-inline' script-src directive, even for script-src 'self'.</h1>
     <div id='log'></div>
 
     <script>

content-security-policy/script-src/script-src-1_2.html

@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>Inline script should not run without 'unsafe-inline' script-src directive.</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+    <script src='inlineTests.js'></script>
+</head>
+<body>
+    <h1>Inline script should not run without 'unsafe-inline' script-src directive, even for script-src *.</h1>
+    <div id='log'></div>
+
+    <script>
+      t1.step(function() {assert_unreached('Unsafe inline script ran.');});
+    </script>
+
+    <img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'>
+
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script>
+
+</body>
+</html>

content-security-policy/script-src/script-src-1_2.html.sub.headers

@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_2={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src *; report-uri  ../support/report.py?op=put&reportID={{$id}}

content-security-policy/script-src/script-src-1_4_1.html

@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>setTimeout() and setInterval() should not run without 'unsafe-eval' script-src directive.</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>setTimeout() and setInterval() should not run without 'unsafe-eval' script-src directive.</h1>
+    <div id='log'></div>
+
+   	<script>
+        var t1 = async_test("window.setTimeout()");
+        var t2 = async_test("window.setInterval()");
+
+        onload = function() {t1.done(); t2.done()}
+
+        window.setTimeout('t1.step(function() {assert_unreached("window.setTimeout() ran without unsafe-eval.")})',0);
+        window.setInterval('t2.step(function() {assert_unreached("window.setInterval() ran without unsafe-eval.")})',0);
+
+    </script>
+
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-eval%27'></script>
+
+</body>
+</html>

content-security-policy/script-src/script-src-1_4_1.html.sub.headers

@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_4_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}

content-security-policy/script-src/script-src-1_4_2.html

@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+    <title>Function() called as a constructor should throw without 'unsafe-eval' script-src directive.</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <h1>Function() called as a constructor should throw without 'unsafe-eval' script-src directive.</h1>
+    <div id='log'></div>
+
+   	<script>
+
+        test(function() {
+            assert_throws(
+                new EvalError(),
+                function() {
+                    var funq = new Function('');
+                    funq();
+        })}, "Unsafe eval ran in Function() constructor.");
+
+    </script>
+
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-eval%27'></script>
+
+</body>
+</html>

content-security-policy/script-src/script-src-1_4_2.html.sub.headers

@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_4_2={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}

content-security-policy/support/checkReport.sub.js

@@ -31,7 +31,7 @@
     }
   }
 
-  var reportLocation = location.protocol + "//" + location.host + "/content-security-policy/support/report.py?op=take&timeout=3&reportID=" + reportID;
+  var reportLocation = location.protocol + "//" + location.host + "/content-security-policy/support/report.py?op=take&timeout=1&reportID=" + reportID;
 
   var reportTest = async_test("Violation report status OK.");
   reportTest.step(function () {

content-security-policy/support/siblingPath.js

@@ -0,0 +1,5 @@
+ buildSiblingPath = function(hostPrefix, relativePath, newPort) {
+  var port = newPort ? newPort : document.location.port;
+  var path = document.location.pathname.substring(0, document.location.pathname.lastIndexOf('/') + 1);
+  return (document.location.protocol + '//' + hostPrefix + "." + document.location.hostname + ':' + port + path + relativePath);
+};