WebKit Bugzilla
Attachment 371793 Details for Bug 198676: Import Content Security Policy Web Platform Tests
Patch
bug-198676-20190610163022.patch (text/plain), 1.56 MB, created by Daniel Bates on 2019-06-10 16:30:23 PDT
Flags: patch, obsolete
>Subversion Revision: 246069 >diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog >index 5bbf9c0b97d1ee2ceca59c88a1f13a501bbf9e89..55797d7acd7f19e94725887b7f9d3ff50de57780 100644 >--- a/LayoutTests/ChangeLog >+++ b/LayoutTests/ChangeLog >@@ -1,3 +1,20 @@ >+2019-06-07 Daniel Bates <dabates@apple.com> >+ >+ Import Content Security Policy Web Platform Tests >+ https://bugs.webkit.org/show_bug.cgi?id=198676 >+ <rdar://problem/51533785> >+ >+ Reviewed by Youenn Fablet. >+ >+ Import tests as of 3840f46213d9a991acc9288e3863530f7502c05e (origin/master). >+ >+ * TestExpectations: Skip some tests for features we do not support. >+ * platform/mac-wk1/TestExpectations: Skip Beacon and Service Worker tests as we do not support >+ these features in Legacy WebKit. >+ * platform/win/TestExpectations: Ditto. Also skip WebSocket tests as we skip all other such >+ tests on Windows. >+ * tests-options.json: >+ > 2019-06-10 Daniel Bates <dabates@apple.com> > > [CSP] Blob URLs should inherit their CSP policy >diff --git a/LayoutTests/imported/w3c/ChangeLog b/LayoutTests/imported/w3c/ChangeLog >index 8f1b42aff84ccdceb514f664b8eb595aae989312..39bbd8a2f3d1083296dc42a9f48c8495bf7dbfad 100644 >--- a/LayoutTests/imported/w3c/ChangeLog >+++ b/LayoutTests/imported/w3c/ChangeLog 
>@@ -1,3 +1,75 @@ >+2019-06-07 Daniel Bates <dabates@apple.com> >+ >+ [CSP] Blob URLs should inherit their CSP policy >+ https://bugs.webkit.org/show_bug.cgi?id=198579 >+ <rdar://problem/51366878> >+ >+ Update some test results. >+ >+ * web-platform-tests/content-security-policy/inheritance/blob-url-in-child-frame-self-navigate-inherits.sub-expected.txt: >+ * web-platform-tests/content-security-policy/inheritance/blob-url-in-main-window-self-navigate-inherits.sub-expected.txt: >+ >+2019-06-07 Daniel Bates <dabates@apple.com> >+ >+ Import Content Security Policy Web Platform Tests >+ https://bugs.webkit.org/show_bug.cgi?id=198676 >+ <rdar://problem/51533785> >+ >+ Reviewed by Youenn Fablet. >+ >+ Import tests as of 3840f46213d9a991acc9288e3863530f7502c05e (origin/master). >+ >+ * resources/import-expectations.json: >+ * resources/resource-files.json: >+ * web-platform-tests/content-security-policy/META.yml: Added. >+ * web-platform-tests/content-security-policy/README.css: Added. >+ (.code): >+ (.codeTitle): >+ (.highlight1): >+ (.highlight2): >+ (body): >+ * web-platform-tests/content-security-policy/README.html: Added. >+ * web-platform-tests/content-security-policy/base-uri/base-uri-allow.sub-expected.txt: Added. >+ * web-platform-tests/content-security-policy/base-uri/base-uri-allow.sub.html: Added. >+ * web-platform-tests/content-security-policy/base-uri/base-uri-deny.sub-expected.txt: Added. >+ * web-platform-tests/content-security-policy/base-uri/base-uri-deny.sub.html: Added. >+ * web-platform-tests/content-security-policy/base-uri/base-uri_iframe_sandbox.sub-expected.txt: Added. >+ * web-platform-tests/content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html: Added. >+ * web-platform-tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub-expected.txt: Added. >+ * web-platform-tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html: Added. 
>+ * web-platform-tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.sub.headers: Added. >+ * web-platform-tests/content-security-policy/base-uri/w3c-import.log: Added. >+ * web-platform-tests/content-security-policy/blob/blob-urls-do-not-match-self.sub-expected.txt: Added. >+ * web-platform-tests/content-security-policy/blob/blob-urls-do-not-match-self.sub.html: Added. >+ * web-platform-tests/content-security-policy/blob/blob-urls-match-blob.sub-expected.txt: Added. >+ * web-platform-tests/content-security-policy/blob/blob-urls-match-blob.sub.html: Added. >+ * web-platform-tests/content-security-policy/blob/self-doesnt-match-blob.sub-expected.txt: Added. >+ * web-platform-tests/content-security-policy/blob/self-doesnt-match-blob.sub.html: Added. >+ * web-platform-tests/content-security-policy/blob/star-doesnt-match-blob.sub-expected.txt: Added. >+ * web-platform-tests/content-security-policy/blob/star-doesnt-match-blob.sub.html: Added. >+ * web-platform-tests/content-security-policy/blob/w3c-import.log: Added. >+ * web-platform-tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub-expected.txt: Added. >+ * web-platform-tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html: Added. >+ * web-platform-tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub-expected.txt: Added. >+ * web-platform-tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html: Added. >+ * web-platform-tests/content-security-policy/child-src/child-src-allowed.sub-expected.txt: Added. >+ * web-platform-tests/content-security-policy/child-src/child-src-allowed.sub.html: Added. >+ [...] >+ * web-platform-tests/content-security-policy/worker-src/service-worker-src-script-fallback.https.sub.html: Added. >+ * web-platform-tests/content-security-policy/worker-src/service-worker-src-self-fallback.https.sub-expected.txt: Added. 
>+ * web-platform-tests/content-security-policy/worker-src/service-worker-src-self-fallback.https.sub.html: Added. >+ * web-platform-tests/content-security-policy/worker-src/shared-child.sub.html: Added. >+ * web-platform-tests/content-security-policy/worker-src/shared-fallback.sub.html: Added. >+ * web-platform-tests/content-security-policy/worker-src/shared-list.sub.html: Added. >+ * web-platform-tests/content-security-policy/worker-src/shared-none.sub.html: Added. >+ * web-platform-tests/content-security-policy/worker-src/shared-self.sub.html: Added. >+ * web-platform-tests/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html: Added. >+ * web-platform-tests/content-security-policy/worker-src/shared-worker-src-child-fallback.sub.html: Added. >+ * web-platform-tests/content-security-policy/worker-src/shared-worker-src-default-fallback.sub.html: Added. >+ * web-platform-tests/content-security-policy/worker-src/shared-worker-src-script-fallback.sub.html: Added. >+ * web-platform-tests/content-security-policy/worker-src/shared-worker-src-self-fallback.sub.html: Added. >+ * web-platform-tests/content-security-policy/worker-src/w3c-import.log: Added. >+ > 2019-06-03 Rob Buis <rbuis@igalia.com> > > Implement imagesrcset and imagesizes attributes on link rel=preload >diff --git a/LayoutTests/TestExpectations b/LayoutTests/TestExpectations >index 9febe3dc3d495f2568fe5d711e603c2a7f623041..b1c442ad450c4fe11f6593e45b071f2283592464 100644 >--- a/LayoutTests/TestExpectations >+++ b/LayoutTests/TestExpectations 
>@@ -334,6 +334,207 @@ imported/w3c/web-platform-tests/css/css-ui/caret-color-018.html [ Skip ] > imported/w3c/web-platform-tests/css/css-ui/caret-color-019.html [ Skip ] > imported/w3c/web-platform-tests/css/css-ui/caret-color-020.html [ Skip ] > >+# Dump console messages to stderr for all the imported Content Security Policy tests to avoid flakiness. >+imported/w3c/web-platform-tests/content-security-policy [ DumpJSConsoleLogInStdErr ] >+ >+# FIXME: Skip Content Security Policy tests that are dumping the render tree instead of text: >+imported/w3c/web-platform-tests/content-security-policy/svg/scripted.svg >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html >+ >+# Skip Content Security Policy tests that time out >+imported/w3c/web-platform-tests/content-security-policy/svg/svg-inline.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-src-blocked.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-allowed-src-blocked.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html [ Skip ] 
>+imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html [ Skip ] 
>+imported/w3c/web-platform-tests/content-security-policy/img-src/icon-blocked.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-self-unique-origin.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/reporting/report-strips-fragment.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-url-script-src.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-allowed.html [ Skip ] 
>+imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-blocked.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/inside-worker/dedicated-inheritance.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/inside-worker/dedicated-script.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/style-src/stylenonce-allowed.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-basic-blocked.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-error-event-fires.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/style-src/stylenonce-blocked.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-mismatched-url.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-mismatched-data.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-notype-data.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-nourl-blocked.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-notype-url.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-empty.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/inheritance/document-write-iframe.html [ Skip ] 
>+imported/w3c/web-platform-tests/content-security-policy/inheritance/inherited-csp-list-modifications-are-local.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-srcdoc-inheritance.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-self-unique-origin.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-redirect.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_2.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_1_2.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-redir-bug.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_2_2.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-blocked.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_3.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_3_2.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_1.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/generic/304-response-should-update-csp.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2_3.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2_2.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/generic/filesystem-urls-do-not-match-self.sub.html [ Skip ] 
>+imported/w3c/web-platform-tests/content-security-policy/generic/directive-name-case-insensitive.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_1-script-src.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10_1.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_8_1.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/generic/only-valid-whitespaces-are-allowed.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_1-img-src.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html [ Skip 
] >+imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-cross-origin-allowed.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-redirected-blocked.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-cross-origin-blocked.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-cross-origin-allowed.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/navigate-to/spv-only-sent-to-initiator.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain-because-of-same-origin.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-redirected-blocked.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-cross-origin-blocked.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-cross-origin-allowed.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-cross-origin-allowed.sub.html [ Skip ] 
>+imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-redirected-blocked.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-cross-origin-blocked.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/font-src/font-mismatch-blocked.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/font-src/font-none-blocked.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-blocked.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-redirect-blocked.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-blocked.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-blocked.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_1.html [ Skip ] 
>+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_2.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_10.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-service-worker.https.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-dedicated-worker.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-eval.html [ Skip ] 
>+imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/targeting.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html [ Skip ] >+ >+# FIXME: Skip Content Security Policy tests whose output is non-deterministic >+imported/w3c/web-platform-tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html [ Skip ] >+ >+# Content Security Policy: Embedded Enforcement is not supported >+imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement >+ >+# Skip Content Security Policy script-dynamic tests as we do not support this directive >+imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/strict-dynamic-elem-allowed-src-blocked.html >+imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/strict-dynamic-elem-blocked-src-allowed.sub.html >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_eval.html >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_new_function.html 
>+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_eval.html >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_new_function.html >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_correct_nonce.html >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_worker-importScripts.https.html >+imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_worker.https.html >+ >+# Skip Content Security Policy shared workers tests as we do not support shared 
workers >+imported/w3c/web-platform-tests/content-security-policy/connect-src/shared-worker-connect-src-allowed.sub.html >+imported/w3c/web-platform-tests/content-security-policy/connect-src/shared-worker-connect-src-blocked.sub.html >+imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-shared-worker.html >+imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-child.sub.html >+imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-fallback.sub.html >+imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-list.sub.html >+imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-none.sub.html >+imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-self.sub.html >+imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html >+imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-child-fallback.sub.html >+imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-default-fallback.sub.html >+imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-script-fallback.sub.html >+imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-self-fallback.sub.html >+ > # Only relevant on macOS > css3/color-filters/punch-out-white-backgrounds.html [ Skip ] > >diff --git a/LayoutTests/imported/w3c/resources/import-expectations.json b/LayoutTests/imported/w3c/resources/import-expectations.json >index 270cbe18a435fe6f2550f6b5875428b3b0765b54..22a538a9227d0dee4bda3f166914533224e28420 100644 >--- a/LayoutTests/imported/w3c/resources/import-expectations.json >+++ b/LayoutTests/imported/w3c/resources/import-expectations.json 
>@@ -44,7 +44,7 @@ > "web-platform-tests/common": "import", > "web-platform-tests/compat": "skip", > "web-platform-tests/console": "skip", >- "web-platform-tests/content-security-policy": "skip", >+ "web-platform-tests/content-security-policy": "import", > "web-platform-tests/cookies": "skip", > "web-platform-tests/core-aam": "skip", > "web-platform-tests/cors": "import", >diff --git a/LayoutTests/imported/w3c/resources/resource-files.json b/LayoutTests/imported/w3c/resources/resource-files.json >index 1d4396ac1a398db5fe3c3257e073e130f5117af0..e942698df654dc1bf2e92ef01aa49390644da155 100644 >--- a/LayoutTests/imported/w3c/resources/resource-files.json >+++ b/LayoutTests/imported/w3c/resources/resource-files.json 
>@@ -29,6 +29,35 @@ > "web-platform-tests/acid/acid3/svg.xml", > "web-platform-tests/beacon/fetch-keepalive-navigate.iFrame.html", > "web-platform-tests/beacon/navigate.iFrame.sub.html", >+ "web-platform-tests/content-security-policy/README.html", >+ "web-platform-tests/content-security-policy/form-action/support/post-message-to-opener.sub.html", >+ "web-platform-tests/content-security-policy/form-action/support/post-message-to-parent.sub.html", >+ "web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html", >+ "web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html", >+ "web-platform-tests/content-security-policy/frame-src/support/frame.html", >+ "web-platform-tests/content-security-policy/generic/support/load_img_and_post_result_header.html", >+ "web-platform-tests/content-security-policy/generic/support/load_img_and_post_result_meta.sub.html", >+ "web-platform-tests/content-security-policy/generic/support/log-pass.html", >+ "web-platform-tests/content-security-policy/generic/support/sandboxed-eval.sub.html", >+ "web-platform-tests/content-security-policy/inheritance/support/navigate-self-to-blob.html", >+ "web-platform-tests/content-security-policy/inheritance/support/srcdoc-child-frame.html", >+ "web-platform-tests/content-security-policy/navigate-to/support/post_message_to_frame_owner.html", >+ "web-platform-tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html", >+ "web-platform-tests/content-security-policy/navigate-to/support/spv-test-iframe2.sub.html", >+ "web-platform-tests/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html", >+ "web-platform-tests/content-security-policy/navigation/support/frame-with-csp.sub.html", >+ "web-platform-tests/content-security-policy/reporting/support/generate-csp-report.html", >+ "web-platform-tests/content-security-policy/sandbox/support/sandboxed-data-iframe.sub.html", >+ 
"web-platform-tests/content-security-policy/sandbox/support/sandboxed-eval.sub.html", >+ "web-platform-tests/content-security-policy/sandbox/support/sandboxed-post-message-to-parent.html", >+ "web-platform-tests/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html", >+ "web-platform-tests/content-security-policy/sandbox/support/unsandboxed-post-property-to-opener.html", >+ "web-platform-tests/content-security-policy/support/fail.html", >+ "web-platform-tests/content-security-policy/support/file-prefetch-allowed.html", >+ "web-platform-tests/content-security-policy/support/postmessage-fail.html", >+ "web-platform-tests/content-security-policy/support/postmessage-pass-to-opener.html", >+ "web-platform-tests/content-security-policy/support/postmessage-pass.html", >+ "web-platform-tests/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html", > "web-platform-tests/credential-management/support/echoing-nester.html", > "web-platform-tests/credential-management/support/federatedcredential-get.html", > "web-platform-tests/credential-management/support/passwordcredential-get.html", >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/META.yml b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/META.yml >new file mode 100644 >index 0000000000000000000000000000000000000000..ee8f1ea7e07b94711ddc65e43a6c32dbc5983612 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/META.yml >@@ -0,0 +1,4 @@ >+spec: https://w3c.github.io/webappsec-csp/ >+suggested_reviewers: >+ - andypaicu >+ - hillbrad >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/README.css b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/README.css >new file mode 100644 >index 0000000000000000000000000000000000000000..d47a5034ba08a5bc59f4b01b2619d82cd9a99d2a >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/README.css >@@ -0,0 +1,27 @@ >+ >+.code { >+ font-family: monospace; >+ color: darkorange; >+} >+ >+.codeTitle { >+ font-family: sans-serif; >+ padding: .3em; >+ margin-bottom: -1em; >+ background: #ffe; >+ border-color: #ccc; >+ border-width: 1px; >+ border-style: groove; >+} >+ >+.highlight1 { >+ background: yellow; >+} >+ >+.highlight2 { >+ background: pink; >+} >+ >+body { >+ font-family: sans-serif; >+} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/README.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/README.html >new file mode 100644 >index 0000000000000000000000000000000000000000..98fd5c4bf789b99b959bab3fbdadb1ad408db5a0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/README.html 
>@@ -0,0 +1,118 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <title>Introduction to Writing Content Security Policy Tests</title> >+ <link rel="stylesheet" type="text/css" href="README.css"> >+ <link rel="stylesheet" type="text/css" href="http://cdnjs.cloudflare.com/ajax/libs/highlight.js/8.1/styles/default.min.css"> >+ <script src="http://cdnjs.cloudflare.com/ajax/libs/highlight.js/8.1/highlight.min.js"></script> >+ <script> >+ hljs.initHighlightingOnLoad(); >+ </script> >+</head> >+ >+<body> >+ <h1>Introduction to Writing Content Security Policy Tests</h1> >+ <p>The CSP test suite uses the standard W3C testharness.js framework, but there are a few additional things you'll need to do because of the unique way CSP works, even if you're already an expert at writing W3C tests. These tests require the use of the >+ <a href="https://github.com/w3c/wptserve">wptserve</a> server (included in the <a href="https://github.com/web-platform-tests/wpt">web-platform-tests repository</a>) to operate correctly.</p> >+ >+ <h2>What's different about writing CSP tests?</h2> >+ >+ <h3>Headers</h3> >+ <p>Content Security Policy is preferentially set through an HTTP header. This means we can't do our tests just as a simple set of HTML+CSS+JS files. Luckily the wptserver framework provides an easy method to add headers to a file.</p> >+ <p>If my file is named <span class=code>example.html</span> then I can create a file >+ <span class=code>example.html.headers</span> to define the headers that will be served with it. If I need to do template substitutions in the headers, I can instead create a file named <span class=code>example.html.sub.headers</span>.</p> >+ >+ <h3>Negative Test Cases and Blocked Script Execution</h3> >+ <p>Another interesting feature of CSP is that it <em>prevents</em> things from happening. It even can and prevent script from running. 
How do we write tests that detect something didn't happen?</p> >+ >+ <h3>Checking Reports</h3> >+ <p>CSP also has a feature to send a report. We ideally want to check that whenever a policy is enforced, a report is sent. This also helps us with the previous problem - if it is difficult to observe something not happening, we can still check that a report fired.</p> >+ >+ <h2>Putting it Together</h2> >+ <p>Here's an example of a simple test. (ignore the highlights for now...) This file lives in the >+ <span class=code>/content-security-policy/script-src/</span> directory.</p> >+ >+ <p class=codeTitle>script-src-1_1.html</p> >+ <pre><code class="html"><!DOCTYPE HTML> >+<html> >+<head> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <h1>Inline script should not run without 'unsafe-inline' script-src directive.</h1> >+ <div id='log'></div> >+ >+ <script> >+ test(function() { >+ asset_unreached('Unsafe inline script ran.')}, >+ 'Inline script in a script tag should not run without an unsafe-inline directive' >+ ); >+ </script> >+ >+ <img src='doesnotexist.jpg' onerror='test(function() { assert_false(true, "Unsafe inline event handler ran.") }, "Inline event handlers should not run without an unsafe-inline directive");'> >+ >+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=<span class=highlight1>script-src%20%27self%27</span>'></script> >+ >+</body> >+</html> >+ </code></pre> >+ >+ >+ <p>This code includes three tests. The first one in the script block will generate a failure if it runs. The second one, in the onerror handler for the img which does not exist should also generate a failure if it runs. But for a successful CSP implementation, neither of these tests does run. The final test is run by the link to <span class=code>../support/checkReport.sub.js</span>. 
It will load some script in the page (make sure its not blocked by your policy!) which contacts the server asynchronously and sees if the expected report was sent. This should always run an generate a positive or negative result even if the inline tests are blocked as we expect.</p> >+ >+ <p>Now, to actually exercise these tests against a policy, we'll need to set headers. In the same directory we'll place this file:</p> >+ >+ <p class=codeTitle>script-src-1_1.html.sub.headers</p> >+ <pre><code class="html"> >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: <span class=highlight2>script-src-1_1</span>={{$id:uuid()}}; Path=<span class=highlight2>/content-security-policy/script-src/</span> >+Content-Security-Policy: <span class=highlight1>script-src 'self'</span>; report-uri <span class=highlight2>..</span>/support/report.py?op=put&reportID={{$id}} >+ </code></pre> >+ <p>This sets some headers to prevent caching (just so we are more likely to see our latest changes if we're actively developing this test) sets a cookie (more on that later) and sets the relevant <span class=code>Content-Security-Policy</span> header for our test case.</p> >+ >+ <h4>What about those highlights?</h4> >+ <p>In production code we don't like to repeat ourselves. For this test suite, we'll relax that rule a little bit. Why? It's easier to have many people contributing "safe" files using some template substitutions than require every file to be executable content like Python or PHP which would require much more careful code review. The highlights show where you have to be careful as you repeat yourself in more limited static files. >+ </p> >+ >+ <p>The <span class=highlight1>YELLOW</span> highlighted text is information that must be the same between both files for report checking to work correctly. 
In the html file, we're telling >+ <span class=code>checkReport.sub.js</span> to check the value of the <span class=code> >+ violated-directive</span> key in the report JSON. So it needs to match (after URL encoding) the directive we set in the header.</p> >+ >+ <p>The <span class=highlight2>PINK</span> highlighted text is information that must be repeated from the path and filename of your test file into the headers file. The name of the cookie must match the name of the test file without its extension, the path for the cookie must be correct, and the relative path component to the report-uri must also be corrected if you nest your tests more than one directory deep.</p> >+ >+ <h2>Check Your Effects!</h2> >+ <p>A good test case should also verify the state of the DOM in addition to checking the report - after all, a browser might send a report without actually blocking the banned content. Note that in a browser without CSP support there will be three failures on the example page as the inline script executes.</p> >+ <p>How exactly you check your effects will depend on the directive, but don't hesitate to use script for testing to see if computed styles are as expected, if layouts changed or if certain elements were added to the DOM. Checking that the report also fired is just the final step of verifing correct behavior.</p> >+ >+ <p>Note that avoiding inline script is good style and good habits, but not 100% necessary for every test case. 
Go ahead and specify 'unsafe-inline' if it makes your life easier.</p> >+ >+ <h2>Report Existence Only and Double-Negative Tests</h2> >+ <p>If you want to check that a report exists, or verify that a report <em>wasn't</em> sent for a double-negative test case, >+ you can pass <strong>?reportExists=</strong><em>[true|false]</em> to <span class=code>checkReport.sub.js</span> instead of <strong>reportField</strong> and <strong>reportValue</strong>.</p> >+ >+ <h2>How does the magic happen?</h2> >+ <p>Behind the scenes, a few things are going on in the framework.</p> >+ <ol> >+ <li>The {{$id:uuid}} templating marker in the headers file tells the wptserve HTTP server to create a new unique id and assign it to a variable, which we can re-use as {{$id}}.</li> >+ <li>We'll use this UUID in two places: >+ <ol> >+ <li>As a GET parameter to our reporting script, to uniquely identify this instance of the test case so our report can be stored and retrieved. >+ </li> >+ <li>As a cookie value associated with the filename, so script in the page context can learn what UUID the report was sent under.</li> >+ </ol> >+ </li> >+ <li>The report listener is a simple python file that stashes the report value under its UUID and allows it to be retrieved again, exactly once.</li> >+ <li><span class=code>checkReport.sub.js</span> then grabs the current path information and uses that to find the cookie holding the report UUID. It deletes that cookie (otherwise the test suite would overrun the maximum size of a cookie header allowed) then makes an XMLHttpRequest to the report listener to retrieve the report, parse it and verify the contents as per the parameters it was loaded with.</li> >+ </ol> >+ >+ <p>Why all these gymnastics? CSP reports are delivered by an <em>anonymous fetch</em>. This means that the browser does not process the response headers, body, or allow any state changes as a result. 
So we can't pull a trick like just echoing the report contents back in a Set-Cookie header or writing them to local storage.</p> >+ >+ <p>Luckily, you shouldn't have to worry about this magic much, as long as you get the incantation correct.</p> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/base-uri-allow.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/base-uri-allow.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..23c79144747da5a6ed5b8cb3bdd80cbb2e1a97ae >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/base-uri-allow.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Check that base URIs can be set if they do not violate the page's policy. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/base-uri-allow.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/base-uri-allow.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..cda0c2db44faa685679152ddfd9f85fb0450dad6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/base-uri-allow.sub.html 
>@@ -0,0 +1,24 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="base-uri {{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ >+ <script> >+ var t = async_test("Check that base URIs can be set if they do not violate the page's policy."); >+ window.addEventListener('securitypolicyviolation', t.step_func(function(t) { >+ assert_unreached('No CSP violation report should have been fired.'); >+ })); >+ </script> >+ >+ <base href="{{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/"> >+ <script> >+ t.step(function() { >+ assert_equals(document.baseURI, "{{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/"); >+ t.done(); >+ }); >+ </script> >+</head> >+<body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/base-uri-deny.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/base-uri-deny.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a48bd7e44a7f11bdc0ae951c66bc727b33dbbd38 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/base-uri-deny.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+PASS Check that baseURI fires a securitypolicyviolation event when it does not match the csp directive >+PASS Check that the baseURI is not set when it does not match the csp directive >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/base-uri-deny.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/base-uri-deny.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a5a78ae1a347930b759afbc1ec1ceac953eb9df7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/base-uri-deny.sub.html 
>@@ -0,0 +1,25 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="base-uri {{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ >+ <script> >+ var t = async_test("Check that baseURI fires a securitypolicyviolation event when it does not match the csp directive"); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.blockedURI, "{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/") >+ assert_equals(e.violatedDirective, "base-uri"); >+ })); >+ </script> >+ >+ <base href="{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/"> >+ <script> >+ test(function() { >+ assert_equals(document.baseURI, window.location.href); >+ t.done(); >+ }, "Check that the baseURI is not set when it does not match the csp directive"); >+ </script> >+</head> >+<body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/base-uri_iframe_sandbox.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/base-uri_iframe_sandbox.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..0c78243a2b7fc01cb466cfbc1f3832b266f088fd >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/base-uri_iframe_sandbox.sub-expected.txt >@@ -0,0 +1,6 @@ >+base-uri works correctly inside a sandboxed iframe. >+ >+ >+PASS base-uri 'self' works with same-origin sandboxed iframes. >+PASS base-uri 'self' blocks foreign-origin sandboxed iframes. >+ 
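Review bot: the sample test in README.html misspells the assertion: `asset_unreached('Unsafe inline script ran.')` should be `assert_unreached(...)`. Because `test()` catches exceptions, the inline block still fails if it ever runs, but only via a ReferenceError rather than the assertion the surrounding text describes, and anyone copying the example inherits the typo. The same page pulls highlight.js and its stylesheet from `http://cdnjs.cloudflare.com` (plain http, external host) and shows `Cache-Control: post-check=0, pre-check=0, false`, which is not a valid Cache-Control value; the prose also has a few slips ("It even can and prevent script", "an generate", "verifing"). Since w3c-import.log forbids editing these files in WebKit, the fix is a pull request against https://github.com/web-platform-tests/wpt; listing README.html in resource-files.json so it is never run as a test is the right call here.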
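Review bot: in base-uri-deny.sub.html the synchronous `test(...)` block that follows `<base>` calls `t.done()` on the async test, so if the `securitypolicyviolation` event is dispatched from a queued task rather than synchronously while the `<base>` element is parsed, `t` is already complete when the `step_func_done` listener runs and its `assert_equals` checks on `e.blockedURI` and `e.violatedDirective` are never evaluated; the first subtest would then PASS without the event having been observed. base-uri-allow.sub.html has the mirror problem: `t.done()` runs immediately after `<base>`, so a late violation event would never reach `assert_unreached`. A stricter shape is to finish the deny test only from the event listener (drop the `t.done()` from the sync test) and have the allow test wait, for example with `t.step_timeout`, before calling done. These are imported files, so that belongs upstream, but it is worth a sentence in the ChangeLog that the two PASS baselines depend on the event firing synchronously. Minor: `assert_equals(e.blockedURI, ...)` on the deny page lacks its semicolon, and both pages close with `<body></html>` and no `</body>`.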
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..299383c4690ba4a236f443f2b7d8e545b1fa2940 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html 
>@@ -0,0 +1,79 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="base-uri {{location[scheme]}}://{{domains[]}}:{{ports[http][0]}}/base/"> >+ >+ <title>base-uri works correctly inside a sandboxed iframe.</title> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+ >+<body> >+ <h1>base-uri works correctly inside a sandboxed iframe.</h1> >+ <div id='log'></div> >+ >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ assert_unreached('No CSP violation report should have been fired.'); >+ }); >+ >+ async_test(function(t) { >+ var i = document.createElement('iframe'); >+ i.sandbox = 'allow-scripts'; >+ i.style.display = 'none'; >+ i.srcdoc = ` >+ <script> >+ window.addEventListener('securitypolicyviolation', function() { >+ top.postMessage('FAIL', '*'); >+ }); >+ </sc` + `ript> >+ <base href="{{location[scheme]}}://{{domains[]}}:{{ports[http][0]}}/base/"> >+ <script> >+ top.postMessage(document.baseURI, '*'); >+ </sc` + `ript>`; >+ >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.source === i.contentWindow) { >+ assert_equals(e.data, location.origin + '/base/'); >+ t.done(); >+ } >+ })); >+ >+ document.body.appendChild(i); >+ }, 'base-uri \'self\' works with same-origin sandboxed iframes.'); >+ >+ async_test(function(t) { >+ var i = document.createElement('iframe'); >+ i.sandbox = 'allow-scripts'; >+ i.style.display = 'none'; >+ i.srcdoc = ` >+ <script> >+ window.addEventListener('securitypolicyviolation', >+ function(violation) { >+ if (violation.blockedURI !== '{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/base/' || violation.effectiveDirective !== 'base-uri') { >+ top.postMessage('FAIL'); >+ return; >+ } >+ top.postMessage(document.baseURI, '*'); >+ }); >+ </sc` + `ript> >+ <base href="{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/base/"> >+ <script> >+ 
top.postMessage(document.baseURI, '*'); >+ </sc` + `ript>`; >+ >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.source === i.contentWindow) { >+ assert_equals(e.data, location.href); >+ t.done(); >+ } >+ })); >+ >+ document.body.appendChild(i); >+ }, 'base-uri \'self\' blocks foreign-origin sandboxed iframes.'); >+ </script> >+ >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..8cd1db38ea491b0cb6688e36b02760c01730ef53 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub-expected.txt >@@ -0,0 +1,8 @@ >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Test that image does not load >+TIMEOUT Event is fired Test timed out >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..408c0116eb9db039f6d128445c0b86ed1be5d590 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html 
>@@ -0,0 +1,27 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Test that base does not affect report-uri</title> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ <!-- if base is used for resolving the URL to report to then we will not get a report --> >+ <base href="http://nonexistent.{{domains[]}}"> >+</head> >+<body> >+ <script> >+ var t1 = async_test("Test that image does not load"); >+ async_test(function(t2) { >+ window.addEventListener("securitypolicyviolation", t2.step_func(function(e) { >+ assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png"); >+ assert_equals(e.violatedDirective, "img-src"); >+ t2.done(); >+ })); >+ }, "Event is fired"); >+ </script> >+ <img src='{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png' >+ onload='t1.unreached_func("The image should not have loaded");' >+ onerror='t1.done();'> >+ >+ <script async defer src='{{location[scheme]}}://{{location[host]}}/content-security-policy/support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27'></script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..1e3f163730f7b530b4a86848165f227bb28b18c3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.sub.headers 
>@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Pragma: no-cache >+Set-Cookie: report-uri-does-not-respect-base-uri={{$id:uuid()}}; Path=/content-security-policy/base-uri >+Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-uri ../support/report.py?op=put&reportID={{$id}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..6ed774abaa2cbfde9d26be2f907f69bf8473f9ff >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/w3c-import.log >@@ -0,0 +1,21 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/base-uri-allow.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/base-uri-deny.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/base-uri/report-uri-does-not-respect-base-uri.sub.html.sub.headers 
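Review bot: in base-uri_iframe_sandbox.sub.html the failure branch of the second test's violation listener calls `top.postMessage('FAIL');` with no targetOrigin, unlike the `top.postMessage(document.baseURI, '*')` calls next to it. In an engine that requires the second argument that call throws inside the listener and nothing is posted, so a wrong `blockedURI` or `effectiveDirective` shows up as a timeout instead of the intended FAIL. The top-level `window.addEventListener('securitypolicyviolation', ...)` also calls `assert_unreached` outside any test step, which reports as a harness error rather than a subtest failure. The subtest names say `base-uri 'self'` while the meta policy and both srcdoc `<base>` elements use an explicit `{{location[scheme]}}://{{domains[]}}:{{ports[http][0]}}/base/` source, so the names overstate what is covered. All of this is upstream material for the wpt repository, per w3c-import.log.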
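Review bot: in report-uri-does-not-respect-base-uri.sub.html the `onload` handler is `t1.unreached_func("The image should not have loaded");`, which only builds the failure callback and never invokes it; if the image does load, `t1` neither fails nor completes and the subtest times out instead of reporting that message. It should be `t1.unreached_func(...)()` or `t1.step(function() { assert_unreached(...) })`, again as an upstream fix. Separately, the checked-in expectation records `Harness Error (TIMEOUT)` and `TIMEOUT Event is fired`: the `window` listener that completes the "Event is fired" subtest never runs, even though the report does arrive (`PASS Violation report status OK.`). A timeout baseline makes every run wait out the harness timeout, so please reference a tracking bug for the missing `securitypolicyviolation` event in the ChangeLog or TestExpectations rather than landing the TIMEOUT as if it were the intended result.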
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/blob-urls-do-not-match-self.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/blob-urls-do-not-match-self.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..96f763b126c146175d8b19ccf57e182022633090 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/blob-urls-do-not-match-self.sub-expected.txt >@@ -0,0 +1,5 @@ >+blob: URLs are same-origin with the page in which they were created, but explicitly do not match the 'self' or '*' source in CSP directives because they are more akin to 'unsafe-inline' content. >+ >+ >+FAIL Expecting logs: ["violated-directive=script-src-elem"] assert_unreached: Logging timeout, expected logs violated-directive=script-src-elem not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/blob-urls-do-not-match-self.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/blob-urls-do-not-match-self.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..cafa1e366026c2b079aff2ef7b4e34541f8349b6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/blob-urls-do-not-match-self.sub.html 
>@@ -0,0 +1,36 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'; child-src 'self';"> >+ <title>blob-urls-do-not-match-self</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem"]'></script> >+ <script src='../support/alertAssert.sub.js?alerts=[]'></script> >+</head> >+ >+<body> >+ <p> >+ blob: URLs are same-origin with the page in which they were created, but explicitly do not match the 'self' or '*' source in CSP directives because they are more akin to 'unsafe-inline' content. >+ </p> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ function fail() { >+ alert_assert("FAIL!"); >+ } >+ var b = new Blob(['fail();'], { >+ type: 'application/javascript' >+ }); >+ var script = document.createElement('script'); >+ script.src = URL.createObjectURL(b); >+ document.body.appendChild(script); >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/blob-urls-match-blob.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/blob-urls-match-blob.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..dea4647ef2944ed6b97b7505e15dc7868b697791 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/blob-urls-match-blob.sub-expected.txt >@@ -0,0 +1,5 @@ >+blob: URLs are same-origin with the page in which they were created, but match only if the blob: scheme is specified. >+ >+ >+PASS Expecting logs: ["PASS (1/1)"] >+ 
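Review bot: the baseline for blob-urls-do-not-match-self.sub.html is a FAIL ("expected logs violated-directive=script-src-elem not sent") while the page's policy is `script-src 'self' 'unsafe-inline'; connect-src 'self'; child-src 'self';` and never names `script-src-elem`. The test asserts only the directive name that `e.violatedDirective` reports for the blocked blob: script, so the FAIL is about the directive-name spelling the test expects, not about whether the blob: URL was blocked; the positive half of the same behaviour, blob-urls-match-blob, passes. The ChangeLog only mentions skipping tests for unsupported features. Please add a line there (or a comment in TestExpectations) saying this failure is the `script-src-elem` directive name, so it is not read later as a blob: source-matching regression.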
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/blob-urls-match-blob.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/blob-urls-match-blob.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..41b06b302479e739b8b001eed3c5e1456c01059a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/blob-urls-match-blob.sub.html >@@ -0,0 +1,37 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' blob:; connect-src 'self';"> >+ <title>blob-urls-match-blob</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS (1/1)"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <p> >+ blob: URLs are same-origin with the page in which they were created, but match only if the blob: scheme is specified. >+ </p> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("FAIL"); >+ }); >+ >+ function pass() { >+ log("PASS (1/1)"); >+ } >+ var b = new Blob(['pass();'], { >+ type: 'application/javascript' >+ }); >+ var script = document.createElement('script'); >+ script.src = URL.createObjectURL(b); >+ document.body.appendChild(script); >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/self-doesnt-match-blob.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/self-doesnt-match-blob.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..b87787ce5ccc330637e9def77bca172e8e7a0558 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/self-doesnt-match-blob.sub-expected.txt >@@ -0,0 +1,5 @@ >+This test loads a worker, from a guid. The worker should be blocked from loading with a child-src policy of 'self' as the blob: scheme must be specified explicitly. A report should be sent to the report-uri specified with this resource. >+ >+ >+FAIL Expecting logs: ["violated-directive=worker-src","TEST COMPLETE"] assert_unreached: Logging timeout, expected logs violated-directive=worker-src not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/self-doesnt-match-blob.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/self-doesnt-match-blob.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..48ad34dbe886214c30b9ee68a3e5ef3d2ccaff38 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/self-doesnt-match-blob.sub.html 
>@@ -0,0 +1,49 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src 'self';"> >+ <title>worker-connect-src-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["violated-directive=worker-src","TEST COMPLETE"]'></script> >+ <script src='../support/alertAssert.sub.js?alerts=[]'></script> >+</head> >+<p>This test loads a worker, from a guid. >+ The worker should be blocked from loading with a child-src policy of 'self' >+ as the blob: scheme must be specified explicitly. >+ A report should be sent to the report-uri specified >+ with this resource.</p> >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ try { >+ var blob = new Blob([ >+ "postMessage('FAIL');" + >+ "postMessage('TEST COMPLETE');" >+ ], >+ {type : 'application/javascript'}); >+ var url = URL.createObjectURL(blob); >+ var worker = new Worker(url); >+ worker.onmessage = function(event) { >+ alert_assert(event.data); >+ }; >+ worker.onerror = function(event) { >+ log('TEST COMPLETE'); >+ event.preventDefault(); >+ } >+ } catch (e) { >+ log('TEST COMPLETE'); >+ } >+ function timeout() { >+ log('TEST COMPLETE'); >+ } >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/star-doesnt-match-blob.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/star-doesnt-match-blob.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..f589a761f880a0bed373690fe1d8a09e2a4163e5 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/star-doesnt-match-blob.sub-expected.txt >@@ -0,0 +1,5 @@ >+This test loads a worker, from a guid. The worker should be blocked from loading with a child-src policy of * as the blob: scheme must be specified explicitly. A report should be sent to the report-uri specified with this resource. >+ >+ >+FAIL Expecting logs: ["violated-directive=worker-src","TEST COMPLETE"] assert_unreached: Logging timeout, expected logs violated-directive=worker-src not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/star-doesnt-match-blob.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/star-doesnt-match-blob.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..0a184a84974e0c734c70df24c8dfe0d16d20c506 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/star-doesnt-match-blob.sub.html 
>@@ -0,0 +1,49 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline'; child-src *;"> >+ <title>worker-connect-src-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["violated-directive=worker-src","TEST COMPLETE"]'></script> >+ >+</head> >+<p>This test loads a worker, from a guid. >+ The worker should be blocked from loading with a child-src policy of * >+ as the blob: scheme must be specified explicitly. >+ A report should be sent to the report-uri specified >+ with this resource.</p> >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ try { >+ var blob = new Blob([ >+ "postMessage('FAIL');" + >+ "postMessage('TEST COMPLETE');" >+ ], >+ {type : 'application/javascript'}); >+ var url = URL.createObjectURL(blob); >+ var worker = new Worker(url); >+ worker.onmessage = function(event) { >+ log(event.data); >+ }; >+ worker.onerror = function(event) { >+ event.preventDefault(); >+ log('TEST COMPLETE'); >+ } >+ } catch (e) { >+ log('TEST COMPLETE'); >+ } >+ function timeout() { >+ log('TEST COMPLETE'); >+ } >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..8134fce6a3e7b68bf4efde70492da677b5383be6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/w3c-import.log 
>@@ -0,0 +1,20 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/blob-urls-do-not-match-self.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/blob-urls-match-blob.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/self-doesnt-match-blob.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/star-doesnt-match-blob.sub.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..c5d921864dd187b8e235a34bf9e59d750d32bdab >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub-expected.txt >@@ -0,0 +1,6 @@ >+These frames should not be blocked by Content-Security-Policy. It's pointless to block about:blank iframes because blocking a frame just results in displaying about:blank anyway! >+ >+ >+ >+PASS Check that frames load without throwing any violation events >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..0e48be6732003b928d897af8953ff145fb7a0e73 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html >@@ -0,0 +1,29 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="child-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>child-src-about-blank-allowed-by-default</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <p>These frames should not be blocked by Content-Security-Policy. >+ It's pointless to block about:blank iframes because >+ blocking a frame just results in displaying about:blank anyway! >+ </p> >+ <script> >+ var t = async_test("Check that frames load without throwing any violation events"); >+ window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have fired any events")); >+ </script> >+ >+ <iframe src="about:blank"></iframe> >+ <object type="text/html" data="about:blank"></object> >+ >+ <div id="log"></div> >+ >+ <script> >+ t.done(); >+ </script> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..6043e4102e375558c3c10998cd9b50e906702fb6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub-expected.txt >@@ -0,0 +1,6 @@ >+This frame should not be blocked by Content-Security-Policy. >+ >+ >+ >+PASS Check that frames load without throwing any violation events >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..89e8529c1720cde5901ff43d3427b1a7e2ffb35a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html 
>@@ -0,0 +1,25 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="child-src about:; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>child-src-about-blank-allowed-by-scheme</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <p>This frame should not be blocked by Content-Security-Policy. >+ </p> >+ <script> >+ var t = async_test("Check that frames load without throwing any violation events"); >+ window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have fired any events")); >+ </script> >+ >+ <iframe src="about:blank"></iframe> >+ <div id="log"></div> >+ >+ <script> >+ t.done(); >+ </script> >+</body> >+ >+</html> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..798395ee6d91a29501ed9eb0df286ddfebb8dd6a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-allowed.sub-expected.txt >@@ -0,0 +1,7 @@ >+This iframe should be allowed. >+ >+ >+ >+PASS Expecting logs: ["PASS IFrame #1 generated a load event."] >+PASS Expecting alerts: ["PASS"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..29ded4c486e3fb2a76a3df0d8c1965424394e877 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-allowed.sub.html >@@ -0,0 +1,64 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <title>child-src-allowed</title> >+ <meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event."]'></script> >+ <script> >+ window.addEventListener("message", function(event) { >+ alert_assert(event.data); >+ }, false); >+ >+ window.addEventListener("securitypolicyviolation", function(e) { >+ alert_assert("Fail"); >+ }); >+ >+ var t_alert = async_test('Expecting alerts: ["PASS"]'); >+ var expected_alerts = ["PASS"]; >+ >+ function alert_assert(msg) { >+ t_alert.step(function() { >+ if (msg.match(/^FAIL/i)) { >+ assert_unreached(msg); >+ t_alert.done(); >+ } >+ for (var i = 0; i < expected_alerts.length; i++) { >+ if (expected_alerts[i] == msg) { >+ assert_true(expected_alerts[i] == msg); >+ expected_alerts.splice(i, 1); >+ if (expected_alerts.length == 0) { >+ t_alert.done(); >+ } >+ return; >+ } >+ } >+ assert_unreached('unexpected alert: ' + msg); >+ t_alert.done(); >+ }); >+ } >+ >+ </script> >+ <p> >+ This iframe should be allowed. >+ </p> >+ <script> >+ window.wasPostTestScriptParsed = true; >+ var loads = 0; >+ >+ function loadEvent() { >+ loads++; >+ log("PASS " + "IFrame #" + loads + " generated a load event."); >+ } >+ >+ </script> >+</head> >+ >+<body> >+ <iframe src="/content-security-policy/support/postmessage-pass.html" onload="loadEvent()"></iframe> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..7a494bc6fbd9fd556ce1211ea6b48f1c4f838f15 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-blocked.sub-expected.txt >@@ -0,0 +1,6 @@ >+IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS. >+ >+ >+ >+FAIL Expecting logs: ["PASS IFrame #1 generated a load event.", "violated-directive=frame-src"] assert_unreached: Logging timeout, expected logs violated-directive=frame-src not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..6306539393132c076bede55d317308b54e41facd >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-blocked.sub.html 
>@@ -0,0 +1,62 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="child-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>child-src-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event.", "violated-directive=frame-src"]'></script> >+ <script> >+ window.addEventListener("message", function(event) { >+ alert_assert(event.data); >+ }, false); >+ >+ window.addEventListener("securitypolicyviolation", function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ function alert_assert(msg) { >+ t_log.step(function() { >+ if (msg.match(/^FAIL/i)) { >+ assert_unreached(msg); >+ t_log.done(); >+ } >+ for (var i = 0; i < expected_alerts.length; i++) { >+ if (expected_alerts[i] == msg) { >+ assert_true(expected_alerts[i] == msg); >+ expected_alerts.splice(i, 1); >+ if (expected_alerts.length == 0) { >+ t_log.done(); >+ } >+ return; >+ } >+ } >+ assert_unreached('unexpected alert: ' + msg); >+ t_log.done(); >+ }); >+ } >+ >+ </script> >+ <p> >+ IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS. >+ </p> >+ <script> >+ window.wasPostTestScriptParsed = true; >+ var loads = 0; >+ >+ function loadEvent() { >+ loads++; >+ log("PASS " + "IFrame #" + loads + " generated a load event."); >+ } >+ >+ </script> >+</head> >+ >+<body> >+ <iframe src="/content-security-policy/support/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..f735fa9aa4bddedbf7e52df78f456dcee24fe35c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub-expected.txt >@@ -0,0 +1,6 @@ >+A more permissive child-src should not relax restrictions from a less- permissive frame-src. Directives still combine for least privilege, even when one obsoletes another. >+ >+ >+ >+FAIL Expecting logs: ["PASS IFrame #1 generated a load event.", "violated-directive=frame-src"] assert_unreached: Logging timeout, expected logs violated-directive=frame-src not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..153caa0242201c6aa092f775440d4ac7ccf1db10 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html 
>@@ -0,0 +1,65 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <title>child-src-blocked</title> >+ <meta http-equiv="Content-Security-Policy" content="frame-src 'none'; child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event.", "violated-directive=frame-src"]'></script> >+ <script> >+ window.addEventListener("message", function(event) { >+ alert_assert(event.data); >+ }, false); >+ >+ window.addEventListener("securitypolicyviolation", function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ function alert_assert(msg) { >+ t_log.step(function() { >+ if (msg.match(/^FAIL/i)) { >+ assert_unreached(msg); >+ t_log.done(); >+ } >+ for (var i = 0; i < expected_alerts.length; i++) { >+ if (expected_alerts[i] == msg) { >+ assert_true(expected_alerts[i] == msg); >+ expected_alerts.splice(i, 1); >+ if (expected_alerts.length == 0) { >+ t_log.done(); >+ } >+ return; >+ } >+ } >+ assert_unreached('unexpected alert: ' + msg); >+ t_log.done(); >+ }); >+ } >+ >+ </script> >+ <!-- enforcing policy: >+frame-src 'none'; child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; >+--> >+ <p> >+ A more permissive child-src should not relax restrictions from a less- >+ permissive frame-src. Directives still combine for least privilege, even when >+ one obsoletes another. >+ </p> >+ <script> >+ window.wasPostTestScriptParsed = true; >+ var loads = 0; >+ >+ function loadEvent() { >+ loads++; >+ log("PASS " + "IFrame #" + loads + " generated a load event."); >+ } >+ >+ </script> >+</head> >+ >+<body> >+ <iframe src="/content-security-policy/support/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-cross-origin-load.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-cross-origin-load.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..79413678d71ec6dd7e254ff86a3c31b0ada4f119 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-cross-origin-load.sub-expected.txt >@@ -0,0 +1,10 @@ >+Blocked access to external URL http://www1.localhost:8800/content-security-policy/support/postmessage-pass.html >+IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS. >+ >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+FAIL Expecting logs: ["PASS IFrame #1 generated a load event.","PASS IFrame #2 generated a load event.","PASS IFrame #3 generated a load event.", "violated-directive=frame-src"] assert_unreached: unexpected log: TEST COMPLETE Reached unreachable code >+TIMEOUT Expecting alerts: ["PASS","PASS"] Test timed out >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c67ec67385b9106013d8fce07b4f882cb50448eb >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html 
>@@ -0,0 +1,72 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="child-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>child-src-cross-origin-load</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event.","PASS IFrame %232 generated a load event.","PASS IFrame %233 generated a load event.", "violated-directive=frame-src"]'></script> >+ <script> >+ window.addEventListener("message", function(event) { >+ alert_assert(event.data); >+ }, false); >+ >+ window.addEventListener("securitypolicyviolation", function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ var t_alert = async_test('Expecting alerts: ["PASS","PASS"]'); >+ var expected_alerts = ["PASS", "PASS"]; >+ >+ function alert_assert(msg) { >+ t_alert.step(function() { >+ if (msg.match(/^FAIL/i)) { >+ assert_unreached(msg); >+ t_alert.done(); >+ } >+ for (var i = 0; i < expected_alerts.length; i++) { >+ if (expected_alerts[i] == msg) { >+ assert_true(expected_alerts[i] == msg); >+ expected_alerts.splice(i, 1); >+ if (expected_alerts.length == 0) { >+ t_alert.done(); >+ } >+ return; >+ } >+ } >+ assert_unreached('unexpected alert: ' + msg); >+ t_alert.done(); >+ }); >+ } >+ >+ </script> >+ <!-- enforcing policy: >+child-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self'; >+--> >+ <p> >+ IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS. 
>+ </p> >+ <script> >+ window.wasPostTestScriptParsed = true; >+ var loads = 0; >+ >+ function loadEvent() { >+ loads++; >+ log("PASS " + "IFrame #" + loads + " generated a load event."); >+ if (loads == 3) >+ log("TEST COMPLETE"); >+ } >+ >+ </script> >+</head> >+ >+<body> >+ <iframe src="/content-security-policy/support/postmessage-pass.html" onload="loadEvent()"></iframe> >+ <iframe src="http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-pass.html" onload="loadEvent()"></iframe> >+ <iframe src="http://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-redirect-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-redirect-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..7a494bc6fbd9fd556ce1211ea6b48f1c4f838f15 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-redirect-blocked.sub-expected.txt >@@ -0,0 +1,6 @@ >+IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS. >+ >+ >+ >+FAIL Expecting logs: ["PASS IFrame #1 generated a load event.", "violated-directive=frame-src"] assert_unreached: Logging timeout, expected logs violated-directive=frame-src not sent. Reached unreachable code >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-redirect-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-redirect-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..6a39213290ce41df5879d8cc4655a6d2c510a97e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-redirect-blocked.sub.html 
>@@ -0,0 +1,65 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>child-src-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event.", "violated-directive=frame-src"]'></script> >+ <script> >+ window.addEventListener("message", function(event) { >+ alert_assert(event.data); >+ }, false); >+ >+ window.addEventListener("securitypolicyviolation", function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ function alert_assert(msg) { >+ t_log.step(function() { >+ if (msg.match(/^FAIL/i)) { >+ assert_unreached(msg); >+ t_log.done(); >+ } >+ for (var i = 0; i < expected_alerts.length; i++) { >+ if (expected_alerts[i] == msg) { >+ assert_true(expected_alerts[i] == msg); >+ expected_alerts.splice(i, 1); >+ if (expected_alerts.length == 0) { >+ t_log.done(); >+ } >+ return; >+ } >+ } >+ assert_unreached('unexpected alert: ' + msg); >+ t_log.done(); >+ }); >+ } >+ >+ </script> >+ <!-- enforcing policy: >+child-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; >+--> >+ <p> >+ IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS. 
>+ </p> >+ <script> >+ window.wasPostTestScriptParsed = true; >+ var loads = 0; >+ >+ function loadEvent() { >+ loads++; >+ log("PASS " + "IFrame #" + loads + " generated a load event."); >+ } >+ >+ </script> >+</head> >+ >+<body> >+ <iframe src="/common/redirect.py?location=http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-worker-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-worker-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a3fd2b48c659fd6779bcd63ab2871c34043788f7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-worker-allowed.sub-expected.txt >@@ -0,0 +1,5 @@ >+This test used to check the child-src csp controlling worker creation. This behaviour has been deprecated but it's still supported until the transition is done. This still tests that behaviour but we need to go through extra hoops to make sure 'script-src' does not affect the result in any way (for instance by allowing 'self'). >+ >+ >+PASS Worker is allowed because of deprecated 'child-src' directive >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-worker-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-worker-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..d02abaef1934a826d4fa04b28cb0bb5a0d399c4e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-worker-allowed.sub.html 
>@@ -0,0 +1,38 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <title>child-src-worker-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'unsafe-inline'; connect-src 'self';"> >+</head> >+ >+<body> >+ <p> This test used to check the child-src csp controlling worker creation. This behaviour has been deprecated but it's still supported >+ until the transition is done. This still tests that behaviour but we need to go through extra hoops to make sure 'script-src' >+ does not affect the result in any way (for instance by allowing 'self'). >+ </p> >+ <script> >+ async_test(function(t) { >+ document.addEventListener("securitypolicyviolation", t.step_func(function(e) { >+ if (e.blockedURI != "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/post-message.js") >+ return; >+ >+ assert_unreached("Should not throw a securitypolicyviolation"); >+ })); >+ >+ try { >+ var foo = new Worker('{{location[scheme]}}://{{location[host]}}/content-security-policy/support/post-message.js'); >+ foo.onmessage = function(event) { >+ t.done(); >+ }; >+ } catch (e) { >+ assert_unreached("Should not throw exception"); >+ } >+ }, "Worker is allowed because of deprecated 'child-src' directive"); >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-worker-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-worker-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a264ff831c0c4a4a0461b68496b1d622f4378d69 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-worker-blocked.sub-expected.txt 
>@@ -0,0 +1,6 @@ >+This test used to check the child-src csp controlling worker creation. This behaviour has been deprecated but it's still supported until the transition is done. This still tests that behaviour but we need to go through extra hoops to make sure 'script-src' does not affect the result in any way (for instance by allowing 'self'). >+ >+ >+FAIL Should throw a securitypolicyviolation event assert_equals: expected "worker-src" but got "child-src 'none'" >+PASS Should block worker because it does not match any directive including the deprecated 'child-src' >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-worker-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-worker-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..675cd95ea4f9fd375268ca614a85dd68740b2620 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-worker-blocked.sub.html 
>@@ -0,0 +1,44 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <title>child-src-worker-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <meta http-equiv="Content-Security-Policy" content="child-src 'none'; script-src 'unsafe-inline'; connect-src 'self';"> >+</head> >+ >+<body> >+ <p> This test used to check the child-src csp controlling worker creation. This behaviour has been deprecated but it's still supported >+ until the transition is done. This still tests that behaviour but we need to go through extra hoops to make sure 'script-src' >+ does not affect the result in any way (for instance by allowing 'self'). >+ </p> >+ <script> >+ async_test(function(t) { >+ document.addEventListener("securitypolicyviolation", t.step_func(function(e) { >+ if (e.blockedURI != "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/post-message.js") >+ return; >+ >+ assert_equals(e.violatedDirective, "worker-src"); >+ t.done(); >+ })); >+ }, "Should throw a securitypolicyviolation event"); >+ >+ async_test(function(t) { >+ try { >+ var foo = new Worker('{{location[scheme]}}://{{location[host]}}/content-security-policy/support/post-message.js'); >+ foo.onerror = function(event) { >+ event.preventDefault(); >+ t.done(); >+ } >+ foo.onmessage = function(event) { >+ assert_unreached("Should not be able to start worker"); >+ }; >+ } catch (e) { >+ t.done(); >+ } >+ }, "Should block worker because it does not match any directive including the deprecated 'child-src'"); >+ </script> >+ <div id="log"></div> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..d4e89d37edfb3eaa851070a905f31365775e0564 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/w3c-import.log >@@ -0,0 +1,25 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-about-blank-allowed-by-default.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-about-blank-allowed-by-scheme.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-conflicting-frame-src.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-cross-origin-load.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-redirect-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-worker-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-worker-blocked.sub.html 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..c2c230a410ae7d8bd5a632cbb75b06b13c4ac2d0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-allowed.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Expecting logs: ["Pass"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a32913dd3e27b6c4df0f322f2ed5c600eac4f322 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-allowed.sub.html 
>@@ -0,0 +1,39 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';"> >+ <title>connect-src-beacon-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <!-- enforcing policy: >+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; >+--> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("FAIL"); >+ }); >+ >+ if (typeof navigator.sendBeacon != 'function') { >+ t_log.set_status(t_log.NOTRUN, "No navigator.sendBeacon, cannot run test."); >+ t_log.phase = t_log.phases.HAS_RESULT; >+ t_log.done(); >+ } else { >+ try { >+ var es = navigator.sendBeacon("http://{{host}}:{{ports[http][0]}}/cors/resources/status.py"); >+ log("Pass"); >+ } catch (e) { >+ log("Fail"); >+ } >+ } >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..0da9edbed8ba1539b4fa6e9fd75b3b25bcb791c9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-blocked.sub-expected.txt 
>@@ -0,0 +1,3 @@ >+ >+FAIL Expecting logs: ["Pass", "violated-directive=connect-src"] assert_unreached: Logging timeout, expected logs violated-directive=connect-src not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..95b4ce9a19116479a8840517dcfabeaf168729b2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-blocked.sub.html 
>@@ -0,0 +1,39 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline';"> >+ <title>connect-src-beacon-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["Pass", "violated-directive=connect-src"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <!-- enforcing policy: >+connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; >+--> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ if (typeof navigator.sendBeacon != 'function') { >+ t_log.set_status(t_log.NOTRUN, "No navigator.sendBeacon, cannot run test."); >+ t_log.phase = t_log.phases.HAS_RESULT; >+ t_log.done(); >+ } else { >+ try { >+ var es = navigator.sendBeacon("http://www1.{{host}}:{{ports[http][0]}}/security/contentSecurityPolicy/echo-report.php"); >+ log("Pass"); >+ } catch (e) { >+ log("Fail"); >+ } >+ } >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-redirect-to-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-redirect-to-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..03e291165470abf1ab257d98e6ef6706f28f1e0f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-redirect-to-blocked.sub-expected.txt 
>@@ -0,0 +1,7 @@ >+The beacon should not follow the redirect to http://www1.localhost:8800/content-security-policy/support/fail.png and send a CSP violation report. >+ >+Verify that a CSP connect-src directive blocks redirects. >+ >+ >+FAIL Expecting logs: ["violated-directive=connect-src"] assert_unreached: Logging timeout, expected logs violated-directive=connect-src not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-redirect-to-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-redirect-to-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..7328d7a704a3bc803e2497293f61af1d32746fae >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-redirect-to-blocked.sub.html 
>@@ -0,0 +1,36 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline';"> >+ <title>connect-src-beacon-redirect-to-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["violated-directive=connect-src"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <script></script> >+</head> >+ >+<body> >+ <p>The beacon should not follow the redirect to http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png and send a CSP violation report.</p> >+ <p>Verify that a CSP connect-src directive blocks redirects.</p> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ if (typeof navigator.sendBeacon != 'function') { >+ t_log.set_status(t_log.NOTRUN, "No navigator.sendBeacon, cannot run test."); >+ t_log.phase = t_log.phases.HAS_RESULT; >+ t_log.done(); >+ } else { >+ navigator.sendBeacon( >+ "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png", >+ "ping"); >+ } >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-eventsource-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-eventsource-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..724e098bbc6dfe9ce22e8d137f37a5636c92c3f8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-eventsource-allowed.sub-expected.txt 
>@@ -0,0 +1,3 @@ >+ >+FAIL Expecting logs: ["allowed"] assert_unreached: unexpected log: blocked Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-eventsource-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-eventsource-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..8922d99e0392fa6a4ecd30663981208d88e33d1f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-eventsource-allowed.sub.html >@@ -0,0 +1,39 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';"> >+ <title>connect-src-eventsource-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["allowed"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("allowed"); >+ }); >+ >+ try { >+ var es = new EventSource("http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/connect-src/resources/simple-event-stream"); >+ // Firefox and Chrome don't throw an exception and takes some time to close async >+ if (es.readyState == EventSource.CONNECTING) { >+ setTimeout( function() { >+ es.readyState != EventSource.CLOSED ? log("allowed") : log("blocked"); >+ }, 1000); >+ } else if (es.readyState == EventSource.CLOSED) { >+ log("blocked"); >+ } else { >+ log("allowed"); >+ } >+ } catch (e) { >+ log("blocked"); >+ } >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-eventsource-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-eventsource-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a0d8be4095eda379db36ffdb6750e8be50b31a6d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-eventsource-blocked.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Expecting logs: ["blocked","violated-directive=connect-src"] assert_unreached: Logging timeout, expected logs violated-directive=connect-src not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-eventsource-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-eventsource-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..df8a9a1e3db136aaa43c62e8629ff46b1c230dfa >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-eventsource-blocked.sub.html 
>@@ -0,0 +1,39 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline';"> >+ <title>connect-src-eventsource-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["blocked","violated-directive=connect-src"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ try { >+ var es = new EventSource("http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/connect-src/resources/simple-event-stream"); >+ // Firefox and Chrome don't throw an exception and takes some time to close async >+ if (es.readyState == EventSource.CONNECTING) { >+ setTimeout( function() { >+ es.readyState != EventSource.CLOSED ? log("allowed") : log("blocked"); >+ }, 1000); >+ } else if (es.readyState == EventSource.CLOSED) { >+ log("blocked"); >+ } else { >+ log("allowed"); >+ } >+ } catch (e) { >+ log("blocked"); >+ } >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-eventsource-redirect-to-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-eventsource-redirect-to-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..82864ee3b44345a5f4462c0e21bb81878b3612d4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-eventsource-redirect-to-blocked.sub-expected.txt 
>@@ -0,0 +1,3 @@ >+ >+FAIL Expecting logs: ["PASS EventSource() did not follow the disallowed redirect.","TEST COMPLETE", "violated-directive=connect-src"] assert_unreached: Logging timeout, expected logs violated-directive=connect-src not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-eventsource-redirect-to-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-eventsource-redirect-to-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..32709cd2d4acc8dee18f6d4aa8d4e1a9547f82a3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-eventsource-redirect-to-blocked.sub.html 
>@@ -0,0 +1,40 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="connect-src 'self' http://{{host}}:{{ports[http][0]}}/security/contentSecurityPolicy/resources/redir.php; script-src 'self' 'unsafe-inline';"> >+ <title>connect-src-eventsource-redirect-to-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS EventSource() did not follow the disallowed redirect.","TEST COMPLETE", "violated-directive=connect-src"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <script></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ var es; >+ try { >+ es = new EventSource("/common/redirect.py?location= http://www.{{host}}:{{ports[http][0]}}/content-security-policy/connect-src/resources/simple-event-stream"); >+ } catch (e) { >+ log("FAIL " + "EventSource() should not throw an exception."); >+ } >+ es.onload = function() { >+ log("FAIL " + "EventSource() should fail to follow the disallowed redirect."); >+ log("TEST COMPLETE"); >+ }; >+ es.onerror = function() { >+ log("PASS " + "EventSource() did not follow the disallowed redirect."); >+ log("TEST COMPLETE"); >+ }; >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..7581220d512ff0aaabab8dc3a63459d9e01d1ffb >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-allowed.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Expecting logs: ["allowed"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..4263d97fe2dfbb9e2a0f0851c07798d40a5671a9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-allowed.sub.html >@@ -0,0 +1,36 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncraciws.--> >+ <meta http-equiv="Content-Security-Policy" content="connect-src 'self' ws://{{domains[www1]}}:{{ports[http][0]}}/echo; script-src 'self' 'unsafe-inline';"> >+ <title>connect-src-websocket-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["allowed"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ try { >+ var ws = new WebSocket("ws://{{domains[www1]}}:{{ports[http][0]}}/echo"); >+ >+ if (ws.readyState == WebSocket.CLOSING || ws.readyState == WebSocket.CLOSED) { >+ log("blocked"); >+ } else { >+ log("allowed"); >+ } >+ } catch (e) { >+ log("blocked"); >+ } >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a0d8be4095eda379db36ffdb6750e8be50b31a6d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-blocked.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Expecting logs: ["blocked","violated-directive=connect-src"] assert_unreached: Logging timeout, expected logs violated-directive=connect-src not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..02c52837bb8bd5cbc26f54f899fe25b5d68bd561 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-blocked.sub.html 
>@@ -0,0 +1,36 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncraciws.--> >+ <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline';"> >+ <title>connect-src-websocket-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["blocked","violated-directive=connect-src"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ try { >+ var ws = new WebSocket("ws://{{domains[www1]}}:{{ports[http][0]}}/echo"); >+ >+ if (ws.readyState == WebSocket.CLOSING || ws.readyState == WebSocket.CLOSED) { >+ log("blocked"); >+ } else { >+ log("allowed"); >+ } >+ } catch (e) { >+ log("blocked"); >+ } >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-self.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-self.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..5aeec0506616cfa022b432f448d6820269efc733 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-self.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Expecting logs: ["allowed", "allowed"] assert_unreached: unexpected log: blocked Reached unreachable code >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-self.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-self.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..6db324ea0e70350b1781b036afc14cc37f588dfc >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-self.sub.html >@@ -0,0 +1,47 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline';"> >+ <title>connect-src-websocket-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["allowed", "allowed"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ try { >+ var ws = new WebSocket("ws://{{host}}:{{location[port]}}/echo"); >+ >+ if (ws.readyState == WebSocket.CLOSING || ws.readyState == WebSocket.CLOSED) { >+ log("blocked"); >+ } else { >+ log("allowed"); >+ } >+ } catch (e) { >+ log("blocked"); >+ } >+ >+ try { >+ var wss = new WebSocket("wss://{{host}}:{{location[port]}}/echo"); >+ >+ if (wss.readyState == WebSocket.CLOSING || wss.readyState == WebSocket.CLOSED) { >+ log("blocked"); >+ } else { >+ log("allowed"); >+ } >+ } catch (e) { >+ log("blocked"); >+ } >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-xmlhttprequest-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-xmlhttprequest-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..c2c230a410ae7d8bd5a632cbb75b06b13c4ac2d0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-xmlhttprequest-allowed.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Expecting logs: ["Pass"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-xmlhttprequest-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-xmlhttprequest-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..bde5eeea10acb7117dcf8bb1656cb0b520c5b3c7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-xmlhttprequest-allowed.sub.html 
>@@ -0,0 +1,32 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';"> >+ <title>connect-src-xmlhttprequest-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["Pass"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("Fail"); >+ }); >+ >+ try { >+ var xhr = new XMLHttpRequest; >+ xhr.open("GET", "http://{{host}}:{{ports[http][0]}}/xmlhttprequest/resources/get.txt", true); >+ log("Pass"); >+ } catch (e) { >+ log("Fail"); >+ } >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..9d92956c65f9bc36c71c4901c4e31364a510686e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Expecting logs: ["Pass","violated-directive=connect-src"] assert_unreached: Logging timeout, expected logs violated-directive=connect-src not sent. Reached unreachable code >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..f4215909d9f505627eb0211b490f69a80eefbc37 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub.html >@@ -0,0 +1,38 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline';"> >+ <title>connect-src-xmlhttprequest-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["Pass","violated-directive=connect-src"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ try { >+ var xhr = new XMLHttpRequest; >+ xhr.open("GET", "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png", true); >+ xhr.send(); >+ xhr.onload = function() { >+ log("Fail"); >+ } >+ xhr.onerror = function() { >+ log("Pass"); >+ } >+ } catch (e) { >+ log("Pass"); >+ } >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-xmlhttprequest-redirect-to-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-xmlhttprequest-redirect-to-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..bc84c4a24c0be88b967251f20dea5125ff79e229 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-xmlhttprequest-redirect-to-blocked.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Expecting logs: ["PASS XMLHttpRequest.send() did not follow the disallowed redirect.","TEST COMPLETE","violated-directive=connect-src"] assert_unreached: Logging timeout, expected logs violated-directive=connect-src not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-xmlhttprequest-redirect-to-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-xmlhttprequest-redirect-to-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..429e463c5314f19a982163099aa02d97b14b7fc2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-xmlhttprequest-redirect-to-blocked.sub.html 
>@@ -0,0 +1,46 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline';"> >+ <title>connect-src-xmlhttprequest-redirect-to-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS XMLHttpRequest.send() did not follow the disallowed redirect.","TEST COMPLETE","violated-directive=connect-src"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <script id="inject_here"></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ var xhr = new XMLHttpRequest; >+ try { >+ xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true); >+ } catch (e) { >+ log("FAIL " + "XMLHttpRequest.open() should not throw an exception."); >+ } >+ xhr.onload = function() { >+ //cons/**/ole.log(xhr.responseText); >+ if(xhr.responseText == "FAIL") { >+ log("FAIL " + "XMLHttpRequest.send() should fail to follow the disallowed redirect."); >+ } else { >+ log("PASS " + "XMLHttpRequest.send() did not follow the disallowed redirect."); >+ } >+ log("TEST COMPLETE"); >+ }; >+ xhr.onerror = function() { >+ log("PASS " + "XMLHttpRequest.send() did not follow the disallowed redirect."); >+ log("TEST COMPLETE"); >+ }; >+ xhr.send(); >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/resources/simple-event-stream b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/resources/simple-event-stream >new file mode 100644 >index 0000000000000000000000000000000000000000..bdd2d486c2679c36ba464892039ca6b89afeaed0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/resources/simple-event-stream >@@ -0,0 +1 @@ >+data: hello >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/resources/simple-event-stream.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/resources/simple-event-stream.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..450c9f2d2381bf7319040387263da1e4fc518671 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/resources/simple-event-stream.headers >@@ -0,0 +1 @@ >+Content-Type: text/event-stream >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/resources/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/resources/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..60be1d0667fa01d01d6655919779cac4f19a806d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/resources/w3c-import.log 
>@@ -0,0 +1,18 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/resources/simple-event-stream >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/resources/simple-event-stream.headers >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/shared-worker-connect-src-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/shared-worker-connect-src-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..d8cec9ff13abf2ce8de95ef7cb8a69a7917c0157 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/shared-worker-connect-src-allowed.sub.html 
>@@ -0,0 +1,39 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="connect-src 'self' http://{{domains[www1]}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline';"> >+ <title>shared-worker-connect-src-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["xhr allowed","TEST COMPLETE"]'></script> >+ <script src='../support/alertAssert.sub.js?alerts=[]'></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ if(typeof SharedWorker != 'function') { >+ t_log.set_status(t_alert.NOTRUN, "No SharedWorker, cannot run test."); >+ t_log.phase = t_alert.phases.HAS_RESULT; >+ t_log.done(); >+ } else { >+ try { >+ var worker = new SharedWorker('/content-security-policy/connect-src/support/shared-worker-make-xhr-allowed.sub.js'); >+ worker.port.onmessage = function(event) { >+ log(event.data); >+ }; >+ } catch (e) { >+ log(e); >+ } >+ } >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/shared-worker-connect-src-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/shared-worker-connect-src-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..2157bbc97799d2444a3f237ea4e707909b59b868 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/shared-worker-connect-src-blocked.sub.html 
>@@ -0,0 +1,44 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="connect-src *; script-src 'self' 'unsafe-inline';"> >+ <title>shared-worker-connect-src-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["xhr blocked","TEST COMPLETE"]'></script> >+ <script src='../support/alertAssert.sub.js?alerts=[]'></script> >+</head> >+ >+<body> >+ <p>This test loads a shared worker, delivered with its own >+ policy. The worker should be blocked from making an XHR >+ as that policy specifies a connect-src 'none', though >+ this resource's policy is connect-src *. No report >+ should be sent since the worker's policy doesn't specify >+ a report-uri.</p> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("Fail"); >+ }); >+ >+ if(typeof SharedWorker != 'function') { >+ t_log.set_status(t_log.NOTRUN, "No SharedWorker, cannot run test."); >+ t_log.phase = t_log.phases.HAS_RESULT; >+ t_log.done(); >+ } else { >+ try { >+ var worker = new SharedWorker('/content-security-policy/connect-src/support/shared-worker-make-xhr-blocked.sub.js'); >+ worker.port.onmessage = function(event) { >+ log(event.data); >+ }; >+ } catch (e) { >+ log(e); >+ } >+ } >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/shared-worker-make-xhr-allowed.sub.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/shared-worker-make-xhr-allowed.sub.js >new file mode 100644 >index 0000000000000000000000000000000000000000..1e9700832d0e9b4d50e85df655bc1720e576d346 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/shared-worker-make-xhr-allowed.sub.js >@@ -0,0 +1,23 @@ >+onconnect = function (event) { >+ var port = event.ports[0]; >+ var xhr = new XMLHttpRequest; >+ xhr.onerror = function () { >+ port.postMessage("xhr blocked"); >+ port.postMessage("TEST COMPLETE"); >+ }; >+ xhr.onload = function () { >+ if (xhr.responseText == "FAIL") { >+ port.postMessage("xhr allowed"); >+ } else { >+ port.postMessage("xhr blocked"); >+ } >+ port.postMessage("TEST COMPLETE"); >+ }; >+ try { >+ xhr.open("GET", "http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true); >+ xhr.send(); >+ } catch (e) { >+ port.postMessage("xhr blocked"); >+ port.postMessage("TEST COMPLETE"); >+ } >+} >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/shared-worker-make-xhr-blocked.sub.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/shared-worker-make-xhr-blocked.sub.js >new file mode 100644 >index 0000000000000000000000000000000000000000..1e9700832d0e9b4d50e85df655bc1720e576d346 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/shared-worker-make-xhr-blocked.sub.js 
>@@ -0,0 +1,23 @@ >+onconnect = function (event) { >+ var port = event.ports[0]; >+ var xhr = new XMLHttpRequest; >+ xhr.onerror = function () { >+ port.postMessage("xhr blocked"); >+ port.postMessage("TEST COMPLETE"); >+ }; >+ xhr.onload = function () { >+ if (xhr.responseText == "FAIL") { >+ port.postMessage("xhr allowed"); >+ } else { >+ port.postMessage("xhr blocked"); >+ } >+ port.postMessage("TEST COMPLETE"); >+ }; >+ try { >+ xhr.open("GET", "http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true); >+ xhr.send(); >+ } catch (e) { >+ port.postMessage("xhr blocked"); >+ port.postMessage("TEST COMPLETE"); >+ } >+} >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/shared-worker-make-xhr-blocked.sub.js.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/shared-worker-make-xhr-blocked.sub.js.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..ac7368c32ee2b6aa2615ffc198c652137b1a1450 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/shared-worker-make-xhr-blocked.sub.js.sub.headers >@@ -0,0 +1 @@ >+Content-Security-Policy: connect-src 'none' >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..2ea8bbae1ea9695fd5a4ab6393320569e6dc33f5 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/w3c-import.log 
>@@ -0,0 +1,22 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/shared-worker-make-xhr-allowed.sub.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/shared-worker-make-xhr-blocked.sub.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/shared-worker-make-xhr-blocked.sub.js.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/worker-make-xhr-blocked.sub.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/worker-make-xhr-blocked.sub.js.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/worker-make-xhr.sub.js >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/worker-make-xhr-blocked.sub.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/worker-make-xhr-blocked.sub.js >new file mode 100644 >index 0000000000000000000000000000000000000000..22819d57a207a875a827655cc8ecd1faa22b2acf >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/worker-make-xhr-blocked.sub.js 
>@@ -0,0 +1,21 @@ >+var xhr = new XMLHttpRequest; >+xhr.onerror = function () { >+ postMessage("xhr blocked"); >+ postMessage("TEST COMPLETE"); >+}; >+xhr.onload = function () { >+ //cons/**/ole.log(xhr.responseText); >+ if (xhr.responseText == "FAIL") { >+ postMessage("xhr allowed"); >+ } else { >+ postMessage("xhr blocked"); >+ } >+ postMessage("TEST COMPLETE"); >+}; >+try { >+ xhr.open("GET", "/common/redirect.py?location=http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true); >+ xhr.send(); >+} catch (e) { >+ postMessage("xhr blocked"); >+ postMessage("TEST COMPLETE"); >+} >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/worker-make-xhr-blocked.sub.js.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/worker-make-xhr-blocked.sub.js.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..ac7368c32ee2b6aa2615ffc198c652137b1a1450 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/worker-make-xhr-blocked.sub.js.sub.headers >@@ -0,0 +1 @@ >+Content-Security-Policy: connect-src 'none' >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/worker-make-xhr.sub.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/worker-make-xhr.sub.js >new file mode 100644 >index 0000000000000000000000000000000000000000..73359a39ead5d84b6663ae5a79e735c22ed9cba8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/support/worker-make-xhr.sub.js 
>@@ -0,0 +1,21 @@ >+var xhr = new XMLHttpRequest; >+xhr.onerror = function () { >+ postMessage("xhr blocked"); >+ postMessage("TEST COMPLETE"); >+}; >+xhr.onload = function () { >+ //cons/**/ole.log(xhr.responseText); >+ if (xhr.responseText == "FAIL") { >+ postMessage("xhr allowed"); >+ } else { >+ postMessage("xhr blocked"); >+ } >+ postMessage("TEST COMPLETE"); >+}; >+try { >+ xhr.open("GET", "/common/redirect.py?location=http://{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.asis", true); >+ xhr.send(); >+} catch (e) { >+ postMessage("xhr blocked"); >+ postMessage("TEST COMPLETE"); >+} >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..d2e269a347b23adeffd20822ae69fcd3c7af9878 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/w3c-import.log 
>@@ -0,0 +1,33 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-redirect-to-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-eventsource-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-eventsource-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-eventsource-redirect-to-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-self.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-xmlhttprequest-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-xmlhttprequest-blocked.sub.html 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-xmlhttprequest-redirect-to-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/shared-worker-connect-src-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/shared-worker-connect-src-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/worker-connect-src-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/worker-connect-src-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/worker-from-guid.sub.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/worker-connect-src-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/worker-connect-src-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..96464295be1e7f5b6641a7f24589a570c230432c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/worker-connect-src-allowed.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Expecting logs: ["xhr allowed"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/worker-connect-src-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/worker-connect-src-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..5a5e29f6684aacd532135fe8ab2d7bc9c00d7664 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/worker-connect-src-allowed.sub.html 
>@@ -0,0 +1,34 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline';"> >+ <title>worker-connect-src-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["xhr allowed"]'></script> >+ <script src='../support/alertAssert.sub.js?alerts=[]'></script> >+ >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log('Fail'); >+ }); >+ >+ try { >+ var worker = new Worker('/content-security-policy/connect-src/support/worker-make-xhr.sub.js'); >+ worker.onmessage = function(event) { >+ log(event.data); >+ }; >+ } catch (e) { >+ log(e); >+ } >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/worker-connect-src-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/worker-connect-src-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..0316724d177dde19b54bd232874a43d5c3830f92 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/worker-connect-src-blocked.sub-expected.txt >@@ -0,0 +1,5 @@ >+This test loads a worker, which is delivered with its own policy. The worker should be blocked from making an XHR as that policy specifies a connect-src 'none', though this resource's policy is connect-src *. No report should be sent since the worker's policy doesn't specify a report-uri. >+ >+ >+PASS Expecting logs: ["xhr blocked","TEST COMPLETE"] >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/worker-connect-src-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/worker-connect-src-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a0ff32b2d4ced30353b19775c4dc647a574a96be >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/worker-connect-src-blocked.sub.html >@@ -0,0 +1,38 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="connect-src *; script-src 'self' 'unsafe-inline';"> >+ <title>worker-connect-src-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["xhr blocked","TEST COMPLETE"]'></script> >+ <script src='../support/alertAssert.sub.js?alerts=[]'></script> >+</head> >+<p>This test loads a worker, which is delivered with its own >+ policy. The worker should be blocked from making an XHR >+ as that policy specifies a connect-src 'none', though >+ this resource's policy is connect-src *. No report >+ should be sent since the worker's policy doesn't specify >+ a report-uri.</p> >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log('Fail'); >+ }); >+ >+ try { >+ var worker = new Worker('/content-security-policy/connect-src/support/worker-make-xhr-blocked.sub.js'); >+ worker.onmessage = function(event) { >+ log(event.data); >+ }; >+ } catch (e) { >+ log(e); >+ } >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/worker-from-guid.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/worker-from-guid.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..43f36c789e223c9b0274361965b01d80cf03fe69 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/worker-from-guid.sub-expected.txt >@@ -0,0 +1,5 @@ >+This test loads a worker, from a guid. The worker should be blocked from making an XHR to www1 as this resource's policy is connect-src 'self and a guid Worker should inherit is parent's policy. A report should be sent to the report-uri specified with this resource. >+ >+ >+FAIL Expecting logs: ["violated-directive=connect-src","xhr blocked","TEST COMPLETE"] assert_unreached: Logging timeout, expected logs violated-directive=connect-src not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/worker-from-guid.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/worker-from-guid.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..6f74e4ff3bf15dfcf8b050ef8649afc1d66f1a5f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/worker-from-guid.sub.html 
>@@ -0,0 +1,64 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline' blob:;"> >+ <title>worker-connect-src-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["violated-directive=connect-src","xhr blocked","TEST COMPLETE"]'></script> >+ <script src='../support/alertAssert.sub.js?alerts=[]'></script> >+</head> >+<p>This test loads a worker, from a guid. >+ The worker should be blocked from making an XHR >+ to www1 as this resource's policy is connect-src 'self >+ and a guid Worker should inherit is parent's policy. >+ A report should be sent to the report-uri specified >+ with this resource.</p> >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ try { >+ var blob = new Blob([ >+ "var xhr = new XMLHttpRequest;" + >+ "xhr.onerror = function () {" + >+ " postMessage('xhr blocked');" + >+ " postMessage('TEST COMPLETE');" + >+ "};" + >+ "xhr.onload = function () {" + >+ " if (xhr.responseText == 'FAIL') {" + >+ " postMessage('xhr allowed');" + >+ " } else {" + >+ " postMessage('xhr blocked');" + >+ " }" + >+ " postMessage('TEST COMPLETE');" + >+ "};" + >+ "try { " + >+ " xhr.open(" + >+ " 'GET'," + >+ " 'http:///content-security-policy/support/fail.asis'," + >+ " true" + >+ " );" + >+ " xhr.send();" + >+ "} catch (e) {" + >+ " postMessage('xhr blocked');" + >+ " postMessage('TEST COMPLETE');" + >+ "}"], >+ {type : 'application/javascript'}); >+ var url = URL.createObjectURL(blob); >+ var worker = new Worker(url); >+ worker.onmessage = function(event) { >+ log(event.data); >+ }; >+ } catch (e) { >+ log(e); >+ } >+ >+ </script> >+ <div id="log"></div> 
>+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/default-src/default-src-inline-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/default-src/default-src-inline-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..3b300ed811f87eb75d9cd805c49cfdb6879c9543 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/default-src/default-src-inline-allowed.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Expecting alerts: ["PASS 1 of 2","PASS 2 of 2"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/default-src/default-src-inline-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/default-src/default-src-inline-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..8f9bd81d39574e19ef0eebafb0e5c7a4a40c22a8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/default-src/default-src-inline-allowed.sub.html 
>@@ -0,0 +1,28 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("FAIL"); >+ }); >+ </script> >+ <meta http-equiv="Content-Security-Policy" content="default-src 'self' about: 'unsafe-inline'; connect-src 'self';"> >+ <title>default-src-inline-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="../support/logTest.sub.js?logs=[]"></script> >+ <script src='../support/alertAssert.sub.js?alerts=["PASS 1 of 2","PASS 2 of 2"]'></script> >+</head> >+ >+<body onload="alert_assert('PASS 2 of 2')"> >+ <script> >+ alert_assert('PASS 1 of 2'); >+ >+ </script> >+ <!--iframe src="javascript:alert_assert('Fail')"></iframe--> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/default-src/default-src-inline-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/default-src/default-src-inline-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..40157499f9cb50fa23ee8f8bb203d2798d3f6b5a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/default-src/default-src-inline-blocked.sub-expected.txt >@@ -0,0 +1,5 @@ >+This test passes if the inline scripts don't create failing tests and a CSP report is sent. >+ >+ >+FAIL Expecting logs: ["violated-directive=script-src-elem","violated-directive=script-src-elem"] assert_unreached: Logging timeout, expected logs violated-directive=script-src-elem,violated-directive=script-src-elem not sent. Reached unreachable code >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/default-src/default-src-inline-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/default-src/default-src-inline-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..0cb4ca55387990c0631f29c3b56712e8c540b3b1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/default-src/default-src-inline-blocked.sub.html >@@ -0,0 +1,31 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ </script> >+ <meta http-equiv="Content-Security-Policy" content="default-src 'self'; connect-src 'self';"> >+ <title>default-src-inline-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem","violated-directive=script-src-elem"]'></script> >+ <script src='../support/alertAssert.sub.js?alerts=[]'></script> >+</head> >+ >+<body> >+ <p>This test passes if the inline scripts don't create failing tests and a CSP report is sent.</p> >+ <script> >+ test(function() { >+ assert_unreached('FAIL inline script ran') >+ }); >+ >+ </script> >+ <script src="../support/document-write-alert-fail.js"></script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/default-src/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/default-src/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..8cc9982ac91f2404a677f48288e4097a7344c685 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/default-src/w3c-import.log >@@ -0,0 +1,18 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/default-src/default-src-inline-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/default-src/default-src-inline-blocked.sub.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/allow_csp_from-header.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/allow_csp_from-header.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a806caf456ff894ec14000ab7e0ae9c2a15e3382 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/allow_csp_from-header.html 
>@@ -0,0 +1,88 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<title>Embedded Enforcement: Allow-CSP-From header.</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/testharness-helper.sub.js"></script> >+</head> >+<body> >+ <script> >+ var tests = [ >+ { "name": "Same origin iframes are always allowed.", >+ "origin": Host.SAME_ORIGIN, >+ "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'", >+ "allow_csp_from": "¢¥§", >+ "expected": IframeLoad.EXPECT_LOAD, >+ "blockedURI": null}, >+ { "name": "Same origin iframes are allowed even if the Allow-CSP-From is empty.", >+ "origin": Host.SAME_ORIGIN, >+ "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'", >+ "allow_csp_from": "", >+ "expected": IframeLoad.EXPECT_LOAD, >+ "blockedURI": null}, >+ { "name": "Same origin iframes are allowed even if the Allow-CSP-From is not present.", >+ "origin": Host.SAME_ORIGIN, >+ "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'", >+ "allow_csp_from": null, >+ "expected": IframeLoad.EXPECT_LOAD, >+ "blockedURI": null}, >+ { "name": "Same origin iframes are allowed even if Allow-CSP-From does not match origin.", >+ "origin": Host.SAME_ORIGIN, >+ "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'", >+ "allow_csp_from": "http://example.com:888", >+ "expected": IframeLoad.EXPECT_LOAD, >+ "blockedURI": null}, >+ { "name": "Cross origin iframe with an empty Allow-CSP-From header gets blocked.", >+ "origin": Host.CROSS_ORIGIN, >+ "csp": "script-src 'unsafe-inline'", >+ "allow_csp_from": "", >+ "expected": IframeLoad.EXPECT_BLOCK, >+ "blockedURI": null}, >+ { "name": "Cross origin iframe without Allow-CSP-From header gets blocked.", >+ "origin": Host.CROSS_ORIGIN, >+ "csp": "script-src 'unsafe-inline'", >+ "allow_csp_from": null, >+ "expected": IframeLoad.EXPECT_BLOCK, >+ "blockedURI": null}, >+ { "name": "iframe from cross origin does not load without Allow-CSP-From 
header.", >+ "origin": Host.CROSS_ORIGIN, >+ "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'", >+ "allow_csp_from": getOrigin(), >+ "expected": IframeLoad.EXPECT_LOAD, >+ "blockedURI": null}, >+ { "name": "Iframe with improper Allow-CSP-From header gets blocked.", >+ "origin": Host.CROSS_ORIGIN, >+ "csp": "script-src 'unsafe-inline'", >+ "allow_csp_from": "* ¢¥§", >+ "expected": IframeLoad.EXPECT_BLOCK, >+ "blockedURI": null}, >+ { "name": "Allow-CSP-From header with a star value can be returned.", >+ "origin": Host.CROSS_ORIGIN, >+ "csp": "script-src 'unsafe-inline'", >+ "allow_csp_from": "*", >+ "expected": IframeLoad.EXPECT_LOAD, >+ "blockedURI": null}, >+ { "name": "Star Allow-CSP-From header enforces EmbeddingCSP.", >+ "origin": Host.CROSS_ORIGIN, >+ "csp": "script-src 'nonce-123'", >+ "allow_csp_from": "*", >+ "expected": IframeLoad.EXPECT_LOAD, >+ "blockedURI": "inline"}, >+ { "name": "Allow-CSP-From header enforces EmbeddingCSP.", >+ "origin": Host.CROSS_ORIGIN, >+ "csp": "style-src 'none'; script-src 'nonce-123'", >+ "allow_csp_from": getOrigin(), >+ "expected": IframeLoad.EXPECT_LOAD, >+ "blockedURI": "inline"}, >+ ]; >+ >+ tests.forEach(test => { >+ async_test(t => { >+ var url = generateUrlWithAllowCSPFrom(test.origin, test.allow_csp_from); >+ assert_iframe_with_csp(t, url, test.csp, test.expected, test.name, test.blockedURI); >+ }, test.name); >+ }); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/idlharness.window.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/idlharness.window.html >new file mode 100644 >index 0000000000000000000000000000000000000000..2382913528e693b3a5d56c660a45060980b548c3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/idlharness.window.html 
>@@ -0,0 +1 @@ >+<!-- This file is required for WebKit test infrastructure to run the templated test --> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/idlharness.window.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/idlharness.window.js >new file mode 100644 >index 0000000000000000000000000000000000000000..2845f82c955139e5a5640195af49ece555fe3faa >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/idlharness.window.js >@@ -0,0 +1,16 @@ >+// META: script=/resources/WebIDLParser.js >+// META: script=/resources/idlharness.js >+ >+// https://w3c.github.io/webappsec-csp/embedded/ >+ >+'use strict'; >+ >+idl_test( >+ ['csp-embedded-enforcement'], >+ ['html', 'dom'], >+ idl_array => { >+ idl_array.add_objects({ >+ HTMLIFrameElement: ['document.createElement("iframe")'], >+ }); >+ } >+); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/iframe-csp-attribute.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/iframe-csp-attribute.html >new file mode 100644 >index 0000000000000000000000000000000000000000..f23be1d0e9238209db6507e76dc50e45dd93ad9e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/iframe-csp-attribute.html 
>@@ -0,0 +1,35 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+<body> >+ <script> >+ test(t => { >+ var i = document.createElement('iframe'); >+ assert_equals('', i.csp); >+ assert_true('csp' in i); >+ assert_equals('string', typeof i.csp); >+ }, "<iframe> has a 'csp' attibute which is an empty string if undefined."); >+ >+ test(t => { >+ var i = document.createElement('iframe'); >+ i.setAttribute('csp', 123456); >+ assert_equals('123456', i.csp); >+ }, "<iframe>'s csp attribute is always a string."); >+ >+ test(t => { >+ var i = document.createElement('iframe'); >+ i.csp = 'value'; >+ assert_equals('value', i.getAttribute('csp')); >+ }, "<iframe>'s 'csp content attribute reflects the IDL attribute."); >+ >+ test(t => { >+ var i = document.createElement('iframe'); >+ i.setAttribute('csp', 'value'); >+ assert_equals('value', i.csp); >+ }, "<iframe>'s IDL attribute reflects the DOM attribute."); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/required-csp-header-cascade.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/required-csp-header-cascade.html >new file mode 100644 >index 0000000000000000000000000000000000000000..f130b1714e73cc4bfb5174732529c3ee49e4797e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/required-csp-header-cascade.html 
>@@ -0,0 +1,67 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<title>Embedded Enforcement: Sec-Required-CSP header.</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/testharness-helper.sub.js"></script> >+</head> >+<body> >+ <script> >+ var tests = [ >+ { "name": "Test same policy for both iframes", >+ "csp1": "script-src 'unsafe-inline';", >+ "csp2": "script-src 'unsafe-inline';", >+ "expected1": "script-src 'unsafe-inline';", >+ "expected2": "script-src 'unsafe-inline';"}, >+ { "name": "Test more restrictive policy on second iframe", >+ "csp1": "script-src 'unsafe-inline';", >+ "csp2": "script-src 'unsafe-inline'; style-src 'self';", >+ "expected1": "script-src 'unsafe-inline';", >+ "expected2": "script-src 'unsafe-inline'; style-src 'self';"}, >+ { "name": "Test less restrictive policy on second iframe", >+ "csp1": "script-src 'unsafe-inline'; style-src 'self';", >+ "csp2": "script-src 'unsafe-inline';", >+ "expected1": "script-src 'unsafe-inline'; style-src 'self';", >+ "expected2": "script-src 'unsafe-inline'; style-src 'self';"}, >+ { "name": "Test no policy on second iframe", >+ "csp1": "script-src 'unsafe-inline'; style-src 'self';", >+ "csp2": "", >+ "expected1": "script-src 'unsafe-inline'; style-src 'self';", >+ "expected2": "script-src 'unsafe-inline'; style-src 'self';"}, >+ { "name": "Test no policy on first iframe", >+ "csp1": "", >+ "csp2": "script-src 'unsafe-inline'; style-src 'self';", >+ "expected1": null, >+ "expected2": "script-src 'unsafe-inline'; style-src 'self';"}, >+ { "name": "Test invalid policy on first iframe (bad directive)", >+ "csp1": "default-src http://example.com; invalid-policy-name http://example.com", >+ "csp2": "script-src 'unsafe-inline'; style-src 'self';", >+ "expected1": null, >+ "expected2": "script-src 'unsafe-inline'; style-src 'self';"}, >+ { "name": "Test invalid policy on first iframe (report directive)", >+ "csp1": "script-src 
'unsafe-inline'; report-uri resources/dummy-report.php", >+ "csp2": "script-src 'unsafe-inline'; style-src 'self';", >+ "expected1": null, >+ "expected2": "script-src 'unsafe-inline'; style-src 'self';"}, >+ { "name": "Test invalid policy on second iframe (bad directive)", >+ "csp1": "script-src 'unsafe-inline'; style-src 'self';", >+ "csp2": "default-src http://example.com; invalid-policy-name http://example.com", >+ "expected1": "script-src 'unsafe-inline'; style-src 'self';", >+ "expected2": "script-src 'unsafe-inline'; style-src 'self';"}, >+ { "name": "Test invalid policy on second iframe (report directive)", >+ "csp1": "script-src 'unsafe-inline'; style-src 'self';", >+ "csp2": "script-src 'unsafe-inline'; report-uri resources/dummy-report.php", >+ "expected1": "script-src 'unsafe-inline'; style-src 'self';", >+ "expected2": "script-src 'unsafe-inline'; style-src 'self';"}, >+ ]; >+ >+ tests.forEach(test => { >+ async_test(t => { >+ var url = generateURLStringWithSecondIframeParams(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP, test.csp2); >+ assert_required_csp(t, url, test.csp1, [test.expected1, test.expected2]); >+ }, "Test same origin: " + test.name); >+ }); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/required_csp-header-crlf.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/required_csp-header-crlf.html >new file mode 100644 >index 0000000000000000000000000000000000000000..87bda1bf502d25f20f8245bd4c89fa1bdedf8803 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/required_csp-header-crlf.html 
>@@ -0,0 +1,144 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<title>Embedded Enforcement: Sec-Required-CSP header.</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/testharness-helper.sub.js"></script> >+</head> >+<body> >+ <script> >+ var tests = [ >+ // CRLF characters >+ { "name": "\\r\\n character after directive name", >+ "csp": "script-src\r\n'unsafe-inline'", >+ "expected": null }, >+ { "name": "\\r\\n character in directive value", >+ "csp": "script-src 'unsafe-inline'\r\n'unsafe-eval'", >+ "expected": null }, >+ { "name": "\\n character after directive name", >+ "csp": "script-src\n'unsafe-inline'", >+ "expected": null }, >+ { "name": "\\n character in directive value", >+ "csp": "script-src 'unsafe-inline'\n'unsafe-eval'", >+ "expected": null }, >+ { "name": "\\r character after directive name", >+ "csp": "script-src\r'unsafe-inline'", >+ "expected": null }, >+ { "name": "\\r character in directive value", >+ "csp": "script-src 'unsafe-inline'\r'unsafe-eval'", >+ "expected": null }, >+ >+ // HTML encoded CRLF characters >+ { "name": "%0D%0A character after directive name", >+ "csp": "script-src%0D%0A'unsafe-inline'", >+ "expected": null }, >+ { "name": "%0D%0A character in directive value", >+ "csp": "script-src 'unsafe-inline'%0D%0A'unsafe-eval'", >+ "expected": null }, >+ { "name": "%0A character after directive name", >+ "csp": "script-src%0A'unsafe-inline'", >+ "expected": null }, >+ { "name": "%0A character in directive value", >+ "csp": "script-src 'unsafe-inline'%0A'unsafe-eval'", >+ "expected": null }, >+ { "name": "%0D character after directive name", >+ "csp": "script-src%0D'unsafe-inline'", >+ "expected": null }, >+ { "name": "%0D character in directive value", >+ "csp": "script-src 'unsafe-inline'%0D'unsafe-eval'", >+ "expected": null }, >+ >+ // Attempt HTTP Header injection >+ { "name": "Attempt injecting after directive name using \\r\\n", >+ "csp": 
"script-src\r\nTest-Header-Injection: dummy", >+ "expected": null }, >+ { "name": "Attempt injecting after directive name using \\r", >+ "csp": "script-src\rTest-Header-Injection: dummy", >+ "expected": null }, >+ { "name": "Attempt injecting after directive name using \\n", >+ "csp": "script-src\nTest-Header-Injection: dummy", >+ "expected": null }, >+ >+ { "name": "Attempt injecting after directive value using \\r\\n", >+ "csp": "script-src example.com\r\nTest-Header-Injection: dummy", >+ "expected": null }, >+ { "name": "Attempt injecting after directive value using \\r", >+ "csp": "script-src example.com\rTest-Header-Injection: dummy", >+ "expected": null }, >+ { "name": "Attempt injecting after directive value using \\n", >+ "csp": "script-src example.com\nTest-Header-Injection: dummy", >+ "expected": null }, >+ >+ { "name": "Attempt injecting after semicolon using \\r\\n", >+ "csp": "script-src example.com;\r\nTest-Header-Injection: dummy", >+ "expected": null }, >+ { "name": "Attempt injecting after semicolon using \\r", >+ "csp": "script-src example.com;\rTest-Header-Injection: dummy", >+ "expected": null }, >+ { "name": "Attempt injecting after semicolon using \\n", >+ "csp": "script-src example.com;\nTest-Header-Injection: dummy", >+ "expected": null }, >+ >+ { "name": "Attempt injecting after space between name and value using \\r\\n", >+ "csp": "script-src \r\nTest-Header-Injection: dummy", >+ "expected": null }, >+ { "name": "Attempt injecting after space between name and value using \\r", >+ "csp": "script-src \rTest-Header-Injection: dummy", >+ "expected": null }, >+ { "name": "Attempt injecting after space between name and value using \\n", >+ "csp": "script-src \nTest-Header-Injection: dummy", >+ "expected": null }, >+ >+ // Attempt HTTP Header injection using URL encoded characters >+ { "name": "Attempt injecting after directive name using %0D%0A", >+ "csp": "script-src%0D%0ATest-Header-Injection: dummy", >+ "expected": null }, >+ { "name": 
"Attempt injecting after directive name using %0D", >+ "csp": "script-src%0DTest-Header-Injection: dummy", >+ "expected": null }, >+ { "name": "Attempt injecting after directive name using %0A", >+ "csp": "script-src%0ATest-Header-Injection: dummy", >+ "expected": null }, >+ >+ { "name": "Attempt injecting after directive value using %0D%0A", >+ "csp": "script-src example.com%0D%0ATest-Header-Injection: dummy", >+ "expected": null }, >+ { "name": "Attempt injecting after directive value using %0D", >+ "csp": "script-src example.com%0DTest-Header-Injection: dummy", >+ "expected": null }, >+ { "name": "Attempt injecting after directive value using %0A", >+ "csp": "script-src example.com%0ATest-Header-Injection: dummy", >+ "expected": null }, >+ >+ { "name": "Attempt injecting after semicolon using %0D%0A", >+ "csp": "script-src example.com;%0D%0ATest-Header-Injection: dummy", >+ "expected": null }, >+ { "name": "Attempt injecting after semicolon using %0D", >+ "csp": "script-src example.com;%0DTest-Header-Injection: dummy", >+ "expected": null }, >+ { "name": "Attempt injecting after semicolon using %0A", >+ "csp": "script-src example.com;%0ATest-Header-Injection: dummy", >+ "expected": null }, >+ >+ { "name": "Attempt injecting after space between name and value using %0D%0A", >+ "csp": "script-src %0D%0ATest-Header-Injection: dummy", >+ "expected": null }, >+ { "name": "Attempt injecting after space between name and value using %0D", >+ "csp": "script-src %0DTest-Header-Injection: dummy", >+ "expected": null }, >+ { "name": "Attempt injecting after space between name and value using %0A", >+ "csp": "script-src %0ATest-Header-Injection: dummy", >+ "expected": null }, >+ >+ ]; >+ >+ tests.forEach(test => { >+ async_test(t => { >+ var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP); >+ assert_required_csp(t, url, test.csp, [test.expected]); >+ }, "Test CRLF: " + test.name); >+ }); >+ </script> >+</body> >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/required_csp-header.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/required_csp-header.html >new file mode 100644 >index 0000000000000000000000000000000000000000..510c25b0b0045546b6e0c0b2981d8b78555c8ef5 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/required_csp-header.html 
>@@ -0,0 +1,110 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<title>Embedded Enforcement: Sec-Required-CSP header.</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/testharness-helper.sub.js"></script> >+</head> >+<body> >+ <script> >+ var tests = [ >+ { "name": "Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>.", >+ "csp": null, >+ "expected": null }, >+ { "name": "Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.", >+ "csp": "script-src 'unsafe-inline'", >+ "expected": "script-src 'unsafe-inline'" }, >+ { "name": "Send Sec-Required-CSP Header on change of `src` attribute on iframe.", >+ "csp": "script-src 'unsafe-inline'", >+ "expected": "script-src 'unsafe-inline'" }, >+ { "name": "Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - gibberish csp", >+ "csp": "completely wrong csp", >+ "expected": null }, >+ { "name": "Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name", >+ "csp": "invalid-policy-name http://example.com", >+ "expected": null }, >+ { "name": "Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives", >+ "csp": "default-src http://example.com; invalid-policy-name http://example.com", >+ "expected": null }, >+ { "name": "Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - misspeled 'none'", >+ "csp": "default-src 'non'", >+ "expected": null }, >+ { "name": "Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - query values in path", >+ "csp": "script-src 127.0.0.1:8000/path?query=string", >+ "expected": null }, >+ { "name": "Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - missing semicolon", >+ "csp": "script-src 'self' object-src 'self' style-src *", >+ "expected": null }, >+ { "name": "Wrong value of `csp` should not trigger 
sending Sec-Required-CSP Header - comma separated", >+ "csp": "script-src 'none', object-src 'none'", >+ "expected": null }, >+ { "name": "Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - html encoded string", >+ // script-src 127.0.0.1:8000 >+ "csp": "script-src 127.0.0.1:8000", >+ "expected": null }, >+ { "name": "Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - url encoded string", >+ // script-src 127.0.0.1:8000 >+ "csp": "script-src%20127.0.0.1%3A8000", >+ "expected": null }, >+ { "name": "Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri present", >+ "csp": "script-src 'unsafe-inline'; report-uri resources/dummy-report.php", >+ "expected": null }, >+ { "name": "Wrong value of `csp` should not trigger sending Sec-Required-CSP Header - report-to present", >+ "csp": "script-src 'unsafe-inline'; report-to resources/dummy-report.php", >+ "expected": null }, >+ ]; >+ >+ tests.forEach(test => { >+ async_test(t => { >+ var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP); >+ assert_required_csp(t, url, test.csp, [test.expected]); >+ }, "Test same origin: " + test.name); >+ >+ async_test(t => { >+ var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP); >+ var redirect_url = generateRedirect(Host.SAME_ORIGIN, url); >+ assert_required_csp(t, redirect_url, test.csp, [test.expected]); >+ }, "Test same origin redirect: " + test.name); >+ >+ async_test(t => { >+ var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP); >+ var redirect_url = generateRedirect(Host.CROSS_ORIGIN, url); >+ assert_required_csp(t, redirect_url, test.csp, [test.expected]); >+ }, "Test cross origin redirect: " + test.name); >+ >+ async_test(t => { >+ var url = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.REQUIRED_CSP); >+ var redirect_url = generateRedirect(Host.CROSS_ORIGIN, url); >+ assert_required_csp(t, redirect_url, test.csp, [test.expected]); >+ }, 
"Test cross origin redirect of cross origin iframe: " + test.name); >+ >+ async_test(t => { >+ var i = document.createElement('iframe'); >+ if (test.csp) >+ i.csp = test.csp; >+ i.src = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP); >+ var loaded = false; >+ >+ window.addEventListener('message', t.step_func(e => { >+ if (e.source != i.contentWindow || !('required_csp' in e.data)) >+ return; >+ if (!loaded) { >+ assert_equals(e.data['required_csp'], test.expected); >+ loaded = true; >+ i.csp = "default-src 'unsafe-inline'"; >+ i.src = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.REQUIRED_CSP); >+ } else { >+ // Once iframe has loaded, check that on change of `src` attribute >+ // Required-CSP value is based on latest `csp` attribute value. >+ assert_equals(e.data['required_csp'], "default-src 'unsafe-inline'"); >+ t.done(); >+ } >+ })); >+ >+ document.body.appendChild(i); >+ }, "Test Required-CSP value on `csp` change: " + test.name); >+ }); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html >new file mode 100644 >index 0000000000000000000000000000000000000000..f8e6b0bd0f83f98a403676f4b2e1b04730941da2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html 
>@@ -0,0 +1,54 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<title>Embedded Enforcement: Subsumption Algorithm - Basic implementation.</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/testharness-helper.sub.js"></script> >+</head> >+<body> >+ <script> >+ var tests = [ >+ { "name": "If there is no required csp, iframe should load.", >+ "required_csp": null, >+ "returned_csp": null, >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Iframe with empty returned CSP should be blocked.", >+ "required_csp": "style-src 'none';", >+ "returned_csp": null, >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Iframe with matching CSP should load.", >+ "required_csp": "style-src 'none'; script-src 'unsafe-inline'", >+ "returned_csp": "style-src 'none'; script-src 'unsafe-inline'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Iframe with more restricting CSP should load.", >+ "required_csp": "script-src 'nonce-abc' 'nonce-123'", >+ "returned_csp": "script-src 'nonce-abc'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Iframe with less restricting CSP should be blocked.", >+ "required_csp": "style-src 'none'; script-src 'none'", >+ "returned_csp": "style-src 'none'; script-src 'self'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Iframe with a different CSP should be blocked.", >+ "required_csp": "script-src 'nonce-abc' 'nonce-123'", >+ "returned_csp": "style-src 'none'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Iframe with a matching and more restrictive ports should load.", >+ "required_csp": "frame-src http://c.com:443 http://b.com", >+ "returned_csp": "frame-src http://b.com:80 http://c.com:443", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Iframe should load even if the ports are different but are default for the protocols.", >+ "required_csp": "frame-src http://b.com:80", >+ "returned_csp": "child-src https://b.com:443", >+ 
"expected": IframeLoad.EXPECT_LOAD }, >+ ]; >+ >+ tests.forEach(test => { >+ async_test(t => { >+ var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp); >+ assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null); >+ }, test.name); >+ }); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c4990b518c8d52b3bcaaf55e145f07f28756ed9c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html 
>@@ -0,0 +1,80 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<title>Embedded Enforcement: Subsumption Algorithm - Hashes.</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/testharness-helper.sub.js"></script> >+</head> >+<body> >+ <script> >+ var tests = [ >+ { "name": "'sha256-abc123' is properly subsumed.", >+ "required_csp": "style-src 'sha256-abc123'", >+ "returned_csp_1": "style-src 'sha256-abc123'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Returned should not include hashes not present in required csp.", >+ "required_csp": "style-src http://example.com", >+ "returned_csp_1": "style-src 'sha256-abc123'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "'sha256-abc123' is properly subsumed with other sources.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-hashed-attributes' 'strict-dynamic' 'sha256-abc123'", >+ "returned_csp_1": "style-src http://example1.com/foo/bar.html 'sha256-abc123'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Hashes do not have to be present in returned csp.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'sha256-abc123'", >+ "returned_csp_1": "style-src http://example1.com/foo/", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Hashes do not have to be present in returned csp but must not allow all inline behavior.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'sha256-abc123'", >+ "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Other expressions have to be subsumed.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'sha256-abc123'", >+ "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-eval' 'sha256-abc123'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Other expressions have to be subsumed but 'unsafe-inline' gets ignored.", >+ 
"required_csp": "style-src http://example1.com/foo/ 'self' 'sha256-abc123'", >+ "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline' 'sha256-abc123'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Effective policy is properly found.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'sha256-abc123'", >+ "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-hashed-attributes' 'sha256-abc123'", >+ "returned_csp_2": "style-src http://example1.com/foo/ 'self' 'sha256-abc123'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Required csp must allow 'sha256-abc123'.", >+ "required_csp": "style-src http://example1.com/foo/ 'self'", >+ "returned_csp_1": "style-src http://example1.com/foo/ 'self' 'sha256-abc123'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Effective policy is properly found where 'sha256-abc123' is not subsumed.", >+ "required_csp": "style-src http://example1.com/foo/ 'self'", >+ "returned_csp_1": "style-src 'unsafe-hashed-attributes' 'sha256-abc123'", >+ "returned_csp_2": "style-src 'sha256-abc123' 'unsafe-inline'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "'sha256-abc123' is not subsumed by 'sha256-abc456'.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'sha256-abc456'", >+ "returned_csp_1": "style-src 'unsafe-hashed-attributes' 'sha256-abc123'", >+ "returned_csp_2": "style-src 'sha256-abc123' 'unsafe-inline'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Effective policy now does not allow 'sha256-abc123'.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'sha256-abc456'", >+ "returned_csp_1": "style-src 'unsafe-hashed-attributes' 'sha256-abc123' 'sha256-abc456'", >+ "returned_csp_2": "style-src 'sha256-abc456' 'unsafe-inline'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Effective policy is properly found where 'sha256-abc123' is not part of it.", >+ "required_csp": "style-src http://example1.com/foo/ 'self'", >+ 
"returned_csp_1": "style-src 'unsafe-hashed-attributes' 'self'", >+ "returned_csp_2": "style-src 'sha256-abc123' 'self'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ ]; >+ tests.forEach(test => { >+ async_test(t => { >+ var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1); >+ if (test.returned_csp_2) >+ url.searchParams.append("policy2", test.returned_csp_2); >+ assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null); >+ }, test.name); >+ }); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html >new file mode 100644 >index 0000000000000000000000000000000000000000..096c565062f661a766af8cf4f008900b932338a6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html 
>@@ -0,0 +1,42 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<title>Embedded Enforcement: Subsumption Algorithm - Host parts in host source expressions.</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/testharness-helper.sub.js"></script> >+</head> >+<body> >+ <script> >+ var tests = [ >+ { "name": "Host must match.", >+ "required_csp": "img-src http://c.com", >+ "returned_csp": "img-src http://b.com", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Hosts without wildcards must match.", >+ "required_csp": "img-src http://c.com:* http://inner.b.com", >+ "returned_csp": "img-src http://b.com", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "More specific subdomain should not match.", >+ "required_csp": "img-src http://c.com:* http://b.com", >+ "returned_csp": "img-src http://inner.b.com", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Specified host should not match a wildcard host.", >+ "required_csp": "img-src http://c.com:* http://inner.b.com", >+ "returned_csp": "img-src http://*.b.com", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "A wildcard host should match a more specific host.", >+ "required_csp": "img-src http://c.com:* http://*.b.com", >+ "returned_csp": "img-src https://inner.b.com", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ ]; >+ >+ tests.forEach(test => { >+ async_test(t => { >+ var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp); >+ assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null); >+ }, test.name); >+ }); >+ </script> >+</body> >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html >new file mode 100644 >index 0000000000000000000000000000000000000000..6a3320875f71fe21dba6628a4a76066c24911dbc >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html 
>@@ -0,0 +1,58 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<title>Embedded Enforcement: Subsumption Algorithm - Path parts in host source expressions.</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/testharness-helper.sub.js"></script> >+</head> >+<body> >+ <script> >+ var tests = [ >+ { "name": "Returned CSP must specify a path.", >+ "required_csp": "img-src http://c.com:* http://b.com/example.html", >+ "returned_csp": "img-src http://b.com", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Returned CSP has a more specific path.", >+ "required_csp": "img-src http://c.com:* http://b.com", >+ "returned_csp": "img-src http://b.com/example.html", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Matching paths.", >+ "required_csp": "img-src http://c.com:* http://b.com/example.html", >+ "returned_csp": "img-src http://b.com/example.html", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Empty path is not subsumed by specified paths.", >+ "required_csp": "img-src http://b.com/page1.html http://b.com/page2.html http://b.com/page3.html", >+ "returned_csp": "img-src http://b.com/", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "All specific paths match except the order.", >+ "required_csp": "img-src http://b.com/page1.html http://b.com/page2.html http://b.com/page3.html", >+ "returned_csp": "img-src http://b.com/page2.html http://b.com/page3.html http://b.com/page1.html", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Returned CSP allows only one path.", >+ "required_csp": "img-src http://b.com/page1.html http://b.com/page2.html http://b.com/page3.html", >+ "returned_csp": "img-src http://b.com/page2.html", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "`/` path should be subsumed by an empty path.", >+ "required_csp": "img-src http://b.com", >+ "returned_csp": "img-src http://b.com/", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": 
"Unspecified path should be subsumed by `/`.", >+ "required_csp": "img-src http://b.com/", >+ "returned_csp": "img-src http://b.com", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "That should not be true when required csp specifies a specific page.", >+ "required_csp": "img-src http://b.com/path.html", >+ "returned_csp": "img-src http://b.com", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ ]; >+ >+ tests.forEach(test => { >+ async_test(t => { >+ var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp); >+ assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null); >+ }, test.name); >+ }); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html >new file mode 100644 >index 0000000000000000000000000000000000000000..1b72b30387a431e726a230f0c62af0da993e4aec >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html 
>@@ -0,0 +1,82 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<title>Embedded Enforcement: Subsumption Algorithm - Port parts in host source expressions.</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/testharness-helper.sub.js"></script> >+</head> >+<body> >+ <script> >+ var tests = [ >+ { "name": "Specified ports must match.", >+ "required_csp": "img-src http://c.com:* http://b.com:80", >+ "returned_csp": "img-src http://b.com:36", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Returned CSP should be subsumed even if the port is not specified but is a default port for a scheme.", >+ "required_csp": "img-src http://c.com:* http://b.com:80", >+ "returned_csp": "img-src http://b.com", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Returned CSP should be subsumed even if the port is not specified but is a default port for a more secure scheme.", >+ "required_csp": "img-src http://c.com:* http://b.com:80", >+ "returned_csp": "img-src https://b.com", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "The same should hold for `ws` case.", >+ "required_csp": "img-src http://c.com:* ws://b.com:80", >+ "returned_csp": "img-src wss://b.com", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Unspecified ports must match if schemes match.", >+ "required_csp": "img-src http://c.com:* http://b.com", >+ "returned_csp": "img-src https://b.com", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Returned CSP should be subsumed if the port is specified.", >+ "required_csp": "img-src http://c.com:* http://b.com", >+ "returned_csp": "img-src http://b.com:80", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Returned CSP should be subsumed if the port is specified but the scheme is more secure.", >+ "required_csp": "img-src http://c.com:* http://b.com", >+ "returned_csp": "img-src https://b.com:443", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": 
"Returned CSP should be subsumed if the port is specified but is not default for a more secure scheme.", >+ "required_csp": "img-src http://c.com:* http://b.com", >+ "returned_csp": "img-src https://b.com:36", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Returned CSP should be subsumed if the ports match but schemes are not identical.", >+ "required_csp": "img-src http://c.com:* http://b.com:36", >+ "returned_csp": "img-src https://b.com:36", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Returned CSP should be subsumed if the ports match but schemes are not identical for `ws`.", >+ "required_csp": "img-src http://c.com:* ws://b.com:36", >+ "returned_csp": "img-src wss://b.com:36", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Wildcard port should match unspecified port.", >+ "required_csp": "img-src http://c.com:* ws://b.com:*", >+ "returned_csp": "img-src wss://b.com", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Wildcard port should match any specific port.", >+ "required_csp": "img-src http://c.com:* ws://b.com:*", >+ "returned_csp": "img-src wss://b.com:36", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Wildcard port should match a wildcard.", >+ "required_csp": "img-src http://c.com:* ws://b.com:*", >+ "returned_csp": "img-src wss://b.com:*", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Wildcard port should not be subsumed by a default port.", >+ "required_csp": "img-src http://c.com:* ws://b.com", >+ "returned_csp": "img-src ws://b.com:*", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Wildcard port should not be subsumed by a spcified port.", >+ "required_csp": "img-src http://c.com:* ws://b.com:80", >+ "returned_csp": "img-src ws://b.com:*", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ ]; >+ >+ tests.forEach(test => { >+ async_test(t => { >+ var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp); >+ assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, 
null); >+ }, test.name); >+ }); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html >new file mode 100644 >index 0000000000000000000000000000000000000000..cb4f686043b488df3be86816f929336afa7fc059 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html 
>@@ -0,0 +1,66 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<title>Embedded Enforcement: Subsumption Algorithm - Scheme parts in host source expressions.</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/testharness-helper.sub.js"></script> >+</head> >+<body> >+ <script> >+ var tests = [ >+ { "name": "`https` is more restrictive than `http`.", >+ "required_csp": "img-src http://c.com:* https://b.com", >+ "returned_csp": "img-src http://b.com", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "The reverse allows iframe be to be loaded.", >+ "required_csp": "img-src http://c.com:* http://b.com", >+ "returned_csp": "img-src https://b.com", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Matching `https` protocols.", >+ "required_csp": "img-src http://c.com:* https://b.com", >+ "returned_csp": "img-src https://b.com", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "`http:` should subsume all host source expressions with this protocol.", >+ "required_csp": "img-src http:", >+ "returned_csp": "img-src http://c.com:* https://b.com http://c.com", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "`http:` should subsume all host source expressions with `https:`.", >+ "required_csp": "img-src http:", >+ "returned_csp": "img-src https://c.com:* https://b.com http://c.com", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "`http:` does not subsume other protocols.", >+ "required_csp": "img-src http:", >+ "returned_csp": "img-src https://c.com:* wss://b.com http://c.com", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "If scheme source is present in returned csp, it must be specified in required csp too.", >+ "required_csp": "img-src https://c.com:* wss://b.com http://c.com", >+ "returned_csp": "img-src http:", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "`http:` subsumes other `http:` source expression.", >+ "required_csp": "img-src http:", 
>+ "returned_csp": "img-src http: https://c.com:* https://b.com http://c.com", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "`http:` subsumes other `https:` source expression and expressions with `http:`.", >+ "required_csp": "img-src http:", >+ "returned_csp": "img-src https: https://c.com:* http://b.com", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "All scheme sources must be subsumed.", >+ "required_csp": "img-src http: wss:", >+ "returned_csp": "img-src https: ws:", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "All scheme sources are subsumed by their stronger variants.", >+ "required_csp": "img-src http: wss:", >+ "returned_csp": "img-src https: wss:", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ ]; >+ >+ tests.forEach(test => { >+ async_test(t => { >+ var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp); >+ assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null); >+ }, test.name); >+ }); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html >new file mode 100644 >index 0000000000000000000000000000000000000000..4bd182e368c0d6e6821b7690683bef254ac5a224 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html 
>@@ -0,0 +1,59 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<title>Embedded Enforcement: Subsumption Algorithm - Nonces.</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/testharness-helper.sub.js"></script> >+</head> >+<body> >+ <script> >+ var tests = [ >+ { "name": "Exact nonce subsumes.", >+ "required_csp": "script-src 'nonce-abc'", >+ "returned_csp_1": "script-src 'nonce-abc'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Any nonce subsumes.", >+ "required_csp": "style-src 'nonce-abc'", >+ "returned_csp_1": "style-src 'nonce-xyz'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "A nonce has to be returned if required by the embedder.", >+ "required_csp": "script-src 'nonce-abc'", >+ "returned_csp_1": "script-src http://example1.com/foo", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Multiples nonces returned subsume.", >+ "required_csp": "style-src 'nonce-abc'", >+ "returned_csp_1": "style-src 'nonce-xyz' 'nonce-abc'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ // nonce intersection >+ { "name": "Nonce intersection is still done on exact match - non-matching nonces.", >+ "required_csp": "script-src 'nonce-abc'", >+ "returned_csp_1": "script-src 'nonce-def'", >+ "returned_csp_2": "script-src 'nonce-xyz'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Nonce intersection is still done on exact match - matching nonces.", >+ "required_csp": "style-src 'nonce-abc'", >+ "returned_csp_1": "style-src 'nonce-def'", >+ "returned_csp_2": "style-src 'nonce-def' 'nonce-xyz'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ // other expressions still have to work >+ { "name": "Other expressions still have to be subsumed - positive test.", >+ "required_csp": "style-src http://example1.com/foo/ 'nonce-abc'", >+ "returned_csp_1": "style-src http://example1.com/foo/ 'nonce-xyz'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Other expressions still 
have to be subsumed - negative test", >+ "required_csp": "script-src http://example1.com/foo/ 'nonce-abc'", >+ "returned_csp_1": "script-src http://not-example1.com/foo/ 'nonce-xyz'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ ]; >+ tests.forEach(test => { >+ async_test(t => { >+ var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1); >+ if (test.returned_csp_2) >+ url.searchParams.append("policy2", test.returned_csp_2); >+ assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null); >+ }, test.name); >+ }); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html >new file mode 100644 >index 0000000000000000000000000000000000000000..98abe7d8355b36bf1ff4d330bce5fc078b0faa13 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html 
>@@ -0,0 +1,113 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<title>Embedded Enforcement: Subsumption Algorithm - 'none' keyword.</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/testharness-helper.sub.js"></script> >+</head> >+<body> >+ <script> >+ var tests = [ >+ { "name": "Empty required csp subsumes empty list of returned policies.", >+ "required_csp": "", >+ "returned_csp_1": "", >+ "returned_csp_2": null, >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Empty required csp subsumes any list of policies.", >+ "required_csp": "", >+ "returned_csp_1": "img-src http://example.com", >+ "returned_csp_2": null, >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Empty required csp subsumes a policy with `none`.", >+ "required_csp": "", >+ "returned_csp_1": "img-src 'none'", >+ "returned_csp_2": null, >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Required policy that allows `none` does not subsume empty list of policies.", >+ "required_csp": "img-src ", >+ "returned_csp_1": "", >+ "returned_csp_2": null, >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Required csp with effective `none` does not subsume a host source expression.", >+ "required_csp": "img-src ", >+ "returned_csp_1": "img-src http://example.com", >+ "returned_csp_2": null, >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Required csp with `none` does not subsume a host source expression.", >+ "required_csp": "img-src 'none'", >+ "returned_csp_1": "img-src http://example.com", >+ "returned_csp_2": null, >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Required csp with effective `none` does not subsume `none` of another directive.", >+ "required_csp": "img-src ", >+ "returned_csp_1": "frame-src 'none'", >+ "returned_csp_2": null, >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Required csp with `none` does not subsume `none` of another directive.", >+ "required_csp": 
"img-src 'none'", >+ "returned_csp_1": "frame-src 'none'", >+ "returned_csp_2": null, >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Required csp with `none` does not subsume `none` of different directives.", >+ "required_csp": "img-src ", >+ "returned_csp_1": "img-src http://*.one.com", >+ "returned_csp_2": "frame-src https://two.com", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Required csp with `none` subsumes effective list of `none`.", >+ "required_csp": "img-src ", >+ "returned_csp_1": "img-src http://*.one.com", >+ "returned_csp_2": "img-src https://two.com", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Required csp with `none` subsumes effective list of `none` despite other keywords.", >+ "required_csp": "img-src 'none'", >+ "returned_csp_1": "img-src http://*.one.com", >+ "returned_csp_2": "img-src 'self'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Source list with exprssions other than `none` make `none` ineffective.", >+ "required_csp": "img-src http://example.com 'none'", >+ "returned_csp_1": "img-src http://example.com", >+ "returned_csp_2": null, >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Returned csp with `none` is subsumed by any required csp.", >+ "required_csp": "img-src http://example.com", >+ "returned_csp_1": "img-src 'none'", >+ "returned_csp_2": null, >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Returned csp with effective `none` is subsumed by any required csp.", >+ "required_csp": "img-src http://example.com", >+ "returned_csp_1": "img-src http://example.com", >+ "returned_csp_2": "img-src http://non-example.com", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Both required and returned csp are `none`.", >+ "required_csp": "img-src 'none'", >+ "returned_csp_1": "img-src 'none'", >+ "returned_csp_2": "img-src http://non-example.com", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Both required and returned csp are `none` for only one directive.", >+ 
"required_csp": "default-src 'none'", >+ "returned_csp_1": "img-src 'none'", >+ "returned_csp_2": "script-src 'unsafe-inline'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Both required and returned csp are empty.", >+ "required_csp": "img-src ", >+ "returned_csp_1": "img-src ", >+ "returned_csp_2": null, >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Both required and returned csp are effectively 'none'.", >+ "required_csp": "img-src ", >+ "returned_csp_1": "img-src http://a.com", >+ "returned_csp_2": "img-src http://b.com", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ ]; >+ tests.forEach(test => { >+ async_test(t => { >+ var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1); >+ if (test.returned_csp_2) >+ url.searchParams.append("policy2", test.returned_csp_2); >+ assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null); >+ }, test.name); >+ }); >+ </script> >+</body> >+</html> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html >new file mode 100644 >index 0000000000000000000000000000000000000000..9d08d24daba19beedaea55b320a5e7eb2f34f689 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html 
>@@ -0,0 +1,49 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<title>Embedded Enforcement: Subsumption Algorithm - 'self' keyword.</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/testharness-helper.sub.js"></script> >+</head> >+<body> >+ <script> >+ var tests = [ >+ { "name": "'self' keywords should match.", >+ "required_csp": "img-src 'self' http://b.com:*", >+ "returned_csp": "img-src 'self' http://b.com:*", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Returned CSP does not have to specify 'self'.", >+ "required_csp": "img-src 'self' http://b.com:*", >+ "returned_csp": "img-src http://b.com:*", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Returned CSP must not allow 'self' if required CSP does not.", >+ "required_csp": "img-src http://b.com:*", >+ "returned_csp": "img-src 'self' http://b.com:*", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Returned 'self' should match to an origin's url.", >+ "required_csp": "img-src 'self' http://b.com:*", >+ "returned_csp": "img-src " + getCrossOrigin(), >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Required 'self' should match to a origin's url.", >+ "required_csp": "img-src " + getCrossOrigin() + " http://b.com:*", >+ "returned_csp": "img-src 'self'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Required 'self' should subsume a more secure version of origin's url.", >+ "required_csp": "img-src 'self' http://b.com:*", >+ "returned_csp": "img-src " + getSecureCrossOrigin(), >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Returned 'self' should not be subsumed by a more secure version of origin's url.", >+ "required_csp": "img-src " + getSecureCrossOrigin() + " http://b.com:*", >+ "returned_csp": "img-src 'self'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ ]; >+ tests.forEach(test => { >+ async_test(t => { >+ var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp); 
>+ assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null); >+ }, test.name); >+ }); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html >new file mode 100644 >index 0000000000000000000000000000000000000000..b3e0ea15bdc66e35bcea5ed09f3ad47571c8c45e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html 
>@@ -0,0 +1,68 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<title>Embedded Enforcement: Subsumption Algorithm - 'strict-dynamic' keyword.</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/testharness-helper.sub.js"></script> >+</head> >+<body> >+ <script> >+ var tests = [ >+ { "name": "'strict-dynamic' is ineffective for `style-src`.", >+ "required_csp": "style-src http://example1.com/foo/ 'self'", >+ "returned_csp_1": "style-src 'strict-dynamic' http://example1.com/foo/bar.html", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "'strict-dynamic' is ineffective for `img-src`.", >+ "required_csp": "img-src http://example1.com/foo/ 'self'", >+ "returned_csp_1": "img-src 'strict-dynamic' http://example1.com/foo/bar.html", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "'strict-dynamic' is ineffective for `frame-src`.", >+ "required_csp": "frame-src http://example1.com/foo/ 'self'", >+ "returned_csp_1": "frame-src 'strict-dynamic' http://example1.com/foo/bar.html", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "'strict-dynamic' is ineffective for `child-src`.", >+ "required_csp": "child-src http://example1.com/foo/ 'self'", >+ "returned_csp_1": "child-src 'strict-dynamic' http://example1.com/foo/bar.html", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "'strict-dynamic' is effective only for `script-src`.", >+ "required_csp": "script-src http://example1.com/foo/ 'self'", >+ "returned_csp_1": "script-src 'strict-dynamic' http://example1.com/foo/bar.html", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "'strict-dynamic' is proper handled for finding effective policy.", >+ "required_csp": "script-src http://example1.com/foo/ 'self'", >+ "returned_csp_1": "script-src 'strict-dynamic' http://example1.com/foo/bar.html", >+ "returned_csp_2": "script-src 'strict-dynamic' 'nonce-abc'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": 
"'strict-dynamic' makes host source expressions ineffective.", >+ "required_csp": "script-src 'strict-dynamic' 'nonce-abc'", >+ "returned_csp_1": "script-src http://example.com 'strict-dynamic' 'nonce-abc'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "'strict-dynamic' makes scheme source expressions ineffective.", >+ "required_csp": "script-src 'strict-dynamic' 'nonce-abc'", >+ "returned_csp_1": "script-src http: 'strict-dynamic' 'nonce-abc'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "'strict-dynamic' makes 'self' ineffective.", >+ "required_csp": "script-src 'strict-dynamic' 'nonce-abc'", >+ "returned_csp_1": "script-src 'self' 'strict-dynamic' 'nonce-abc'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "'strict-dynamic' makes 'unsafe-inline' ineffective.", >+ "required_csp": "script-src 'strict-dynamic' 'nonce-abc'", >+ "returned_csp_1": "script-src 'unsafe-inline' 'strict-dynamic' 'nonce-abc'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "'strict-dynamic' has to be allowed by required csp if it is present in returned csp.", >+ "required_csp": "script-src 'nonce-abc'", >+ "returned_csp_1": "script-src 'strict-dynamic' 'nonce-abc'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ ]; >+ tests.forEach(test => { >+ async_test(t => { >+ var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1); >+ if (test.returned_csp_2) >+ url.searchParams.append("policy2", test.returned_csp_2); >+ assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null); >+ }, test.name); >+ }); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html >new file mode 100644 >index 0000000000000000000000000000000000000000..e111f152f807a79e79d2c8866d8b62683deec689 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html 
>@@ -0,0 +1,54 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<title>Embedded Enforcement: Subsumption Algorithm - 'unsafe-eval' keyword.</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/testharness-helper.sub.js"></script> >+</head> >+<body> >+ <script> >+ var tests = [ >+ { "name": "'unsafe-eval' is properly subsumed.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-hashed-attributes' 'strict-dynamic' 'unsafe-eval'", >+ "returned_csp_1": "style-src http://example1.com/foo/bar.html 'unsafe-eval'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "No other keyword has the same effect as 'unsafe-eval'.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-eval'", >+ "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Other expressions have to be subsumed.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-eval'", >+ "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline' 'unsafe-eval'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Effective policy is properly found.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-eval'", >+ "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-hashed-attributes' 'unsafe-eval'", >+ "returned_csp_2": "style-src http://example1.com/foo/ 'self' 'unsafe-eval'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Required csp must allow 'unsafe-eval'.", >+ "required_csp": "style-src http://example1.com/foo/ 'self'", >+ "returned_csp_1": "style-src http://example1.com/foo/ 'self' 'unsafe-eval'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Effective policy is properly found where 'unsafe-eval' is not subsumed.", >+ "required_csp": "style-src http://example1.com/foo/ 'self'", >+ "returned_csp_1": "style-src 'unsafe-hashed-attributes' 
'unsafe-eval'", >+ "returned_csp_2": "style-src 'unsafe-eval' 'unsafe-inline'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Effective policy is properly found where 'unsafe-eval' is not part of it.", >+ "required_csp": "style-src http://example1.com/foo/ 'self'", >+ "returned_csp_1": "style-src 'unsafe-hashed-attributes' 'self'", >+ "returned_csp_2": "style-src 'unsafe-eval' 'self'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ ]; >+ tests.forEach(test => { >+ async_test(t => { >+ var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1); >+ if (test.returned_csp_2) >+ url.searchParams.append("policy2", test.returned_csp_2); >+ assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null); >+ }, test.name); >+ }); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html >new file mode 100644 >index 0000000000000000000000000000000000000000..2d5fa1574a16795fb283c24002d3bf6d072ac7d4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html 
>@@ -0,0 +1,54 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<title>Embedded Enforcement: Subsumption Algorithm - 'unsafe-hashes' keyword.</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/testharness-helper.sub.js"></script> >+</head> >+<body> >+ <script> >+ var tests = [ >+ { "name": "'unsafe-hashes' is properly subsumed.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-eval' 'strict-dynamic' 'unsafe-hashes'", >+ "returned_csp_1": "style-src http://example1.com/foo/bar.html 'unsafe-hashes'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "No other keyword has the same effect as 'unsafe-hashes'.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-hashes'", >+ "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Other expressions have to be subsumed.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-hashes'", >+ "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline' 'unsafe-hashes'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Effective policy is properly found.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-hashes'", >+ "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-eval' 'unsafe-hashes'", >+ "returned_csp_2": "style-src http://example1.com/foo/ 'self' 'unsafe-hashes'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Required csp must allow 'unsafe-hashes'.", >+ "required_csp": "style-src http://example1.com/foo/ 'self'", >+ "returned_csp_1": "style-src http://example1.com/foo/ 'self' 'unsafe-hashes'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Effective policy is properly found where 'unsafe-hashes' is not subsumed.", >+ "required_csp": "style-src http://example1.com/foo/ 'self'", >+ "returned_csp_1": "style-src 'unsafe-eval' 'unsafe-hashes'", >+ 
"returned_csp_2": "style-src 'unsafe-hashes' 'unsafe-inline'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Effective policy is properly found where 'unsafe-hashes' is not part of it.", >+ "required_csp": "style-src http://example1.com/foo/ 'self'", >+ "returned_csp_1": "style-src 'unsafe-eval' 'self'", >+ "returned_csp_2": "style-src 'unsafe-hashes' 'self'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ ]; >+ tests.forEach(test => { >+ async_test(t => { >+ var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1); >+ if (test.returned_csp_2) >+ url.searchParams.append("policy2", test.returned_csp_2); >+ assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null); >+ }, test.name); >+ }); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html >new file mode 100644 >index 0000000000000000000000000000000000000000..96f0e38699ba4b00aabb93dc7d7dda1a3589ec4e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html 
>@@ -0,0 +1,103 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<title>Embedded Enforcement: Subsumption Algorithm - 'unsafe-inline' keyword.</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/testharness-helper.sub.js"></script> >+</head> >+<body> >+ <script> >+ var tests = [ >+ { "name": "'strict-dynamic' is ineffective for `style-src`.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic'", >+ "returned_csp_1": "style-src 'unsafe-inline' http://example1.com/foo/bar.html", >+ "returned_csp_2": null, >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "'unsafe-inline' is properly subsumed in `style-src`.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'", >+ "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline'", >+ "returned_csp_2": null, >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "'unsafe-inline' is only ineffective if the effective returned csp has nonces in `style-src`.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'", >+ "returned_csp_1": "style-src 'unsafe-inline' 'nonce-yay'", >+ "returned_csp_2": "style-src 'unsafe-inline'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "'unsafe-inline' is only ineffective if the effective returned csp has hashes in `style-src`.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'", >+ "returned_csp_1": "style-src 'unsafe-inline' 'sha256-abc123'", >+ "returned_csp_2": "style-src 'unsafe-inline'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Returned csp does not have to allow 'unsafe-inline' in `style-src` to be subsumed.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'", >+ "returned_csp_1": "style-src 'self'", >+ "returned_csp_2": null, >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "'unsafe-inline' does not matter if 
returned csp is effectively `none`.", >+ "required_csp": "style-src 'unsafe-inline'", >+ "returned_csp_1": "style-src ", >+ "returned_csp_2": null, >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "'unsafe-inline' is properly subsumed in `script-src`.", >+ "required_csp": "script-src http://example1.com/foo/ 'self' 'unsafe-inline'", >+ "returned_csp_1": "script-src http://example1.com/foo/ 'unsafe-inline'", >+ "returned_csp_2": null, >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Returned csp only loads 'unsafe-inline' scripts with 'nonce-abc'.", >+ "required_csp": "script-src http://example1.com/foo/ 'self' 'unsafe-inline'", >+ "returned_csp_1": "script-src 'nonce-abc'", >+ "returned_csp_2": "script-src 'unsafe-inline'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "'unsafe-inline' is ineffective when nonces are present.", >+ "required_csp": "script-src http://example1.com/foo/ 'self' 'unsafe-inline'", >+ "returned_csp_1": "script-src 'unsafe-inline' 'nonce-abc'", >+ "returned_csp_2": "script-src 'unsafe-inline'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "'unsafe-inline' is only ineffective if the effective returned csp has hashes in `script-src`.", >+ "required_csp": "script-src http://example1.com/foo/ 'self' 'unsafe-inline'", >+ "returned_csp_1": "script-src 'unsafe-inline' 'sha256-abc123' 'nonce-abc'", >+ "returned_csp_2": "script-src 'unsafe-inline'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ { "name": "Required csp allows `strict-dynamic`, but retuned csp does.", >+ "required_csp": "script-src http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'", >+ "returned_csp_1": "script-src 'unsafe-inline' http://example1.com/foo/bar.html", >+ "returned_csp_2": null, >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Required csp does not allow `unsafe-inline`, but retuned csp does.", >+ "required_csp": "style-src http://example1.com/foo/ 'self'", >+ "returned_csp_1": "style-src 'unsafe-inline'", >+ "returned_csp_2": null, 
>+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Returned csp whitelists a nonce.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'", >+ "returned_csp_1": "style-src 'unsafe-inline' 'nonce-abc'", >+ "returned_csp_2": "style-src 'nonce-abc'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Returned csp whitelists a hash.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'", >+ "returned_csp_1": "style-src 'unsafe-inline' 'sha256-abc123'", >+ "returned_csp_2": "style-src 'sha256-abc123'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Effective returned csp allows 'unsafe-inline'", >+ "required_csp": "style-src http://example1.com/foo/ 'self'", >+ "returned_csp_1": "style-src 'unsafe-inline' https://example.test/", >+ "returned_csp_2": "style-src 'unsafe-inline'", >+ "expected": IframeLoad.EXPECT_BLOCK }, >+ { "name": "Effective returned csp does not allow 'sha512-321cba' hash.", >+ "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'", >+ "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline' 'nonce-yay'", >+ "returned_csp_2": "style-src http://example1.com/foo/ 'unsafe-inline' 'sha512-321cba'", >+ "expected": IframeLoad.EXPECT_LOAD }, >+ ]; >+ tests.forEach(test => { >+ async_test(t => { >+ var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1); >+ if (test.returned_csp_2) >+ url.searchParams.append("policy2", test.returned_csp_2); >+ assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null); >+ }, test.name); >+ }); >+ </script> >+</body> >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/echo-allow-csp-from.py b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/echo-allow-csp-from.py >new file mode 100644 >index 0000000000000000000000000000000000000000..fa1064adc84a21029fa2cc8c1afa887018da44ad >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/echo-allow-csp-from.py >@@ -0,0 +1,37 @@ >+import json >+def main(request, response): >+ headers = [("Content-Type", "text/html")] >+ if "allow_csp_from" in request.GET: >+ headers.append(("Allow-CSP-From", request.GET["allow_csp_from"])) >+ message = request.GET["id"] >+ return headers, ''' >+<!DOCTYPE html> >+<html> >+<head> >+ <title>This page enforces embedder's policies</title> >+ <script nonce="123"> >+ document.addEventListener("securitypolicyviolation", function(e) { >+ var response = {}; >+ response["id"] = "%s"; >+ response["securitypolicyviolation"] = true; >+ response["blockedURI"] = e.blockedURI; >+ response["lineNumber"] = e.lineNumber; >+ window.top.postMessage(response, '*'); >+ }); >+ </script> >+</head> >+<body> >+ <style> >+ body { >+ background-color: maroon; >+ } >+ </style> >+ <script nonce="abc"> >+ var response = {}; >+ response["id"] = "%s"; >+ response["loaded"] = true; >+ window.top.postMessage(response, '*'); >+ </script> >+</body> >+</html> >+''' % (message, message) >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/echo-policy-multiple.py b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/echo-policy-multiple.py >new file mode 100644 >index 0000000000000000000000000000000000000000..8100086a3d849c6c7d4cf4f4c0c85f9a89a0e40e >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/echo-policy-multiple.py >@@ -0,0 +1,25 @@ >+def main(request, response): >+ headers = [("Content-Type", "text/html")] >+ if "policy" in request.GET: >+ headers.append(("Content-Security-Policy", request.GET["policy"])) >+ if "policy2" in request.GET: >+ headers.append(("Content-Security-Policy", request.GET["policy2"])) >+ if "policy3" in request.GET: >+ headers.append(("Content-Security-Policy", request.GET["policy3"])) >+ message = request.GET["id"] >+ return headers, ''' >+<!DOCTYPE html> >+<html> >+<head> >+ <title>This page sets given CSP upon itself.</title> >+</head> >+<body> >+ <script nonce="abc"> >+ var response = {}; >+ response["id"] = "%s"; >+ response["loaded"] = true; >+ window.top.postMessage(response, '*'); >+ </script> >+</body> >+</html> >+''' % (message) >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/echo-required-csp.py b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/echo-required-csp.py >new file mode 100644 >index 0000000000000000000000000000000000000000..6063cc046ba7a22f7a5eaad35715106df8b09a55 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/echo-required-csp.py 
>@@ -0,0 +1,44 @@ >+import json >+def main(request, response): >+ message = {} >+ >+ header = request.headers.get("Test-Header-Injection"); >+ message['test_header_injection'] = header if header else None >+ >+ header = request.headers.get("Sec-Required-CSP"); >+ message['required_csp'] = header if header else None >+ >+ second_level_iframe_code = "" >+ if "include_second_level_iframe" in request.GET: >+ if "second_level_iframe_csp" in request.GET and request.GET["second_level_iframe_csp"] <> "": >+ second_level_iframe_code = '''<script> >+ var i2 = document.createElement('iframe'); >+ i2.src = 'echo-required-csp.py'; >+ i2.csp = "{0}"; >+ document.body.appendChild(i2); >+ </script>'''.format(request.GET["second_level_iframe_csp"]) >+ else: >+ second_level_iframe_code = '''<script> >+ var i2 = document.createElement('iframe'); >+ i2.src = 'echo-required-csp.py'; >+ document.body.appendChild(i2); >+ </script>''' >+ >+ return [("Content-Type", "text/html"), ("Allow-CSP-From", "*")], ''' >+<!DOCTYPE html> >+<html> >+<head> >+ <!--{2}--> >+ <script> >+ window.addEventListener('message', function(e) {{ >+ window.parent.postMessage(e.data, '*'); >+ }}); >+ >+ window.parent.postMessage({0}, '*'); >+ </script> >+</head> >+<body> >+{1} >+</body> >+</html> >+'''.format(json.dumps(message), second_level_iframe_code, str(request.headers)) >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/testharness-helper.sub.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/testharness-helper.sub.js >new file mode 100644 >index 0000000000000000000000000000000000000000..3b84db0852249ef0ed38ef6053086561cf83bde8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/testharness-helper.sub.js 
>@@ -0,0 +1,160 @@ >+const Host = { >+ SAME_ORIGIN: "same-origin", >+ CROSS_ORIGIN: "cross-origin", >+}; >+ >+const PolicyHeader = { >+ CSP: "echo-policy.py?policy=", >+ CSP_MULTIPLE: "echo-policy-multiple.py", >+ REQUIRED_CSP: "echo-required-csp.py", >+ ALLOW_CSP_FROM: "echo-allow-csp-from.py", >+}; >+ >+const IframeLoad = { >+ EXPECT_BLOCK: true, >+ EXPECT_LOAD: false, >+}; >+ >+function getOrigin() { >+ var url = new URL("http://{{host}}:{{ports[http][0]}}/"); >+ return url.toString(); >+} >+ >+function getCrossOrigin() { >+ var url = new URL("http://{{domains[天æ°ã®è¯ãæ¥]}}:{{ports[http][0]}}/"); >+ return url.toString(); >+} >+ >+function getSecureCrossOrigin() { >+ // Since wptserve spins up servers on non-default port, 'self' matches >+ // http://[host]:[specified-port] and https://[host]:[specified-port], but not >+ // https://[host]:[https-port]. So, we use the http port for this https origin >+ // in order to verify that a secure variant of a non-secure URL matches 'self'. >+ var url = new URL("https://{{domains[天æ°ã®è¯ãæ¥]}}:{{ports[http][0]}}"); >+ return url.toString(); >+} >+ >+function generateURL(host, path, include_second_level_iframe, second_level_iframe_csp) { >+ var url = new URL("http://{{host}}:{{ports[http][0]}}/content-security-policy/embedded-enforcement/support/"); >+ url.hostname = host == Host.SAME_ORIGIN ? 
"{{host}}" : "{{domains[天æ°ã®è¯ãæ¥]}}"; >+ url.pathname += path; >+ if (include_second_level_iframe) { >+ url.searchParams.append("include_second_level_iframe", ""); >+ if (second_level_iframe_csp) >+ url.searchParams.append("second_level_iframe_csp", second_level_iframe_csp); >+ } >+ >+ return url; >+} >+ >+function generateURLString(host, path) { >+ return generateURL(host, path, false, "").toString(); >+} >+ >+function generateURLStringWithSecondIframeParams(host, path, second_level_iframe_csp) { >+ return generateURL(host, path, true, second_level_iframe_csp).toString(); >+} >+ >+function generateRedirect(host, target) { >+ var url = new URL("http://{{host}}:{{ports[http][0]}}/common/redirect.py?location=" + >+ encodeURIComponent(target)); >+ url.hostname = host == Host.SAME_ORIGIN ? "{{host}}" : "{{domains[天æ°ã®è¯ãæ¥]}}"; >+ >+ return url.toString(); >+} >+ >+function generateUrlWithPolicies(host, policy) { >+ var url = generateURL(host, PolicyHeader.CSP_MULTIPLE); >+ if (policy != null) >+ url.searchParams.append("policy", policy); >+ return url; >+} >+ >+function generateUrlWithAllowCSPFrom(host, allowCspFrom) { >+ var url = generateURL(host, PolicyHeader.ALLOW_CSP_FROM); >+ if (allowCspFrom != null) >+ url.searchParams.append("allow_csp_from", allowCspFrom); >+ return url; >+} >+ >+function assert_required_csp(t, url, csp, expected) { >+ var i = document.createElement('iframe'); >+ if(csp) >+ i.csp = csp; >+ i.src = url; >+ >+ window.addEventListener('message', t.step_func(e => { >+ if (e.source != i.contentWindow || !('required_csp' in e.data)) >+ return; >+ >+ if (expected.indexOf(e.data['required_csp']) == -1) >+ assert_unreached('Child iframes have unexpected csp:"' + e.data['required_csp'] + '"'); >+ >+ expected.splice(expected.indexOf(e.data['required_csp']), 1); >+ >+ if (e.data['test_header_injection'] != null) >+ assert_unreached('HTTP header injection was successful'); >+ >+ if (expected.length == 0) >+ t.done(); >+ })); >+ >+ 
document.body.appendChild(i); >+} >+ >+function assert_iframe_with_csp(t, url, csp, shouldBlock, urlId, blockedURI) { >+ var i = document.createElement('iframe'); >+ url.searchParams.append("id", urlId); >+ i.src = url.toString(); >+ if (csp != null) >+ i.csp = csp; >+ >+ var loaded = {}; >+ window.addEventListener("message", function (e) { >+ if (e.source != i.contentWindow) >+ return; >+ if (e.data["loaded"]) >+ loaded[e.data["id"]] = true; >+ }); >+ >+ if (shouldBlock) { >+ // Assert iframe does not load and is inaccessible. >+ window.onmessage = t.step_func(function(e) { >+ if (e.source != i.contentWindow) >+ return; >+ assert_unreached('No message should be sent from the frame.'); >+ }); >+ i.onload = t.step_func(function () { >+ // Delay the check until after the postMessage has a chance to execute. >+ setTimeout(t.step_func_done(function () { >+ assert_equals(loaded[urlId], undefined); >+ }), 500); >+ assert_throws("SecurityError", () => { >+ var x = i.contentWindow.location.href; >+ }); >+ }); >+ } else if (blockedURI) { >+ // Assert iframe loads with an expected violation. >+ window.addEventListener('message', t.step_func(e => { >+ if (e.source != i.contentWindow) >+ return; >+ assert_equals(e.data["blockedURI"], blockedURI); >+ t.done(); >+ })); >+ } else { >+ // Assert iframe loads. Wait for both the load event and the postMessage. >+ window.addEventListener('message', t.step_func(e => { >+ if (e.source != i.contentWindow) >+ return; >+ assert_true(loaded[urlId]); >+ if (i.onloadReceived) >+ t.done(); >+ })); >+ i.onload = t.step_func(function () { >+ if (loaded[urlId]) >+ t.done(); >+ i.onloadReceived = true; >+ }); >+ } >+ document.body.appendChild(i); >+} 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..8a786f38c3ef6bce8188961559fbc8dd0b6e1a5f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/w3c-import.log >@@ -0,0 +1,20 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/echo-allow-csp-from.py >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/echo-policy-multiple.py >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/echo-required-csp.py >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/testharness-helper.sub.js >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..b67536b9fd811f0e197a88873325497859844afd >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/w3c-import.log 
>@@ -0,0 +1,35 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/allow_csp_from-header.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/idlharness.window.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/iframe-csp-attribute.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/required-csp-header-cascade.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/required_csp-header-crlf.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/required_csp-header.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-match-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-match-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..14608fe3a777859b20eaed3f793805a3f47c0f14 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-match-allowed.sub-expected.txt >@@ -0,0 +1,4 @@ >+Blocked access to external URL http://www1.localhost:8800/fonts/Ahem.ttf?font-match-allowed >+ >+FAIL Test font loads if it matches font-src. assert_unreached: Should have loaded the font. Reached unreachable code >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-match-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-match-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..ebba1e0096ca077dea9de0d92756d5ab56d6fb93 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-match-allowed.sub.html >@@ -0,0 +1,23 @@ >+<!doctype html> >+<meta charset=utf-8> >+<meta http-equiv="Content-Security-Policy" content="font-src {{domains[www1]}}:{{ports[http][0]}}"> >+<head> >+ <title>Test font loads if it matches font-src.</title> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <div id="log"/> >+ <script> >+ async_test(function(t) { >+ document.addEventListener("securitypolicyviolation", t.unreached_func("Loading allowed fonts should not trigger a violation.")); >+ var link = document.createElement('link'); >+ link.rel="preload"; >+ link.as="font"; >+ link.href="http://{{domains[www1]}}:{{ports[http][0]}}/fonts/Ahem.ttf?font-match-allowed"; >+ link.onload = t.step_func_done(); >+ link.onerror = t.unreached_func("Should have loaded the font."); >+ document.getElementsByTagName('head')[0].appendChild(link); >+ }, "Test font loads if it matches font-src."); >+ </script> >+</body> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-mismatch-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-mismatch-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..04901c54e0e390771d7725c4794bad1deeca072b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-mismatch-blocked.sub-expected.txt 
>@@ -0,0 +1,5 @@ >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT Test font does not load if it does not match font-src. Test timed out >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-mismatch-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-mismatch-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..b164cf0f172c97540d96a25fad239b67ccaaff16 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-mismatch-blocked.sub.html >@@ -0,0 +1,22 @@ >+<!doctype html> >+<meta charset=utf-8> >+<meta http-equiv="Content-Security-Policy" content="font-src {{domains[www1]}}:{{ports[http][0]}}"> >+<head> >+ <title>Test font does not load if it does not match font-src.</title> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <div id="log"/> >+ <script> >+ async_test(function(t) { >+ var link = document.createElement('link'); >+ link.rel="preload"; >+ link.as="font"; >+ link.href="http://{{domains[www2]}}:{{ports[http][0]}}/fonts/Ahem.ttf?font-mismatch-blocked"; >+ link.onload = t.unreached_func("Should not have loaded the font."); >+ link.onerror = t.step_func_done(); >+ document.getElementsByTagName('head')[0].appendChild(link); >+ }, "Test font does not load if it does not match font-src."); >+ </script> >+</body> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-none-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-none-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..04901c54e0e390771d7725c4794bad1deeca072b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-none-blocked.sub-expected.txt 
>@@ -0,0 +1,5 @@ >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT Test font does not load if it does not match font-src. Test timed out >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-none-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-none-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..eae1b4986d9e58d5eeae595398a6ef5169ed5d47 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-none-blocked.sub.html >@@ -0,0 +1,22 @@ >+<!doctype html> >+<meta charset=utf-8> >+<meta http-equiv="Content-Security-Policy" content="font-src 'none'"> >+<head> >+ <title>Test font does not load if it does not match font-src.</title> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <div id="log"/> >+ <script> >+ async_test(function(t) { >+ var link = document.createElement('link'); >+ link.rel="preload"; >+ link.as="font"; >+ link.href="http://{{domains[www]}}:{{ports[http][0]}}/fonts/Ahem.ttf?font-none-blocked"; >+ link.onload = t.unreached_func("Should not have loaded the font."); >+ link.onerror = t.step_func_done(); >+ document.getElementsByTagName('head')[0].appendChild(link); >+ }, "Test font does not load if it does not match font-src."); >+ </script> >+</body> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-self-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-self-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..4a520911e7298c3c0927379b2c3fcaf7916ceae1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-self-allowed-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Test font loads if it matches font-src. >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-self-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-self-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..b8d46e5c9877d3845270bf1e0a686dbd8735aecc >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-self-allowed.html >@@ -0,0 +1,23 @@ >+<!doctype html> >+<meta charset=utf-8> >+<meta http-equiv="Content-Security-Policy" content="font-src 'self'"> >+<head> >+ <title>Test font loads if it matches font-src.</title> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <div id="log"/> >+ <script> >+ async_test(function(t) { >+ document.addEventListener("securitypolicyviolation", t.unreached_func("Loading allowed fonts should not trigger a violation.")); >+ var link = document.createElement('link'); >+ link.rel="preload"; >+ link.as="font"; >+ link.href="/fonts/Ahem.ttf?font-self-allowed"; >+ link.onload = t.step_func_done(); >+ link.onerror = t.unreached_func("Should have loaded the font."); >+ document.getElementsByTagName('head')[0].appendChild(link); >+ }, "Test font loads if it matches font-src."); >+ </script> >+</body> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-stylesheet-font-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-stylesheet-font-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..791e21795a4882894d436067d139db217aa26185 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-stylesheet-font-blocked.sub-expected.txt 
>@@ -0,0 +1,3 @@ >+ >+FAIL Test font does not load if it does not match font-src. assert_equals: expected "font-src" but got "font-src 'none'" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-stylesheet-font-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-stylesheet-font-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..3b47d0b2e22f72bb39cce8f3f98f21b97d4f7004 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-stylesheet-font-blocked.sub.html >@@ -0,0 +1,25 @@ >+<!doctype html> >+<meta charset=utf-8> >+<meta http-equiv="Content-Security-Policy" content="font-src 'none'"> >+<head> >+ <title>Test font does not load if it does not match font-src.</title> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <div id="log"/> >+ <script> >+ async_test(function(t) { >+ var link = document.createElement('link'); >+ link.rel="stylesheet"; >+ link.type="text/css"; >+ link.href="/content-security-policy/support/fonts.css"; >+ // The stylesheet should stil load, even though the font contained does not >+ link.onerror = t.unreached_func("Should have loaded the stylesheet."); >+ document.addEventListener("securitypolicyviolation", t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "font-src"); >+ })); >+ document.getElementsByTagName('head')[0].appendChild(link); >+ }, "Test font does not load if it does not match font-src."); >+ </script> >+</body> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..bac54e372893d2746fc095e13d216990da1ed40d >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/w3c-import.log >@@ -0,0 +1,21 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-match-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-mismatch-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-none-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-self-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-stylesheet-font-blocked.sub.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-self-allowed-target-blank-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-self-allowed-target-blank-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..bce5cb86ed1641d41f096b8cf4637de9c2854fb9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-self-allowed-target-blank-expected.txt 
>@@ -0,0 +1,5 @@ >+Test that "form-action 'self'" works correctly when the form uses target="_blank". If this test passes, a new window must open after pressing "submit". >+ >+ >+PASS The form submission should not be blocked by the iframe's CSP. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-self-allowed-target-blank.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-self-allowed-target-blank.html >new file mode 100644 >index 0000000000000000000000000000000000000000..673174c1f03564e53e02a7c67d1661751e74f162 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-self-allowed-target-blank.html >@@ -0,0 +1,39 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<meta http-equiv="Content-Security-Policy" content="form-action 'self'"> >+</head> >+ >+<body> >+ <form action='/content-security-policy/support/postmessage-pass-to-opener.html' >+ id='form_id' >+ target="_blank"> >+ </form> >+ >+ <p> >+ Test that "form-action 'self'" works correctly when the form uses >+ target="_blank". If this test passes, a new window must open after pressing >+ "submit". >+ </p> >+</body> >+ >+<script> >+ async_test(t => { >+ document.addEventListener('securitypolicyviolation', function(e) { >+ t.unreached_func("Form submission was blocked."); >+ }); >+ >+ window.addEventListener('message', function(event) { >+ t.done(); >+ }) >+ >+ window.addEventListener("load", function() { >+ document.getElementById("form_id").submit(); >+ }); >+ }, "The form submission should not be blocked by the iframe's CSP."); >+</script> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-allowed-target-blank.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-allowed-target-blank.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..de92939ccf8d655cb500a8ecbe55d500385aa6cd >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-allowed-target-blank.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS form submission targetting _blank allowed after a redirect >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-allowed-target-blank.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-allowed-target-blank.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..46747b76885d67a5663f6a5946d0b3f31fff2e4a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-allowed-target-blank.sub.html 
>@@ -0,0 +1,34 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <title>form-action-src-redirect-allowed-target-blank</title> >+ <meta http-equiv="Content-Security-Policy" content="form-action 'self'"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script> >+ function OnDocumentLoaded() { >+ let test = async_test("form submission targetting _blank allowed after a redirect"); >+ window.addEventListener("message", function(event) { >+ if (event.data == "DocumentNotBlocked") { >+ event.source.close(); >+ test.done(); >+ } >+ }); >+ >+ let form = document.getElementById("form"); >+ form.action = >+ "/content-security-policy/form-action/support/post-message-to-opener.sub.html"; >+ >+ let submit = document.getElementById("submit"); >+ submit.click(); >+ } >+ </script> >+</head> >+<body onload="OnDocumentLoaded();"> >+ <form id="form" method="GET" target="_blank"> >+ <input type="hidden" name="message" value="DocumentNotBlocked"> >+ <input type="submit" id="submit"> >+ </form> >+</body> >+</html> >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-allowed-target-frame.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-allowed-target-frame.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..93f68f6788748aa2031d631e5da4761118b73f4a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-allowed-target-frame.sub-expected.txt >@@ -0,0 +1,5 @@ >+ >+ >+ >+PASS form submission targetting a frame allowed >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-allowed-target-frame.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-allowed-target-frame.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..81921d395e312f2e0958c266a638aa4d5e1ce2f6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-allowed-target-frame.sub.html >@@ -0,0 +1,34 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <title>form-action-src-allowed-target-frame</title> >+ <meta http-equiv="Content-Security-Policy" content="form-action 'self'"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script> >+ function OnDocumentLoaded() { >+ let test = async_test("form submission targetting a frame allowed"); >+ window.addEventListener("message", function(event) { >+ if (event.data == "DocumentNotBlocked") { >+ test.done(); >+ } >+ }); >+ >+ let form = document.getElementById("form"); >+ form.action = >+ "/content-security-policy/form-action/support/post-message-to-parent.sub.html"; >+ >+ let submit = document.getElementById("submit"); >+ submit.click(); >+ } >+ </script> >+</head> >+<body onload="OnDocumentLoaded();"> >+ <form id="form" method="GET" target="frame"> >+ <input type="hidden" name="message" value="DocumentNotBlocked"> >+ <input type="submit" id="submit"> >+ </form> >+ <iframe name="frame"></iframe> >+</body> >+</html> >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a9d8acd7cfe389658b3868468d7e45f41cde56cc >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-allowed.sub-expected.txt >@@ -0,0 +1,7 @@ >+ >+ >+Tests that allowed form actions work correctly. >+ >+ >+PASS Expecting logs: ["PASS","TEST COMPLETE"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..418d6f51b0f4fc651b169a4b50c745d73c316d1e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-allowed.sub.html 
>@@ -0,0 +1,40 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>form-action-src-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log('Fail'); >+ }); >+ window.addEventListener("message", function(event) { >+ log(event.data); >+ }, false); >+ window.addEventListener('load', function() { >+ setTimeout(function() { >+ document.getElementById('submit').click(); >+ log("TEST COMPLETE"); >+ }, 0); >+ }); >+ >+ </script> >+</head> >+ >+<body> >+ <iframe name="test_target" id="test_iframe"></iframe> >+ >+ <form action="/common/redirect.py?location=/content-security-policy/support/postmessage-pass.html" id="theform" method="post" target="test_target"> >+ <input type="text" name="fieldname" value="fieldvalue"> >+ <input type="submit" id="submit" value="submit"> >+ </form> >+ <p>Tests that allowed form actions work correctly.</p> >+ <div id="log"></div> >+ </body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..e8bd7d5c8e2cb61653c84e4880b3f6e4c0c4b9f8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-blocked.sub-expected.txt 
>@@ -0,0 +1,8 @@ >+ >+ >+Tests that blocking form actions works correctly. >+ >+ >+FAIL Expecting logs: ["violated-directive=form-action","TEST COMPLETE"] assert_unreached: Logging timeout, expected logs violated-directive=form-action not sent. Reached unreachable code >+FAIL form-action-src-blocked assert_unreached: FAIL Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a113d9a2643ba2f9cbbc005d981e04cbfaf7e1c0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-blocked.sub.html 
>@@ -0,0 +1,40 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>form-action-src-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["violated-directive=form-action","TEST COMPLETE"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log('violated-directive=' + e.violatedDirective); >+ }); >+ window.addEventListener("message", function(event) { >+ alert_assert(event.data); >+ }, false); >+ window.addEventListener('load', function() { >+ setTimeout(function() { >+ document.getElementById('submit').click(); >+ }, 0); >+ }); >+ setTimeout(function() {log("TEST COMPLETE");}, 1); >+ >+ </script> >+</head> >+ >+<body> >+ <iframe name="test_target" id="test_iframe"></iframe> >+ <form action="/common/redirect.py?location=/content-security-policy/support/postmessage-fail.html" id="theform" method="post" target="test_target"> >+ <input type="text" name="fieldname" value="fieldvalue"> >+ <input type="submit" id="submit" value="submit"> >+ </form> >+ <p>Tests that blocking form actions works correctly.</p> >+ <div id="log"></div> >+ >+ </body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-default-ignored.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-default-ignored.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..2b5d733fbf2945a1eb56785b82ddc1c8436e2bd8 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-default-ignored.sub-expected.txt >@@ -0,0 +1,7 @@ >+ >+ >+Tests that default-src does not cascade to form-action. >+ >+ >+PASS Expecting logs: ["PASS","TEST COMPLETE"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-default-ignored.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-default-ignored.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..58db5bf7355b3c6d62a4a9c138300ab8e82e07ab >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-default-ignored.sub.html 
>@@ -0,0 +1,40 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; frame-src 'self';"> >+ <title>form-action-src-default-ignored</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log('Fail'); >+ }); >+ window.addEventListener("message", function(event) { >+ log(event.data); >+ }, false); >+ window.addEventListener('load', function() { >+ setTimeout(function() { >+ document.getElementById('submit').click(); >+ log("TEST COMPLETE"); >+ }, 0); >+ }); >+ >+ </script> >+</head> >+ >+<body> >+ <iframe name="test_target" id="test_iframe"></iframe> >+ >+ <form action="/common/redirect.py?location=/content-security-policy/support/postmessage-pass.html" id="theform" method="post" target="test_target"> >+ <input type="text" name="fieldname" value="fieldvalue"> >+ <input type="submit" id="submit" value="submit"> >+ </form> >+ <p>Tests that default-src does not cascade to form-action.</p> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-get-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-get-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..d34080cccfc8302d8f1f26ee4a79d0c799d960c3 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-get-allowed.sub-expected.txt >@@ -0,0 +1,7 @@ >+ >+ >+Tests that allowed form actions work correctly with GET and a redirect. >+ >+ >+PASS Expecting logs: ["PASS","TEST COMPLETE"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-get-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-get-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..1dd7fbcd41bbfcbeec5242f4a808830158ebcc02 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-get-allowed.sub.html 
>@@ -0,0 +1,41 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>form-action-src-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log('Fail'); >+ }); >+ window.addEventListener("message", function(event) { >+ log(event.data); >+ }, false); >+ window.addEventListener('load', function() { >+ setTimeout(function() { >+ document.getElementById('submit').click(); >+ log("TEST COMPLETE"); >+ }, 0); >+ }); >+ >+ </script> >+</head> >+ >+<body> >+ <iframe name="test_target" id="test_iframe"></iframe> >+ >+ <form action="/content-security-policy/support/postmessage-pass.html" id="theform" method="get" target="test_target"> >+ <input type="text" name="fieldname" value="fieldvalue"> >+ <input type="submit" id="submit" value="submit"> >+ </form> >+ <p>Tests that allowed form actions work correctly >+ with GET and a redirect.</p> >+ <div id="log"></div> >+ </body> >+ >+</html> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-get-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-get-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..d9634d6c818775b6fb2afa1f19c3be37bb5a153b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-get-blocked.sub-expected.txt 
>@@ -0,0 +1,7 @@ >+ >+ >+Tests that disallowed form actions are blocked with GET and redirects. >+ >+ >+FAIL Expecting logs: ["violated-directive=form-action","TEST COMPLETE"] assert_unreached: Logging timeout, expected logs violated-directive=form-action not sent. Reached unreachable code >+"> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-get-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-get-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..638badc73a47899975bfe905177ec9a4596e22e1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-get-blocked.sub.html 
>@@ -0,0 +1,42 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="form-action 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>form-action-src-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["violated-directive=form-action","TEST COMPLETE"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log('violated-directive=' + e.violatedDirective); >+ }); >+ window.addEventListener("message", function(event) { >+ alert_assert(event.data); >+ }, false); >+ window.addEventListener('load', function() { >+ setTimeout(function() { >+ document.getElementById('submit').click(); >+ log("TEST COMPLETE"); >+ }, 0); >+ }); >+ >+ </script> >+</head> >+ >+<body> >+ <iframe name="test_target" id="test_iframe"></iframe> >+ >+ <form action="/common/redirect.py?location=/content-security-policy/support/postmessage-fail.html" id="theform" method="get" target="test_target"> >+ <input type="text" name="fieldname" value="fieldvalue"> >+ <input type="submit" id="submit" value="submit"> >+ </form> >+ <p>Tests that disallowed form actions are blocked >+ with GET and redirects.</p> >+ <div id="log"></div> >+"></script> >+ </body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ca9a7e96203d48649f249f3d74aa2bcb2ad5c74d >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub-expected.txt >@@ -0,0 +1,6 @@ >+ >+Tests that blocking form actions works correctly. If this test passes, a CSP violation will be generated, and will not see a JavaScript alert. >+ >+ >+FAIL Expecting logs: ["violated-directive=form-action","TEST COMPLETE"] assert_unreached: Logging timeout, expected logs violated-directive=form-action not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..6997ef6e86036a33dbfd3c95f22d26f6b5f9cc98 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub.html 
>@@ -0,0 +1,34 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="form-action 'none'; script-src 'self' 'nonce-noncynonce'; connect-src 'self';"> >+ <title>form-action-src-javascript-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["violated-directive=form-action","TEST COMPLETE"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <script nonce='noncynonce'> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log('violated-directive=' + e.violatedDirective); >+ }); >+ window.addEventListener('load', function() { >+ setTimeout(function() { >+ document.getElementById('submit').click(); >+ log("TEST COMPLETE"); >+ }, 0); >+ }); >+ </script> >+</head> >+ >+<body> >+ <form action="javascript:log("FAIL!")" id="theform" method="post"> >+ <input type="text" name="fieldname" value="fieldvalue"> >+ <input type="submit" id="submit" value="submit"> >+ </form> >+ <p>Tests that blocking form actions works correctly. If this test passes, a CSP violation will be generated, and will not see a JavaScript alert.</p> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-javascript-prevented-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-javascript-prevented-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..dc92bc3bba2f728d8e892032cbcc7e105ddc0afe >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-javascript-prevented-expected.txt >@@ -0,0 +1,6 @@ >+ >+Test that "form-action 'none'" doesn't create a violation report if the event was prevented. >+ >+ >+PASS The form submission should not be blocked by when javascript prevents the load. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-javascript-prevented.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-javascript-prevented.html >new file mode 100644 >index 0000000000000000000000000000000000000000..feae47ee796fd78124a0c021d347662f0bc6ee19 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-javascript-prevented.html 
>@@ -0,0 +1,46 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<meta http-equiv="Content-Security-Policy" content="form-action 'none'; script-src 'self' 'nonce-noncynonce'; connect-src 'self';"> >+</head> >+ >+<body> >+ <form action='/content-security-policy/support/postmessage-pass-to-opener.html' >+ id='form_id' >+ target="_blank"> >+ <input type="submit" /> >+ </form> >+ >+ <p> >+ Test that "form-action 'none'" doesn't create a violation report if the event was prevented. >+ </p> >+</body> >+ >+<script nonce='noncynonce'> >+ async_test(t => { >+ document.addEventListener('securitypolicyviolation', function(e) { >+ assert_unreached('Form submission was blocked.'); >+ }); >+ >+ window.addEventListener('message', function(event) { >+ assert_unreached('Form submission was blocked.'); >+ }) >+ >+ window.addEventListener("load", function() { >+ let form = document.getElementById("form_id"); >+ form.addEventListener("submit", e => { >+ e.preventDefault(); >+ setTimeout(() => { >+ t.done(); >+ }, 0); >+ }); >+ // clicking the input is used here as form.submit() will submit a form without an event and should also be blocked. >+ form.querySelector("input").click(); >+ }); >+ }, "The form submission should not be blocked by when javascript prevents the load."); >+</script> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..de92939ccf8d655cb500a8ecbe55d500385aa6cd >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub-expected.txt 
>@@ -0,0 +1,4 @@ >+ >+ >+PASS form submission targetting _blank allowed after a redirect >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..41c68b68f9e661ebe9eb56aae2c04d7127880a3c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html >@@ -0,0 +1,34 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <title>form-action-src-redirect-allowed-target-blank</title> >+ <meta http-equiv="Content-Security-Policy" content="form-action 'self'"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script> >+ function OnDocumentLoaded() { >+ let test = async_test("form submission targetting _blank allowed after a redirect"); >+ window.addEventListener("message", function(event) { >+ if (event.data == "DocumentNotBlocked") { >+ event.source.close(); >+ test.done(); >+ } >+ }); >+ >+ let form = document.getElementById("form"); >+ let final_url = "/content-security-policy/form-action/support/post-message-to-opener.sub.html?message=DocumentNotBlocked"; >+ let redirect_url = "/common/redirect.py?location="; >+ form.action = redirect_url + encodeURIComponent(final_url); >+ >+ let submit = document.getElementById("submit"); >+ submit.click(); >+ } >+ </script> >+</head> >+<body onload="OnDocumentLoaded();"> >+ <form id="form" method="POST" target="_blank"> >+ <input type="submit" id="submit"> >+ </form> >+</body> >+</html> >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-frame.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-frame.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..862506f95e64b72ccc34c9dab2f54e06b888a437 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-frame.sub-expected.txt >@@ -0,0 +1,5 @@ >+ >+ >+ >+PASS form submission targetting a frame allowed after a redirect >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-frame.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-frame.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..6afd4459b0f19e32e22e807e317332090ce5efcc >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-frame.sub.html 
>@@ -0,0 +1,34 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <title>form-action-src-redirect-allowed-target-frame</title> >+ <meta http-equiv="Content-Security-Policy" content="form-action 'self'"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script> >+ function OnDocumentLoaded() { >+ let test = async_test("form submission targetting a frame allowed after a redirect"); >+ window.addEventListener("message", function(event) { >+ if (event.data == "DocumentNotBlocked") { >+ test.done(); >+ } >+ }); >+ >+ let form = document.getElementById("form"); >+ let final_url = "/content-security-policy/form-action/support/post-message-to-parent.sub.html?message=DocumentNotBlocked"; >+ let redirect_url = "/common/redirect.py?location="; >+ form.action = redirect_url + encodeURIComponent(final_url); >+ >+ let submit = document.getElementById("submit"); >+ submit.click(); >+ } >+ </script> >+</head> >+<body onload="OnDocumentLoaded();"> >+ <form id="form" method="POST" target="frame"> >+ <input type="submit" id="submit"> >+ </form> >+ <iframe name="frame"></iframe> >+</body> >+</html> >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-redirect-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-redirect-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..7ac635d272447a019e09c75a95dd2e6b8b3b0868 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-redirect-blocked.sub-expected.txt 
>@@ -0,0 +1,8 @@ >+Blocked access to external URL http://www1.localhost:8800/content-security-policy/support/postmessage-fail.html >+ >+ >+Tests that blocking a POST form with a redirect works correctly. If this test passes, a CSP violation will be generated. >+ >+ >+FAIL Expecting logs: ["violated-directive=form-action","TEST COMPLETE"] assert_unreached: Logging timeout, expected logs violated-directive=form-action not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-redirect-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-redirect-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..86dfe7a03d2c9d56feaf298acc61dc803fd3a436 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-redirect-blocked.sub.html 
>@@ -0,0 +1,41 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="form-action 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>form-action-src-redirect-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["violated-directive=form-action","TEST COMPLETE"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log('violated-directive=' + e.violatedDirective); >+ }); >+ window.addEventListener("message", function(event) { >+ alert_assert(event.data); >+ }, false); >+ window.addEventListener('load', function() { >+ setTimeout(function() { >+ document.getElementById('submit').click(); >+ log("TEST COMPLETE"); >+ }, 0); >+ }); >+ setTimeout(function() {}, 1000); >+ >+ </script> >+</head> >+ >+<body> >+ <iframe name="test_target" id="test_iframe"></iframe> >+ >+ <form id="form1" action="/common/redirect.py?location=http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-fail.html" method="post" target="test_target"> >+ <input type="text" name="fieldname" value="fieldvalue"> >+ <input type="submit" id="submit" value="submit"> >+ </form> >+ <p>Tests that blocking a POST form with a redirect works correctly. If this test passes, a CSP violation will be generated.</p> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/support/post-message-to-opener.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/support/post-message-to-opener.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..0348139057dc89336e83f008cf7a782d5bc2033b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/support/post-message-to-opener.sub.html >@@ -0,0 +1,3 @@ >+<script> >+ opener.postMessage("{{GET[message]}}", "*"); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/support/post-message-to-parent.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/support/post-message-to-parent.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..63e464be21a0fea5fb1d2ae6b4df45cd29c0f2dd >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/support/post-message-to-parent.sub.html >@@ -0,0 +1,3 @@ >+<script> >+ parent.postMessage("{{GET[message]}}", "*"); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/support/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/support/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..91322ab78ffc6ce94e5cbe8881d4641f958adc6a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/support/w3c-import.log 
>@@ -0,0 +1,18 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/support/post-message-to-opener.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/support/post-message-to-parent.sub.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..958c910027dcdbd917076a6f6bc7af6340fda99a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/w3c-import.log 
>@@ -0,0 +1,30 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-self-allowed-target-blank.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-allowed-target-blank.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-allowed-target-frame.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-default-ignored.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-get-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-get-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-javascript-blocked.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-javascript-prevented.html 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-frame.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-redirect-blocked.sub.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a5437827d4a3db3be8528c9a71d1609379cf0ef8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block-expected.txt >@@ -0,0 +1,7 @@ >+Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html?policy=%27none%27&parent=cross&child=cross&expectation=blocked >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html >new file mode 100644 >index 0000000000000000000000000000000000000000..674deb655a75c07ec9c06cc608bbb5e523bbea18 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html 
>@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames."); >+ >+ testNestedIFrame("'none'", CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..2baaf3fafa5bc3df5511f28568ae0541936cca40 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block-expected.txt >@@ -0,0 +1,7 @@ >+Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html?policy=%27self%27&parent=cross&child=cross&expectation=blocked >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html >new file mode 100644 >index 0000000000000000000000000000000000000000..85b7f0efdc82d15a6fcca24c56cb3075bb377301 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html >@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames."); >+ >+ testNestedIFrame("'self'", CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..cd907e692bc730f98c306937026e106b211355f0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow-expected.txt >@@ -0,0 +1,7 @@ >+Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html?policy=*&parent=cross&child=cross&expectation=allowed >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html >new file mode 100644 >index 0000000000000000000000000000000000000000..7f5a867de94b056ceb21891768ada1ce299f1095 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html >@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a value '*' should render in nested frames."); >+ >+ testNestedIFrame("*", CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_LOAD); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..648d9bbe43dea3f01570c4315a39ea0fcb4a8a8d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow-expected.txt >@@ -0,0 +1,7 @@ >+Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html?policy=http://localhost:8800%20http://www1.localhost:8801&parent=cross&child=cross&expectation=allowed >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html >new file mode 100644 >index 0000000000000000000000000000000000000000..99ab0718e8dbe69595482c17ac5841b792334cf2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html >@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate."); >+ >+ testNestedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_LOAD); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..72e9ae76b232b2c06a27b5ab56c757540f672955 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block-expected.txt 
>@@ -0,0 +1,7 @@ >+Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html?policy=http://www1.localhost:8801&parent=cross&child=cross&expectation=blocked >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html >new file mode 100644 >index 0000000000000000000000000000000000000000..9bcf63735e75d4d9aa359af6a928a11b147360f5 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html >@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate."); >+ >+ testNestedIFrame(CROSSORIGIN_ORIGIN, CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a0b8f467f16473fe69a907839c4e846af3177cf3 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt >@@ -0,0 +1,5 @@ >+Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html?policy=%27none%27 >+ >+ >+FAIL A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. assert_unreached: Inner IFrame msg: undefined Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html >new file mode 100644 >index 0000000000000000000000000000000000000000..1cdd540149f4cd522607f2739db745294279c1cf >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html >@@ -0,0 +1,16 @@ >+ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames."); >+ >+ testNestedIFrame("'none'", SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..bae86a991c07cb1218a29068ffec5593ad8e2703 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt >@@ -0,0 +1,5 @@ >+Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html?policy=%27self%27 >+ >+ >+FAIL A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. assert_unreached: Inner IFrame msg: undefined Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html >new file mode 100644 >index 0000000000000000000000000000000000000000..da973397114103c3c9139533d38f0798fe15d4fb >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html >@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames."); >+ >+ testNestedIFrame("'self'", SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..0ab3610aff0dba0aa8258cabbee3ada97769bb4a 
>--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow-expected.txt >@@ -0,0 +1,5 @@ >+Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html?policy=* >+ >+ >+FAIL A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. assert_unreached: Inner IFrame msg: undefined Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c523b9ef10a7832cc21dbe90902dec16431c0651 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a value '*' should render in nested frames."); >+ >+ // Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test passes if no console message declares that the frame was blocked. >+ testNestedIFrame("*", SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); >+ </script> >+</body> >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..d8d9b3a3e131b6fbc84bfe638b2af4e4941ac2a9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow-expected.txt >@@ -0,0 +1,5 @@ >+Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html?policy=http://localhost:8800%20http://www1.localhost:8801 >+ >+ >+FAIL A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. assert_unreached: Inner IFrame msg: undefined Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html >new file mode 100644 >index 0000000000000000000000000000000000000000..1f1ffb9f894ba31810d29f0e9ecefbf1a4ae0494 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html 
>@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate."); >+ >+ // Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test passes if no console message declares that the frame was blocked. >+ testNestedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a0f73c14b731d5dfaa840cbc18646dbcaebc0e61 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt >@@ -0,0 +1,5 @@ >+Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html?policy=http://www1.localhost:8801 >+ >+ >+FAIL A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. assert_unreached: Inner IFrame msg: undefined Reached unreachable code >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html >new file mode 100644 >index 0000000000000000000000000000000000000000..62dd1c1ef6656e2a10cc18ae58274093f4bb9588 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html >@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate."); >+ >+ testNestedIFrame(CROSSORIGIN_ORIGIN, SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..0fb72e7dcf0c70a291296c2d50346423a2c83873 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block-expected.txt 
>@@ -0,0 +1,7 @@ >+Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html?policy=http://localhost:8800%20http://www1.localhost:8801&parent=cross&child=cross&expectation=blocked >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN A 'frame-ancestors' CSP directive with a URL value should compare against each frame's origin rather than URL, so a nested frame with a sandboxed parent frame should be blocked due to the parent having a unique origin. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block.html >new file mode 100644 >index 0000000000000000000000000000000000000000..654e90e0b82da301dfa655b8fd48d5e74a7327a8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a URL value should compare against each frame's origin rather than URL, " + >+ "so a nested frame with a sandboxed parent frame should be blocked due to the parent having a unique origin."); >+ >+ testNestedSandboxedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); >+ </script> >+</body> >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..1d7bb5d8e2be3306dd46ebeb72dfaa151c6122dc >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block-expected.txt >@@ -0,0 +1,7 @@ >+Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html?policy=%27none%27&parent=cross&child=same&expectation=blocked >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html >new file mode 100644 >index 0000000000000000000000000000000000000000..f01c6d766fc1cef3fbea0603480bbba50cef8fba >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html 
>@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames."); >+ >+ testNestedIFrame("'none'", CROSS_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..0439c04c113d5e4e08c6291ab01f97ade70cc91f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block-expected.txt >@@ -0,0 +1,7 @@ >+Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html?policy=%27self%27&parent=cross&child=same&expectation=blocked >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html >new file mode 100644 >index 0000000000000000000000000000000000000000..bae5992e860943ef3e0d7c08d5522c31256e344c >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html >@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames."); >+ >+ testNestedIFrame("'self'", CROSS_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..76878551a925b23abc50237d1a6aff80b222fbb5 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow-expected.txt >@@ -0,0 +1,7 @@ >+Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html?policy=*&parent=cross&child=same&expectation=allowed >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html >new file mode 100644 >index 0000000000000000000000000000000000000000..85d66f660ab8c4d1150868d75d1c7d981a4f0819 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html >@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a value '*' should render in nested frames."); >+ >+ testNestedIFrame("*", CROSS_ORIGIN, SAME_ORIGIN, EXPECT_LOAD); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ccd552023b646422cfa7d8b133f3528bd9ab9ee6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow-expected.txt >@@ -0,0 +1,7 @@ >+Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html?policy=http://localhost:8800%20http://www1.localhost:8801&parent=cross&child=same&expectation=allowed >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html >new file mode 100644 >index 0000000000000000000000000000000000000000..dff041be9a39c7a3f47df1eb0336179bf07f25d0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html >@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate."); >+ >+ testNestedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, CROSS_ORIGIN, SAME_ORIGIN, EXPECT_LOAD); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..518b8ac84164154379f5ea5fdf0d97bb3eb789c2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block-expected.txt 
>@@ -0,0 +1,7 @@ >+Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html?policy=http://localhost:8800&parent=cross&child=same&expectation=blocked >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html >new file mode 100644 >index 0000000000000000000000000000000000000000..5d2fc57ac14e52f27c8e2afe14108930e26d0003 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html >@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate."); >+ >+ testNestedIFrame(SAMEORIGIN_ORIGIN, CROSS_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..7c23a35c1f05c134a82e572ce788607c99521df8 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+FAIL A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. assert_unreached: Inner IFrame msg: undefined Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html >new file mode 100644 >index 0000000000000000000000000000000000000000..234cca82c8ce5f15f75cf4f6fb3aab9f42c4a58d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html >@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames."); >+ >+ testNestedIFrame("'none'", SAME_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ca353a847017abb69aa7e468c85ee799bf13b30f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow-expected.txt 
>@@ -0,0 +1,4 @@ >+ >+ >+PASS A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html >new file mode 100644 >index 0000000000000000000000000000000000000000..747c5636967eaac84bdce58c9ffe740af8d681ad >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html >@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames."); >+ >+ testNestedIFrame("'self'", SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..1cdbdbc042aa7e2a9f99db2a8765009586526336 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html >new file mode 100644 >index 0000000000000000000000000000000000000000..d7eaf73fd6cc56e3cc8daa64262e73bd31aa8c77 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html >@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a value '*' should render in nested frames."); >+ >+ testNestedIFrame("*", SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a06ac5b167fde8142025d5281c267908efd203b3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html >new file mode 100644 >index 0000000000000000000000000000000000000000..432c25f0d2a66131ffb2ef2b3a9a5a0e42440653 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html >@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate."); >+ >+ testNestedIFrame(SAMEORIGIN_ORIGIN, SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..e5c1b69da8a7c39a2b8b1c53d04b8fec99e59180 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+FAIL A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. assert_unreached: Inner IFrame msg: undefined Reached unreachable code >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c02091bf4ff700ed25a20f9feae56214efcab533 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html >@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate."); >+ >+ testNestedIFrame(CROSSORIGIN_ORIGIN, SAME_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-none-block-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-none-block-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a1f990f9eb47844e8083c15beefa00809aed08e0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-none-block-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+FAIL A 'frame-ancestors' CSP directive with a value 'none' should block rendering. assert_unreached: The IFrame should have been blocked (or cross-origin). It wasn't. Reached unreachable code >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-none-block.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-none-block.html >new file mode 100644 >index 0000000000000000000000000000000000000000..596d3e7bc3004a5cfa474f065ef56b48a63dcd46 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-none-block.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a value 'none' should block rendering."); >+ >+ sameOriginFrameShouldBeBlocked("'none'"); >+ </script> >+</body> >+</html> >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-overrides-xfo-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-overrides-xfo-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..38e1749512884edf33e497a41498e854949bb5ea >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-overrides-xfo-expected.txt >@@ -0,0 +1,5 @@ >+ >+ >+PASS A 'frame-ancestors' CSP directive overrides an 'x-frame-options' header which would block the page. >+PASS A 'frame-ancestors' CSP directive overrides an 'x-frame-options' header which would allow the page. >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-overrides-xfo.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-overrides-xfo.html >new file mode 100644 >index 0000000000000000000000000000000000000000..4b7b0994c001ea99846d8ca178c0034efb5f5718 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-overrides-xfo.html >@@ -0,0 +1,28 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+<body> >+ <script> >+ async_test(function (t) { >+ var i = document.createElement('iframe'); >+ i.src = "support/frame-ancestors-and-x-frame-options.sub.html?policy='self'&xfo=DENY"; >+ i.onload = t.step_func_done(function () { >+ assert_equals(i.contentWindow.origin, window.origin, "The same-origin page loaded."); >+ }); >+ document.body.appendChild(i); >+ }, "A 'frame-ancestors' CSP directive overrides an 'x-frame-options' header which would block the page."); >+ >+ async_test(function (t) { >+ var i = document.createElement('iframe'); >+ i.src = "support/frame-ancestors-and-x-frame-options.sub.html?policy=other-origin.com&xfo=SAMEORIGIN"; >+ i.onload = t.step_func_done(function () { >+ assert_equals(i.contentDocument, null); >+ }); >+ document.body.appendChild(i); >+ }, "A 'frame-ancestors' CSP directive overrides an 'x-frame-options' header which would allow the page."); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-self-allow-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-self-allow-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..84ee5507a00ef833e501478d03da40b5c15c824c >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-self-allow-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS A 'frame-ancestors' CSP directive with a value 'self' should allow rendering. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-self-allow.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-self-allow.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a8a295dfc40cb49f76b8b9aa3f2dd137910029ec >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-self-allow.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a value 'self' should allow rendering."); >+ >+ sameOriginFrameShouldBeAllowed("'self'"); >+ </script> >+</body> >+</html> >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-self-block-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-self-block-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..3d20bfd02ad82ddc148f2f81d9214657fca6804f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-self-block-expected.txt 
>@@ -0,0 +1,5 @@ >+Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html?policy=%27self%27 >+ >+ >+FAIL A 'frame-ancestors' CSP directive with a value 'self' should block rendering. assert_unreached: The IFrame should have been blocked (or cross-origin). It wasn't. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-self-block.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-self-block.html >new file mode 100644 >index 0000000000000000000000000000000000000000..438f2b8eb218bed86344a2c07efd3cde8c22c0c1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-self-block.html >@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a value 'self' should block rendering."); >+ >+ crossOriginFrameShouldBeBlocked("'self'"); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-star-allow-crossorigin-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-star-allow-crossorigin-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..c864643a7c0126ff5ff41c6d00e1e8b649b20238 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-star-allow-crossorigin-expected.txt 
>@@ -0,0 +1,5 @@ >+Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html?policy=* >+ >+ >+FAIL A 'frame-ancestors' CSP directive with '*' should allow rendering. assert_unreached: The IFrame should have been blocked (or cross-origin). It wasn't. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-star-allow-crossorigin.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-star-allow-crossorigin.html >new file mode 100644 >index 0000000000000000000000000000000000000000..09ee28bbeaf4486ff4e2ec3accf7ff2aa2c14caa >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-star-allow-crossorigin.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with '*' should allow rendering."); >+ >+ // Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test passes if no console message declares that the frame was blocked. >+ crossOriginFrameShouldBeBlocked("*"); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-star-allow-sameorigin-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-star-allow-sameorigin-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..9d3d490d6f7be133102c240266b22270724b1e65 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-star-allow-sameorigin-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS A 'frame-ancestors' CSP directive with '*' should allow rendering. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-star-allow-sameorigin.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-star-allow-sameorigin.html >new file mode 100644 >index 0000000000000000000000000000000000000000..62bbe45b25807e1c94408c175d715404f529af56 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-star-allow-sameorigin.html >@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with '*' should allow rendering."); >+ >+ sameOriginFrameShouldBeAllowed("*"); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-url-allow.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-url-allow.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..847e384c60bf09845bda34c93ec7c6cbe9304a34 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-url-allow.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS A 'frame-ancestors' CSP directive with a URL matching this origin should allow rendering. >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-url-allow.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-url-allow.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..f4f42e475f88d1b27f3b0d52c2673c77700e8fb4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-url-allow.sub.html >@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a URL matching this origin should allow rendering."); >+ >+ sameOriginFrameShouldBeAllowed('{{location[scheme]}}://{{location[host]}}'); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-url-block-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-url-block-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a4f440fc522bc4fbbdf7446bd700db329ce7bdec >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-url-block-expected.txt >@@ -0,0 +1,5 @@ >+Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html?policy=http://example.com/ >+ >+ >+FAIL A 'frame-ancestors' CSP directive with a URL which doesn't match this origin should be blocked. assert_unreached: The IFrame should have been blocked (or cross-origin). It wasn't. Reached unreachable code >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-url-block.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-url-block.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c320370be515ee039fbc799ad088bf7a74779702 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-url-block.html >@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="support/frame-ancestors-test.sub.js"></script> >+</head> >+<body> >+ <script> >+ test = async_test("A 'frame-ancestors' CSP directive with a URL which doesn't match this origin should be blocked."); >+ >+ crossOriginFrameShouldBeBlocked("http://example.com/"); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..e22fea3ccd3607d770634b9dfddae36c1b6dd314 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html >@@ -0,0 +1,9 @@ >+<!DOCTYPE html> >+<html> >+<body> >+ <p>This is an IFrame sending a Content Security Policy header containing "frame-ancestors {{GET[policy]}}" and "X-Frame-Options: {{GET[xfo]}}".</p> >+ <script> >+ // This is an IFrame sending a Content Security Policy header containing "frame-ancestors {{GET[policy]}}" and "X-Frame-Options: {{GET[xfo]}}". >+ </script> >+</body> >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..636e0facde5953074042eea3a465700308b551e4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html.sub.headers >@@ -0,0 +1,3 @@ >+Content-Type: text/html; charset=UTF-8 >+Content-Security-Policy: frame-ancestors {{GET[policy]}} >+X-Frame-Options: {{GET[xfo]}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-test.sub.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-test.sub.js >new file mode 100644 >index 0000000000000000000000000000000000000000..dde04f0627e1e24b7bbc1b6d49be90bd467cda68 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-test.sub.js 
>@@ -0,0 +1,134 @@ >+var SAME_ORIGIN = true; >+var CROSS_ORIGIN = false; >+ >+var EXPECT_BLOCK = true; >+var EXPECT_LOAD = false; >+ >+var SAMEORIGIN_ORIGIN = "{{location[scheme]}}://{{location[host]}}"; >+var CROSSORIGIN_ORIGIN = "http://{{domains[www1]}}:{{ports[http][1]}}"; >+ >+var test; >+ >+function endTest(failed, message) { >+ if (typeof test === 'undefined') return; >+ >+ if (failed) { >+ test.step(function() { >+ assert_unreached(message); >+ test.done(); >+ }); >+ } >+ else test.done({message: message}); >+} >+ >+window.addEventListener("message", function (e) { >+ if (window.parent != window) >+ window.parent.postMessage(e.data, "*"); >+ else >+ if (e.data.type === 'test_result') >+ endTest(e.data.failed, "Inner IFrame msg: " + e.data.msg); >+}); >+ >+function injectNestedIframe(policy, parent, child, expectation, isSandboxed) { >+ var iframe = document.createElement("iframe"); >+ >+ var url = "/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html" >+ + "?policy=" + policy >+ + "&parent=" + parent >+ + "&child=" + child >+ + "&expectation=" + expectation; >+ url = (parent == "same" ? 
SAMEORIGIN_ORIGIN : CROSSORIGIN_ORIGIN) + url; >+ >+ iframe.src = url; >+ >+ if (isSandboxed) >+ iframe.sandbox = 'allow-scripts'; >+ >+ document.body.appendChild(iframe); >+} >+ >+function injectIFrame(policy, sameOrigin, expectBlock) { >+ var iframe = document.createElement("iframe"); >+ iframe.addEventListener("load", iframeLoaded(expectBlock)); >+ iframe.addEventListener("error", iframeLoaded(expectBlock)); >+ >+ var url = "/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html?policy=" + policy; >+ if (sameOrigin) >+ url = SAMEORIGIN_ORIGIN + url; >+ else >+ url = CROSSORIGIN_ORIGIN + url; >+ >+ iframe.src = url; >+ document.body.appendChild(iframe); >+} >+ >+function iframeLoaded(expectBlock) { >+ return function(ev) { >+ var failed = true; >+ var message = ""; >+ try { >+ if (expectBlock) { >+ message = "The IFrame should have been blocked (or cross-origin). It wasn't."; >+ failed = true; >+ } else { >+ message = "The IFrame should not have been blocked. It wasn't."; >+ failed = false; >+ } >+ } catch (ex) { >+ if (expectBlock) { >+ message = "The IFrame should have been blocked (or cross-origin). It was."; >+ failed = false; >+ } else { >+ message = "The IFrame should not have been blocked. 
It was."; >+ failed = true; >+ } >+ } >+ if (window.parent != window) >+ window.parent.postMessage({type: 'test_result', failed: failed, message: message}, '*'); >+ else >+ endTest(failed, message); >+ }; >+} >+ >+function originFrameShouldBe(child, expectation, policy) { >+ if (child == "cross" && expectation == "blocked") crossOriginFrameShouldBeBlocked(policy); >+ if (child == "same" && expectation == "blocked") sameOriginFrameShouldBeBlocked(policy); >+ if (child == "cross" && expectation == "allowed") crossOriginFrameShouldBeAllowed(policy); >+ if (child == "same" && expectation == "allowed") sameOriginFrameShouldBeAllowed(policy); >+} >+ >+function crossOriginFrameShouldBeBlocked(policy) { >+ window.onload = function () { >+ injectIFrame(policy, CROSS_ORIGIN, EXPECT_BLOCK); >+ }; >+} >+ >+function crossOriginFrameShouldBeAllowed(policy) { >+ window.onload = function () { >+ injectIFrame(policy, CROSS_ORIGIN, EXPECT_LOAD); >+ }; >+} >+ >+function sameOriginFrameShouldBeBlocked(policy) { >+ window.onload = function () { >+ injectIFrame(policy, SAME_ORIGIN, EXPECT_BLOCK); >+ }; >+} >+ >+function sameOriginFrameShouldBeAllowed(policy) { >+ window.onload = function () { >+ injectIFrame(policy, SAME_ORIGIN, EXPECT_LOAD); >+ }; >+} >+ >+function testNestedIFrame(policy, parent, child, expectation) { >+ window.onload = function () { >+ injectNestedIframe(policy, parent == SAME_ORIGIN ? "same" : "cross", child == SAME_ORIGIN ? "same" : "cross", expectation == EXPECT_LOAD ? "allowed" : "blocked", false /* isSandboxed */); >+ }; >+} >+ >+function testNestedSandboxedIFrame(policy, parent, child, expectation) { >+ window.onload = function () { >+ injectNestedIframe(policy, parent == SAME_ORIGIN ? "same" : "cross", child == SAME_ORIGIN ? "same" : "cross", expectation == EXPECT_LOAD ? "allowed" : "blocked", true /* isSandboxed */); >+ }; >+} 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..de652773437ffce693877700982c22ba04d42370 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html >@@ -0,0 +1,9 @@ >+<!DOCTYPE html> >+<html> >+<body> >+ <p>This is an IFrame sending a Content Security Policy header containing "frame-ancestors {{GET[policy]}}".</p> >+ <script> >+ // This is an IFrame sending a Content Security Policy header containing "frame-ancestors {{GET[policy]}}" >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..9369a4101fa101ca2fbab8f15ef022724d40e4ec >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html.sub.headers >@@ -0,0 +1,2 @@ >+Content-Type: text/html; charset=UTF-8 >+Content-Security-Policy: frame-ancestors {{GET[policy]}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..5a60eb7f347c447e291150b6e0478f72b3581863 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html 
>@@ -0,0 +1,12 @@ >+<!DOCTYPE html> >+<html> >+<body> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ <script src='/content-security-policy/frame-ancestors/support/frame-ancestors-test.sub.js'></script> >+ <script> >+ test = async_test("Testing a {{GET[child]}}-origin child with a policy of {{GET[policy]}} nested in a {{GET[parent]}}-origin parent"); >+ originFrameShouldBe("{{GET[child]}}", "{{GET[expectation]}}", "{{GET[policy]]}}"); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..e853d6cee5e0cb25824545284a7233497159a70c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html.sub.headers >@@ -0,0 +1 @@ >+Content-Type: text/html; charset=UTF-8 >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..bca0dcf5e8f67a5710e2f28a3d1e6fb661f90bf2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/w3c-import.log 
>@@ -0,0 +1,23 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-test.sub.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html.sub.headers >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..d420bb1437bca05b841a22f98b0b9570111ef4c7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/w3c-import.log 
>@@ -0,0 +1,45 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-none-block.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-overrides-xfo.html 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-self-allow.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-self-block.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-star-allow-crossorigin.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-star-allow-sameorigin.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-url-allow.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-url-block.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-about-blank-allowed-by-default.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-about-blank-allowed-by-default.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a710add857fb8526a383127e1d855cd8aecf62aa >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-about-blank-allowed-by-default.sub-expected.txt >@@ -0,0 +1,6 @@ >+These frames should not be blocked by Content-Security-Policy. It's pointless to block about:blank iframes because blocking a frame just results in displaying about:blank anyway! >+ >+ >+ >+PASS Expecting logs: ["PASS"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-about-blank-allowed-by-default.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-about-blank-allowed-by-default.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..8211d0847a8ef97c0177353ab8308a8b0b0d9a60 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-about-blank-allowed-by-default.sub.html >@@ -0,0 +1,32 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="frame-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>frame-src-about-blank-allowed-by-default</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ >+ <p>These frames should not be blocked by Content-Security-Policy. >+ It's pointless to block about:blank iframes because >+ blocking a frame just results in displaying about:blank anyway! >+ </p> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("Fail"); >+ }); >+ </script> >+ >+ <iframe src="about:blank"></iframe> >+ <object type="text/html" data="about:blank"></object> >+ >+ <div id="log"></div> >+ <script> >+ log("PASS"); >+ </script> >+</body> >+ >+</html> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-about-blank-allowed-by-scheme.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-about-blank-allowed-by-scheme.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..578db9255fd261db90d778b2dd0f0ad2b850c854 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-about-blank-allowed-by-scheme.sub-expected.txt >@@ -0,0 +1,6 @@ >+This frame should not be blocked by Content-Security-Policy. >+ >+ >+ >+PASS Expecting logs: ["PASS"] >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-about-blank-allowed-by-scheme.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-about-blank-allowed-by-scheme.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..ffa8638f8dad727b4bbb1fbd5ab430d9e28abeea >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-about-blank-allowed-by-scheme.sub.html >@@ -0,0 +1,28 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="frame-src about:; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>frame-src-about-blank-allowed-by-scheme</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ >+ <p>This frame should not be blocked by Content-Security-Policy. >+ </p> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("Fail"); >+ }); >+ </script> >+ >+ <iframe src="about:blank"></iframe> >+ <div id="log"></div> >+ <script> >+ log("PASS"); >+ </script> >+</body> >+ >+</html> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..798395ee6d91a29501ed9eb0df286ddfebb8dd6a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-allowed.sub-expected.txt 
>@@ -0,0 +1,7 @@ >+This iframe should be allowed. >+ >+ >+ >+PASS Expecting logs: ["PASS IFrame #1 generated a load event."] >+PASS Expecting alerts: ["PASS"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..470850df72dcde7a0cd15f200c62ccb1a5c705ed >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-allowed.sub.html 
>@@ -0,0 +1,64 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <title>frame-src-allowed</title> >+ <meta http-equiv="Content-Security-Policy" content="frame-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event."]'></script> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("Fail"); >+ }); >+ >+ window.addEventListener("message", function(event) { >+ alert_assert(event.data); >+ }, false); >+ >+ var t_alert = async_test('Expecting alerts: ["PASS"]'); >+ var expected_alerts = ["PASS"]; >+ >+ function alert_assert(msg) { >+ t_alert.step(function() { >+ if (msg.match(/^FAIL/i)) { >+ assert_unreached(msg); >+ t_alert.done(); >+ } >+ for (var i = 0; i < expected_alerts.length; i++) { >+ if (expected_alerts[i] == msg) { >+ assert_true(expected_alerts[i] == msg); >+ expected_alerts.splice(i, 1); >+ if (expected_alerts.length == 0) { >+ t_alert.done(); >+ } >+ return; >+ } >+ } >+ assert_unreached('unexpected alert: ' + msg); >+ t_log.done(); >+ }); >+ } >+ >+ </script> >+ <p> >+ This iframe should be allowed. >+ </p> >+ <script> >+ window.wasPostTestScriptParsed = true; >+ var loads = 0; >+ >+ function loadEvent() { >+ loads++; >+ log("PASS " + "IFrame #" + loads + " generated a load event."); >+ } >+ >+ </script> >+</head> >+ >+<body> >+ <iframe src="/content-security-policy/support/postmessage-pass.html" onload="loadEvent()"></iframe> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..48721952fb877b452f8bf76a26426e7aeba02422 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-blocked.sub-expected.txt >@@ -0,0 +1,6 @@ >+IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS. >+ >+ >+ >+FAIL Expecting logs: ["PASS IFrame #1 generated a load event.","violated-directive=frame-src"] assert_unreached: Logging timeout, expected logs violated-directive=frame-src not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..7dbe87b347f28762c1373aefd797886bd4660226 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-blocked.sub.html 
>@@ -0,0 +1,62 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="frame-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>frame-src-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event.","violated-directive=frame-src"]'></script> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ window.addEventListener("message", function(event) { >+ alert_assert(event.data); >+ }, false); >+ >+ function alert_assert(msg) { >+ t_alert.step(function() { >+ if (msg.match(/^FAIL/i)) { >+ assert_unreached(msg); >+ t_alert.done(); >+ } >+ for (var i = 0; i < expected_alerts.length; i++) { >+ if (expected_alerts[i] == msg) { >+ assert_true(expected_alerts[i] == msg); >+ expected_alerts.splice(i, 1); >+ if (expected_alerts.length == 0) { >+ t_alert.done(); >+ } >+ return; >+ } >+ } >+ assert_unreached('unexpected alert: ' + msg); >+ t_log.done(); >+ }); >+ } >+ >+ </script> >+ <p> >+ IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS. >+ </p> >+ <script> >+ window.wasPostTestScriptParsed = true; >+ var loads = 0; >+ >+ function loadEvent() { >+ loads++; >+ log("PASS " + "IFrame #" + loads + " generated a load event."); >+ } >+ >+ </script> >+</head> >+ >+<body> >+ <iframe src="/content-security-policy/support/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a3f78bd6ba97994f960f64794101fc36d481eef0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub-expected.txt >@@ -0,0 +1,10 @@ >+Blocked access to external URL http://www1.localhost:8800/content-security-policy/support/postmessage-pass.html >+IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS. >+ >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+FAIL Expecting logs: ["PASS IFrame #1 generated a load event.","PASS IFrame #2 generated a load event.","PASS IFrame #3 generated a load event.","violated-directive=frame-src"] assert_unreached: Logging timeout, expected logs violated-directive=frame-src not sent. Reached unreachable code >+TIMEOUT Expecting alerts: ["PASS","PASS"] Test timed out >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..341262d145607a49b49b4c1f91c516b0079b6154 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub.html 
>@@ -0,0 +1,68 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="frame-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>frame-src-cross-origin-load</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event.","PASS IFrame %232 generated a load event.","PASS IFrame %233 generated a load event.","violated-directive=frame-src"]'></script> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ window.addEventListener("message", function(event) { >+ alert_assert(event.data); >+ }, false); >+ >+ var t_alert = async_test('Expecting alerts: ["PASS","PASS"]'); >+ var expected_alerts = ["PASS", "PASS"]; >+ >+ function alert_assert(msg) { >+ t_alert.step(function() { >+ if (msg.match(/^FAIL/i)) { >+ assert_unreached(msg); >+ t_alert.done(); >+ } >+ for (var i = 0; i < expected_alerts.length; i++) { >+ if (expected_alerts[i] == msg) { >+ assert_true(expected_alerts[i] == msg); >+ expected_alerts.splice(i, 1); >+ if (expected_alerts.length == 0) { >+ t_alert.done(); >+ } >+ return; >+ } >+ } >+ assert_unreached('unexpected alert: ' + msg); >+ t_alert.done(); >+ }); >+ } >+ >+ </script> >+ >+ <p> >+ IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS. 
>+ </p> >+ <script> >+ window.wasPostTestScriptParsed = true; >+ var loads = 0; >+ >+ function loadEvent() { >+ loads++; >+ log("PASS " + "IFrame #" + loads + " generated a load event."); >+ } >+ >+ </script> >+</head> >+ >+<body> >+ <iframe src="../support/postmessage-pass.html" onload="loadEvent()"></iframe> >+ <iframe src="http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/postmessage-pass.html" onload="loadEvent()"></iframe> >+ <iframe src="http://www2.{{host}}:{{ports[http][0]}}/content-security-policy/support/postmessage-fail.html" onload="loadEvent()" onerror="log('FAIL')"></iframe> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-redirect-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-redirect-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..d3d97c665074f5305b0520121574c53c6c2b1845 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-redirect-expected.txt >@@ -0,0 +1,6 @@ >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT Redirected iframe src should evaluate both enforced and report-only policies on both original request and when following redirect Test timed out >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-redirect.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-redirect.html >new file mode 100644 >index 0000000000000000000000000000000000000000..f5ac88b0524229a080043cc011ee762b632bbafe >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-redirect.html 
>@@ -0,0 +1,35 @@ >+<!doctype html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="./support/testharness-helper.sub.js"></script> >+<body></body> >+<script> >+ function waitForViolation(el, policy, blocked_origin) { >+ return new Promise(resolve => { >+ el.addEventListener('securitypolicyviolation', e => { >+ if (e.originalPolicy == policy && (new URL(e.blockedURI)).origin == blocked_origin) >+ resolve(e); >+ }); >+ }); >+ } >+ >+ async_test(t => { >+ var i = document.createElement("iframe"); >+ var redirect = generateCrossOriginRedirectFrame(); >+ i.src = redirect.url; >+ >+ // Report-only policy should trigger a violation on the original request. >+ var original_report_only = waitForViolation(window, "frame-src http://foo.test", (new URL(i.src)).origin) >+ // Report-only policy should trigger a violation on the redirected request. >+ var redirect_report_only = waitForViolation(window, "frame-src http://foo.test", (new URL(redirect.target)).origin) >+ // Enforced policy should trigger a violation on the redirected request. >+ var redirect_enforced = waitForViolation(window, "frame-src 'self'", (new URL(redirect.target)).origin) >+ >+ Promise.all([original_report_only, redirect_report_only, redirect_enforced]).then(t.step_func(_ => { >+ t.done(); >+ })); >+ >+ document.body.appendChild(i); >+ }, "Redirected iframe src should evaluate both enforced and report-only policies on both original request and when following redirect"); >+</script> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-redirect.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-redirect.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..338bea13b84a2f5c4d95b778637409e2bf8d3263 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-redirect.html.headers >@@ -0,0 +1,2 @@ >+Content-Security-Policy: frame-src 'self' >+Content-Security-Policy-Report-Only: frame-src http://foo.test >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-self-unique-origin-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-self-unique-origin-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..67d32c913f6150e1f6bac3825853f88e728489e8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-self-unique-origin-expected.txt >@@ -0,0 +1,8 @@ >+The origin of an URL is called "unique" when it is considered to be different from every origin, including itself. The origin of a data-url is unique. When the current origin is unique, the CSP source 'self' must not match any URL. >+ >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT Iframe's url must not match with 'self'. It must be blocked. Test timed out >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-self-unique-origin.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-self-unique-origin.html >new file mode 100644 >index 0000000000000000000000000000000000000000..947b11e063de776b4d9afffb91e1667460d9099f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-self-unique-origin.html 
>@@ -0,0 +1,49 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <title>frame-src-self-unique-origin</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <p> >+ The origin of an URL is called "unique" when it is considered to be >+ different from every origin, including itself. The origin of a >+ data-url is unique. When the current origin is unique, the CSP source >+ 'self' must not match any URL. >+ </p> >+ <script> >+ var iframe = document.createElement("iframe"); >+ iframe.src = encodeURI(`data:text/html, >+ <script> >+ /* Add the CSP: frame-src: 'self'. */ >+ var meta = document.createElement('meta'); >+ meta.httpEquiv = 'Content-Security-Policy'; >+ meta.content = "frame-src 'self'"; >+ document.getElementsByTagName('head')[0].appendChild(meta); >+ >+ /* Notify the parent the iframe has been blocked. */ >+ window.addEventListener('securitypolicyviolation', e => { >+ if (e.originalPolicy == "frame-src 'self'") >+ window.parent.postMessage('Test PASS', '*'); >+ }); >+ </scr`+`ipt> >+ >+ This iframe should be blocked by CSP: >+ <iframe src='data:text/html,blocked_iframe'></iframe> >+ `); >+ if (window.async_test) { >+ async_test(t => { >+ window.addEventListener("message", e => { >+ if (e.data == "Test PASS") >+ t.done(); >+ }); >+ }, "Iframe's url must not match with 'self'. It must be blocked."); >+ } >+ document.body.appendChild(iframe); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/support/frame.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/support/frame.html >new file mode 100644 >index 0000000000000000000000000000000000000000..50be42958744b8a9213d84847fbf0413ae20f3b6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/support/frame.html >@@ -0,0 +1,2 @@ >+<!doctype html> >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/support/testharness-helper.sub.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/support/testharness-helper.sub.js >new file mode 100644 >index 0000000000000000000000000000000000000000..b9e9a6c856bfdba59caddc249c0f61b731ae6701 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/support/testharness-helper.sub.js >@@ -0,0 +1,5 @@ >+function generateCrossOriginRedirectFrame() { >+ var target = "http://{{domains[天æ°ã®è¯ãæ¥]}}:" + document.location.port + "/content-security-policy/frame-src/support/frame.html"; >+ var url = "/common/redirect.py?location=" + encodeURIComponent(target); >+ return { url: url, target: target }; >+} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/support/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/support/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..4cbe08e0abaa42b65efd52c5396ac3c16da69f07 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/support/w3c-import.log 
>@@ -0,0 +1,18 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/support/frame.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/support/testharness-helper.sub.js >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..8a03688146f496d5f1575ef40e2efe7fce8012ca >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/w3c-import.log 
>@@ -0,0 +1,24 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-about-blank-allowed-by-default.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-about-blank-allowed-by-scheme.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-redirect.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-redirect.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-self-unique-origin.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/304-response-should-update-csp.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/304-response-should-update-csp.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..4e0370f700ac9c7e9a6473292a031bbc60e84ca4 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/304-response-should-update-csp.sub-expected.txt >@@ -0,0 +1,9 @@ >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Test that the first frame uses nonce abc >+NOTRUN Test that the first frame does not use nonce def >+FAIL Test that the second frame uses nonce def assert_unreached: Unexpected message received Reached unreachable code >+FAIL Test that the second frame does not use nonce abc assert_unreached: Unexpected message received Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/304-response-should-update-csp.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/304-response-should-update-csp.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..b16eadaedc07ca9dbc60310d850d49ded370d22a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/304-response-should-update-csp.sub.html 
>@@ -0,0 +1,52 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ <title>Test that a 304 response will update the CSP header</title> >+</head> >+<body> >+ <script> >+ var t1 = async_test("Test that the first frame uses nonce abc"); >+ var t2 = async_test("Test that the first frame does not use nonce def"); >+ >+ var t3 = async_test("Test that the second frame uses nonce def"); >+ var t4 = async_test("Test that the second frame does not use nonce abc"); >+ >+ var i1 = document.createElement('iframe'); >+ // We add a random parameter to avoid previous tests cached requests. >+ // We want to make sure i1 gets a 200 code and i2 gets a 304 code. >+ i1.src = "support/304-response.py?{{$id:uuid()}}"; >+ >+ var i2 = document.createElement('iframe'); >+ i2.src = "support/304-response.py?{{$id}}"; >+ >+ var load_second_frame = function() { >+ document.body.appendChild(i2); >+ } >+ >+ window.onmessage = function(e) { >+ if (e.source == i1.contentWindow) { >+ if (e.data == "abc_executed") { t1.done(); return; } >+ if (e.data == "script-src 'nonce-abc' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';") { t2.done(); return; } >+ >+ t1.step(function() { assert_unreached("Unexpected message received"); }); >+ t2.step(function() { assert_unreached("Unexpected message received"); }); >+ } >+ >+ if (e.source == i2.contentWindow) { >+ if (e.data == "def_executed") { t3.done(); return; } >+ if (e.data == "script-src 'nonce-def' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';") { t4.done(); return; } >+ >+ t3.step(function() { assert_unreached("Unexpected message received"); }); >+ t4.step(function() { assert_unreached("Unexpected message received"); }); >+ } >+ >+ }; >+ >+ i1.onload = load_second_frame; >+ document.body.appendChild(i1); >+ </script> >+</body> >+ >+</html> 
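Review bot: the baseline for 304-response-should-update-csp.sub.html records a harness timeout, "NOTRUN Test that the first frame does not use nonce def", and two FAILs ("assert_unreached: Unexpected message received") for the second frame, which is the case where the 304 revalidation of support/304-response.py carries the nonce-def policy and the frame is expected to post "def_executed". A second frame reporting anything other than "def_executed" or the nonce-def policy string means the CSP header from the 304 response is not replacing the cached one, which is the conformance point this test exists for. This deserves a tracking bug referenced from TestExpectations rather than a checked-in FAIL/TIMEOUT baseline; the expected file as written will also silently go stale when the embedded 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=' hash changes upstream.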
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/cspro-not-enforced-in-worker-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/cspro-not-enforced-in-worker-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..3f9a6a880cb1a935fb4128e3fc7ffd8284008e9b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/cspro-not-enforced-in-worker-expected.txt >@@ -0,0 +1,4 @@ >+ >+PASS Check that inline is allowed since the inherited policy is report only >+PASS Check that eval is allowed since the inherited policy is report only >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/cspro-not-enforced-in-worker.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/cspro-not-enforced-in-worker.html >new file mode 100644 >index 0000000000000000000000000000000000000000..784cdc88752f0c97226e59007c514d018f737aeb >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/cspro-not-enforced-in-worker.html >@@ -0,0 +1,22 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <!-- This tests that a report only policy is not treated as enforcing when >+ inherited by a worker. This manifests in particular for `unsafe-eval` >+ in this bug crbug.com/777076 --> >+ <script nonce="abc"> >+ var t1 = async_test("Check that inline is allowed since the inherited policy is report only"); >+ var t2 = async_test("Check that eval is allowed since the inherited policy is report only"); >+ >+ var w = new Worker("support/eval.js"); >+ w.onmessage = function(e) { >+ if (e.data == "unsafe-inline allowed") t1.done(); >+ else if (e.data == "unsafe-eval allowed") t2.done(); >+ } >+ </script> >+</body> >+</html> 
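Review bot: in frame-src/support/testharness-helper.sub.js the substitution key in "http://{{domains[天æ°ã®è¯ãæ¥]}}:" appears mojibake'd in the patch as displayed; please verify the imported file on disk still holds the original UTF-8 bytes of the WPT IDN domain key. The {{domains[...]}} substitution matches the key literally, so if the bytes were transcoded during import, generateCrossOriginRedirectFrame() will produce a target that does not resolve and frame-src-redirect.html will fail for an encoding reason rather than a CSP one. A quick check is to confirm the file's bytes match upstream at 3840f46213d9a991acc9288e3863530f7502c05e.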
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/cspro-not-enforced-in-worker.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/cspro-not-enforced-in-worker.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..877e192bbff2204ddf56f83e411f17bfb6adab89 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/cspro-not-enforced-in-worker.html.sub.headers >@@ -0,0 +1 @@ >+Content-Security-Policy-Report-Only: script-src 'self' 'nonce-abc'; >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/directive-name-case-insensitive.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/directive-name-case-insensitive.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a807b20213992f5cb857449b946f78e02cd9d60b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/directive-name-case-insensitive.sub-expected.txt >@@ -0,0 +1,10 @@ >+Blocked access to external URL http://www1.localhost:8800/content-security-policy/support/pass.png >+Blocked access to external URL http://www1.localhost:8800/content-security-policy/support/pass.png >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+FAIL Test that the www1 image is allowed to load assert_unreached: www1 image should have loaded Reached unreachable code >+PASS Test that the www2 image is not allowed to load >+NOTRUN Test that the www2 image throws a violation event >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/directive-name-case-insensitive.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/directive-name-case-insensitive.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c65c59fb23fdc6d21eefc090927c1cfd4cd6702a 
>--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/directive-name-case-insensitive.sub.html >@@ -0,0 +1,32 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content=" >+ IMg-sRC 'self' 'unsafe-inline' http://{{domains[www1]}}:{{ports[http][0]}}; >+ img-src 'self' 'unsafe-inline' http://{{domains[www2]}}:{{ports[http][0]}};"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script> >+ var t1 = async_test("Test that the www1 image is allowed to load"); >+ var t2 = async_test("Test that the www2 image is not allowed to load"); >+ var t_spv = async_test("Test that the www2 image throws a violation event"); >+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "img-src"); >+ assert_equals(e.blockedURI, "http://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/fail.png"); >+ })); >+ </script> >+ >+ <img src="http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/pass.png" >+ onload="t1.done();" >+ onerror="t1.step(function() { assert_unreached('www1 image should have loaded'); t1.done(); });"> >+ >+ <img src="http://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/fail.png" >+ onerror="t2.done();" >+ onload="t2.step(function() { assert_unreached('www2 image should not have loaded'); t2.done(); });"> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/duplicate-directive.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/duplicate-directive.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..96b2b16f8bc89280c369bd23beabab4cba5a072a >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/duplicate-directive.sub-expected.txt >@@ -0,0 +1,5 @@ >+This tests the effect of duplicated directives. It passes if the alert_assert() is executed. >+ >+ >+PASS Expecting alerts: ["PASS (1/1)"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/duplicate-directive.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/duplicate-directive.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..7810533e455968eea8eb0bdf4d8edf62e495f956 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/duplicate-directive.sub.html >@@ -0,0 +1,27 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-inline'; script-src 'none'; connect-src 'self';"> >+ <title>duplicate-directive</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="../support/logTest.sub.js?logs=[]"></script> >+ <script src='../support/alertAssert.sub.js?alerts=["PASS (1/1)"]'></script> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ alert_assert("FAIL"); >+ }); >+ alert_assert('PASS (1/1)'); >+ </script> >+</head> >+ >+<body> >+ <p> >+ This tests the effect of duplicated directives. It passes if the alert_assert() is executed. >+ </p> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/eval-typecheck-callout-order.tentative-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/eval-typecheck-callout-order.tentative-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..c91c7b6a3e6c5d2cc3a1620f7110899afda788f0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/eval-typecheck-callout-order.tentative-expected.txt >@@ -0,0 +1,4 @@ >+ >+PASS eval of a string should be checked by CSP >+PASS eval of a non-string should not be checked by CSP >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html >new file mode 100644 >index 0000000000000000000000000000000000000000..7b3c12e396445ff72480a1e9c7cc77550f93f75c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html >@@ -0,0 +1,28 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <script src='/resources/testharness.js' nonce='abc'></script> >+ <script src='/resources/testharnessreport.js' nonce='abc'></script> >+ <title>Test for order of Type(evalInput) and host callout</title> >+</head> >+<body> >+ <div id='log'></div> >+ >+ <script nonce='abc'> >+ test(function() { >+ assert_throws(new EvalError, function() { >+ eval("0"); >+ }, "eval of a string should reach host callout"); >+ }, "eval of a string should be checked by CSP"); >+ >+ test(function() { >+ let array = ["0"]; >+ assert_equals( >+ eval(array), >+ array, >+ "eval is identity when applied to non-strings"); >+ }, "eval of a non-string should not be checked by CSP"); >+ </script> >+ >+</body> >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..85de8bd415def35ca45c0abf74590cdfa393d0f4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html.headers >@@ -0,0 +1 @@ >+Content-Security-Policy: script-src 'nonce-abc' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/fail-0_1.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/fail-0_1.js >new file mode 100644 >index 0000000000000000000000000000000000000000..5c580273dcfc94eff137a0ae65314bebc9b7b5c0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/fail-0_1.js >@@ -0,0 +1,3 @@ >+(function () { >+ scriptsrc1.step(function() { assert_unreached('Unsafe inline script ran.') }); >+})(); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/filesystem-urls-do-not-match-self.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/filesystem-urls-do-not-match-self.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..6b39f6d39939d33597a660182489d9f7f7989c7a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/filesystem-urls-do-not-match-self.sub-expected.txt 
>@@ -0,0 +1,8 @@ >+filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the 'self' or '*' source in CSP directives because they are more akin to 'unsafe-inline' content.. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Expecting logs: ["violated-directive=script-src-elem"] >+NOTRUN filesystem-urls-do-not-match-self No filesystem:// support, cannot run test. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/filesystem-urls-do-not-match-self.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/filesystem-urls-do-not-match-self.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..afb272cf36adbf3af72a6882b9280f0c9443454b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/filesystem-urls-do-not-match-self.sub.html 
>@@ -0,0 +1,60 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>filesystem-urls-do-not-match-self</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <p> >+ filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the 'self' or '*' source in CSP directives because they are more akin to 'unsafe-inline' content.. >+ </p> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ if(!window.webkitRequestFileSystem) { >+ t_log = async_test(); >+ t_log.set_status(t_log.NOTRUN, "No filesystem:// support, cannot run test."); >+ t_log.phase = t_log.phases.HAS_RESULT; >+ t_log.done(); >+ log("violated-directive=script-src"); // simulate needed logs to pass test >+ } else { >+ function fail() { >+ alert_assert("FAIL!"); >+ } >+ window.webkitRequestFileSystem( >+ TEMPORARY, 1024 * 1024 /*1MB*/ , function(fs) { >+ fs.root.getFile('fail.js', { >+ create: true >+ }, function(fileEntry) { >+ fileEntry.createWriter(function(fileWriter) { >+ fileWriter.onwriteend = function(e) { >+ var script = document.createElement('script'); >+ script.src = fileEntry.toURL('application/javascript'); >+ document.body.appendChild(script); >+ }; >+ // Create a new Blob and write it to pass.js. >+ var b = new Blob(['fail();'], { >+ type: 'application/javascript' >+ }); >+ fileWriter.write(b); >+ }); >+ }); >+ }); >+ } >+ >+ >+ </script> >+ <div id="log"></div> >+ >+</body> >+ >+</html> 
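Review bot: the no-filesystem fallback in filesystem-urls-do-not-match-self.sub.html logs "violated-directive=script-src" while the logTest.sub.js query expects ["violated-directive=script-src-elem"], so an engine without window.webkitRequestFileSystem never satisfies the expected log and the harness times out, which is exactly what the baseline shows ("NOTRUN Expecting logs: [...]" plus "Harness Error (TIMEOUT)"). The sibling filesystem-urls-match-filesystem.sub.html gets this right: it reuses logTest's t_log and logs the exact expected string, so it reports NOTRUN cleanly with no timeout. This file also does t_log = async_test(), creating a second anonymous test rather than marking logTest's own t_log as NOTRUN. Per the w3c-import.log the fix belongs upstream in WPT; locally, a Timeout/Skip entry in TestExpectations is preferable to a baseline that encodes the harness timeout.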
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/filesystem-urls-match-filesystem.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/filesystem-urls-match-filesystem.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..4d96b3f11dcf848416eb7e7487469eaabce7d403 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/filesystem-urls-match-filesystem.sub-expected.txt >@@ -0,0 +1,5 @@ >+filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the 'self' or '*' source in CSP directives because they are more akin to 'unsafe-inline' content, but should match filesystem: source. >+ >+ >+NOTRUN Expecting logs: ["PASS (1/1)"] No filesystem:// support, cannot run test. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/filesystem-urls-match-filesystem.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/filesystem-urls-match-filesystem.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..28cad3a89d95c514346f87c9b931324b27b3a418 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/filesystem-urls-match-filesystem.sub.html 
>@@ -0,0 +1,57 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' filesystem:; connect-src 'self';"> >+ <title>filesystem-urls-match-filesystem</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS (1/1)"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <p> >+ filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the 'self' or '*' source in CSP directives because they are more akin to 'unsafe-inline' content, but should match filesystem: source. >+ </p> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("Fail"); >+ }); >+ >+ if(!window.webkitRequestFileSystem) { >+ t_log.set_status(t_log.NOTRUN, "No filesystem:// support, cannot run test."); >+ t_log.phase = t_log.phases.HAS_RESULT; >+ t_log.done(); >+ log("PASS (1/1)"); // simulate needed logs to pass test >+ } else { >+ function pass() { >+ log("PASS (1/1)"); >+ } >+ window.webkitRequestFileSystem( >+ TEMPORARY, 1024 * 1024 /*1MB*/ , function(fs) { >+ fs.root.getFile('pass.js', { >+ create: true >+ }, function(fileEntry) { >+ fileEntry.createWriter(function(fileWriter) { >+ fileWriter.onwriteend = function(e) { >+ var script = document.createElement('script'); >+ script.src = fileEntry.toURL('application/javascript'); >+ document.body.appendChild(script); >+ }; >+ // Create a new Blob and write it to pass.js. >+ var b = new Blob(['pass();'], { >+ type: 'application/javascript' >+ }); >+ fileWriter.write(b); >+ }); >+ }); >+ }); >+ } >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_1-img-src-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_1-img-src-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..fcc40017d898c9cab732e9f5ce39c2b4de02a569 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_1-img-src-expected.txt >@@ -0,0 +1,8 @@ >+default-src should cascade to img-src directive >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Verify cascading of default-src to img-src policy >+NOTRUN Should fire violation events for every failed violation >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_1-img-src.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_1-img-src.html >new file mode 100644 >index 0000000000000000000000000000000000000000..3644fe3faba51044847c0c00736ec1ea7ffdcea7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_1-img-src.html 
>@@ -0,0 +1,38 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>default-src should cascade to img-src directive</title> >+ <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ <script src='../support/siblingPath.js'></script> >+</head> >+<body> >+ <h1>default-src should cascade to img-src directive</h1> >+ <div id='log'></div> >+ >+ <script> >+ var imgsrc = async_test("Verify cascading of default-src to img-src policy"); >+ var onerrorFired = false; >+ var t_spv = async_test("Should fire violation events for every failed violation"); >+ >+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "img-src"); >+ })); >+ </script> >+ >+ <img id='imgfail' src='' >+ onload='imgsrc.step(function() { assert_unreached("Image load was not blocked."); });' >+ onerror='onerrorFired = true;'> >+ <img src='../support/pass.png' >+ onload='imgsrc.step(function() { assert_true(true, "Image load was blocked."); });'> >+ >+ <script> >+ document.getElementById('imgfail').src = buildSiblingPath('www1', '../support/fail.png'); >+ onload = function() { >+ imgsrc.step(function() { assert_true(onerrorFired, "onerror handler for blocked img didn't fire");}); >+ imgsrc.done(); >+ } >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_1-script-src-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_1-script-src-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..8c233175dd9548fe6a0686ecb5b3f233d874145c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_1-script-src-expected.txt 
>@@ -0,0 +1,9 @@ >+default-src should cascade to script-src directive >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Verify cascading of default-src to script-src policy: block >+PASS Verify cascading of default-src to script-src policy: allow >+NOTRUN Should fire violation events for every failed violation >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_1-script-src.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_1-script-src.html >new file mode 100644 >index 0000000000000000000000000000000000000000..35033c3899f78e1f176f34977e4e069d935ff1b3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_1-script-src.html 
>@@ -0,0 +1,38 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>default-src should cascade to script-src directive</title> >+ <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ <script src='../support/siblingPath.js'></script> >+</head> >+<body> >+ <h1>default-src should cascade to script-src directive</h1> >+ <div id='log'></div> >+ >+ <script> >+ var scriptsrc1 = async_test("Verify cascading of default-src to script-src policy: block"); >+ var scriptsrc2 = async_test("Verify cascading of default-src to script-src policy: allow"); >+ var allowedScriptRan = false; >+ var t_spv = async_test("Should fire violation events for every failed violation"); >+ >+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "script-src-elem"); >+ })); >+ </script> >+ >+ <script src='pass-0_1.js'></script> >+ >+ <script> >+ var inlineScript = document.createElement('script'); >+ inlineScript.src = buildSiblingPath('www1', 'fail-0_1.js'); >+ document.getElementById('log').appendChild(inlineScript); >+ onload = function() { >+ scriptsrc1.done(); >+ scriptsrc2.step( function() { assert_true(allowedScriptRan, "allowed script didn't run") }); >+ scriptsrc2.done(); >+ } >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ec617eab3195c2a5dfb6b80961ea0ce2295e9a40 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10-expected.txt 
>@@ -0,0 +1,6 @@ >+Blocked access to external URL http://www.localhost/content-security-policy/generic/positiveTest.js >+test implicit port number matching (requires port 80) >+ >+ >+PASS Test that script does not fire violation event >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10.html >new file mode 100644 >index 0000000000000000000000000000000000000000..5dfd9d83c7ff3060fa30beb8e3cff1845ab1d7ca >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10.html >@@ -0,0 +1,27 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>test implicit port number matching (requires port 80)</title> >+ <meta http-equiv="Content-Security-Policy content="script-src 'self' www.{{host}} 'unsafe-inline';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ <script> >+ var t = async_test("Test that script does not fire violation event"); >+ window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have fired a violation event")); >+ >+ var head = document.getElementsByTagName('head')[0]; >+ var script = document.createElement('script'); >+ script.type = 'text/javascript'; >+ script.src = "http://www." + location.hostname + "/content-security-policy/generic/positiveTest.js"; >+ head.appendChild(script); >+ </script> >+ >+ <script> >+ t.done(); >+ </script> >+</head> >+<body> >+ <h1>test implicit port number matching (requires port 80)</h1> >+ <div id='log'></div> >+</body> >+</html> 
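Review bot: the baselines for generic-0_1-img-src.html and generic-0_1-script-src.html both show the positive assertion passing while "Should fire violation events for every failed violation" is NOTRUN with a harness timeout. In both files the resource that should be blocked comes from buildSiblingPath('www1', ...), i.e. a www1 host, and this patch's other baselines record "Blocked access to external URL" for www1.localhost, so the load is most likely failing in the test runner before CSP sees it; that explains onerror firing (the positive subtest passes) without any securitypolicyviolation event. Please confirm that before landing these as baselines, and track it with a bug in TestExpectations. Separately, generic-0_1-script-src.html is not a .sub.html file, so the "report-uri ../support/report.py?op=put&reportID={{$id}}" template is never substituted and the report-uri is sent literally; harmless here since nothing reads the report, but worth noting upstream.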
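Review bot: generic-0_10.html passes vacuously and should not be read as coverage of implicit port matching. The meta tag '<meta http-equiv="Content-Security-Policy content="script-src 'self' www.{{host}} 'unsafe-inline';">' is missing the closing quote after the http-equiv value, so no policy is applied, and t.done() is called synchronously in the following script block before the dynamically inserted script could ever load or fire a violation. The baseline's "Blocked access to external URL http://www.localhost/content-security-policy/generic/positiveTest.js" also shows the port-80 load is stopped by the test runner regardless. The missing quote is an upstream WPT fix (the import log says not to edit locally); for WebKit, record the test as not meaningful in TestExpectations or at least do not rely on its PASS.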
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10_1.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10_1.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..c20bf0ce927c78c02bda491041ab10667933b823 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10_1.sub-expected.txt >@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: Refused to load http://www.localhost:8801/content-security-policy/generic/unreached.js because it does not appear in the script-src directive of the Content Security Policy. >+implicit port number matching fails with a different port >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Prevents access to external scripts. >+NOTRUN Should fire violation events for every failed violation >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10_1.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10_1.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..f48c1e3c56ffdeb5fceec5b392c384b9a67295db >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10_1.sub.html 
>@@ -0,0 +1,26 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>implicit port number matching fails with a different port</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' www.{{host}} 'unsafe-inline';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ <script src='negativeTests.js'></script> >+ <script> >+ var t_spv = async_test("Should fire violation events for every failed violation"); >+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "script-src-elem"); >+ })); >+ >+ var head = document.getElementsByTagName('head')[0]; >+ var script = document.createElement('script'); >+ script.type = 'text/javascript'; >+ script.src = "http://www." + location.hostname + ":{{ports[http][1]}}/content-security-policy/generic/unreached.js"; >+ head.appendChild(script); >+ </script> >+</head> >+<body> >+ <h1>implicit port number matching fails with a different port</h1> >+ <div id='log'></div> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..68c0df5f2c068fe9116d2ee7791eb18b9bce76e9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2-expected.txt >@@ -0,0 +1,5 @@ >+'self' keyword positive test >+ >+ >+PASS Should fire violation events for every failed violation >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2.html >new file mode 100644 >index 0000000000000000000000000000000000000000..ecfeaf66cb590ed0e882ef23280d3907a56a1be3 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2.html >@@ -0,0 +1,21 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>'self' keyword positive test</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ <script nonce='abc'> >+ var t_spv = async_test("Should fire violation events for every failed violation"); >+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "script-src"); >+ })); >+ </script> >+ <script src='positiveTest.js'></script> >+ <script nonce='abc'>t_spv.done();</script> >+</head> >+<body> >+ <h1>'self' keyword positive test</h1> >+ <div id='log'></div> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2_2.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2_2.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..2732c6e4f6c1c684d0f5b1dd7388e57ed0608e2f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2_2.sub-expected.txt >@@ -0,0 +1,8 @@ >+'self' fails with a different port >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Prevents access to external scripts. >+NOTRUN Should fire violation events for every failed violation >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2_2.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2_2.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..6cb75e31ae3138e02ed409ebd5a8d1998331f1eb >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2_2.sub.html >@@ -0,0 +1,26 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>'self' fails with a different port</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ <script src='negativeTests.js'></script> >+ <script> >+ var t_spv = async_test("Should fire violation events for every failed violation"); >+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "script-src-elem"); >+ })); >+ >+ var head = document.getElementsByTagName('head')[0]; >+ var script = document.createElement('script'); >+ script.type = 'text/javascript'; >+ script.src = "http://" + location.hostname + ":{{ports[http][1]}}/content-security-policy/generic/unreached.js"; >+ head.appendChild(script); >+ </script> >+</head> >+<body> >+ <h1>'self' fails with a different port</h1> >+ <div id='log'></div> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2_3-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2_3-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..65f2d9de31870a6e0d6b544cad732e0b1c7e4638 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2_3-expected.txt >@@ -0,0 +1,8 @@ >+'self' fails with a different host (including sub-host e.g. foo.com as self with content from bar.foo.com) >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Prevents access to external scripts. >+NOTRUN Should fire violation events for every failed violation >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2_3.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2_3.html >new file mode 100644 >index 0000000000000000000000000000000000000000..d9c230d2a5c16c86d746f62bc340fb3df3ca4302 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2_3.html >@@ -0,0 +1,26 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>'self' fails with a different host (including sub-host e.g. foo.com as self with content from bar.foo.com)</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ <script src='negativeTests.js'></script> >+ <script> >+ var t_spv = async_test("Should fire violation events for every failed violation"); >+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "script-src-elem"); >+ })); >+ >+ var head = document.getElementsByTagName('head')[0]; >+ var script = document.createElement('script'); >+ script.type = 'text/javascript'; >+ script.src = "http://www." + location.hostname + ":" + location.port + "/content-security-policy/generic/unreached.js"; >+ head.appendChild(script); >+ </script> >+</head> >+<body> >+ <h1>'self' fails with a different host (including sub-host e.g. foo.com as self with content from bar.foo.com)</h1> >+ <div id='log'></div> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_8.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_8.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..01b3fec7611cf335032a609402b6d48c58a36ebb >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_8.sub-expected.txt >@@ -0,0 +1,6 @@ >+Blocked access to external URL http://www.localhost:8800/content-security-policy/generic/wildcardHostTestSuceeds.js >+test wildcard host name matching (asterisk as a subdomain of the current domain) >+ >+ >+PASS Test that script does not fire violation event >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_8.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_8.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..79edff25e31a40a0bc9e262416c606712380a59b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_8.sub.html >@@ -0,0 +1,28 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>test wildcard host name matching (asterisk as a subdomain of the current domain)</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' *.{{host}}:{{ports[http][0]}} 'unsafe-inline';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ <script src='wildcardHostTest.js'></script> >+ <script> >+ var t = async_test("Test that script does not fire violation event"); >+ window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have fired a violation event")); >+ >+ var head = document.getElementsByTagName('head')[0]; >+ var script = document.createElement('script'); >+ script.type = 'text/javascript'; >+ script.src = "http://www." + location.hostname + ":" + location.port + "/content-security-policy/generic/wildcardHostTestSuceeds.js"; >+ head.appendChild(script); >+ </script> >+ >+ <script> >+ t.done(); >+ </script> >+</head> >+<body> >+ <h1>test wildcard host name matching (asterisk as a subdomain of the current domain)</h1> >+ <div id='log'></div> >+</body> >+</html> 
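Review bot: the generic-0_8.sub-expected.txt baseline records `Blocked access to external URL http://www.localhost:8800/.../wildcardHostTestSuceeds.js`, which is WebKitTestRunner refusing the fetch to www.localhost after CSP had already let the request through. The positive wildcard-host case therefore only demonstrates that no securitypolicyviolation event fires; the allowed script never executes, so whatever `wildcardHostTest.js` expects it to do is not verified. A sentence in the ChangeLog noting that the positive host-matching tests are only partly exercised under the runner would save the next reader from reading these PASS lines as full coverage. (The `Suceeds` misspelling in the helper name is upstream's and has to stay in sync with the helper file.)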
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_8_1.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_8_1.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..4915979ed751d47add01fa25e186b768623a0ab9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_8_1.sub-expected.txt >@@ -0,0 +1,11 @@ >+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '*w.localhost:8800'. It will be ignored. >+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'w*.localhost:8800'. It will be ignored. >+CONSOLE MESSAGE: Refused to load http://www.localhost:8800/content-security-policy/generic/wildcardHostTestSuceeds.js because it does not appear in the script-src directive of the Content Security Policy. >+test wildcard host name matching (asterisk as part of a subdomain is not accepted) >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should fire violation events for every failed violation >+PASS Wildcard host matching works. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_8_1.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_8_1.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..e8ce23415f7aca1a3b5ccfc6fc637730eee8d835 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_8_1.sub.html 
>@@ -0,0 +1,26 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>test wildcard host name matching (asterisk as part of a subdomain is not accepted)</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' *w.{{host}}:{{ports[http][0]}} w*.{{host}}:{{ports[http][0]}} 'unsafe-inline';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ <script src='wildcardHostTestFailure.js'></script> >+ <script> >+ var t_spv = async_test("Should fire violation events for every failed violation"); >+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "script-src-elem"); >+ })); >+ >+ var head = document.getElementsByTagName('head')[0]; >+ var script = document.createElement('script'); >+ script.type = 'text/javascript'; >+ script.src = "http://www." + location.hostname + ":" + location.port + "/content-security-policy/generic/wildcardHostTestSuceeds.js"; >+ head.appendChild(script); >+ </script> >+</head> >+<body> >+ <h1>test wildcard host name matching (asterisk as part of a subdomain is not accepted)</h1> >+ <div id='log'></div> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_9.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_9.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..3daf7ed2a4ce00f862cd375357049f0e1826a9d2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_9.sub-expected.txt >@@ -0,0 +1,5 @@ >+test wildcard port number matching >+ >+ >+PASS Test that script does not fire violation event >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_9.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_9.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..150876c917d4b1db47e8cc7faefee6d7ad709aa6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_9.sub.html >@@ -0,0 +1,28 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>test wildcard port number matching</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' {{host}}:* 'unsafe-inline';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ <script src='wildcardPortTest.js'></script> >+ <script> >+ var t = async_test("Test that script does not fire violation event"); >+ window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have fired a violation event")); >+ >+ var head = document.getElementsByTagName('head')[0]; >+ var script = document.createElement('script'); >+ script.type = 'text/javascript'; >+ script.src = "http://" + location.hostname + ":{{ports[http][1]}}/content-security-policy/generic/wildcardPortTestSuceeds.js"; >+ head.appendChild(script); >+ </script> >+ >+ <script> >+ t.done(); >+ </script> >+</head> >+<body> >+ <h1>test wildcard port number matching</h1> >+ <div id='log'></div> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/negativeTests.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/negativeTests.js >new file mode 100644 >index 0000000000000000000000000000000000000000..44b4d7f683d8fb674a3c2b5d22eb8ea9d7b31ada >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/negativeTests.js 
>@@ -0,0 +1,3 @@ >+var t1 = async_test("Prevents access to external scripts."); >+ >+onload = function() {t1.done();} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/no-default-src.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/no-default-src.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..7d361d2effd7c1f9b981c83d279a3dd4bc5f5b08 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/no-default-src.sub-expected.txt >@@ -0,0 +1,8 @@ >+no default src doesn't behave exactly like * >+ >+This page has a CSP header but an unknown directive. This should have no impact on an img loaded from a data: uri, or an inline script, although that would be blocked by a default-src policy of *. >+ >+ >+PASS Violation report status OK. >+PASS Allows scripts from the same host. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/no-default-src.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/no-default-src.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..5f5c8cb369b41fcdffb1c199608d5c36404ba4d3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/no-default-src.sub.html 
>@@ -0,0 +1,28 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>no default src doesn't behave exactly like *</title> >+ <meta name="timeout" content="long"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"> </script> >+ <script src='positiveTest.js'></script> >+ <!-- enforcing policy: foobar; report-uri ... >+ --> >+</head> >+<body> >+ <h1>no default src doesn't behave exactly like *</h1> >+ This page has a CSP header but an unknown directive. >+ This should have no impact on an img loaded from a data: >+ uri, or an inline script, although that would be blocked by a default-src policy of *. >+ <br> >+ <img src='data:image/png;base64,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'> >+ <script> >+ var allowedScriptRan = true; >+ </script> >+ >+ <div id='log'></div> >+ >+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/no-default-src.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/no-default-src.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..a7337acceb93238bb5105f335e5b25323d99619b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/no-default-src.sub.html.sub.headers >@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: no-default-src={{$id:uuid()}}; Path=/content-security-policy/generic/ >+Content-Security-Policy: foobar; report-uri ../support/report.py?op=put&reportID={{$id}} >\ No newline at end of file 
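Review bot: in no-default-src.sub.html the page text claims the unknown-directive policy has no impact on a data: image, but nothing checks that: the `<img src='data:image/png;base64,...'>` has no onload or onerror hook and no test references it, so the only results that can appear are the report-absence check from `checkReport.sub.js?reportExists=false` and whatever `positiveTest.js` asserts about `allowedScriptRan`. If the data: image case matters, an explicit assertion on the image's load state belongs here; otherwise the prose overstates what is tested. Style nits in the accompanying `.sub.headers` file: `Cache-Control: post-check=0, pre-check=0, false` carries a bare `false` token that is not a Cache-Control directive (and `post-check`/`pre-check` are legacy IE extensions), and the file has no trailing newline. Both are harmless for the import.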
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/only-valid-whitespaces-are-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/only-valid-whitespaces-are-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..77fcd72726cdbf7496e04c510c96979aa4e1455c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/only-valid-whitespaces-are-allowed-expected.txt 
>@@ -0,0 +1,47 @@ >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/pass.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/pass.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/pass.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/pass.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/pass.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/pass.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/pass.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/pass.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/pass.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/pass.png because it does not appear in the img-src directive of the Content Security Policy. 
>+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/pass.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/pass.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/pass.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/pass.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/pass.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/pass.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/pass.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/pass.png because it does not appear in the img-src directive of the Content Security Policy. 
>+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Should load image without any CSP - meta tag >+PASS Should load image without any CSP - HTTP header >+PASS Should not load image with 'none' CSP - meta tag >+PASS Should not load image with 'none' CSP - HTTP header >+PASS U+0009 TAB should be properly parsed between directive name and value - meta tag >+PASS U+0009 TAB should be properly parsed between directive name and value - HTTP header >+PASS U+000C FF should be properly parsed between directive name and value - meta tag >+PASS U+000C FF should be properly parsed between directive name and value - HTTP header >+PASS U+000A LF should be properly parsed between directive name and value - meta tag >+PASS U+000D CR should be properly parsed between directive name and value - meta tag >+PASS U+0020 SPACE should be properly parsed between directive name and value - meta tag >+PASS U+0020 SPACE should be properly parsed between directive name and value - HTTP header >+PASS U+0009 TAB should be properly parsed inside directive value - meta tag >+PASS U+0009 TAB should be properly parsed inside directive value - HTTP header >+PASS U+000C FF should be properly parsed inside directive value - meta tag >+PASS U+000C FF should be properly parsed inside directive value - HTTP header >+PASS U+000A LF should be properly parsed inside directive value - meta tag >+PASS U+000D CR should be properly parsed inside directive value - meta tag >+PASS U+0020 SPACE should be properly parsed inside directive value - meta tag >+PASS U+0020 SPACE should be properly parsed inside directive value - HTTP header >+TIMEOUT U+00A0 NBSP should not be parsed between directive name and value - meta tag Test timed out >+TIMEOUT U+00A0 NBSP should not be parsed between directive name and value - HTTP header Test timed out >+TIMEOUT U+00A0 NBSP should not be parsed inside directive value - meta tag Test timed out >+TIMEOUT U+00A0 NBSP should not be parsed inside directive value - HTTP header 
Test timed out >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/only-valid-whitespaces-are-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/only-valid-whitespaces-are-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..d7567a93a377b2ec3c360d2ef030618a4046c8aa >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/only-valid-whitespaces-are-allowed.html 
>@@ -0,0 +1,67 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <script> >+ var tests = [ >+ // Make sure that csp works properly in normal situations >+ { "csp": "", "expected": true, "name": "Should load image without any CSP" }, >+ { "csp": "img-src 'none';", "expected": false, "name": "Should not load image with 'none' CSP" }, >+ // Ensure ASCII whitespaces are properly parsed >+ // ASCII whitespace is U+0009 TAB, U+000A LF, U+000C FF, U+000D CR, or U+0020 SPACE. >+ >+ // between directive name and value >+ { "csp": "img-src\u0009'none';", "expected": false, "name": "U+0009 TAB should be properly parsed between directive name and value" }, >+ { "csp": "img-src\u000C'none';", "expected": false, "name": "U+000C FF should be properly parsed between directive name and value" }, >+ { "csp": "img-src\u000A'none';", "expected": false, "name": "U+000A LF should be properly parsed between directive name and value" }, >+ { "csp": "img-src\u000D'none';", "expected": false, "name": "U+000D CR should be properly parsed between directive name and value" }, >+ { "csp": "img-src\u0020'none';", "expected": false, "name": "U+0020 SPACE should be properly parsed between directive name and value" }, >+ >+ // inside directive value >+ { "csp": "img-src http://example.com\u0009http://example2.com;", "expected": false, "name": "U+0009 TAB should be properly parsed inside directive value" }, >+ { "csp": "img-src http://example.com\u000Chttp://example2.com;", "expected": false, "name": "U+000C FF should be properly parsed inside directive value" }, >+ { "csp": "img-src http://example.com\u000Ahttp://example2.com;", "expected": false, "name": "U+000A LF should be properly parsed inside directive value" }, >+ { "csp": "img-src http://example.com\u000Dhttp://example2.com;", "expected": false, "name": "U+000D CR should be properly parsed inside directive value" }, >+ 
{ "csp": "img-src http://example.com\u0020http://example2.com;", "expected": false, "name": "U+0020 SPACE should be properly parsed inside directive value" }, >+ >+ // Ensure nbsp (U+00A0) is not considered a valid whitespace >+ // https://github.com/webcompat/web-bugs/issues/18902 has more details about why this particularly relevant >+ { "csp": "img-src\u00A0'none';", "expected": true, "name": "U+00A0 NBSP should not be parsed between directive name and value" }, >+ { "csp": "img-src http://example.com\u00A0http://example2.com;", "expected": true, "name": "U+00A0 NBSP should not be parsed inside directive value" }, >+ ]; >+ >+ tests.forEach(test => { >+ async_test(t => { >+ var url = "support/load_img_and_post_result_meta.sub.html?csp=" + encodeURIComponent(test.csp); >+ test_image_loads_as_expected(test, t, url); >+ }, test.name + " - meta tag"); >+ >+ // We can't test csp delivered in an HTTP header if we're testing CR/LF characters >+ if (test.csp.indexOf("\u000A") == -1 && test.csp.indexOf("\u000D") == -1) { >+ async_test(t => { >+ var url = "support/load_img_and_post_result_meta.sub.html?csp=" + encodeURIComponent(test.csp); >+ test_image_loads_as_expected(test, t, url); >+ }, test.name + " - HTTP header"); >+ } >+ }); >+ >+ function test_image_loads_as_expected(test, t, url) { >+ var i = document.createElement('iframe'); >+ i.src = url; >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.source != i.contentWindow) return; >+ if (test.expected) { >+ assert_equals(e.data, "img loaded"); >+ } else { >+ assert_equals(e.data, "img not loaded"); >+ } >+ t.done(); >+ })); >+ document.body.appendChild(i); >+ } >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/pass-0_1.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/pass-0_1.js >new file mode 100644 >index 0000000000000000000000000000000000000000..3a08dd5621ff4150fc0c974398df81bfc033eaeb 
>--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/pass-0_1.js >@@ -0,0 +1,3 @@ >+(function () { >+ allowedScriptRan = true; >+})(); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/policy-does-not-affect-child.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/policy-does-not-affect-child.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..33e31b806f0e88a167d57e96ad2a3837b56181ff >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/policy-does-not-affect-child.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Expecting logs: ["PASS"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/policy-does-not-affect-child.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/policy-does-not-affect-child.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..e36ca477b5aa4fb3bc53ed0507e5c5684f6f1e67 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/policy-does-not-affect-child.sub.html >@@ -0,0 +1,24 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc';"> >+ <title>object-src-url-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <script nonce='abc'> >+ window.onmessage = function(e) { >+ log(e.data); >+ } >+ </script> >+ <iframe src="support/log-pass.html"></iframe> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..db11e10b188b33e2f0f1a8447774ce973bba8f79 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate-expected.txt >@@ -0,0 +1,8 @@ >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/fail.html because it does not appear in the frame-src directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN iframe still inherits correct CSP >+FAIL Violation report status OK. assert_equals: No such report. expected "" but got "false" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html >new file mode 100644 >index 0000000000000000000000000000000000000000..e21bede418c3f90c1ca1771a96819c401c05f8f8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html 
>@@ -0,0 +1,43 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <!-- This tests a bug that can occur when content layer CSP is not told >+ about the CSP inherited from the parent document which leads to it not >+ applying it to content layer CSP checks (such as frame-src with >+ PlzNavigate on). >+ Also see crbug.com/778658. --> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <script> >+ var t = async_test("iframe still inherits correct CSP"); >+ >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data, "frame-src"); >+ }); >+ >+ function doDocWrite() { >+ x = document.getElementById('x'); >+ x.location = ""; >+ >+ // While document.write is deprecated I did not find another way to reproduce >+ // the original exploit. >+ x.contentDocument.write( >+ '<script>window.addEventListener("securitypolicyviolation", function(e) {' + >+ ' window.top.postMessage(e.violatedDirective, "*");' + >+ '});</scr' + 'ipt>' + >+ '<iframe src="../support/fail.html"></iframe>' >+ ); >+ x.contentDocument.close(); >+ >+ var s = document.createElement('script'); >+ s.async = true; >+ s.defer = true; >+ s.src = '../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-src%20%27none%27'; >+ document.lastChild.appendChild(s); >+ } >+ </script> >+ <iframe id="x" onload="doDocWrite()" srcdoc="<a href='about:blank'>123</a>"></iframe> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..64653e3bf1a1a40e3c88e9b628fa94d5bf22403e >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html.sub.headers >@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Pragma: no-cache >+Set-Cookie: policy-inherited-correctly-by-plznavigate={{$id:uuid()}}; Path=/content-security-policy/generic/ >+Content-Security-Policy: frame-src 'none'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/positiveTest.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/positiveTest.js >new file mode 100644 >index 0000000000000000000000000000000000000000..63c99919623e396a41870273e35e3e8999a712f0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/positiveTest.js >@@ -0,0 +1,6 @@ >+onload = function() { >+ test(function() { >+ assert_true(true, 'Script ran.')}, >+ "Allows scripts from the same host." >+ ); >+} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/304-response.py b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/304-response.py >new file mode 100644 >index 0000000000000000000000000000000000000000..4980937eab7f7d07c80104fa2e73371781366c76 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/304-response.py 
>@@ -0,0 +1,33 @@ >+def main(request, response): >+ if request.headers.get("If-None-Match"): >+ # we are now receing the second request, we will send back a different CSP >+ # with the 304 response >+ response.status = 304 >+ headers = [("Content-Type", "text/html"), >+ ("Content-Security-Policy", "script-src 'nonce-def' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';"), >+ ("Cache-Control", "private, max-age=0, must-revalidate"), >+ ("ETag", "123456")] >+ return headers, "" >+ else: >+ headers = [("Content-Type", "text/html"), >+ ("Content-Security-Policy", "script-src 'nonce-abc' 'sha256-IIB78ZS1RMMrAWpsLg/RrDbVPhI14rKm3sFOeKPYulw=';"), >+ ("Cache-Control", "private, max-age=0, must-revalidate"), >+ ("Etag", "123456")] >+ return headers, ''' >+<!DOCTYPE html> >+<html> >+<head> >+ <script> >+ window.addEventListener("securitypolicyviolation", function(e) { >+ top.postMessage(e.originalPolicy, '*'); >+ }); >+ </script> >+ <script nonce="abc"> >+ top.postMessage('abc_executed', '*'); >+ </script> >+ <script nonce="def"> >+ top.postMessage('def_executed', '*'); >+ </script> >+</head> >+</html> >+''' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/eval.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/eval.js >new file mode 100644 >index 0000000000000000000000000000000000000000..d8ba2a5589a1a98abee73dab586414f601aaf6f3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/eval.js >@@ -0,0 +1,2 @@ >+postMessage('unsafe-inline allowed'); >+eval("postMessage('unsafe-eval allowed')"); 
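Review bot: policy-inherited-correctly-by-plznavigate-expected.txt checks in a "Harness Error (TIMEOUT)" with "NOTRUN iframe still inherits correct CSP" and a FAIL from checkReport. The console line shows the nested frame is blocked under the inherited `frame-src 'none'`, but the `securitypolicyviolation` event never reaches the top frame and no report arrives at report.py. A checked-in timeout costs the full harness timeout on every run; prefer a TestExpectations entry (Skip or Timeout) tied to a bug that tracks the missing violation event and report for a frame whose document was replaced via document.write().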
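Review bot: in policy-inherited-correctly-by-plznavigate.html the line `x.location = "";` assigns an expando property on the HTMLIFrameElement (which has no `location`), so it is a no-op; either delete it or, if a navigation to about:blank was intended before the document.write(), use `x.contentWindow.location`. The report check is appended with `document.lastChild.appendChild(s)` (the `<html>` element), which works but reads oddly next to the `<body>` the rest of the test uses; `document.body.appendChild(s)` would be clearer. Both are upstream changes.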
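Review bot: support/304-response.py sends the 304 with the altered policy for any `If-None-Match` value rather than comparing it with the "123456" validator it issued, so an unrelated conditional request would also take the changed-CSP path; compare the header value to the ETag before returning 304. The two branches also spell the header differently (`ETag` vs `Etag`), and the comment has "receing" for "receiving". Minor, and upstream.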
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/load_img_and_post_result_header.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/load_img_and_post_result_header.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c7a2e75dba37c85ae1710d92a2a8071ea229bf85 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/load_img_and_post_result_header.html >@@ -0,0 +1,11 @@ >+<html> >+<body> >+ <script> >+ var img = document.createElement("img"); >+ img.src = "/content-security-policy/support/pass.png"; >+ img.onload = function() { parent.postMessage('img loaded', '*'); } >+ img.onerror = function() { parent.postMessage('img not loaded', '*'); } >+ document.body.appendChild(img); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/load_img_and_post_result_header.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/load_img_and_post_result_header.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..e9bf21bab413b87e0c936ad93d26629b3a6bf59b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/load_img_and_post_result_header.html.sub.headers >@@ -0,0 +1 @@ >+Content-Security-Policy: {{GET[csp]}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/load_img_and_post_result_meta.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/load_img_and_post_result_meta.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..ac0cf39dd038626d111d842f4e24ac5446154eed >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/load_img_and_post_result_meta.sub.html 
>@@ -0,0 +1,14 @@ >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="{{GET[csp]}}"> >+</head> >+<body> >+ <script> >+ var img = document.createElement("img"); >+ img.src = "/content-security-policy/support/pass.png"; >+ img.onload = function() { parent.postMessage('img loaded', '*'); } >+ img.onerror = function() { parent.postMessage('img not loaded', '*'); } >+ document.body.appendChild(img); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/log-pass.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/log-pass.html >new file mode 100644 >index 0000000000000000000000000000000000000000..4334ea4c66b53bc02382189839feaf261fa504d4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/log-pass.html >@@ -0,0 +1,3 @@ >+<script> >+ window.parent.postMessage('PASS', '*'); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/sandboxed-eval.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/sandboxed-eval.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..9480e521de21ef930674721de943f96e1fd1219a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/sandboxed-eval.sub.html >@@ -0,0 +1,4 @@ >+<script> >+ window.parent.postMessage('PASS (1/2): Script can execute', '*'); >+ eval("window.parent.postMessage('PASS (2/2): Eval works', '*')"); >+</script> >\ No newline at end of file 
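Review bot: load_img_and_post_result_header.html.sub.headers substitutes the `csp` query value verbatim into the response header (`Content-Security-Policy: {{GET[csp]}}`), which is exactly why only-valid-whitespaces-are-allowed.html has to exclude the CR and LF vectors from header delivery; a short comment in the headers file saying so would save the next reader the cross-reference. The meta variant has the analogous limitation of substituting into a double-quoted `content` attribute, so policy strings containing `"` cannot be exercised through either helper.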
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/sandboxed-eval.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/sandboxed-eval.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..c7e4e7cc5bd3fa25851c1e26c3c04eb95050d94b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/sandboxed-eval.sub.html.sub.headers >@@ -0,0 +1 @@ >+Content-Security-Policy: sandbox allow-scripts >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..7c193ecc19be9bc9863591e66a4fb2d472c19dd3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/w3c-import.log 
>@@ -0,0 +1,24 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/304-response.py >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/eval.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/load_img_and_post_result_header.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/load_img_and_post_result_header.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/load_img_and_post_result_meta.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/log-pass.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/sandboxed-eval.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/support/sandboxed-eval.sub.html.sub.headers >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/unreached.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/unreached.js >new file mode 100644 >index 0000000000000000000000000000000000000000..893fb5eba10c4bc6330ac3a09b6240e450460de2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/unreached.js 
>@@ -0,0 +1,3 @@ >+onload = function() { >+ t1.step(function() {assert_unreached("Script should not have ran.");}); >+} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..ac4fa3848937b4b97a27050812c27d6ea1c4278b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/w3c-import.log 
>@@ -0,0 +1,51 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/304-response-should-update-csp.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/cspro-not-enforced-in-worker.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/cspro-not-enforced-in-worker.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/directive-name-case-insensitive.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/duplicate-directive.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/fail-0_1.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/filesystem-urls-do-not-match-self.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/filesystem-urls-match-filesystem.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_1-img-src.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_1-script-src.html 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10_1.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2_2.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2_3.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_8.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_8_1.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_9.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/negativeTests.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/no-default-src.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/no-default-src.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/only-valid-whitespaces-are-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/pass-0_1.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/policy-does-not-affect-child.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/positiveTest.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/unreached.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcardHostTest.js 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcardHostTestFailure.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcardHostTestSuceeds.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcardPortTest.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcardPortTestSuceeds.js >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcardHostTest.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcardHostTest.js >new file mode 100644 >index 0000000000000000000000000000000000000000..da3e2790f53e8152e8ce2476da228a22a1046905 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcardHostTest.js >@@ -0,0 +1,8 @@ >+wildcardHostTestRan = false; >+ >+onload = function() { >+ test(function() { >+ assert_true(wildcardHostTestRan, 'Script should have ran.')}, >+ "Wildcard host matching works." >+ ); >+} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcardHostTestFailure.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcardHostTestFailure.js >new file mode 100644 >index 0000000000000000000000000000000000000000..75ec8cf80e0e56b31616c228855419260bca66c0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcardHostTestFailure.js >@@ -0,0 +1,8 @@ >+wildcardHostTestRan = false; >+ >+onload = function() { >+ test(function() { >+ assert_false(wildcardHostTestRan, 'Script should not have ran.')}, >+ "Wildcard host matching works." >+ ); >+} 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcardHostTestSuceeds.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcardHostTestSuceeds.js >new file mode 100644 >index 0000000000000000000000000000000000000000..8b115d7fc459fcb97cf615fc0a770ae208da501f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcardHostTestSuceeds.js >@@ -0,0 +1 @@ >+wildcardHostTestRan = true; >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcardPortTest.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcardPortTest.js >new file mode 100644 >index 0000000000000000000000000000000000000000..3cd1d2eaedf8878b3e6be5e5fdb90d0589ba4e16 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcardPortTest.js >@@ -0,0 +1,8 @@ >+wildcardPortTestRan = false; >+ >+onload = function() { >+ test(function() { >+ assert_true(wildcardPortTestRan, 'Script should have ran.')}, >+ "Wildcard port matching works." >+ ); >+} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcardPortTestSuceeds.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcardPortTestSuceeds.js >new file mode 100644 >index 0000000000000000000000000000000000000000..0138deb2eef29cc27592ac02fbfbc4efc4d17b21 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcardPortTestSuceeds.js >@@ -0,0 +1 @@ >+wildcardPortTestRan = true; >\ No newline at end of file 
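Review bot: wildcardHostTestSuceeds.js and wildcardPortTestSuceeds.js misspell "Succeeds" in the file name; since generic/w3c-import.log lists them under these names and the html tests reference them, do not rename locally; a rename, if wanted, has to happen upstream and come in with the next re-import.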
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/icon-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/icon-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..c3b912edb7ec50a4d50b480be5aec55016328c44 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/icon-allowed.sub-expected.txt >@@ -0,0 +1,5 @@ >+Use callbacks to show that favicons are loaded as allowed by CSP when link tags are dynamically added to the page. >+ >+ >+PASS Test that image loads >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/icon-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/icon-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..7358944f476291bce643d89d03a35d54ab714780 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/icon-allowed.sub.html 
>@@ -0,0 +1,28 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="img-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <p>Use callbacks to show that favicons are loaded as allowed by CSP when link tags are dynamically added to the page.</p> >+ <script> >+ var t = async_test("Test that image loads"); >+ window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have triggered any violation events")); >+ >+ function createLink(rel, src) { >+ var link = document.createElement('link'); >+ link.rel = rel; >+ link.href = src; >+ link.onload = t.done(); >+ link.onerror = t.unreached_func('The image should have loaded'); >+ document.body.appendChild(link); >+ } >+ window.addEventListener('DOMContentLoaded', function() { >+ createLink('icon', '../support/pass.png'); >+ }); >+ >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/icon-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/icon-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ec34e3f77477a7b0f82a3ade548023d802a0c5ea >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/icon-blocked.sub-expected.txt >@@ -0,0 +1,8 @@ >+Use callbacks to show that favicons are not loaded in violation of CSP when link tags are dynamically added to the page. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Test that image does not load >+NOTRUN Test that spv event is fired >+ 
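Review bot: in icon-allowed.sub.html `link.onload = t.done();` calls t.done() immediately and assigns undefined to onload, so "Test that image loads" completes with PASS before the icon fetch starts; the later `link.onerror = t.unreached_func(...)` fires into an already-finished test and is ignored. It should be `link.onload = t.step_func_done();`, matching the pattern used in img-src-4_1.sub.html. The checked-in PASS is therefore vacuous. Upstream fix.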
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/icon-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/icon-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..42500fc3ad2b1046c829eade4340bcfc1cd24d57 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/icon-blocked.sub.html >@@ -0,0 +1,33 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+<p>Use callbacks to show that favicons are not loaded in violation of CSP when link tags are dynamically added to the page.</p> >+ <script> >+ var t = async_test("Test that image does not load"); >+ var t_spv = async_test("Test that spv event is fired"); >+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, 'img-src'); >+ assert_true(e.blockedURI.endsWith('/support/fail.png')); >+ })); >+ >+ function createLink(rel, src) { >+ var link = document.createElement('link'); >+ link.rel = rel; >+ link.href = src; >+ link.onerror = t.done(); >+ link.onload = t.unreached_func('The image should not have loaded'); >+ document.head.appendChild(link); >+ } >+ window.addEventListener('DOMContentLoaded', function() { >+ createLink('icon', '../support/fail.png'); >+ }); >+ >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-4_1.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-4_1.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..8bd20f322da38132a5e4502269eee5677dd33a23 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-4_1.sub-expected.txt >@@ -0,0 +1,6 @@ >+Blocked access to external URL http://www.localhost:8800/content-security-policy/support/pass.png >+ >+PASS img-src for relative path should load >+PASS img-src from unapproved domains should not load >+FAIL img-src from approved domains should load assert_unreached: The img should have loaded Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-4_1.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-4_1.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..9e4e345a1670bf951c4736978ad9e66da6496bed >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-4_1.sub.html 
>@@ -0,0 +1,35 @@ >+<!DOCTYPE HTML> >+<meta http-equiv="Content-Security-Policy" content="img-src 'self' {{domains[www]}}:{{ports[http][0]}}"> >+<html> >+<head> >+ <title>img element src attribute must match src list.</title> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <div id='log'/> >+ >+ <script> >+ async_test(function(t) { >+ i = new Image(); >+ i.onload = t.step_func_done(); >+ i.onerror = t.unreached_func("The img should have loaded"); >+ i.src = '/content-security-policy/support/pass.png'; >+ }, "img-src for relative path should load"); >+ >+ async_test(function(t) { >+ i = new Image(); >+ i.onload = t.unreached_func("Image from unapproved domain was loaded."); >+ i.onerror = t.step_func_done(); >+ i.src = 'http://{{domains[www1]}}/content-security-policy/support/fail.png'; >+ }, "img-src from unapproved domains should not load"); >+ >+ async_test(function(t) { >+ i = new Image(); >+ i.onload = t.step_func_done(); >+ i.onerror = t.unreached_func("The img should have loaded"); >+ i.src = location.protocol + '//{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/pass.png'; >+ }, "img-src from approved domains should load"); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-full-host-wildcard-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-full-host-wildcard-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..8e714320519f3e46127a31ca8f4e027bc5664816 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-full-host-wildcard-blocked.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+FAIL img src does not match full host and wildcard csp directive assert_unreached: Image should have loaded Reached unreachable code >+ 
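Review bot: icon-blocked.sub.html has the same bug with `link.onerror = t.done();`, so "PASS Test that image does not load" in its expected file says nothing about whether the icon was blocked. The only real check is the `securitypolicyviolation` test, which the expectation records as NOTRUN behind a "Harness Error (TIMEOUT)", so blocked `<link rel=icon>` loads are effectively untested in WebKit here. Fix the handler to `t.step_func_done()` upstream and mark the timeout in TestExpectations with a tracking bug instead of paying the timeout on every run.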
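Review bot: the FAIL in img-src-4_1.sub-expected.txt for "img-src from approved domains should load" follows "Blocked access to external URL http://www.localhost:8800/content-security-policy/support/pass.png", i.e. the test runner refused the cross-host fetch before CSP was consulted. The expectation encodes a harness restriction, not a CSP result, and the same line appears in the partial-wildcard and port-wildcard expectations below. Either allow the WPT `www.` subdomains of the test host in the runner, or record these in TestExpectations with a bug so they are not read as CSP failures.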
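Review bot: in img-src-4_1.sub.html the "unapproved domains" image URL `http://{{domains[www1]}}/content-security-policy/support/fail.png` carries no port, so it targets port 80 where the WPT server is not listening; onerror fires whether or not CSP blocks the load, so that PASS is vacuous. Use `{{ports[http][0]}}` as the other two URLs do. Also `<meta http-equiv="Content-Security-Policy">` sits before `<html>` and `<div id='log'/>` is not self-closing in HTML (the div stays open and swallows the script), both harmless here but worth tidying upstream.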
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-full-host-wildcard-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-full-host-wildcard-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..23c33d56553817384b0ab6928eb8939459562c48 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-full-host-wildcard-blocked.sub.html >@@ -0,0 +1,20 @@ >+<!DOCTYPE html> >+<meta http-equiv="Content-Security-Policy" content="img-src *.{{host}}:{{ports[http][0]}}"> >+<html> >+<head> >+ <title>img-src with full host and wildcard blocks correctly.</title> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <div id='log'/> >+ >+ <script> >+ var t1 = async_test("img src does not match full host and wildcard csp directive"); >+ </script> >+ <img src='http://{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png' >+ onload='t1.step(function() { assert_unreached("Image should have loaded"); t1.done(); });' >+ onerror='t1.done();'> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..dde9fbbcff38b8187e863bb12ee946d1bc674983 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub-expected.txt 
>@@ -0,0 +1,6 @@ >+Blocked access to external URL http://www.localhost:8800/content-security-policy/support/pass.png >+Blocked access to external URL http://www.localhost:8800/content-security-policy/support/pass.png >+ >+ >+FAIL img src matches correctly partial wildcard host csp directive assert_unreached: Image should have loaded Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..d2d36d1341c526d9ed8f83e92a376374563c9aa5 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub.html >@@ -0,0 +1,20 @@ >+<!DOCTYPE html> >+<meta http-equiv="Content-Security-Policy" content="img-src *.{{host}}:{{ports[http][0]}}"> >+<html> >+<head> >+ <title>img-src works correctly with partial host wildcard.</title> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <div id='log'/> >+ >+ <script> >+ var t1 = async_test("img src matches correctly partial wildcard host csp directive"); >+ </script> >+ <img src='http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/pass.png' >+ onload='t1.done();' >+ onerror='t1.step(function() { assert_unreached("Image should have loaded"); t1.done(); });'> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-none-blocks-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-none-blocks-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..1c890b7672c539b5a6d23bdbe437b284a2f3f2b8 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-none-blocks-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS img-src with 'none' source should not match >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-none-blocks.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-none-blocks.html >new file mode 100644 >index 0000000000000000000000000000000000000000..9bc0326ef8a2d8ae8112de50e16f013f6a475e21 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-none-blocks.html >@@ -0,0 +1,20 @@ >+<!DOCTYPE html> >+<meta http-equiv="Content-Security-Policy" content="img-src 'none';"> >+<html> >+<head> >+ <title>img element src attribute must match src list.</title> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <div id='log'/> >+ >+ <script> >+ var t1 = async_test("img-src with 'none' source should not match"); >+ </script> >+ <img src='/content-security-policy/support/fail.png' >+ onload='t1.step(function() { assert_unreached("Image should not have loaded"); t1.done(); });' >+ onerror='t1.done();'> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..aae61b65afa311c891b1e9f6295c7fd3cc5081fe >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub-expected.txt 
>@@ -0,0 +1,6 @@ >+Blocked access to external URL http://www.localhost:8800/content-security-policy/support/pass.png >+Blocked access to external URL http://www.localhost:8800/content-security-policy/support/pass.png >+ >+ >+FAIL img-src with wildcard port should match any port assert_unreached: Image should have loaded. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..215c10089bb547645fe304f6d3345016ea2b99d5 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub.html >@@ -0,0 +1,20 @@ >+<!DOCTYPE HTML> >+<meta http-equiv="Content-Security-Policy" content="img-src http://www.{{host}}:*"> >+<html> >+<head> >+ <title>img-src works correctly with port wildcard source</title> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <div id='log'/> >+ >+ <script> >+ var t1 = async_test("img-src with wildcard port should match any port"); >+ </script> >+ <img src='http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/pass.png' >+ onload='t1.done();' >+ onerror='t1.step(function() { assert_unreached("Image should have loaded."); t1.done()} );'> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-self-unique-origin-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-self-unique-origin-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..1e26d5cc0e04996ee8e64fc2f7a654c1b96b6621 >--- /dev/null 
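Review bot: img-src-port-wildcard-allowed.sub-expected.txt has the same environmental failure as the host-partial-wildcard baseline: `Blocked access to external URL http://www.localhost:8800/...` is the runner refusing the www.localhost host, so the `img-src http://www.{{host}}:*` port wildcard is never evaluated and `Image should have loaded.` fails for a reason unrelated to CSP. Handle both baselines the same way (allowlist or map the host, or a TestExpectations entry with a bug) rather than checking in FAIL results that would mask a real regression in port-wildcard matching.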
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-self-unique-origin-expected.txt >@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: Refused to load data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hBADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7 because it does not appear in the img-src directive of the Content Security Policy. >+The origin of an URL is called "unique" when it is considered to be different from every origin, including itself. The origin of a data-url is unique. When the current origin is unique, the CSP source 'self' must not match any URL. >+ >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT Image's url must not match with 'self'. Image must be blocked. Test timed out >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-self-unique-origin.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-self-unique-origin.html >new file mode 100644 >index 0000000000000000000000000000000000000000..1fd2869b6c5588c14d39524443e2daa5fea0ba67 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-self-unique-origin.html 
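Review bot: The img-src-self-unique-origin-expected.txt baseline is a harness TIMEOUT even though its first CONSOLE MESSAGE line shows the data: image was refused under img-src, so the block itself is correct; what never happens is the child's `securitypolicyviolation` listener posting 'Test PASS' to the parent. Before checking in a TIMEOUT (which stalls every run for the full harness timeout), it is worth determining whether the event is not dispatched in the data: document at all or whether it fires with an `originalPolicy` that fails the exact comparison `e.originalPolicy == "img-src 'self'"`. Either way this deserves a bug referenced from TestExpectations rather than a silent timeout baseline.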
>@@ -0,0 +1,49 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <title>img-src-self-unique-origin</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <p> >+ The origin of an URL is called "unique" when it is considered to be >+ different from every origin, including itself. The origin of a >+ data-url is unique. When the current origin is unique, the CSP source >+ 'self' must not match any URL. >+ </p> >+ <script> >+ var iframe = document.createElement("iframe"); >+ iframe.src = encodeURI(`data:text/html, >+ <script> >+ /* Add the CSP: frame-src: 'self'. */ >+ var meta = document.createElement('meta'); >+ meta.httpEquiv = 'Content-Security-Policy'; >+ meta.content = "img-src 'self'"; >+ document.getElementsByTagName('head')[0].appendChild(meta); >+ >+ /* Notify the parent the image has been blocked. */ >+ window.addEventListener('securitypolicyviolation', e => { >+ if (e.originalPolicy == "img-src 'self'") >+ window.parent.postMessage('Test PASS', '*'); >+ }); >+ </scr`+`ipt> >+ >+ This image should be blocked by CSP: >+ <img src='data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hBADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7'></img> >+ `); >+ if (window.async_test) { >+ async_test(t => { >+ window.addEventListener("message", e => { >+ if (e.data == "Test PASS") >+ t.done(); >+ }); >+ }, "Image's url must not match with 'self'. Image must be blocked."); >+ } >+ document.body.appendChild(iframe); >+ </script> >+</body> >+ >+</html> 
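Review bot: In img-src-self-unique-origin.html the comment `/* Add the CSP: frame-src: 'self'. */` is stale: the policy actually injected through the `<meta>` element is `img-src 'self'`, and the test name and the `originalPolicy` check both rely on that. The `<img ...></img>` end tag is also invalid HTML (harmless, but misleading). Both should go upstream as a WPT fix rather than a local edit to an imported file.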
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-wildcard-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-wildcard-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..94a51cd9d3d7a5dbb0afcabbaa50f8d9e594afcc >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-wildcard-allowed-expected.txt >@@ -0,0 +1,5 @@ >+ >+ >+PASS img-src with wildcard should match all >+PASS img-src with wildcard should not match blob >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-wildcard-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-wildcard-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..72326ee6fc615ee15219c64b5f6a0a5d1bbe81c1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-wildcard-allowed.html 
>@@ -0,0 +1,40 @@ >+<!DOCTYPE html> >+<meta http-equiv="Content-Security-Policy" content="img-src *;"> >+<html> >+<head> >+ <title>img element src attribute must match src list.</title> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <div id='log'/> >+ >+ <script> >+ var t1 = async_test("img-src with wildcard should match all"); >+ </script> >+ <img src='/content-security-policy/support/pass.png' >+ onload='t1.done();' >+ onerror='t1.step(function() { assert_unreached("Image should have loaded"); t1.done(); });'> >+ >+ <script> >+ async_test(function(t) { >+ >+ var pngBase64 = "iVBORw0KGgoAAAANSUhEUgAAAGQAAABkCAIAAAD/gAIDAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAnklEQVR42u3QMQEAAAgDoGlyo1vBzwciUJlw1ApkyZIlS5YsBbJkyZIlS5YCWbJkyZIlS4EsWbJkyZKlQJYsWbJkyVIgS5YsWbJkKZAlS5YsWbIUyJIlS5YsWQpkyZIlS5YsBbJkyZIlS5YCWbJkyZIlS4EsWbJkyZKlQJYsWbJkyVIgS5YsWbJkKZAlS5YsWbIUyJIlS5YsWQpkyfq2MosBSIeKONMAAAAASUVORK5CYII="; >+ >+ blobContents = [atob(pngBase64)]; >+ blob = new Blob(blobContents, {type: "image/png"}); >+ img = document.createElement("img"); >+ img.onerror = function (e) { >+ t.done(); >+ }; >+ img.onload = function () { >+ assert_unreached("Should not load blob img"); >+ t.done(); >+ }; >+ blobURL = window.URL.createObjectURL(blob); >+ img.src = blobURL; >+ >+ },"img-src with wildcard should not match blob"); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/report-blocked-data-uri.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/report-blocked-data-uri.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..680a330a6d5c885c40e73d99a4fa79151982fe69 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/report-blocked-data-uri.sub-expected.txt 
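Review bot: In img-src-wildcard-allowed.html the second test assigns `blobContents`, `blob`, `img` and `blobURL` without declaring them, creating implicit globals, and the object URL is never revoked. The assertion itself is correct: a bare `*` host-source does not match blob:, data: or other local schemes, so the blob: image must be blocked, and the PASS baseline confirms WebKit agrees. Suggest `const` declarations and `URL.revokeObjectURL(blobURL)` in the handlers upstream.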
>@@ -0,0 +1,4 @@ >+ >+ >+FAIL Expecting logs: ["violated-directive=img-src"] assert_unreached: Logging timeout, expected logs violated-directive=img-src not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/report-blocked-data-uri.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/report-blocked-data-uri.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..7ef1e978fedc83e92b17384d7462793a83011791 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/report-blocked-data-uri.sub.html >@@ -0,0 +1,25 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>report-blocked-data-uri</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["violated-directive=img-src"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ </script> >+ >+ <img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..9c4ed4070a53d0cd4d22b986b98e4bfaca848cef >--- /dev/null 
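Review bot: The report-blocked-data-uri.sub-expected.txt baseline shows neither a `securitypolicyviolation` event (`Logging timeout, expected logs violated-directive=img-src not sent`) nor the `Refused to load data:image/gif...` console message that img-src-self-unique-origin-expected.txt records for a data: image under img-src. That asymmetry suggests the data: image in this top-level document is either not being blocked by `img-src 'none'` at all or is blocked without being reported; please confirm which and file it, since a bare FAIL baseline does not distinguish a missing report from a missing block.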
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/w3c-import.log >@@ -0,0 +1,26 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/icon-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/icon-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-4_1.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-full-host-wildcard-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-none-blocks.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-self-unique-origin.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-wildcard-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/report-blocked-data-uri.sub.html 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/blob-url-in-child-frame-self-navigate-inherits.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/blob-url-in-child-frame-self-navigate-inherits.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..53f2f2d01347dcaa94f94e2573af660e0dd9b5e6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/blob-url-in-child-frame-self-navigate-inherits.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/blob-url-in-child-frame-self-navigate-inherits.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/blob-url-in-child-frame-self-navigate-inherits.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..f2b3d063e91fd344787f1208f96250381745c27e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/blob-url-in-child-frame-self-navigate-inherits.sub.html >@@ -0,0 +1,17 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <script nonce="abc" src="/resources/testharness.js"></script> >+ <script nonce="abc" src="/resources/testharnessreport.js"></script> >+</head> >+ >+<!-- This tests that navigating a main window to a local scheme preserves the current CSP. >+ We need to test this in a main window with no parent/opener so we use >+ a link with target=_blank and rel=noopener. --> >+<body> >+ <iframe src="support/navigate-self-to-blob.html?csp=script-src%20%27nonce-abc%27&report_id={{$id:uuid()}}"></iframe> >+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27&reportID={{$id}}'></script> >+</body> >+ >+</html> 
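Review bot: The HTML comment in blob-url-in-child-frame-self-navigate-inherits.sub.html ("We need to test this in a main window with no parent/opener so we use a link with target=_blank and rel=noopener") describes the main-window variant, not this file, which embeds support/navigate-self-to-blob.html in an `<iframe>`. The comment should be reworded upstream to say this variant covers the child-frame case. The PASS baseline is consistent with the test's intent.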
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/blob-url-in-main-window-self-navigate-inherits.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/blob-url-in-main-window-self-navigate-inherits.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..8a37db491799923a6848234154872437c67af297 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/blob-url-in-main-window-self-navigate-inherits.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/blob-url-in-main-window-self-navigate-inherits.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/blob-url-in-main-window-self-navigate-inherits.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..3b54528d56a445e6ef723371f5bb7a858ee016c8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/blob-url-in-main-window-self-navigate-inherits.sub.html 
>@@ -0,0 +1,23 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <script nonce="abc" src="/resources/testharness.js"></script> >+ <script nonce="abc" src="/resources/testharnessreport.js"></script> >+</head> >+ >+<!-- This tests that navigating a main window to a local scheme preserves the current CSP. >+ We need to test this in a main window with no parent/opener so we use >+ a link with target=_blank and rel=noopener. --> >+<body> >+ <script> >+ const a = document.createElement("a") >+ a.href = "support/navigate-self-to-blob.html?csp=script-src%20%27nonce-abc%27&report_id={{$id:uuid()}}"; >+ a.target = "_blank" >+ a.rel = "noopener" >+ a.click() >+ </script> >+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27&reportID={{$id}}'></script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/document-write-iframe-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/document-write-iframe-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..5a00fbb8b088ad257da7961fd743419d267a886c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/document-write-iframe-expected.txt 
>@@ -0,0 +1,11 @@ >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/fail.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/fail.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/fail.png because it does not appear in the img-src directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Image loaded in srcdoc iframe using document.write is blocked >+NOTRUN Image loaded in normal iframe using document.write is blocked >+NOTRUN Image loaded directly in simple srcdoc iframe is blocked >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/document-write-iframe.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/document-write-iframe.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a84e3a37031280ec33ccb98307f422e3ca468744 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/document-write-iframe.html 
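Review bot: document-write-iframe-expected.txt pairs three `Refused to load .../fail.png` console messages with a harness TIMEOUT and three NOTRUN results, so the inherited `img-src 'none'` policy is enforced in all three child frames (the inheritance the test is about works) but the `securitypolicyviolation` handlers installed in those frames never post back to the top window. Please file the event-dispatch problem and reference it from TestExpectations; a TIMEOUT baseline hides a passing inheritance check behind a slow, unrelated failure.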
>@@ -0,0 +1,69 @@ >+<!DOCTYPE html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ >+</head> >+<body> >+ <script> >+ var t0 = async_test("Image loaded in srcdoc iframe using document.write is blocked"); >+ var t1 = async_test("Image loaded in normal iframe using document.write is blocked"); >+ var t2 = async_test("Image loaded directly in simple srcdoc iframe is blocked"); >+ >+ window.onmessage = function(e) { >+ var current_test; >+ if (e.data.type == "spv0") { >+ current_test = t0; >+ } else if (e.data.type == "spv1") { >+ current_test = t1; >+ } else if (e.data.type == "spv2") { >+ current_test = t2; >+ } else { >+ t0.step(function() {assert_true(false, "Unexpected message received from child frames")}); >+ t1.step(function() {assert_true(false, "Unexpected message received from child frames")}); >+ t2.step(function() {assert_true(false, "Unexpected message received from child frames")}); >+ } >+ >+ current_test.step(function() { >+ assert_equals(e.data.violatedDirective, 'img-src'); >+ current_test.done(); >+ }); >+ } >+ </script> >+ >+ <!--As discovered thanks to crbug.com/920531, there is a bug in CSP where the >+ CSP is not inherited when using document.open/document.write to edit a >+ document's contents. 
--> >+ <iframe id="frame1" srcdoc=""></iframe> >+ >+ <!-- This is speculatively correct https://github.com/whatwg/html/issues/4510 --> >+ <iframe id="frame2" src="/content-security-policy/common/blank.html"></iframe> >+ >+ <!--<script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ window.top.postMessage({type: 'spv2', violatedDirective: e.violatedDirective}, '*'); >+ }); >+ </script> >+ <img src='/content-security-policy/support/fail.png'> >+ --> >+ <iframe srcdoc="<script>window.addEventListener('securitypolicyviolation', function(e) {window.top.postMessage({type: 'spv2', violatedDirective: e.violatedDirective}, '*');});</script><img src='/content-security-policy/support/fail.png'>"></iframe> >+ <script> >+ var frames = ['frame1', 'frame2']; >+ for (var i = 0; i < frames.length; i++) { >+ var body_text = ['<script>', >+ ' window.addEventListener("securitypolicyviolation", function(e) {', >+ ' window.top.postMessage({type: "spv'+ i + '", violatedDirective: e.violatedDirective}, "*");', >+ ' });', >+ '</scr' + 'ipt>', >+ '<img src="/content-security-policy/support/fail.png">'].join('\n'); >+ >+ var e = document.getElementById(frames[i]); >+ var n = e.contentWindow.document; >+ n.open(); >+ n.write("<html><body>" + body_text + "</body></html>"); >+ n.close(); >+ } >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes-inherit-self.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes-inherit-self.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..c1172adf4f9cdd6f11f88a0c781b3ff167c2cb7a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes-inherit-self.sub-expected.txt 
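Review bot: In document-write-iframe.html the `else` branch of `window.onmessage` records a failure on t0, t1 and t2 but then falls through to `current_test.step(...)` with `current_test` undefined, which throws a TypeError; an early `return` after the three `step` calls is needed. The commented-out `<script>`/`<img>` block above the third iframe is dead code duplicating the srcdoc that follows it and could be dropped. Both are upstream WPT fixes, not local edits.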
>@@ -0,0 +1,9 @@ >+ >+ >+PASS <iframe>'s about:blank inherits policy. >+PASS <iframe srcdoc>'s inherits policy. >+PASS <iframe src='blob:...'>'s inherits policy. >+FAIL <iframe src='data:...'>'s inherits policy. assert_equals: expected "load" but got "error" >+PASS <iframe src='javascript:...'>'s inherits policy. >+FAIL <iframe sandbox src='blob:...'>'s inherits policy. (opaque origin sandbox) assert_equals: expected "load" but got "error" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes-inherit-self.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes-inherit-self.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..73e974e51a87dc80eab797ad3a4ddee20759aa7b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes-inherit-self.sub.html 
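Review bot: The two FAIL lines in iframe-all-local-schemes-inherit-self.sub-expected.txt are exactly the two opaque-origin cases (the data: frame and the `sandbox = 'allow-scripts'` blob: frame), while the about:blank, srcdoc, blob: and javascript: frames pass. That pattern suggests WebKit resolves an inherited `'self'` against the child's opaque origin rather than the origin of the document the policy was inherited from, so `{{location[server]}}/images/red-16x16.png` is refused in those two frames only. The companion iframe-all-local-schemes.sub-expected.txt (`img-src 'none'`) passes in every frame, which fits: blocking is inherited correctly, `'self'` resolution is not. Please record this as a bug in TestExpectations or the ChangeLog rather than leaving it implicit in the baseline.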
>@@ -0,0 +1,102 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+ >+<meta http-equiv="Content-Security-Policy" content="img-src 'self'"> >+ >+<body> >+ >+<script> >+ function wait_for_error_from_frame(frame, test) { >+ window.addEventListener('message', test.step_func(e => { >+ if (e.source != frame.contentWindow) >+ return; >+ assert_equals(e.data, "load"); >+ frame.remove(); >+ test.done(); >+ })); >+ } >+ >+ async_test(t => { >+ var i = document.createElement('iframe'); >+ document.body.appendChild(i); >+ >+ var img = document.createElement('img'); >+ img.onload = t.step_func_done(_ => i.remove()); >+ img.onerror = t.unreached_func(); >+ i.contentDocument.body.appendChild(img); >+ img.src = "{{location[server]}}/images/red-16x16.png"; >+ }, "<iframe>'s about:blank inherits policy."); >+ >+ async_test(t => { >+ var i = document.createElement('iframe'); >+ i.srcdoc = ` >+ <img src='{{location[server]}}/images/red-16x16.png' >+ onload='window.top.postMessage("load", "*");' >+ onerror='window.top.postMessage("error", "*");' >+ > >+ `; >+ >+ wait_for_error_from_frame(i, t); >+ >+ document.body.appendChild(i); >+ }, "<iframe srcdoc>'s inherits policy."); >+ >+ async_test(t => { >+ var i = document.createElement('iframe'); >+ var b = new Blob( >+ [` >+ <img src='{{location[server]}}/images/red-16x16.png' >+ onload='window.top.postMessage("load", "*");' >+ onerror='window.top.postMessage("error", "*");' >+ > >+ `], {type:"text/html"}); >+ i.src = URL.createObjectURL(b); >+ >+ wait_for_error_from_frame(i, t); >+ >+ document.body.appendChild(i); >+ }, "<iframe src='blob:...'>'s inherits policy."); >+ >+ async_test(t => { >+ var i = document.createElement('iframe'); >+ i.src = `data:text/html,<img src='{{location[server]}}/images/red-16x16.png' >+ onload='window.top.postMessage("load", "*");' >+ onerror='window.top.postMessage("error", "*");' >+ >`; >+ >+ wait_for_error_from_frame(i, t); >+ 
>+ document.body.appendChild(i); >+ }, "<iframe src='data:...'>'s inherits policy."); >+ >+ async_test(t => { >+ var i = document.createElement('iframe'); >+ i.src = `javascript:"<img src='{{location[server]}}/images/red-16x16.png' >+ onload='window.top.postMessage(\\"load\\", \\"*\\");' >+ onerror='window.top.postMessage(\\"error\\", \\"*\\");' >+ >"`; >+ >+ wait_for_error_from_frame(i, t); >+ >+ document.body.appendChild(i); >+ }, "<iframe src='javascript:...'>'s inherits policy."); >+ >+ async_test(t => { >+ var i = document.createElement('iframe'); >+ var b = new Blob( >+ [` >+ <img src='{{location[server]}}/images/red-16x16.png' >+ onload='window.top.postMessage("load", "*");' >+ onerror='window.top.postMessage("error", "*");' >+ > >+ `], {type:"text/html"}); >+ i.src = URL.createObjectURL(b); >+ i.sandbox = 'allow-scripts'; >+ >+ wait_for_error_from_frame(i, t); >+ >+ document.body.appendChild(i); >+ }, "<iframe sandbox src='blob:...'>'s inherits policy. (opaque origin sandbox)"); >+ >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..10df77fe72e2eaa7bf9bd664d0f73d931fc74662 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes.sub-expected.txt >@@ -0,0 +1,8 @@ >+ >+PASS <iframe>'s about:blank inherits policy. >+PASS <iframe srcdoc>'s inherits policy. >+PASS <iframe src='blob:...'>'s inherits policy. >+PASS <iframe src='data:...'>'s inherits policy. >+PASS <iframe src='javascript:...'>'s inherits policy. >+PASS <iframe sandbox src='blob:...'>'s inherits policy. (opaque origin sandbox) >+ 
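Review bot: In iframe-all-local-schemes-inherit-self.sub.html the helper is still named `wait_for_error_from_frame` although in this variant it asserts `e.data == "load"`; the name was carried over from iframe-all-local-schemes.sub.html, where it genuinely waits for "error". Rename it upstream (for example `wait_for_message_from_frame`) so the expectation is not misread.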
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..cd38c902f05f7871fdec0eafe5481e5eba1928ae >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes.sub.html 
>@@ -0,0 +1,102 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+ >+<meta http-equiv="Content-Security-Policy" content="img-src 'none'"> >+ >+<body> >+ >+<script> >+ function wait_for_error_from_frame(frame, test) { >+ window.addEventListener('message', test.step_func(e => { >+ if (e.source != frame.contentWindow) >+ return; >+ assert_equals(e.data, "error"); >+ frame.remove(); >+ test.done(); >+ })); >+ } >+ >+ async_test(t => { >+ var i = document.createElement('iframe'); >+ document.body.appendChild(i); >+ >+ var img = document.createElement('img'); >+ img.onerror = t.step_func_done(_ => i.remove()); >+ img.onload = t.unreached_func(); >+ i.contentDocument.body.appendChild(img); >+ img.src = "{{location[server]}}/images/red-16x16.png"; >+ }, "<iframe>'s about:blank inherits policy."); >+ >+ async_test(t => { >+ var i = document.createElement('iframe'); >+ i.srcdoc = ` >+ <img src='{{location[server]}}/images/red-16x16.png' >+ onload='window.top.postMessage("load", "*");' >+ onerror='window.top.postMessage("error", "*");' >+ > >+ `; >+ >+ wait_for_error_from_frame(i, t); >+ >+ document.body.appendChild(i); >+ }, "<iframe srcdoc>'s inherits policy."); >+ >+ async_test(t => { >+ var i = document.createElement('iframe'); >+ var b = new Blob( >+ [` >+ <img src='{{location[server]}}/images/red-16x16.png' >+ onload='window.top.postMessage("load", "*");' >+ onerror='window.top.postMessage("error", "*");' >+ > >+ `], {type:"text/html"}); >+ i.src = URL.createObjectURL(b); >+ >+ wait_for_error_from_frame(i, t); >+ >+ document.body.appendChild(i); >+ }, "<iframe src='blob:...'>'s inherits policy."); >+ >+ async_test(t => { >+ var i = document.createElement('iframe'); >+ i.src = `data:text/html,<img src='{{location[server]}}/images/red-16x16.png' >+ onload='window.top.postMessage("load", "*");' >+ onerror='window.top.postMessage("error", "*");' >+ >`; >+ >+ wait_for_error_from_frame(i, t); 
>+ >+ document.body.appendChild(i); >+ }, "<iframe src='data:...'>'s inherits policy."); >+ >+ async_test(t => { >+ var i = document.createElement('iframe'); >+ i.src = `javascript:"<img src='{{location[server]}}/images/red-16x16.png' >+ onload='window.top.postMessage(\\"load\\", \\"*\\");' >+ onerror='window.top.postMessage(\\"error\\", \\"*\\");' >+ >"`; >+ >+ wait_for_error_from_frame(i, t); >+ >+ document.body.appendChild(i); >+ }, "<iframe src='javascript:...'>'s inherits policy."); >+ >+ async_test(t => { >+ var i = document.createElement('iframe'); >+ var b = new Blob( >+ [` >+ <img src='{{location[server]}}/images/red-16x16.png' >+ onload='window.top.postMessage("load", "*");' >+ onerror='window.top.postMessage("error", "*");' >+ > >+ `], {type:"text/html"}); >+ i.src = URL.createObjectURL(b); >+ i.sandbox = 'allow-scripts'; >+ >+ wait_for_error_from_frame(i, t); >+ >+ document.body.appendChild(i); >+ }, "<iframe sandbox src='blob:...'>'s inherits policy. (opaque origin sandbox)"); >+ >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-srcdoc-inheritance-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-srcdoc-inheritance-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..1b66a0ac2f10ca7eb578ba2d0819fbe8b2c36634 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-srcdoc-inheritance-expected.txt >@@ -0,0 +1,8 @@ >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/fail.png because it does not appear in the img-src directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN First image should be blocked >+NOTRUN Second image should be blocked >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-srcdoc-inheritance.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-srcdoc-inheritance.html >new file mode 100644 >index 0000000000000000000000000000000000000000..e05150762faa6affa644876961f004723ab2806a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-srcdoc-inheritance.html >@@ -0,0 +1,34 @@ >+<!DOCTYPE html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="img-src 'self'"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+<body> >+ <script> >+ var t1 = async_test("First image should be blocked"); >+ var t2 = async_test("Second image should be blocked"); >+ window.onmessage = t1.step_func_done(function(e) { >+ if (e.data == "img blocked") { >+ frames[0].frames[0].frameElement.srcdoc = >+ `<script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ if (e.violatedDirective == 'img-src') { >+ top.postMessage('img blocked', '*'); >+ } >+ }) >+ </scr` + `ipt> >+ <img src='/content-security-policy/support/fail.png' >+ onload='top.postMessage("img loaded", "*")'/>`; >+ window.onmessage = t2.step_func_done(function(e) { >+ if (e.data != "img blocked") >+ assert_true(false, "The second image should have been blocked"); >+ }); >+ } else { >+ assert_true(false, "The first image should have been blocked"); >+ } >+ }); >+ </script> >+ <iframe src="support/srcdoc-child-frame.html"></iframe> >+</body> >+</html> 
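Review bot: In iframe-srcdoc-inheritance.html the failure paths use `assert_true(false, ...)` where `assert_unreached(...)` states the intent directly, and because the first handler is `t1.step_func_done`, any message other than "img blocked" ends t1 immediately instead of waiting for the expected one. The baseline above is a TIMEOUT with a single `Refused to load .../fail.png` message, i.e. the first image was blocked but the child's `securitypolicyviolation` handler never posted "img blocked", the same symptom as document-write-iframe; track both under one bug.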
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/inherited-csp-list-modifications-are-local-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/inherited-csp-list-modifications-are-local-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..8660f550eadbc7032e4d06deda4182d86ba260e1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/inherited-csp-list-modifications-are-local-expected.txt >@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/fail.png because it does not appear in the img-src directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Test that parent document image loads >+PASS Test that embedded iframe document image does not load >+NOTRUN Test that spv event is fired >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/inherited-csp-list-modifications-are-local.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/inherited-csp-list-modifications-are-local.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c473b3f4262230f6e052d149d6461b7c0cabeff7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/inherited-csp-list-modifications-are-local.html 
>@@ -0,0 +1,49 @@ >+<!DOCTYPE html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'self'"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <!-- Tests that mutations inside a context that inherits a copy of the CSP list >+ does not affect the parent context --> >+</head> >+<body> >+ <script> >+ var t1 = async_test("Test that parent document image loads"); >+ var t2 = async_test("Test that embedded iframe document image does not load"); >+ var t3 = async_test("Test that spv event is fired"); >+ >+ window.onmessage = function(e) { >+ if (e.data.type == 'spv') { >+ t3.step(function() { >+ assert_equals(e.data.violatedDirective, "img-src"); >+ t3.done(); >+ }); >+ } else if (e.data.type == 'imgload') { >+ var img = document.createElement('img'); >+ img.src = "../support/pass.png"; >+ img.onload = function() { t1.done(); }; >+ img.onerror = t1.unreached_func('Should have loaded the image'); >+ document.body.appendChild(img); >+ >+ t2.step(function() { >+ assert_false(e.data.loaded, "Should not have loaded image inside the frame because of its CSP"); >+ t2.done(); >+ }); >+ } >+ } >+ >+ var srcdoc = ['<meta http-equiv="Content-Security-Policy" content="img-src \'none\'">', >+ '<script>', >+ ' window.addEventListener("securitypolicyviolation", function(e) {', >+ ' window.top.postMessage({type: "spv", violatedDirective: e.violatedDirective}, "*");', >+ ' });', >+ '</scr' + 'ipt>', >+ '<img src="../support/fail.png"', >+ ' onload="window.top.postMessage({type: \'imgload\', loaded: true}, \'*\')"', >+ ' onerror="window.top.postMessage({type: \'imgload\', loaded: false}, \'*\')">'].join('\n'); >+ var i = document.createElement('iframe'); >+ i.srcdoc = srcdoc; >+ document.body.appendChild(i); >+ </script> >+</body> >+</html> 
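Review bot: the inherited-csp-list-modifications-are-local-expected.txt baseline has the same shape as the srcdoc test above: enforcement works (t1 and t2 PASS and the console shows .../support/fail.png refused), but "NOTRUN Test that spv event is fired" plus the harness TIMEOUT mean the securitypolicyviolation listener registered inside the srcdoc frame never posts to window.top. That is one bug, not two; a single tracking bug covering both files, with matching TestExpectations entries, would keep them from being re-triaged separately.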
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-blob-scheme-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-blob-scheme-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..53f2f2d01347dcaa94f94e2573af660e0dd9b5e6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-blob-scheme-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-blob-scheme.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-blob-scheme.html >new file mode 100644 >index 0000000000000000000000000000000000000000..590fa7ec1a9caafc6f18e6821f100629688bd300 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-blob-scheme.html >@@ -0,0 +1,23 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <script nonce="abc" src="/resources/testharness.js"></script> >+ <script nonce="abc" src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script nonce='abc'> >+ var blob_string = "<script>alert(document.domain)<\/scr"+"ipt>"; >+ var blob = new Blob([blob_string], {type : 'text/html'}); >+ var url = URL.createObjectURL(blob); >+ >+ var i = document.createElement('iframe'); >+ i.src = url; >+ i.sandbox = "allow-scripts"; >+ document.body.appendChild(i); >+ </script> >+ <script nonce='abc' async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script> >+</body> >+ >+</html> 
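Review bot: the ChangeLog entry for this import should say why sandboxed-blob-scheme.html (and its data: twin) is the interesting half of each pair: with i.sandbox = "allow-scripts" the blob: document gets an opaque origin, so source expressions such as 'self' can no longer match anything in it, and the only thing that can stop the inline script is the script-src 'nonce-abc' inherited from the parent's header; the expected violated-directive of "script-src 'nonce-abc'" in the report is the check that inheritance survives the origin change. Nit on the payload string: the "<\/scr"+"ipt>" split is redundant, since the <\/ escape already keeps the HTML parser from closing the enclosing inline script, and the split point varies between the sibling files.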
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-blob-scheme.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-blob-scheme.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..cd80b326ff7395bef1d84e9d90d857d2ef757612 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-blob-scheme.html.sub.headers >@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Pragma: no-cache >+Set-Cookie: sandboxed-blob-scheme={{$id:uuid()}}; Path=/content-security-policy/inheritance/ >+Content-Security-Policy: script-src 'nonce-abc'; report-uri http://{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-data-scheme-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-data-scheme-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..53f2f2d01347dcaa94f94e2573af660e0dd9b5e6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-data-scheme-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-data-scheme.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-data-scheme.html >new file mode 100644 >index 0000000000000000000000000000000000000000..b97bfb0c05aeb129fc35a5bdfa1f9346b33d6d21 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-data-scheme.html 
>@@ -0,0 +1,21 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <script nonce="abc" src="/resources/testharness.js"></script> >+ <script nonce="abc" src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script nonce='abc'> >+ var url = "data:text/html,<script>alert(document.domain)<\/scr"+"ipt>"; >+ >+ var i = document.createElement('iframe'); >+ i.src = url; >+ i.sandbox = "allow-scripts"; >+ document.body.appendChild(i); >+ </script> >+ <script nonce='abc' async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-data-scheme.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-data-scheme.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..766d3e0e050328a2365cc1660d62fbbc13b552e4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-data-scheme.html.sub.headers >@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Pragma: no-cache >+Set-Cookie: sandboxed-data-scheme={{$id:uuid()}}; Path=/content-security-policy/inheritance/ >+Content-Security-Policy: script-src 'nonce-abc'; report-uri http://{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/navigate-self-to-blob.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/navigate-self-to-blob.html >new file mode 100644 >index 0000000000000000000000000000000000000000..9ea069969cafff022e94fef3de535feafaca1de7 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/navigate-self-to-blob.html >@@ -0,0 +1,6 @@ >+<script nonce="abc"> >+ var blob_string = "<script>alert(document.domain)<\/script>"; >+ var blob = new Blob([blob_string], {type : 'text/html'}); >+ var url = URL.createObjectURL(blob); >+ location.href=url; >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/navigate-self-to-blob.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/navigate-self-to-blob.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..27aa5f4a1023ffd9c975acc42cf7b89b9fff2faf >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/navigate-self-to-blob.html.sub.headers >@@ -0,0 +1,4 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Pragma: no-cache >+Content-Security-Policy: {{GET[csp]}}; report-uri http://{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID={{GET[report_id]}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/srcdoc-child-frame.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/srcdoc-child-frame.html >new file mode 100644 >index 0000000000000000000000000000000000000000..9148be203d30ea043a56b38305877142735a4c49 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/srcdoc-child-frame.html 
>@@ -0,0 +1,19 @@ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'"> >+</head> >+<body> >+ <script> >+ var i = document.createElement('iframe'); >+ i.srcdoc=`<script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ if (e.violatedDirective == 'img-src') { >+ top.postMessage('img blocked', '*'); >+ } >+ }) >+ </scr` + `ipt> >+ <img src='/content-security-policy/support/fail.png' >+ onload='top.postMessage("img loaded", "*")'/>`; >+ i.id = "srcdoc-frame"; >+ document.body.appendChild(i); >+ </script> >+</body> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..3b742d65e7d9fd01401f07491c60d30415a98b26 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/w3c-import.log >@@ -0,0 +1,19 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/navigate-self-to-blob.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/navigate-self-to-blob.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/srcdoc-child-frame.html 
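Review bot: in support/srcdoc-child-frame.html the i.id = "srcdoc-frame" assignment is never used; iframe-srcdoc-inheritance.html reaches the frame through frames[0].frames[0].frameElement, and the srcdoc markup here is a verbatim copy of the string assigned there. Either reference the id from the parent test or drop it, and consider keeping the shared srcdoc string in this one support file so the two copies cannot drift; both are upstream changes per the w3c-import.log in this directory.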
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-blob-scheme-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-blob-scheme-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..53f2f2d01347dcaa94f94e2573af660e0dd9b5e6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-blob-scheme-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-blob-scheme.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-blob-scheme.html >new file mode 100644 >index 0000000000000000000000000000000000000000..cab192f836831dbc6618726ea764249f2d835e0a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-blob-scheme.html >@@ -0,0 +1,22 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <script nonce="abc" src="/resources/testharness.js"></script> >+ <script nonce="abc" src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script nonce='abc'> >+ var blob_string = "<script>alert(document.domain)<\/scr"+"ipt>"; >+ var blob = new Blob([blob_string], {type : 'text/html'}); >+ var url = URL.createObjectURL(blob); >+ >+ var i = document.createElement('iframe'); >+ i.src = url; >+ document.body.appendChild(i); >+ </script> >+ <script nonce='abc' async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-blob-scheme.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-blob-scheme.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..4cf3e34ce9764ef79ce0cd041de822535678a8c6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-blob-scheme.html.sub.headers >@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Pragma: no-cache >+Set-Cookie: unsandboxed-blob-scheme={{$id:uuid()}}; Path=/content-security-policy/inheritance/ >+Content-Security-Policy: script-src 'nonce-abc'; report-uri http://{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-data-scheme-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-data-scheme-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..53f2f2d01347dcaa94f94e2573af660e0dd9b5e6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-data-scheme-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-data-scheme.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-data-scheme.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a9d8e207dcec48a9ee34f2f294f440dd8ba6c233 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-data-scheme.html 
>@@ -0,0 +1,20 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <script nonce="abc" src="/resources/testharness.js"></script> >+ <script nonce="abc" src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script nonce='abc'> >+ var url = "data:text/html,<script>alert(document.domain)<\/scri"+"pt>"; >+ >+ var i = document.createElement('iframe'); >+ i.src = url; >+ document.body.appendChild(i); >+ </script> >+ <script nonce='abc' async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-data-scheme.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-data-scheme.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..9cfb8aaa819489c76ee612ba20d3aeccaec51c65 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-data-scheme.html.sub.headers >@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Pragma: no-cache >+Set-Cookie: unsandboxed-data-scheme={{$id:uuid()}}; Path=/content-security-policy/inheritance/ >+Content-Security-Policy: script-src 'nonce-abc'; report-uri http://{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..d1a3a7e1442fec10e2b07cdbf68cc1cae5e55e01 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/w3c-import.log 
>@@ -0,0 +1,32 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/blob-url-in-child-frame-self-navigate-inherits.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/blob-url-in-main-window-self-navigate-inherits.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/document-write-iframe.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes-inherit-self.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-srcdoc-inheritance.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/inherited-csp-list-modifications-are-local.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-blob-scheme.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-blob-scheme.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-data-scheme.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/sandboxed-data-scheme.html.sub.headers 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-blob-scheme.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-blob-scheme.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-data-scheme.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/unsandboxed-data-scheme.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/window.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/window-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/window-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..98cf8822b24d9cb9032c9c96469c5298b3d20df0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/window-expected.txt >@@ -0,0 +1,6 @@ >+ >+PASS window.open() inherits policy. >+PASS `document.write` into `window.open()` inherits policy. >+FAIL window.open('blob:...') inherits policy. assert_equals: expected "error" but got "load" >+PASS window.open('javascript:...') inherits policy. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/window.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/window.html >new file mode 100644 >index 0000000000000000000000000000000000000000..86f2e4bc13f7fe811810d74550174a6acba57c68 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/window.html 
>@@ -0,0 +1,66 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+ >+<meta http-equiv="Content-Security-Policy" content="img-src 'none'"> >+ >+<body> >+ >+<script> >+ function wait_for_error_from_window(w, test) { >+ window.addEventListener('message', test.step_func(e => { >+ if (e.source != w) >+ return; >+ assert_equals(e.data, "error"); >+ w.close(); >+ test.done(); >+ })); >+ } >+ >+ async_test(t => { >+ var w = window.open(); >+ >+ var img = document.createElement('img'); >+ img.onerror = t.step_func_done(_ => w.close()); >+ img.onload = t.unreached_func(); >+ w.document.body.appendChild(img); >+ img.src = "/images/red-16x16.png"; >+ }, "window.open() inherits policy."); >+ >+ async_test(t => { >+ var w = window.open(); >+ >+ wait_for_error_from_window(w, t); >+ >+ w.document.write(` >+ <img src='/images/red-16x16.png' >+ onload='window.opener.postMessage("load", "*");' >+ onerror='window.opener.postMessage("error", "*");' >+ > >+ `); >+ }, "`document.write` into `window.open()` inherits policy."); >+ >+ async_test(t => { >+ var b = new Blob( >+ [` >+ <img src='${window.origin}/images/red-16x16.png' >+ onload='window.opener.postMessage("load", "*");' >+ onerror='window.opener.postMessage("error", "*");' >+ > >+ `], {type:"text/html"}); >+ >+ wait_for_error_from_window(window.open(URL.createObjectURL(b)), t); >+ }, "window.open('blob:...') inherits policy."); >+ >+ // Navigation to top-level `data:` is blocked. >+ >+ async_test(t => { >+ var url = >+ `javascript:"<img src='${window.origin}/images/red-16x16.png' >+ onload='window.opener.postMessage(\\"load\\", \\"*\\");' >+ onerror='window.opener.postMessage(\\"error\\", \\"*\\");' >+ >"`; >+ >+ wait_for_error_from_window(window.open(url), t); >+ }, "window.open('javascript:...') inherits policy."); >+</script> 
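Review bot: window-expected.txt commits "FAIL window.open('blob:...') inherits policy. assert_equals: expected "error" but got "load"", i.e. a blob: document opened with window.open() loads /images/red-16x16.png although the opener's policy is img-src 'none', while the <iframe src='blob:...'> case in the inheritance tests and the javascript: and document.write popup cases here pass. A blob: document in a new window not being covered by its creator's policy deserves a tracking bug referenced from TestExpectations rather than a bare FAIL baseline, and the expected file will need regenerating when it is fixed.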
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/dedicated-inheritance-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/dedicated-inheritance-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..3a9145c90195af6d5699846836cfe1a7cd742097 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/dedicated-inheritance-expected.txt 
>@@ -0,0 +1,41 @@ >+Blocked access to external URL http://www.localhost:8801/common/text-plain.txt?cross-origin-fetch >+Blocked access to external URL http://www.localhost:8801/common/text-plain.txt?cross-origin-fetch >+Blocked access to external URL http://www.localhost:8801/common/text-plain.txt?cross-origin-fetch >+Blocked access to external URL http://www.localhost:8801/common/text-plain.txt?cross-origin-xhr >+Blocked access to external URL http://www.localhost:8801/common/text-plain.txt?cross-origin-xhr >+Blocked access to external URL http://www.localhost:8801/common/text-plain.txt?cross-origin-xhr >+Blocked access to external URL http://www.localhost:8801/common/text-plain.txt?cross-origin-fetch >+Blocked access to external URL http://www.localhost:8801/common/text-plain.txt?cross-origin-fetch >+Blocked access to external URL http://www.localhost:8801/common/text-plain.txt?cross-origin-fetch >+CONSOLE MESSAGE: Refused to connect to http://www.localhost:8801/common/text-plain.txt?cross-origin-fetch because it does not appear in the connect-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Blocked by Content Security Policy. >+ >+Harness Error (FAIL), message = Error in remote http://localhost:8800/content-security-policy/inside-worker/support/connect-src-self.sub.js?pipe=sub|header(Content-Security-Policy,default-src%20%27none%27): NetworkError: A network error occurred. >+ >+PASS Filesystem and blob. 
>+TIMEOUT Same-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27none%27) Test timed out >+PASS Same-origin 'fetch()' in http: >+PASS Same-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20*) >+PASS Same-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,default-src%20*) >+PASS Same-origin XHR in http: >+PASS Same-origin XHR in http:?pipe=sub|header(Content-Security-Policy,default-src%20*) >+PASS Same-origin XHR in http:?pipe=sub|header(Content-Security-Policy,connect-src%20*) >+FAIL Same-origin XHR in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27none%27) assert_unreached: Reached unreachable code >+PASS Cross-origin 'fetch()' in http: >+PASS Cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20*) >+PASS Cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,default-src%20*) >+PASS Cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27none%27) >+PASS Cross-origin XHR in http: >+PASS Cross-origin XHR in http:?pipe=sub|header(Content-Security-Policy,default-src%20*) >+PASS Cross-origin XHR in http:?pipe=sub|header(Content-Security-Policy,connect-src%20*) >+PASS Cross-origin XHR in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27none%27) >+PASS Same-origin => cross-origin 'fetch()' in http: >+PASS Same-origin => cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,default-src%20*) >+PASS Same-origin => cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20*) >+PASS Same-origin => cross-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27none%27) >+PASS Same-origin 'fetch()' in blob: >+PASS Same-origin XHR in blob: >+PASS Cross-origin 'fetch()' in blob: >+PASS Cross-origin XHR in blob: >+PASS Same-origin => cross-origin 'fetch()' in blob: >+ 
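Review bot: the nine leading "Blocked access to external URL http://www.localhost:8801/..." lines come from the test runner refusing hosts other than the local test server, so at least nine of the cross-origin attempts in this baseline were decided by the runner and the "PASS Cross-origin ..." and "PASS Same-origin => cross-origin ..." rows cannot be read as evidence that connect-src blocked them without checking which ones. The rows that do say something are the same-origin ones: "TIMEOUT Same-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src 'none')", the matching "FAIL Same-origin XHR ... assert_unreached", and the harness NetworkError for the default-src 'none' worker all show WebKit enforcing the policy delivered with the worker script's own response, which is the opposite of what the test's "External URLs inherit policy" comment expects. Worth a sentence in the ChangeLog and a tracking bug so the FAIL rows are not later read as a regression.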
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/dedicated-inheritance.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/dedicated-inheritance.html >new file mode 100644 >index 0000000000000000000000000000000000000000..76f5a20f727fc837f6060b5cd121ed67e29f5c87 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/dedicated-inheritance.html 
>@@ -0,0 +1,44 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+ >+<meta http-equiv="content-security-policy" content="connect-src 'self'"> >+<script> >+ // External URLs inherit policy. >+ fetch_tests_from_worker(new Worker("./support/connect-src-self.sub.js")); >+ fetch_tests_from_worker(new Worker("./support/connect-src-self.sub.js?pipe=sub|header(Content-Security-Policy,connect-src 'none')")); >+ fetch_tests_from_worker(new Worker("./support/connect-src-self.sub.js?pipe=sub|header(Content-Security-Policy,connect-src *)")); >+ fetch_tests_from_worker(new Worker("./support/connect-src-self.sub.js?pipe=sub|header(Content-Security-Policy,default-src 'none')")); >+ fetch_tests_from_worker(new Worker("./support/connect-src-self.sub.js?pipe=sub|header(Content-Security-Policy,default-src *)")); >+ >+ async_test(t => { >+ fetch("./support/connect-src-self.sub.js") >+ .then(r => r.blob()) >+ .then(b => { >+ // 'blob:' URLs inherit policy. >+ var u = URL.createObjectURL(b); >+ fetch_tests_from_worker(new Worker(u)); >+ >+ if (!window.webkitRequestFileSystem) >+ return t.done(); >+ >+ >+ // 'filesystem:' urls inherit policy. >+ window.webkitRequestFileSystem(window.TEMPORARY, 1024*1024, fs => { >+ fs.root.getFile('dedicated-inheritance-worker.js', { create: true }, entry => { >+ entry.createWriter(w => { >+ w.onwriteend = _ => { >+ var u = entry.toURL(); >+ fetch_tests_from_worker(new Worker(u)); >+ >+ // explicit_done: yay. >+ t.done(); >+ }; >+ w.onerror = _ => t.unreached_func(); >+ w.write(b); >+ }); >+ }); >+ }); >+ }); >+ }, "Filesystem and blob."); >+</script> 
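Review bot: w.onerror = _ => t.unreached_func(); never fails the test: the arrow swallows the error event and unreached_func() only builds a function that is then discarded. It should read w.onerror = t.unreached_func('FileWriter error'). On WebKit this path is dead anyway because window.webkitRequestFileSystem is undefined and the test returns t.done() right after queueing the blob: worker, so "PASS Filesystem and blob." in the baseline covers only blob:. The fix belongs upstream.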
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/dedicated-script-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/dedicated-script-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..175df510b94e6a0a5dad70581ddd1e4c0470c39f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/dedicated-script-expected.txt 
>@@ -0,0 +1,20 @@ >+Blocked access to external URL http://www.localhost:8801/content-security-policy/support/var-a.js >+Blocked access to external URL http://www.localhost:8801/content-security-policy/support/var-a.js >+Blocked access to external URL http://www.localhost:8801/content-security-policy/support/var-a.js >+ >+Harness Error (FAIL), message = Error in remote http://localhost:8800/content-security-policy/inside-worker/support/script-src-self.sub.js?pipe=sub|header(Content-Security-Policy,default-src%20%27none%27): NetworkError: A network error occurred. >+ >+PASS Filesystem and blob. >+PASS Cross-origin `importScripts()` blocked in http: >+PASS Cross-origin `importScripts()` blocked in http:?pipe=sub|header(Content-Security-Policy,default-src%20*) >+FAIL `eval()` blocked in http: assert_throws: `eval()` should throw 'EvalError'. function "_ => eval("1 + 1")" did not throw >+PASS `eval()` blocked in http:?pipe=sub|header(Content-Security-Policy,default-src%20*) >+PASS Cross-origin `importScripts()` blocked in http:?pipe=sub|header(Content-Security-Policy,script-src%20*) >+PASS Cross-origin `importScripts()` blocked in blob: >+TIMEOUT `setTimeout([string])` blocked in http:?pipe=sub|header(Content-Security-Policy,default-src%20*) Test timed out >+PASS `eval()` blocked in blob: >+FAIL `setTimeout([string])` blocked in http: assert_equals: expected 0 but got 1 >+TIMEOUT `setTimeout([string])` blocked in blob: Test timed out >+PASS `eval()` blocked in http:?pipe=sub|header(Content-Security-Policy,script-src%20*) >+TIMEOUT `setTimeout([string])` blocked in http:?pipe=sub|header(Content-Security-Policy,script-src%20*) Test timed out >+ 
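Review bot: read together with dedicated-inheritance-expected.txt, the eval() rows here pin down where the worker policy comes from: "FAIL `eval()` blocked in http:" (no response header, eval runs), "PASS ... default-src *" and "PASS ... script-src *" (header without 'unsafe-eval', eval blocked) and "PASS `eval()` blocked in blob:" (local scheme, the owner's script-src 'self' 'nonce-a' blob: filesystem: inherited). So external worker scripts take the policy from their own response and only blob: inherits from the owner. The three "TIMEOUT `setTimeout([string])`" rows, including the blob: one where eval() is correctly blocked, point at something other than policy selection, and "expected 0 but got 1" in the http: row reads as the string timer having run; suggest a tracking bug for the setTimeout(string) results separate from the policy-source question. As in the inheritance baseline, the three "Blocked access to external URL .../var-a.js" lines mean most of the importScripts() PASS rows were blocked by the runner, not by CSP.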
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/dedicated-script.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/dedicated-script.html >new file mode 100644 >index 0000000000000000000000000000000000000000..d257038376bcecffa443a1c0097e380c2a0f1fe8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/dedicated-script.html 
>@@ -0,0 +1,44 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+ >+<meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-a' blob: filesystem:"> >+<script nonce="a"> >+ // External URLs inherit policy: the header delivered with the script resource is ignored. >+ fetch_tests_from_worker(new Worker("./support/script-src-self.sub.js")); >+ fetch_tests_from_worker(new Worker("./support/script-src-self.sub.js?pipe=sub|header(Content-Security-Policy,script-src 'none')")); >+ fetch_tests_from_worker(new Worker("./support/script-src-self.sub.js?pipe=sub|header(Content-Security-Policy,script-src *)")); >+ fetch_tests_from_worker(new Worker("./support/script-src-self.sub.js?pipe=sub|header(Content-Security-Policy,default-src 'none')")); >+ fetch_tests_from_worker(new Worker("./support/script-src-self.sub.js?pipe=sub|header(Content-Security-Policy,default-src *)")); >+ >+ async_test(t => { >+ fetch("./support/script-src-self.sub.js") >+ .then(r => r.blob()) >+ .then(b => { >+ // 'blob:' URLs inherit policy. >+ var u = URL.createObjectURL(b); >+ fetch_tests_from_worker(new Worker(u)); >+ >+ if (!window.webkitRequestFileSystem) >+ return t.done(); >+ >+ >+ // 'filesystem:' urls inherit policy. >+ window.webkitRequestFileSystem(window.TEMPORARY, 1024*1024, fs => { >+ fs.root.getFile('dedicated-script-worker.js', { create: true }, entry => { >+ entry.createWriter(w => { >+ w.onwriteend = _ => { >+ var u = entry.toURL(); >+ fetch_tests_from_worker(new Worker(u)); >+ >+ // explicit_done: yay. >+ t.done(); >+ }; >+ w.onerror = _ => t.unreached_func(); >+ w.write(b); >+ }); >+ }); >+ }); >+ }); >+ }, "Filesystem and blob."); >+</script> 
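Review bot: `w.onerror = _ => t.unreached_func();` in dedicated-script.html is a no-op: `unreached_func()` only returns a function, which is never called, so a FileWriter error is swallowed and the test hangs until the harness timeout instead of failing. It should be `w.onerror = t.unreached_func("FileWriter error.");`. Where `window.webkitRequestFileSystem` is absent the `filesystem:` branch returns early, so only the five HTTP workers and the `blob:` worker contribute results; the fix belongs upstream, not in the imported copy.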
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/shared-inheritance-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/shared-inheritance-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..4d452de00e7a22dda2c274af4906947eb2eafae0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/shared-inheritance-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Untitled ReferenceError: Can't find variable: SharedWorker >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/shared-inheritance.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/shared-inheritance.html >new file mode 100644 >index 0000000000000000000000000000000000000000..6bf684c385b14f480f3b956ed34b7881e4853efa >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/shared-inheritance.html >@@ -0,0 +1,11 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+ >+<meta http-equiv="content-security-policy" content="connect-src 'self'"> >+<script> >+ // SharedWorkers do not inherit policy. >+ fetch_tests_from_worker(new SharedWorker("./support/connect-src-allow.sub.js")); >+ fetch_tests_from_worker(new SharedWorker("./support/connect-src-self.sub.js?pipe=sub|header(Content-Security-Policy,connect-src 'self')")); >+ fetch_tests_from_worker(new SharedWorker("./support/connect-src-self.sub.js?pipe=sub|header(Content-Security-Policy,default-src 'self')")); >+</script> 
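Review bot: the shared-inheritance baseline is `FAIL Untitled ReferenceError: Can't find variable: SharedWorker`, i.e. the first `new SharedWorker(...)` throws at top level and none of the three sub-tests in shared-inheritance.html ever run. The ChangeLog says tests for unsupported features are skipped via TestExpectations; this one should get a Skip entry (or `[ Failure ]` with a bug) rather than a committed ReferenceError baseline, which will change shape the moment SharedWorker becomes available.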
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/shared-script-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/shared-script-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..4d452de00e7a22dda2c274af4906947eb2eafae0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/shared-script-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Untitled ReferenceError: Can't find variable: SharedWorker >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/shared-script.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/shared-script.html >new file mode 100644 >index 0000000000000000000000000000000000000000..6065135d9403ada1928a0b666ec195caa3dde440 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/shared-script.html >@@ -0,0 +1,11 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+ >+<meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-a' blob: filesystem:"> >+<script nonce="a"> >+ // SharedWorker URLs do not inherit policy. >+ fetch_tests_from_worker(new SharedWorker("./support/script-src-allow.sub.js")); >+ fetch_tests_from_worker(new SharedWorker("./support/script-src-self.sub.js?pipe=sub|header(Content-Security-Policy,script-src 'self'")); >+ fetch_tests_from_worker(new SharedWorker("./support/script-src-self.sub.js?pipe=sub|header(Content-Security-Policy,default-src 'self'")); >+</script> 
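Review bot: the last two worker URLs in shared-script.html are malformed: in `?pipe=sub|header(Content-Security-Policy,script-src 'self'"` the string literal ends before the `header(` call is closed, so the `)` that follows belongs to `new SharedWorker(` and the pipe expression is unbalanced (compare the well-formed `header(Content-Security-Policy,connect-src 'self')` in shared-inheritance.html). That is an upstream test bug and, per the import log, has to go through a WPT pull request rather than an edit here. The accompanying baseline is the same `ReferenceError: Can't find variable: SharedWorker` as shared-inheritance and should be handled the same way in TestExpectations.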
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/connect-src-allow.sub.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/connect-src-allow.sub.js >new file mode 100644 >index 0000000000000000000000000000000000000000..7ba44e53634311ec1100a5a3aa2565ec9248ba00 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/connect-src-allow.sub.js 
>@@ -0,0 +1,53 @@ >+importScripts("{{location[server]}}/resources/testharness.js"); >+importScripts("{{location[server]}}/content-security-policy/support/testharness-helper.js"); >+ >+// Same-origin >+async_test(t => { >+ var url = "{{location[server]}}/content-security-policy/support/resource.py?same-origin-fetch"; >+ assert_no_csp_event_for_url(t, url); >+ >+ fetch(url) >+ .then(t.step_func_done(r => assert_equals(r.status, 200))); >+}, "Same-origin 'fetch()' in " + self.location.protocol + self.location.search); >+ >+async_test(t => { >+ var url = "{{location[server]}}/content-security-policy/support/resource.py?same-origin-xhr"; >+ assert_no_csp_event_for_url(t, url); >+ >+ var xhr = new XMLHttpRequest(); >+ xhr.open("GET", url); >+ xhr.onload = t.step_func_done(); >+ xhr.onerror = t.unreached_func(); >+ xhr.send(); >+}, "Same-origin XHR in " + self.location.protocol + self.location.search); >+ >+// Cross-origin >+async_test(t => { >+ var url = "http://{{domains[www]}}:{{ports[http][1]}}/content-security-policy/support/resource.py?cross-origin-fetch"; >+ assert_no_csp_event_for_url(t, url); >+ >+ fetch(url) >+ .then(t.step_func_done(r => assert_equals(r.status, 200))); >+}, "Cross-origin 'fetch()' in " + self.location.protocol + self.location.search); >+ >+async_test(t => { >+ var url = "http://{{domains[www]}}:{{ports[http][1]}}/content-security-policy/support/resource.py?cross-origin-xhr"; >+ assert_no_csp_event_for_url(t, url); >+ >+ var xhr = new XMLHttpRequest(); >+ xhr.open("GET", url); >+ xhr.onload = t.step_func_done(); >+ xhr.onerror = t.unreached_func(); >+ xhr.send(); >+}, "Cross-origin XHR in " + self.location.protocol + self.location.search); >+ >+// Same-origin redirecting to cross-origin >+async_test(t => { >+ var url = "{{location[server]}}/common/redirect-opt-in.py?status=307&location=http://{{domains[www]}}:{{ports[http][1]}}/content-security-policy/support/resource.py?cross-origin-fetch"; >+ assert_no_csp_event_for_url(t, url); >+ >+ 
fetch(url) >+ .then(t.step_func_done(r => assert_equals(r.status, 200))); >+}, "Same-origin => cross-origin 'fetch()' in " + self.location.protocol + self.location.search); >+ >+done(); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/connect-src-self.sub.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/connect-src-self.sub.js >new file mode 100644 >index 0000000000000000000000000000000000000000..8c533abdda3f555e9ea17b5a92cb0387a48d028e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/connect-src-self.sub.js 
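Review bot: in the `Same-origin => cross-origin 'fetch()'` case of connect-src-allow.sub.js, `assert_no_csp_event_for_url(t, url)` is registered only for the `redirect-opt-in.py` URL, so a violation event reported for the post-redirect `resource.py?cross-origin-fetch` URL would not fail the test. Register the expectation for the redirect target as well; the other four cases already check the exact URL that is fetched.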
>@@ -0,0 +1,59 @@ >+importScripts("{{location[server]}}/resources/testharness.js"); >+importScripts("{{location[server]}}/content-security-policy/support/testharness-helper.js"); >+ >+// Same-origin >+async_test(t => { >+ var url = "{{location[server]}}/common/text-plain.txt?same-origin-fetch"; >+ assert_no_csp_event_for_url(t, url); >+ >+ fetch(url) >+ .then(t.step_func_done(r => assert_equals(r.status, 200))); >+}, "Same-origin 'fetch()' in " + self.location.protocol + self.location.search); >+ >+async_test(t => { >+ var url = "{{location[server]}}/common/text-plain.txt?same-origin-xhr"; >+ assert_no_csp_event_for_url(t, url); >+ >+ var xhr = new XMLHttpRequest(); >+ xhr.open("GET", url); >+ xhr.onload = t.step_func_done(); >+ xhr.onerror = t.unreached_func(); >+ xhr.send(); >+}, "Same-origin XHR in " + self.location.protocol + self.location.search); >+ >+// Cross-origin >+async_test(t => { >+ var url = "http://{{domains[www]}}:{{ports[http][1]}}/common/text-plain.txt?cross-origin-fetch"; >+ >+ Promise.all([ >+ // TODO(mkwst): A 'securitypolicyviolation' event should fire. >+ fetch(url) >+ .catch(t.step_func(e => assert_true(e instanceof TypeError))) >+ ]).then(t.step_func_done()); >+}, "Cross-origin 'fetch()' in " + self.location.protocol + self.location.search); >+ >+async_test(t => { >+ var url = "http://{{domains[www]}}:{{ports[http][1]}}/common/text-plain.txt?cross-origin-xhr"; >+ >+ Promise.all([ >+ // TODO(mkwst): A 'securitypolicyviolation' event should fire. 
>+ new Promise((resolve, reject) => { >+ var xhr = new XMLHttpRequest(); >+ xhr.open("GET", url); >+ xhr.onload = t.step_func(_ => reject("xhr.open should have thrown.")); >+ xhr.onerror = t.step_func(resolve); >+ xhr.send(); >+ }) >+ ]).then(t.step_func_done()); >+}, "Cross-origin XHR in " + self.location.protocol + self.location.search); >+ >+// Same-origin redirecting to cross-origin >+async_test(t => { >+ var url = "{{location[server]}}/common/redirect-opt-in.py?status=307&location=http://{{domains[www]}}:{{ports[http][1]}}/common/text-plain.txt?cross-origin-fetch"; >+ >+ // TODO(mkwst): A 'securitypolicyviolation' event should fire. >+ fetch(url) >+ .catch(t.step_func_done(e => assert_true(e instanceof TypeError))) >+}, "Same-origin => cross-origin 'fetch()' in " + self.location.protocol + self.location.search); >+ >+done(); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/script-src-allow.sub.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/script-src-allow.sub.js >new file mode 100644 >index 0000000000000000000000000000000000000000..1f7d7ab91335cb3ca8d122463e42003d9927e9d4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/script-src-allow.sub.js 
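Review bot: the `Cross-origin 'fetch()'` test in connect-src-self.sub.js cannot fail when the policy is not enforced: `fetch(url).catch(...)` inside `Promise.all` resolves normally if the fetch succeeds, and `t.step_func_done()` then marks the test PASS. Use a rejection-only path, e.g. `fetch(url).then(t.unreached_func("fetch should have been blocked"), t.step_func(e => assert_true(e instanceof TypeError)))`. The `TODO(mkwst)` comments also mean none of the three cases assert the `securitypolicyviolation` event, so a CORS or network failure is indistinguishable from a CSP block; the already-imported helper's `waitUntilCSPEventForURL` would make that check explicit. Minor: the reject message `xhr.open should have thrown.` is misleading, since the block surfaces in the error event after `send()`, not in `open()`.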
>@@ -0,0 +1,18 @@ >+importScripts("{{location[server]}}/resources/testharness.js"); >+ >+test(t => { >+ importScripts("http://{{domains[www]}}:{{ports[http][1]}}/content-security-policy/support/testharness-helper.js"); >+}, "Cross-origin `importScripts()` not blocked in " + self.location.protocol + self.location.search); >+ >+test(t => { >+ assert_equals(2, eval("1+1")); >+ assert_equals(2, (new Function("return 1+1;"))()); >+}, "`eval()` not blocked in " + self.location.protocol + self.location.search); >+ >+async_test(t => { >+ self.callback = t.step_func_done(); >+ >+ setTimeout("self.callback();", 1); >+}, "`setTimeout([string])` not blocked in " + self.location.protocol + self.location.search); >+ >+done(); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/script-src-self.sub.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/script-src-self.sub.js >new file mode 100644 >index 0000000000000000000000000000000000000000..b0d557645da187864fa446c0ac3ecd552a7041ff >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/script-src-self.sub.js 
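Review bot: style point in script-src-allow.sub.js: `assert_equals(2, eval("1+1"))` and `assert_equals(2, (new Function("return 1+1;"))())` pass the expected value first, whereas testharness `assert_equals(actual, expected)` reports the first argument as the actual value, so a failure message would read backwards. The first test also has no assertion of its own and passes merely because the cross-origin `importScripts()` did not throw; checking a symbol the helper defines, e.g. `assert_equals(typeof assert_no_csp_event_for_url, "function")`, would make the intent visible.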
>@@ -0,0 +1,31 @@ >+importScripts("{{location[server]}}/resources/testharness.js"); >+importScripts("{{location[server]}}/content-security-policy/support/testharness-helper.js"); >+ >+test(t => { >+ self.a = false; >+ assert_throws("NetworkError", >+ _ => importScripts("http://{{domains[www]}}:{{ports[http][1]}}/content-security-policy/support/var-a.js"), >+ "importScripts should throw `NetworkError`"); >+ assert_false(self.a); >+}, "Cross-origin `importScripts()` blocked in " + self.location.protocol + self.location.search); >+ >+test(t => { >+ assert_throws(EvalError(), >+ _ => eval("1 + 1"), >+ "`eval()` should throw 'EvalError'."); >+ >+ assert_throws(EvalError(), >+ _ => new Function("1 + 1"), >+ "`new Function()` should throw 'EvalError'."); >+}, "`eval()` blocked in " + self.location.protocol + self.location.search); >+ >+async_test(t => { >+ waitUntilCSPEventForEval(t, 27) >+ .then(t.step_func_done()); >+ >+ self.setTimeoutTest = t; >+ var result = setTimeout("(self.setTimeoutTest.unreached_func('setTimeout([string]) should not execute.'))()", 1); >+ assert_equals(result, 0); >+}, "`setTimeout([string])` blocked in " + self.location.protocol + self.location.search); >+ >+done(); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..5a5ada1ee2c067b6515a174891327fa9b2050b68 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/w3c-import.log 
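Review bot: `waitUntilCSPEventForEval(t, 27)` in script-src-self.sub.js hard-codes the source line of the `setTimeout("...")` call (it is line 27 of this file), so any edit above it, including a reformat, silently breaks the event match; at minimum the constant needs a comment saying what it is. The dedicated-script.html baseline shows `assert_equals(result, 0)` failing with `expected 0 but got 1`, i.e. WebKit hands back a timer id even though the string handler is blocked, and the other instances then time out waiting for the violation event; both deserve a tracking bug in TestExpectations. `assert_throws(EvalError(), ...)` passes an instance rather than the `"EvalError"` name; testharness accepts it, but it is inconsistent with the `"NetworkError"` form used a few lines above.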
>@@ -0,0 +1,20 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/connect-src-allow.sub.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/connect-src-self.sub.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/script-src-allow.sub.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/script-src-self.sub.js >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..dc5bb8421fc3b0f843a90ef1316dafcf414473d9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/w3c-import.log 
>@@ -0,0 +1,20 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/dedicated-inheritance.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/dedicated-script.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/shared-inheritance.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/shared-script.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_1-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_1-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..b166048fe6b5566933845857a113f9defd8d8e28 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_1-expected.txt >@@ -0,0 +1,9 @@ >+Video element src attribute must match src list - positive test >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+FAIL In-policy async video src assert_unreached: Media error handler should be triggered for non-allowed domain. Reached unreachable code >+FAIL In-policy async video source element assert_unreached: Media error handler should be triggered for non-allowed domain. Reached unreachable code >+NOTRUN Should not fire policy violation events >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_1.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_1.html >new file mode 100644 >index 0000000000000000000000000000000000000000..8fd094e95537d7325484df5836bf27a759c2c8ba >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_1.html >@@ -0,0 +1,48 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Video element src attribute must match src list - positive test</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self'"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <h1>Video element src attribute must match src list - positive test</h1> >+ <div id='log'></div> >+ >+ <script> >+ var src_test = async_test("In-policy async video src"); >+ var source_test = async_test("In-policy async video source element"); >+ var t_spv = async_test("Should not fire policy violation events"); >+ var test_count = 2; >+ window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have fired any event")); >+ >+ function media_loaded(t) { >+ t.done(); >+ if (--test_count <= 0) { >+ t_spv.done(); >+ } >+ } >+ >+ function media_error_handler(t) { >+ t.step( function () { >+ assert_unreached("Media error handler should be triggered for non-allowed domain."); >+ }); >+ t.done(); >+ } >+ </script> >+ >+ <video id="videoObject" width="320" height="240" controls >+ onloadeddata="media_loaded(source_test)"> >+ <source id="videoSourceObject" >+ type="video/ogg" >+ onerror="media_error_handler(source_test)" >+ src="/media/A4.ogv"> >+ </video> >+ <video id="videoObject2" width="320" height="240" controls >+ onerror="media_error_handler(src_test)" >+ onloadeddata="media_loaded(src_test)" >+ src="/media/A4.ogv"> >+ >+</body> >+</html> 
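Review bot: media-src-7_1.html is the positive test (`media-src 'self'` with same-origin `/media/A4.ogv`), yet its baseline records `FAIL ... Media error handler should be triggered for non-allowed domain.` for both elements and no `CONSOLE MESSAGE: Refused to load ...` line, unlike the negative baselines, so the error handler is firing for a reason other than CSP (the resource failing to load or decode) and the test cannot tell the two apart. That wants a bug reference in TestExpectations rather than a frozen FAIL. Two nits for upstream: the `assert_unreached` text in `media_error_handler` is copied from the negative test and is wrong here (the domain is allowed), and the second `<video id="videoObject2" ...>` element is never closed.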
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_1_2.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_1_2.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..4be3023e2bfa6e5137f6fb2a6de4e76a673c51cc >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_1_2.sub-expected.txt >@@ -0,0 +1,10 @@ >+CONSOLE MESSAGE: Refused to load http://www2.localhost:8800/media/A4.ogv because it does not appear in the media-src directive of the Content Security Policy. >+Video element src attribute must match src list - negative test >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Disallowed async video src >+PASS Disallowed async video source element >+NOTRUN Test that securitypolicyviolation events are fired >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_1_2.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_1_2.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a293d008b35b4ff241555cd6978fab92a3d02812 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_1_2.sub.html 
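Review bot: the `CONSOLE MESSAGE: Refused to load http://www2.localhost:8800/media/A4.ogv ...` line in the media-src-7_1_2 baseline proves WebKit enforced `media-src`, but `Test that securitypolicyviolation events are fired` is NOTRUN and the harness times out: no `securitypolicyviolation` event is dispatched for the blocked media loads (a wrong `blockedURI` would have produced a FAIL from the `assert_equals` in the listener, not NOTRUN). That is a reporting gap in WebKit and deserves its own bug; the same pattern repeats in the 7_2_2 and 7_3_2 baselines.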
>@@ -0,0 +1,57 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Video element src attribute must match src list - negative test</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <h1>Video element src attribute must match src list - negative test</h1> >+ <div id='log'></div> >+ >+ <script> >+ var src_test = async_test("Disallowed async video src"); >+ var source_test = async_test("Disallowed async video source element"); >+ var t_spv = async_test("Test that securitypolicyviolation events are fired"); >+ var test_count = 2; >+ window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) { >+ assert_equals(e.violatedDirective, "media-src"); >+ assert_equals(e.blockedURI, mediaURL); >+ if (--test_count <= 0) { >+ t_spv.done(); >+ } >+ })); >+ >+ // we assume tests are run from 'hostname' and 'www.hostname' or 'www2.hostname' is a valid alias >+ var mediaURL = location.protocol + "//{{domains[www2]}}:{{ports[http][0]}}/media/A4.ogv"; >+ >+ function media_loaded(t) { >+ t.step( function () { >+ assert_unreached("Media error handler should be triggered for non-allowed domain."); >+ }); >+ t.done(); >+ } >+ >+ function media_error_handler(t) { >+ t.done(); >+ } >+ </script> >+ >+ <video id="videoObject" width="320" height="240" controls >+ onloadeddata="media_loaded(source_test)"> >+ <source id="videoSourceObject" >+ type="video/ogg" >+ onerror="media_error_handler(source_test)"> >+ </video> >+ <video id="videoObject2" width="320" height="240" controls >+ onerror="media_error_handler(src_test)" >+ onloadeddata="media_loaded(src_test)"> >+ >+ <script> >+ document.getElementById("videoSourceObject").src = mediaURL; >+ document.getElementById("videoObject2").src = mediaURL; >+ </script> >+ >+</body> >+</html> 
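Review bot: the two element tests in media-src-7_1_2.sub.html only check that `onloadeddata` does not fire and `onerror` does, so they pass for any load failure, CSP-related or not; the only assertion that actually ties the failure to the policy is the `securitypolicyviolation` listener (`violatedDirective == "media-src"`, `blockedURI == mediaURL`), and that is the one left NOTRUN in the baseline. `var mediaURL` is declared after the listener that reads it and works only through hoisting; moving the declaration above the listener would remove the use-before-init look. As in 7_1.html, `<video id="videoObject2" ...>` has no closing tag.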
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_2-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_2-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..01c9d34bc327d550e8a7a2edfeb17533b77e2592 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_2-expected.txt >@@ -0,0 +1,9 @@ >+Audio element src attribute must match src list - positive test >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+FAIL In-policy audio src assert_unreached: Media error handler should be triggered for non-allowed domain. Reached unreachable code >+FAIL In-policy audio source element assert_unreached: Media error handler should be triggered for non-allowed domain. Reached unreachable code >+NOTRUN Should not fire policy violation events >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_2.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_2.html >new file mode 100644 >index 0000000000000000000000000000000000000000..0486c8738dac2662981fcb63ef40d8f2369972c3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_2.html 
>@@ -0,0 +1,48 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Audio element src attribute must match src list - positive test</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <h1>Audio element src attribute must match src list - positive test</h1> >+ <div id='log'></div> >+ >+ <script> >+ var src_test = async_test("In-policy audio src"); >+ var source_test = async_test("In-policy audio source element"); >+ var t_spv = async_test("Should not fire policy violation events"); >+ var test_count = 2; >+ window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have fired any event")); >+ >+ function media_loaded(t) { >+ t.done(); >+ if (--test_count <= 0) { >+ t_spv.done(); >+ } >+ } >+ >+ function media_error_handler(t) { >+ t.step( function () { >+ assert_unreached("Media error handler should be triggered for non-allowed domain."); >+ }); >+ t.done(); >+ } >+ </script> >+ >+ <audio id="audioObject" width="320" height="240" controls >+ onloadeddata="media_loaded(source_test)"> >+ <source id="audioSourceObject" >+ type="audio/ogg" >+ onerror="media_error_handler(source_test)" >+ src="/media/sound_5.oga"> >+ </audio> >+ <audio id="audioObject2" width="320" height="240" controls >+ onerror="media_error_handler(src_test)" >+ onloadeddata="media_loaded(src_test)" >+ src="/media/sound_5.oga"> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_2_2.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_2_2.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..1b2423db3ba008eec66536b011ec4a346d3e8ee7 >--- /dev/null 
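Review bot: media-src-7_2.html has the same issues as the video variant: the positive test's baseline records FAIL from `media_error_handler` with no `Refused to load` console message, so the failure is not a CSP block and should be tracked by bug rather than frozen; the `assert_unreached` text about a non-allowed domain is wrong for an allowed URL; `width`/`height` attributes on `<audio>` are meaningless; and the second `<audio id="audioObject2" ...>` element is unclosed.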
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_2_2.sub-expected.txt >@@ -0,0 +1,10 @@ >+CONSOLE MESSAGE: Refused to load http://www2.localhost:8800/media/sound_5.oga because it does not appear in the media-src directive of the Content Security Policy. >+Audio element src attribute must match src list - negative test >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Disallaowed audio src >+PASS Disallowed audio source element >+NOTRUN Test that securitypolicyviolation events are fired >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_2_2.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_2_2.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a1f29085afe69fd7179ad4454f6141327ce2b2b1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_2_2.sub.html 
>@@ -0,0 +1,57 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Audio element src attribute must match src list - negative test</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <h1>Audio element src attribute must match src list - negative test</h1> >+ <div id='log'></div> >+ >+ <script> >+ var src_test = async_test("Disallaowed audio src"); >+ var source_test = async_test("Disallowed audio source element"); >+ var t_spv = async_test("Test that securitypolicyviolation events are fired"); >+ var test_count = 2; >+ window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) { >+ assert_equals(e.violatedDirective, "media-src"); >+ assert_equals(e.blockedURI, mediaURL); >+ if (--test_count <= 0) { >+ t_spv.done(); >+ } >+ })); >+ >+ // we assume tests are run from 'hostname' and 'www.hostname' or 'www2.hostname' is a valid alias >+ var mediaURL = location.protocol + "//{{domains[www2]}}:{{ports[http][0]}}/media/sound_5.oga"; >+ >+ function media_loaded(t) { >+ t.step( function () { >+ assert_unreached("Media error handler should be triggered for non-allowed domain."); >+ }); >+ t.done(); >+ } >+ >+ function media_error_handler(t) { >+ t.done(); >+ } >+ </script> >+ >+ <audio id="audioObject" width="320" height="240" controls >+ onloadeddata="media_loaded(source_test)"> >+ <source id="audioSourceObject" >+ type="audio/ogg" >+ onerror="media_error_handler(source_test)"> >+ </audio> >+ <audio id="audioObject2" width="320" height="240" controls >+ onerror="media_error_handler(src_test)" >+ onloadeddata="media_loaded(src_test)"> >+ >+ <script> >+ document.getElementById("audioSourceObject").src = mediaURL; >+ document.getElementById("audioObject2").src = mediaURL; >+ </script> >+ >+</body> >+</html> 
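Review bot: `async_test("Disallaowed audio src")` in media-src-7_2_2.sub.html has a typo in the test name that is now frozen into the baseline (`PASS Disallaowed audio src` in media-src-7_2_2.sub-expected.txt); fixing it upstream will force a regenerated expectation, so it is cheaper to get it corrected before this import lands. Otherwise the file mirrors 7_1_2.sub.html, including the unclosed second `<audio>` element and the `mediaURL` read-before-declaration.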
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_3.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_3.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..3c4ef9494d8aa157f53cbc2fd08315f12c1f12e6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_3.sub-expected.txt >@@ -0,0 +1,8 @@ >+Video track src attribute must match src list - positive test >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN In-policy track element >+NOTRUN Should not fire policy violation events >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_3.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_3.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..05aa134e820eaf94b835d2e3073421a1923bc5b8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_3.sub.html 
>@@ -0,0 +1,53 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Video track src attribute must match src list - positive test</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self' {{domains[www]}}:{{ports[http][0]}};"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <h1>Video track src attribute must match src list - positive test</h1> >+ <div id='log'></div> >+ >+ <script> >+ var source_test = async_test("In-policy track element"); >+ >+ var trackURL = location.protocol + "//{{domains[www]}}:{{ports[http][0]}}/media/foo.vtt"; >+ >+ var t_spv = async_test("Should not fire policy violation events"); >+ var test_count = 1; >+ window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have fired any event")); >+ >+ function media_loaded(t) { >+ t.done(); >+ if (--test_count <= 0) { >+ t_spv.done(); >+ } >+ } >+ >+ function media_error_handler(t) { >+ t.step( function () { >+ assert_unreached("Error handler called for allowed track source."); >+ }); >+ t.done(); >+ } >+ </script> >+ >+ <video id="videoObject" width="320" height="240" controls >+ onloadeddata="media_loaded(source_test)" crossorigin> >+ <source id="audioSourceObject" >+ type="audio/ogg" >+ src="/media/A4.ogv"> >+ <track id="trackObject" >+ kind="subtitles" >+ srclang="en" >+ label="English" >+ onerror="media_error_handler(source_test)"> >+ </video> >+ <script> >+ document.getElementById("trackObject").src = trackURL; >+ </script> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_3_2.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_3_2.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..0aab27df778b247c7942c38ad5f097d478e3b347 >--- /dev/null 
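Review bot: `<source id="audioSourceObject" type="audio/ogg" src="/media/A4.ogv">` inside the `<video>` in media-src-7_3.sub.html looks copy-pasted from the audio tests: the id and MIME type say audio while the file is the `.ogv` video used by 7_1, so type-based source selection may not match the only source. The baseline has both tests NOTRUN with a harness timeout, which is consistent with `loadeddata` never firing; this test cannot show whether that is the source selection or the track load. The bare `crossorigin` attribute (equivalent to `anonymous`) is required for the cross-origin `foo.vtt` track and is correctly present.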
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_3_2.sub-expected.txt >@@ -0,0 +1,8 @@ >+Video track src attribute must match src list - negative test >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+FAIL Disallowed track element onerror handler fires. assert_unreached: Onerror event never fired for track element. Reached unreachable code >+NOTRUN Test that securitypolicyviolation events are fired >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_3_2.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_3_2.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..6abe850624f9bbc77f515c41d0042c234ae414e9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_3_2.sub.html 
>@@ -0,0 +1,72 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Video track src attribute must match src list - negative test</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <h1>Video track src attribute must match src list - negative test</h1> >+ <div id='log'></div> >+ >+ <script> >+ var source_test = >+ async_test("Disallowed track element onerror handler fires."); >+ >+ var trackURL = location.protocol + "//{{domains[www]}}:{{ports[http][0]}}/media/foo.vtt"; >+ >+ var t_spv = async_test("Test that securitypolicyviolation events are fired"); >+ var test_count = 1; >+ window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) { >+ assert_equals(e.violatedDirective, "media-src"); >+ assert_equals(e.blockedURI, trackURL); >+ if (--test_count <= 0) { >+ t_spv.done(); >+ } >+ })); >+ >+ >+ function media_loaded(t) { >+ t.step( function () { >+ assert_unreached("Disllowed track source loaded."); >+ }); >+ t.done(); >+ } >+ >+ function media_error_handler(t) { >+ t.done(); >+ } >+ </script> >+ >+ <video id="videoObject" width="320" height="240" controls >+ onerror="media_error_handler(source_test)" >+ crossorigin> >+ <source id="audioSourceObject" >+ type="audio/ogg" >+ src="/media/A4.ogv"> >+ <track default >+ id="trackObject" >+ kind="subtitles" >+ srclang="en" >+ label="English" >+ onerror="media_error_handler(source_test)" >+ onload="media_loaded(source_test)" >+ onloadeddata="media_loaded(source_test)"> >+ </video> >+ <script> >+ document.getElementById("trackObject").src = trackURL; >+ source_test.step(function() { >+ source_test.set_status(source_test.FAIL); >+ }); >+ >+ setTimeout(function() { >+ if(source_test.phase != source_test.phases.COMPLETE) { >+ source_test.step( function () { assert_unreached("Onerror event never fired for track 
element."); }); >+ source_test.done(); >+ } >+ }, 2 * 1000); >+ </script> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..e0acb3473949d388f12a30fac59905ed6cf87358 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-blocked.sub-expected.txt >@@ -0,0 +1,13 @@ >+CONSOLE MESSAGE: Refused to load http://www2.localhost:8800/media/A4.ogv because it does not appear in the media-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://www2.localhost:8800/media/sound_5.oga because it does not appear in the media-src directive of the Content Security Policy. >+Video element src attribute must match src list - 'none' negative test >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Disallowed async video src >+PASS Disallowed async video source element >+PASS Disallaowed audio src >+PASS Disallowed audio source element >+NOTRUN Test that securitypolicyviolation events are fired >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..10de725e954aeacb90a75806c83dacbcb886daa0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-blocked.sub.html 
>@@ -0,0 +1,76 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Video element src attribute must match src list - 'none' negative test</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'none'; connect-src 'self';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <h1>Video element src attribute must match src list - 'none' negative test</h1> >+ <div id='log'></div> >+ >+ <script> >+ var v_src_test = async_test("Disallowed async video src"); >+ var v_source_test = async_test("Disallowed async video source element"); >+ var a_src_test = async_test("Disallaowed audio src"); >+ var a_source_test = async_test("Disallowed audio source element"); >+ >+ // we assume tests are run from 'hostname' and 'www.hostname' or 'www2.hostname' is a valid alias >+ var a_mediaURL = location.protocol + "//{{domains[www2]}}:{{ports[http][0]}}/media/sound_5.oga"; >+ >+ var v_mediaURL = location.protocol + "//{{domains[www2]}}:{{ports[http][0]}}/media/A4.ogv"; >+ >+ var t_spv = async_test("Test that securitypolicyviolation events are fired"); >+ var test_count = 4; >+ window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) { >+ assert_equals(e.violatedDirective, "media-src"); >+ assert_true(e.blockedURI == a_mediaURL || e.blockedURI == v_mediaURL, "Unexpected blockedURI"); >+ if (--test_count <= 0) { >+ t_spv.done(); >+ } >+ })); >+ >+ function media_loaded(t) { >+ t.step( function () { >+ assert_unreached("Media error handler should be triggered for non-allowed domain."); >+ }); >+ t.done(); >+ } >+ >+ function media_error_handler(t) { >+ t.done(); >+ } >+ </script> >+ >+ <video id="videoObject" width="320" height="240" controls >+ onloadeddata="media_loaded(v_source_test)"> >+ <source id="videoSourceObject" >+ type="video/ogg" >+ onerror="media_error_handler(v_source_test)"> >+ </video> >+ <video id="videoObject2" width="320" 
height="240" controls >+ onerror="media_error_handler(v_src_test)" >+ onloadeddata="media_loaded(v_src_test)"> >+ >+ <script> >+ document.getElementById("videoSourceObject").src = v_mediaURL; >+ document.getElementById("videoObject2").src = v_mediaURL; >+ </script> >+ >+ <audio id="audioObject" width="320" height="240" controls >+ onloadeddata="media_loaded(a_source_test)"> >+ <source id="audioSourceObject" >+ type="audio/ogg" >+ onerror="media_error_handler(a_source_test)"> >+ </audio> >+ <audio id="audioObject2" width="320" height="240" controls >+ onerror="media_error_handler(a_src_test)" >+ onloadeddata="media_loaded(a_src_test)"> >+ >+ <script> >+ document.getElementById("audioSourceObject").src = a_mediaURL; >+ document.getElementById("audioObject2").src = a_mediaURL; >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-redir-bug.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-redir-bug.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..70acef8d1b25a1b01a43c900b79f83353c181711 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-redir-bug.sub-expected.txt 
>@@ -0,0 +1,15 @@ >+Blocked access to external URL http://www2.localhost:8800/media/A4.ogv >+Blocked access to external URL http://www2.localhost:8800/media/A4.ogv >+Video element in media-src list - redirect test >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+FAIL In-policy async video src assert_unreached: Media error handler shouldn't be triggered for allowed domain. Reached unreachable code >+FAIL in-policy async video src w/redir assert_unreached: Media error handler shouldn't be triggered for allowed domain. Reached unreachable code >+FAIL In-policy async video source element assert_unreached: Media error handler shouldn't be triggered for allowed domain. Reached unreachable code >+NOTRUN In-policy async video source element w/redir >+NOTRUN Should not fire policy violation events >+This test tests a buggy interaction in Chrome 46. Two hosts (self and www2) are both allowed as media-src, but only one (self) is allowed for connect-src. If a video src starts on an allowed host (self), and is redirected to another allowed media-src host, it should succeed. But a bug causes the redirect to be done in a fetch context to which connect-src is being applied instead, so the load is blocked. (This test passes in Firefox 45, modulo an event listener not firing.) >+ >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-redir-bug.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-redir-bug.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a0708bf5ed3c17cb9b1ffd262b11ea5fc4ac8576 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-redir-bug.sub.html 
>@@ -0,0 +1,71 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Video element src attribute must match src list - positive test</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src http://{{domains[www2]}}:{{ports[http][0]}}/ 'self'; connect-src 'self';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <h1>Video element in media-src list - redirect test</h1> >+ <div id='log'></div> >+ >+ <p>This test tests a buggy interaction in Chrome 46. Two hosts (self and www2) are both allowed >+ as media-src, but only one (self) is allowed for connect-src. If a video src starts on >+ an allowed host (self), and is redirected to another allowed media-src host, it should succeed. But a bug >+ causes the redirect to be done in a fetch context to which connect-src is being applied instead, so >+ the load is blocked. (This test passes in Firefox 45, modulo an event listener not firing.)</p> >+ >+ <script> >+ var src_test = async_test("In-policy async video src"); >+ var src_redir_test = async_test("in-policy async video src w/redir") >+ var source_test = async_test("In-policy async video source element"); >+ var source_redir_test = async_test("In-policy async video source element w/redir"); >+ >+ var t_spv = async_test("Should not fire policy violation events"); >+ var test_count = 4; >+ window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have fired any event")); >+ >+ function media_loaded(t) { >+ t.done(); >+ if (--test_count <= 0) { >+ t_spv.done(); >+ } >+ } >+ >+ function media_error_handler(t) { >+ t.step( function () { >+ assert_unreached("Media error handler shouldn't be triggered for allowed domain."); >+ }); >+ t.done(); >+ } >+ </script> >+ >+ <video id="videoObject" width="320" height="240" controls >+ onloadeddata="media_loaded(source_test)"> >+ <source id="videoSourceObject" >+ type="video/ogg" >+ 
onerror="media_error_handler(source_test)" >+ src="http://{{domains[www2]}}:{{ports[http][0]}}/media/A4.ogv"> >+ </video> >+ >+ <video id="videoObject2" width="320" height="240" controls >+ onerror="media_error_handler(src_test)" >+ onloadeddata="media_loaded(src_test)" >+ src="http://{{domains[www2]}}:{{ports[http][0]}}/media/A4.ogv"> >+ >+ <video id="videoObject3" width="320" height="240" controls >+ onloadeddata="media_loaded(source_redir_test)"> >+ <source id="videoSourceObject" >+ type="video/ogg" >+ onerror="media_error_handler(source_test)" >+ src="/common/redirect.py?location=http://{{domains[www2]}}:{{ports[http][0]}}/media/A4.ogv"> >+ </video> >+ >+ <video id="videoObject2" width="320" height="240" controls >+ onerror="media_error_handler(src_redir_test)" >+ onloadeddata="media_loaded(src_redir_test)" >+ src="/common/redirect.py?location=http://{{domains[www2]}}:{{ports[http][0]}}/media/A4.ogv"> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..e0a9b87600a6ac325600ea7161ad816269f5048c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/w3c-import.log 
>@@ -0,0 +1,24 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_1.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_1_2.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_2.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_2_2.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_3.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_3_2.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-redir-bug.sub.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/combine-header-and-meta-policies.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/combine-header-and-meta-policies.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..7d4090a66ddce1a1446c93d87455dcac1dc4e909 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/combine-header-and-meta-policies.sub-expected.txt 
>@@ -0,0 +1,7 @@ >+Test passes if both style and image are blocked and a report is generated for the style block from the header-supplied policy. >+ >+ >+ >+FAIL Expecting logs: ["TEST COMPLETE", "violated-directive=img-src", "violated-directive=style-src-elem"] assert_unreached: Logging timeout, expected logs violated-directive=img-src,violated-directive=style-src-elem not sent. Reached unreachable code >+PASS combine-header-and-meta-policies >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/combine-header-and-meta-policies.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/combine-header-and-meta-policies.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..70bfeb6b3bbe86a2cbb97dd78552c4bd42e7acdb >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/combine-header-and-meta-policies.sub.html 
>@@ -0,0 +1,54 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'"> >+ <title>combine-header-and-meta-policies</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE", "violated-directive=img-src", "violated-directive=style-src-elem"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <!-- enforcing multiple policies: >+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self' >+Content-Security-Policy: img-src 'none' >+--> >+</head> >+ >+<body> >+<p>Test passes if both style and image are blocked and a report is generated for the >+ style block from the header-supplied policy.</p> >+ >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ var img = document.createElement('img'); >+ img.src = '../support/fail.png'; >+ img.onerror = function() { >+ log("TEST COMPLETE"); >+ }; >+ img.onload = function() { >+ log("FAIL"); >+ }; >+ document.body.appendChild(img); >+ >+ </script> >+ <style> >+ body { >+ background-color: blue; >+ } >+ >+ </style> >+ <script> >+ var el = document.querySelector('body'); >+ test(function() { >+ assert_equals(window.getComputedStyle(el).color, "rgb(0, 0, 0)") >+ }); >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> 
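Review bot: the style assertion in combine-header-and-meta-policies.sub.html checks the wrong property: the inline `<style>` sets `body { background-color: blue; }`, but the `test()` reads `window.getComputedStyle(el).color` and compares it to `"rgb(0, 0, 0)"`, which is the default text colour whether or not the stylesheet was blocked by the header's `style-src 'self'`, so `PASS combine-header-and-meta-policies` in the baseline says nothing about enforcement. It should compare `getComputedStyle(el).backgroundColor` against the unstyled value (`rgba(0, 0, 0, 0)`); since this is an imported test the fix belongs upstream in wpt, not in this patch. The baseline also records the log expectation as FAIL because the `violated-directive=img-src` / `violated-directive=style-src-elem` entries never arrived and `logTest` timed out; a ChangeLog line explaining why those violation events are not observed would stop the baseline being read as a passing state.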
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/combine-header-and-meta-policies.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/combine-header-and-meta-policies.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..062d823228a0bad1ed84fc432a262501e11a7d79 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/combine-header-and-meta-policies.sub.html.sub.headers >@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'; >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-img-src-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-img-src-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..82537366b35f6135992ea5da615d25b6e4467b6f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-img-src-expected.txt >@@ -0,0 +1,6 @@ >+Test passes if the image is blocked. >+ >+ >+ >+PASS Expecting logs: ["PASS","TEST COMPLETE"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-img-src.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-img-src.html >new file mode 100644 >index 0000000000000000000000000000000000000000..bc7ffd66a70d78c4ae9f2cc19f8c2df70914243d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-img-src.html 
>@@ -0,0 +1,33 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta id="meta_csp" http-equiv="Content-Security-Policy" content="img-src 'none'"> >+ <title>meta-img-src</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS","TEST COMPLETE"]'></script> >+</head> >+ >+<body> >+<p>Test passes if the image is blocked.</p> >+ >+ <script> >+ function testImgSrc() { >+ var img = document.createElement('img'); >+ img.src = '../support/fail.png'; >+ img.onerror = function() { >+ log("PASS"); >+ }; >+ img.onload = function() { >+ log("FAIL"); >+ }; >+ document.body.appendChild(img); >+ } >+ testImgSrc(); >+ log("TEST COMPLETE"); >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-modified-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-modified-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..e04456f385c4a0c9ee7dea7c773da887fff76fd2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-modified-expected.txt >@@ -0,0 +1,6 @@ >+Test passes if the image is blocked both before and after policy modification. >+ >+ >+ >+PASS Expecting logs: ["PASS", "PASS","TEST COMPLETE"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-modified.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-modified.html >new file mode 100644 >index 0000000000000000000000000000000000000000..d03115f31b09e3cde8868a36549a8299c0402093 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-modified.html 
>@@ -0,0 +1,35 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta id="meta_csp" http-equiv="Content-Security-Policy" content="img-src 'none'"> >+ <title>meta-modified</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS", "PASS","TEST COMPLETE"]'></script> >+</head> >+ >+<body> >+<p>Test passes if the image is blocked both before and after policy modification.</p> >+ >+ <script> >+ function testImgSrc() { >+ var img = document.createElement('img'); >+ img.src = '../support/fail.png'; >+ img.onerror = function() { >+ log("PASS"); >+ }; >+ img.onload = function() { >+ log("FAIL"); >+ }; >+ document.body.appendChild(img); >+ } >+ testImgSrc(); >+ document.getElementById("meta_csp").setAttribute("content", "img-src *"); >+ testImgSrc(); >+ log("TEST COMPLETE"); >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-outside-head.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-outside-head.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..e66c2310ff9c60f9be56750ed5ada52a619aec53 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-outside-head.sub-expected.txt >@@ -0,0 +1,5 @@ >+This test checks that Content Security Policy delivered via a meta element is not enforced if the element is outside the document's head. >+ >+ >+PASS Expecting alerts: ["PASS (1/1)"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-outside-head.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-outside-head.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..94ae5e3979c60a72d75b3fdc5b1a14285678d357 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-outside-head.sub.html >@@ -0,0 +1,32 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <title>meta-outside-head</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="../support/logTest.sub.js?logs=[]"></script> >+ <script src='../support/alertAssert.sub.js?alerts=["PASS (1/1)"]'></script> >+ <!-- enforcing policy: >+script-src 'self' 'unsafe-inline' 'nonce-abc'; connect-src 'self'; >+--> >+</head> >+ >+<body> >+ <script nonce='abc'> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ alert_assert("Fail"); >+ }); >+ </script> >+ >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self'"> >+ <p>This test checks that Content Security Policy delivered via a meta element is not enforced if the element is outside the document's head.</p> >+ <script nonce='abc'> >+ var aa = "PASS (1/1)"; >+ </script> >+ <script src="../meta/support/metaHelper.js"></script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-outside-head.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-outside-head.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..8e90073147a233a74727a3ba03307c1564dc3224 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-outside-head.sub.html.sub.headers >@@ -0,0 +1 @@ >+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-abc'; connect-src 'self'; 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/support/metaHelper.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/support/metaHelper.js >new file mode 100644 >index 0000000000000000000000000000000000000000..9191a39c73bef941773ad5b8eb1553caa1528faf >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/support/metaHelper.js >@@ -0,0 +1,5 @@ >+if (typeof aa != 'undefined') { >+ alert_assert(aa); >+} else { >+ alert_assert("Failed - allowed inline script blocked by meta policy outside head."); >+} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/support/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/support/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..c0a69aa75c5a4a640d22776c87869143965353ff >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/support/w3c-import.log >@@ -0,0 +1,17 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/support/metaHelper.js 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..32a50b14d83c64f431c8d5186fbabc837135744b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/w3c-import.log >@@ -0,0 +1,22 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/combine-header-and-meta-policies.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/combine-header-and-meta-policies.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-img-src.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-modified.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-outside-head.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-outside-head.sub.html.sub.headers 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/anchor-navigation-always-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/anchor-navigation-always-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a2ad7c234b3607bd18a6f127415b8082780b8644 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/anchor-navigation-always-allowed-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Test that anchor navigation is allowed regardless of the `navigate-to` directive >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/anchor-navigation-always-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/anchor-navigation-always-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..1cf01a7f53222bd81aab0c7314f7aa8ae439989b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/anchor-navigation-always-allowed.html >@@ -0,0 +1,23 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ >+<a name="anchor"></a> >+ >+<script> >+ var t = async_test("Test that anchor navigation is allowed regardless of the `navigate-to` directive"); >+ >+ window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have triggered any violation")); >+ >+ try { >+ window.location.hash = "anchor"; >+ t.done(); >+ } catch(ex) {} >+</script> >+ >+</body> >\ No newline at end of file 
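Review bot: in anchor-navigation-always-allowed.html the `try { window.location.hash = "anchor"; t.done(); } catch(ex) {}` swallows any exception, so if the hash assignment ever threw, the test would neither pass nor fail but sit until the harness timeout with no message. Run the assignment inside `t.step(function() { ... })` (or a `t.step_func`) and drop the empty `catch`, so a throw is reported as a failure with its text. The file also omits the `<html>` element and ends without a trailing newline (`\ No newline at end of file`); cosmetic, but worth fixing upstream in wpt at the same time.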
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/anchor-navigation-always-allowed.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/anchor-navigation-always-allowed.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..739a2ce175313740c217c68e56d865f622ea4c3b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/anchor-navigation-always-allowed.html.headers >@@ -0,0 +1,4 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Pragma: no-cache >+Content-Security-Policy: navigate-to 'none' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ed9291f8f169363daa11bf04ac87fe295c23a1b4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-allowed-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Test that the child can navigate the parent because the relevant policy belongs to the navigation initiator (in this case the child, which has the policy `navigate-to 'self'`) >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..7b4b455d8d4e783d6006e58d9423943efa0241df >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html 
>@@ -0,0 +1,18 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child can navigate the parent because the relevant policy belongs to the navigation initiator (in this case the child, which has the policy `navigate-to 'self'`)"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'success'); >+ }); >+</script> >+ >+<iframe srcdoc="<iframe src='support/navigate_parent.sub.html?csp=navigate-to%20%27self%27'>"> >+ >+</body> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..aced1c6d058f814738121bfb0a7ca3a521837e4d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html.headers >@@ -0,0 +1,4 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Pragma: no-cache >+Content-Security-Policy: navigate-to 'self' support/navigate_parent.sub.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..753424c16f0e4e2c55e954ab9ca0e2eebe8a7e36 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub-expected.txt 
>@@ -0,0 +1,5 @@ >+ >+ >+FAIL Test that the child can't navigate the parent because the relevant policy belongs to the navigation initiator (in this case the child which has the policy `navigate-to 'none'`) assert_equals: expected "fail" but got "success" >+FAIL Violation report status OK. assert_equals: No such report. expected "" but got "false" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..4e50617e3c253eae90e7e4ea5094e4cbca3b5fd0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html >@@ -0,0 +1,19 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child can't navigate the parent because the relevant policy belongs to the navigation initiator (in this case the child which has the policy `navigate-to 'none'`)"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'fail'); >+ assert_equals(e.data.violatedDirective, 'navigate-to'); >+ }); >+</script> >+<iframe srcdoc="<iframe src='support/navigate_parent.sub.html?csp=navigate-to%20%27none%27&report_id={{$id:uuid()}}'>"></iframe> >+ >+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27none%27&reportID={{$id}}'></script> >+</body> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..9cb770bcc1be7928b6dad61b29bf6f55c22eda0d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html.headers >@@ -0,0 +1,4 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Pragma: no-cache >+Content-Security-Policy: navigate-to 'self' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-allows.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-allows.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..f702443ecaaaa649dab7a4fa270571f53b4aef57 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-allows.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Test that form-action overrides navigate-to when present. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-allows.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-allows.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..f58407ac6de2174b1d028d9a3ae7e793f4724c00 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-allows.sub.html 
>@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that form-action overrides navigate-to when present."); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'success'); >+ }); >+</script> >+<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27%3B%20form-action%20%27self%27%3B&action=post_message_to_frame_owner.html&report_id={{uuid()}}"> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-blocks.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-blocks.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..f702443ecaaaa649dab7a4fa270571f53b4aef57 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-blocks.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Test that form-action overrides navigate-to when present. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-blocks.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-blocks.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..0ddc8820f94c70b6606970832eb90d089a0e8a10 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-blocks.sub.html 
>@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that form-action overrides navigate-to when present."); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'success'); >+ }); >+</script> >+<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27none%27%3B%20form-action%20%27self%27%3B&action=post_message_to_frame_owner.html&report_id={{uuid()}}"> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ef9baa8528a0a46e863c930a2067a11eef956b71 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.sub-expected.txt >@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'navigate-to'. >+ >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/navigate-to/support/post_message_to_frame_owner.html?dummy= because it does not appear in the form-action directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that form-action overrides navigate-to when present. >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..927ebb4d3619f8fb131600b89f00a19afd706116 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.sub.html >@@ -0,0 +1,17 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that form-action overrides navigate-to when present."); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'fail'); >+ assert_equals(e.data.violatedDirective, 'form-action'); >+ }); >+</script> >+<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27%3B%20form-action%20%27none%27%3B&action=post_message_to_frame_owner.html&report_id={{uuid()}}""> >+</body> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ef9baa8528a0a46e863c930a2067a11eef956b71 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.sub-expected.txt 
>@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'navigate-to'. >+ >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/navigate-to/support/post_message_to_frame_owner.html?dummy= because it does not appear in the form-action directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that form-action overrides navigate-to when present. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..56688fa418baad02bdb5b19008fdb865f6d6f6f6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.sub.html >@@ -0,0 +1,17 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that form-action overrides navigate-to when present."); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'fail'); >+ assert_equals(e.data.violatedDirective, 'form-action'); >+ }); >+</script> >+<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27none%27%3B%20form-action%20%27none%27%3B&action=post_message_to_frame_owner.html&report_id={{uuid()}}"> >+</body> >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..8e7b3672c7462cff7ecd6cf8918622fc43629216 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/w3c-import.log >@@ -0,0 +1,20 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-allows.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-blocks.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.sub.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..438ded5219a29407c91f72ccb48b7140ce692c7f 
>--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-allowed-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Test that the child iframe navigation is allowed >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..aa38d898abdc98bab7fc7778db2d48a9abaedcea >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-allowed.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'success'); >+ }); >+</script> >+<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27&action=post_message_to_frame_owner.html"></iframe> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..85fcd90351757e5dc5732770aad767658b835aac >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-blocked.sub-expected.txt >@@ -0,0 +1,5 @@ >+ >+ >+FAIL Test that the child iframe navigation is not allowed assert_equals: expected "fail" but got "success" >+FAIL Violation report status OK. assert_equals: No such report. expected "" but got "false" >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..72db7b8d1d584292ac3eeaef6919229d3cedf369 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-blocked.sub.html >@@ -0,0 +1,19 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is not allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'fail'); >+ assert_equals(e.data.violatedDirective, 'navigate-to'); >+ }); >+</script> >+<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27none%27&report_id={{$id:uuid()}}&action=post_message_to_frame_owner.html"></iframe> >+ >+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27none%27&reportID={{$id}}'></script> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-cross-origin-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-cross-origin-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..965c9decf71cf94efa8400d5bf81b323db452674 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-cross-origin-allowed.sub-expected.txt 
>@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'navigate-to'. >+ >+Blocked access to external URL http://www1.localhost:8800/content-security-policy/navigate-to/support/post_message_to_frame_owner.html?dummy= >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the child iframe navigation is allowed >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-cross-origin-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-cross-origin-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..4d0ddc30f1ae2668646e9d97e352a72ba1cd301b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-cross-origin-allowed.sub.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'success'); >+ }); >+</script> >+<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}&action=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-cross-origin-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-cross-origin-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..1543bca16deec1e76733322db2e851277f063e3b >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-cross-origin-blocked.sub-expected.txt >@@ -0,0 +1,10 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'navigate-to'. >+ >+Blocked access to external URL http://www1.localhost:8800/content-security-policy/navigate-to/support/post_message_to_frame_owner.html?dummy= >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the child iframe navigation is not allowed >+FAIL Violation report status OK. assert_equals: No such report. expected "" but got "false" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-cross-origin-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-cross-origin-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..be5f70c8b1e07de9b8d7934d7427cfc445d6226f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-cross-origin-blocked.sub.html >@@ -0,0 +1,19 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is not allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'fail'); >+ assert_equals(e.data.violatedDirective, 'navigate-to'); >+ }); >+</script> >+<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&action=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe> >+ >+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script> >+</body> >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-redirected-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-redirected-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..438ded5219a29407c91f72ccb48b7140ce692c7f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-redirected-allowed-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Test that the child iframe navigation is allowed >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-redirected-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-redirected-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..129b719c2258397b2dda8670126fba3b0340c686 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-redirected-allowed.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'success'); >+ }); >+</script> >+<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27&action=redirect_to_post_message_to_frame_owner.py%3Flocation%3Dpost_message_to_frame_owner.html"></iframe> >+</body> >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-redirected-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-redirected-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..f79833064210ea1548b14bf6504677a82985fb89 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-redirected-blocked.sub-expected.txt >@@ -0,0 +1,10 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'navigate-to'. >+ >+Blocked access to external URL http://www1.localhost:8800/content-security-policy/navigate-to/support/post_message_to_frame_owner.html >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the child iframe navigation is not allowed >+FAIL Violation report status OK. assert_equals: No such report. expected "" but got "false" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-redirected-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-redirected-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..d60b8a7aa8d41d9498a72a60e5d3ae807d31fea2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-redirected-blocked.sub.html 
>@@ -0,0 +1,20 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is not allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'fail'); >+ assert_equals(e.data.violatedDirective, 'navigate-to'); >+ }); >+</script> >+ >+<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&action=redirect_to_post_message_to_frame_owner.py%3Flocation%3Dhttp%3A%2F%2F{{domains[www1]}}%3A{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe> >+ >+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..cbdfe4895dbe9c608be314b5e10669869a824aca >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-allowed-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Test that the child iframe navigation is allowed >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..16e11e0c65955f4a085c9acf62a2034380aedac9 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-allowed.html >@@ -0,0 +1,17 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'success'); >+ }); >+ >+ window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27self%27&target=post_message_to_frame_owner.html", "_blank"); >+</script> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..fabb613a5d9a9d6e1bf8e5f57fa50e1bc5dd7380 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-blocked.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+FAIL Test that the child iframe navigation is not allowed assert_equals: expected "fail" but got "success" >+FAIL Violation report status OK. assert_equals: No such report. expected "" but got "false" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..721f055c71507ec85fea9a4d86b107fe0e91d2f7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-blocked.sub.html 
>@@ -0,0 +1,20 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is not allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'fail'); >+ assert_equals(e.data.violatedDirective, 'navigate-to'); >+ }); >+ >+ window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27none%27&report_id={{$id:uuid()}}&target=post_message_to_frame_owner.html", "_blank"); >+</script> >+ >+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27none%27&reportID={{$id}}'></script> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-cross-origin-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-cross-origin-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..4c782b511156690bb23b8aa57e3dec08da68a559 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-cross-origin-allowed.sub-expected.txt >@@ -0,0 +1,8 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'navigate-to'. >+ >+Blocked access to external URL http://www1.localhost:8800/content-security-policy/navigate-to/support/post_message_to_frame_owner.html >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the child iframe navigation is allowed >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-cross-origin-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-cross-origin-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a9396fc406c1bfdd9f8406718a5a2e3235a6180e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-cross-origin-allowed.sub.html >@@ -0,0 +1,17 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'success'); >+ }); >+ >+ window.open("support/href_location_navigation.sub.html?csp=navigate-to%20http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html", "_blank"); >+</script> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-cross-origin-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-cross-origin-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..0e300fe0ac61c98b8903f553ee823487e9166154 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-cross-origin-blocked.sub-expected.txt 
>@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'navigate-to'. >+ >+Blocked access to external URL http://www1.localhost:8800/content-security-policy/navigate-to/support/post_message_to_frame_owner.html >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the child iframe navigation is not allowed >+FAIL Violation report status OK. assert_equals: No such report. expected "" but got "false" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-cross-origin-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-cross-origin-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..cd0cd9106dbb429e2d8ec4cbbc7c3fcb6c56aa93 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-cross-origin-blocked.sub.html >@@ -0,0 +1,20 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is not allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'fail'); >+ assert_equals(e.data.violatedDirective, 'navigate-to'); >+ }); >+ >+ window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html", "_blank"); >+</script> >+ >+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script> >+</body> >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-redirected-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-redirected-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..cbdfe4895dbe9c608be314b5e10669869a824aca >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-redirected-allowed-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Test that the child iframe navigation is allowed >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-redirected-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-redirected-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..4dbfa7aef9db2295dec1d5837e5ed799c528d8a7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-redirected-allowed.html >@@ -0,0 +1,17 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'success'); >+ }); >+ >+ window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27self%27&target=redirect_to_post_message_to_frame_owner.py", "_blank"); >+</script> >+</body> >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-redirected-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-redirected-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..0e300fe0ac61c98b8903f553ee823487e9166154 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-redirected-blocked.sub-expected.txt >@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'navigate-to'. >+ >+Blocked access to external URL http://www1.localhost:8800/content-security-policy/navigate-to/support/post_message_to_frame_owner.html >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the child iframe navigation is not allowed >+FAIL Violation report status OK. assert_equals: No such report. expected "" but got "false" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-redirected-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-redirected-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..5d8fafb31313f0ec18306d4ee1c071f278a34272 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-redirected-blocked.sub.html 
>@@ -0,0 +1,20 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is not allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'fail'); >+ assert_equals(e.data.violatedDirective, 'navigate-to'); >+ }); >+ >+ window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=redirect_to_post_message_to_frame_owner.py%3Flocation%3Dhttp%3A%2F%2F{{domains[www1]}}%3A{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html", "_blank"); >+</script> >+ >+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..438ded5219a29407c91f72ccb48b7140ce692c7f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-allowed-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Test that the child iframe navigation is allowed >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..977b85dfb2cbaaa4a69288e8d283c483e35eed97 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-allowed.html 
>@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'success'); >+ }); >+</script> >+<iframe src="support/link_click_navigation.sub.html?csp=navigate-to%20%27self%27&target=post_message_to_frame_owner.html"> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..85fcd90351757e5dc5732770aad767658b835aac >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-blocked.sub-expected.txt >@@ -0,0 +1,5 @@ >+ >+ >+FAIL Test that the child iframe navigation is not allowed assert_equals: expected "fail" but got "success" >+FAIL Violation report status OK. assert_equals: No such report. expected "" but got "false" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..29686fcaeff6b57eca88ccfd599727bd2cc06464 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-blocked.sub.html 
>@@ -0,0 +1,19 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is not allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'fail'); >+ assert_equals(e.data.violatedDirective, 'navigate-to'); >+ }); >+</script> >+<iframe src="support/link_click_navigation.sub.html?csp=navigate-to%20%27none%27&report_id={{$id:uuid()}}&target=post_message_to_frame_owner.html"></iframe> >+ >+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-cross-origin-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-cross-origin-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..fa7411199360b4675b2b1944b1db9f240b8af6e6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-cross-origin-allowed.sub-expected.txt >@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'navigate-to'. >+ >+Blocked access to external URL http://www1.localhost:8800/content-security-policy/navigate-to/support/post_message_to_frame_owner.html >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the child iframe navigation is allowed >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-cross-origin-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-cross-origin-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..4381bcb08d6ed73abf13da54c9ccf583bd5d7523 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-cross-origin-allowed.sub.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'success'); >+ }); >+</script> >+<iframe src="support/link_click_navigation.sub.html?csp=navigate-to%20http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-cross-origin-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-cross-origin-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..f79833064210ea1548b14bf6504677a82985fb89 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-cross-origin-blocked.sub-expected.txt 
>@@ -0,0 +1,10 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'navigate-to'. >+ >+Blocked access to external URL http://www1.localhost:8800/content-security-policy/navigate-to/support/post_message_to_frame_owner.html >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the child iframe navigation is not allowed >+FAIL Violation report status OK. assert_equals: No such report. expected "" but got "false" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-cross-origin-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-cross-origin-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..f2b106c57730c00b95cbe6cb66582c2d33dcdede >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-cross-origin-blocked.sub.html >@@ -0,0 +1,20 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is not allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'fail'); >+ assert_equals(e.data.violatedDirective, 'navigate-to'); >+ }); >+</script> >+ >+<iframe src="support/link_click_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe> >+ >+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script> >+</body> >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-redirected-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-redirected-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..438ded5219a29407c91f72ccb48b7140ce692c7f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-redirected-allowed-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Test that the child iframe navigation is allowed >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-redirected-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-redirected-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..87dea95b1dc0b238b8c033b815daba960935f5d8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-redirected-allowed.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'success'); >+ }); >+</script> >+<iframe src="support/link_click_navigation.sub.html?csp=navigate-to%20%27self%27&target=redirect_to_post_message_to_frame_owner.py"> >+</body> >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-redirected-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-redirected-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..f79833064210ea1548b14bf6504677a82985fb89 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-redirected-blocked.sub-expected.txt >@@ -0,0 +1,10 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'navigate-to'. >+ >+Blocked access to external URL http://www1.localhost:8800/content-security-policy/navigate-to/support/post_message_to_frame_owner.html >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the child iframe navigation is not allowed >+FAIL Violation report status OK. assert_equals: No such report. expected "" but got "false" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-redirected-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-redirected-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..9b9205a526a4834e8ba918e86c67710353a4ccd8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-redirected-blocked.sub.html 
>@@ -0,0 +1,19 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is not allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'fail'); >+ assert_equals(e.data.violatedDirective, 'navigate-to'); >+ }); >+</script> >+<iframe src="support/link_click_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=redirect_to_post_message_to_frame_owner.py%3Flocation%3Dhttp%3A%2F%2F{{domains[www1]}}%3A{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe> >+ >+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..438ded5219a29407c91f72ccb48b7140ce692c7f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-allowed-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Test that the child iframe navigation is allowed >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..eeaefc496e8f1836630cdc788a338f5f9f0ac0fa >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-allowed.html 
>@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'success'); >+ }); >+</script> >+<iframe src="support/meta_refresh_navigation.sub.html?csp=navigate-to%20%27self%27&target=post_message_to_frame_owner.html"> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..85fcd90351757e5dc5732770aad767658b835aac >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-blocked.sub-expected.txt >@@ -0,0 +1,5 @@ >+ >+ >+FAIL Test that the child iframe navigation is not allowed assert_equals: expected "fail" but got "success" >+FAIL Violation report status OK. assert_equals: No such report. expected "" but got "false" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..1292c9ba5fc0b7bb7383e584296c29c627a87a96 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-blocked.sub.html 
>@@ -0,0 +1,20 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is not allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'fail'); >+ assert_equals(e.data.violatedDirective, 'navigate-to'); >+ }); >+</script> >+ >+<iframe src="support/meta_refresh_navigation.sub.html?csp=navigate-to%20%27none%27&report_id={{$id:uuid()}}&target=post_message_to_frame_owner.html"></iframe> >+ >+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27none%27&reportID={{$id}}'></script> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-cross-origin-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-cross-origin-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..fa7411199360b4675b2b1944b1db9f240b8af6e6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-cross-origin-allowed.sub-expected.txt >@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'navigate-to'. >+ >+Blocked access to external URL http://www1.localhost:8800/content-security-policy/navigate-to/support/post_message_to_frame_owner.html >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the child iframe navigation is allowed >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-cross-origin-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-cross-origin-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..39e887eaadf39c39095b320f9ff12005d9c02982 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-cross-origin-allowed.sub.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'success'); >+ }); >+</script> >+<iframe src="support/meta_refresh_navigation.sub.html?csp=navigate-to%20http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..f79833064210ea1548b14bf6504677a82985fb89 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub-expected.txt 
>@@ -0,0 +1,10 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'navigate-to'. >+ >+Blocked access to external URL http://www1.localhost:8800/content-security-policy/navigate-to/support/post_message_to_frame_owner.html >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the child iframe navigation is not allowed >+FAIL Violation report status OK. assert_equals: No such report. expected "" but got "false" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..d7ccd336205da0087c67bc8cdb778d426f167188 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub.html >@@ -0,0 +1,20 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is not allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'fail'); >+ assert_equals(e.data.violatedDirective, 'navigate-to'); >+ }); >+</script> >+ >+<iframe src="support/meta_refresh_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe> >+ >+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script> >+</body> >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-redirected-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-redirected-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..438ded5219a29407c91f72ccb48b7140ce692c7f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-redirected-allowed-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Test that the child iframe navigation is allowed >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-redirected-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-redirected-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..de756bce8b55b8a25a79b30fcdbd79176a01b63f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-redirected-allowed.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'success'); >+ }); >+</script> >+<iframe src="support/meta_refresh_navigation.sub.html?csp=navigate-to%20%27self%27&target=redirect_to_post_message_to_frame_owner.py"> >+</body> >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..f79833064210ea1548b14bf6504677a82985fb89 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub-expected.txt >@@ -0,0 +1,10 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'navigate-to'. >+ >+Blocked access to external URL http://www1.localhost:8800/content-security-policy/navigate-to/support/post_message_to_frame_owner.html >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the child iframe navigation is not allowed >+FAIL Violation report status OK. assert_equals: No such report. expected "" but got "false" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..0734473ee6331318a3913e6dd2ba41d52ed2c02c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub.html 
>@@ -0,0 +1,20 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is not allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'fail'); >+ assert_equals(e.data.violatedDirective, 'navigate-to'); >+ }); >+</script> >+ >+<iframe src="support/meta_refresh_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=redirect_to_post_message_to_frame_owner.py%3Flocation%3Dhttp%3A%2F%2F{{domains[www1]}}%3A{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe> >+ >+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..d75709451b176623af6b12f5d8aa24b71c4715e7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-allowed-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Test that the parent can navigate the child because the relevant policy belongs to the navigation initiator (in this case the parent, which has the policy `navigate-to 'self'`) >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..47a661157c3f9b27184cf6f391bd0c55ecb2cc72 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html >@@ -0,0 +1,26 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the parent can navigate the child because the relevant policy belongs to the navigation initiator (in this case the parent, which has the policy `navigate-to 'self'`)"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'success'); >+ }); >+ window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have triggered a policy violation")); >+ >+ var i = document.createElement('iframe'); >+ var src_changed = false; >+ i.onload = function() { >+ if (src_changed) return; >+ src_changed = true; >+ i.src = "support/post_message_to_frame_owner.html"; >+ } >+ i.src = "support/wait_for_navigation.html?csp=navigate-to%20%none%27"; >+ document.body.appendChild(i); >+</script> >+</body> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..9cb770bcc1be7928b6dad61b29bf6f55c22eda0d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html.headers 
>@@ -0,0 +1,4 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Pragma: no-cache >+Content-Security-Policy: navigate-to 'self' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..fe5b89fa8cee009f5270cf6cadf18f3873272b7f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-blocked-expected.txt >@@ -0,0 +1,5 @@ >+ >+ >+FAIL Test that the parent can't navigate the child because the relevant policy belongs to the navigation initiator (in this case the parent, which has the policy `navigate-to support/wait_for_navigation.html;`) assert_unreached: Should not have received a message as the navigation should not have been successful Reached unreachable code >+FAIL Violation report status OK. assert_equals: No such report. expected "" but got "false" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c662da95fa1b89e13c61c7b65226cb55a15d93e1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html 
>@@ -0,0 +1,28 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the parent can't navigate the child because the relevant policy belongs to the navigation initiator (in this case the parent, which has the policy `navigate-to support/wait_for_navigation.html;`)"); >+ window.onmessage = t.unreached_func("Should not have received a message as the navigation should not have been successful"); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, 'navigate-to'); >+ })); >+ >+ var i = document.createElement('iframe'); >+ var src_changed = false; >+ i.onload = function() { >+ if (src_changed) return; >+ src_changed = true; >+ i.src = "support/post_message_to_frame_owner.html"; >+ } >+ i.src = "support/wait_for_navigation.html?csp=navigate-to%20%27self%27"; >+ document.body.appendChild(i); >+</script> >+ >+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20support%2Fwait_for_navigation.html'></script> >+</body> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..6784a56c8eb5e84d9434676d2c335173c7de1970 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html.sub.headers 
>@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Pragma: no-cache >+Set-Cookie: parent-navigates-child-blocked={{$id:uuid()}}; Path=/content-security-policy/navigate-to/ >+Content-Security-Policy: navigate-to support/wait_for_navigation.html; report-uri ../support/report.py?op=put&reportID={{$id}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/spv-only-sent-to-initiator.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/spv-only-sent-to-initiator.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..7f0f6e080dbb9a44a722af5ddee4df445376b6b6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/spv-only-sent-to-initiator.sub-expected.txt >@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'navigate-to'. >+ >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that no spv event is raised >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/spv-only-sent-to-initiator.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/spv-only-sent-to-initiator.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a09057e71567efa082578541a624b9fe51e13737 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/spv-only-sent-to-initiator.sub.html 
>@@ -0,0 +1,48 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+<body> >+<!-- This tests that a navigation initiator that has been replaced by the time >+ the navigation it initiates is blocked, will not receive the SPV event. >+ >+ An iframe will navigate another iframe and the navigate itself. >+ The second iframe's navigation response will be delayed by the server but will >+ eventually be blocked by the CSP of the first iframe. >+ By the time this happens the first iframe should be an entirely different >+ document and it should not receive a SPV event --> >+<script> >+ var t = async_test("Test that no spv event is raised"); >+ window.onmessage = t.step_func(function(e) { >+ if (e.data == "end_test") t.done(); >+ else assert_unreached("Should not have raised a spv event"); >+ }); >+ >+ var frames_loaded_count = 0; >+ var frame_loaded = function() { >+ if (++frames_loaded_count == 2) { >+ // both child frame have loaded we can start the >+ // test now, send a message to iframe1 so it knows to start >+ document.getElementById('iframe1').contentWindow.postMessage('start_test', '*'); >+ } >+ } >+ var i1 = document.createElement('iframe'); >+ i1.src = "support/spv-test-iframe1.sub.html?report_id={{$id:uuid()}}"; >+ i1.id = "iframe1"; >+ i1.name = "iframe1"; >+ i1.onload = frame_loaded; >+ document.body.appendChild(i1); >+ >+ var i2 = document.createElement('iframe'); >+ i2.src = "support/spv-test-iframe2.sub.html"; >+ i2.id = "iframe2"; >+ i2.name = "iframe2"; >+ i2.onload = frame_loaded; >+ document.body.appendChild(i2); >+</script> >+ >+<script async defer src='../support/checkReport.sub.js?reportExists=false&reportID={{$id}}'></script> >+ >+</body> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/delayed_frame.py b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/delayed_frame.py >new file mode 100644 >index 0000000000000000000000000000000000000000..21886c7092a63b77239ba3af92194b5d185ac2d1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/delayed_frame.py >@@ -0,0 +1,12 @@ >+import time >+def main(request, response): >+ time.sleep(1) >+ headers = [("Content-Type", "text/html")] >+ return headers, ''' >+<!DOCTYPE html> >+<head> >+</head> >+<body> >+ DELAYED FRAME >+</body >+''' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/form_action_navigation.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/form_action_navigation.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..3e3e2afcaccec7ea72f0b1b4a7afab46d8900ba3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/form_action_navigation.sub.html 
>@@ -0,0 +1,33 @@ >+<!DOCTYPE html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ top.postMessage({result: 'fail', violatedDirective: e.violatedDirective}, '*'); >+ }); >+ </script> >+</head> >+ >+<body> >+<form action='{{GET[action]}}' target='_self' id='form'> >+ <input type="text" name="dummy"> >+ <div id="form-div"></div> >+</form> >+ >+<script> >+ try { >+ url = new URL("{{GET[action]}}", location.href); >+ for (var p of url.searchParams) { >+ var elem = document.createElement('input'); >+ elem.type = 'text'; >+ elem.name = p[0]; >+ elem.value = p[1]; >+ document.getElementById('form-div').appendChild(elem); >+ } >+ } catch(ex) {} >+ >+ document.getElementById('form').submit(); >+</script> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/form_action_navigation.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/form_action_navigation.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..9c572a9616204fd7aa275dfd0942443645238756 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/form_action_navigation.sub.html.sub.headers >@@ -0,0 +1,4 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Pragma: no-cache >+Content-Security-Policy: {{GET[csp]}}; report-uri /content-security-policy/support/report.py?op=put&reportID={{GET[report_id]}} >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..15b1365cc21fbccb02fd11c9e46a067a8fa40b6f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html >@@ -0,0 +1,17 @@ >+<!DOCTYPE html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ opener.postMessage({result: 'fail', violatedDirective: e.violatedDirective}, '*'); >+ }); >+ >+ try { >+ location.href = "{{GET[target]}}"; >+ } catch(ex) {} >+</script> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..d01e2672a838013072f0266747dd6ac9056f1225 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html.sub.headers >@@ -0,0 +1,4 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Pragma: no-cache >+Content-Security-Policy: {{GET[csp]}}; report-uri /content-security-policy/support/report.py?op=put&reportID={{GET[report_id]}} 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..2434271211f36a456ea2bf61e717e4233a660bba >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<a href="{{GET[target]}}" id="link">dummy link</a> >+<script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ top.postMessage({result: 'fail', violatedDirective: e.violatedDirective}, '*'); >+ }); >+ >+ document.getElementById('link').click(); >+</script> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..d01e2672a838013072f0266747dd6ac9056f1225 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html.sub.headers >@@ -0,0 +1,4 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Pragma: no-cache >+Content-Security-Policy: {{GET[csp]}}; report-uri /content-security-policy/support/report.py?op=put&reportID={{GET[report_id]}} 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/meta_refresh_navigation.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/meta_refresh_navigation.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..64bae27fed669d2152a2074a42d947bea333b3d7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/meta_refresh_navigation.sub.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ top.postMessage({result: 'fail', violatedDirective: e.violatedDirective}, '*'); >+ }); >+ </script> >+ >+ <meta http-equiv="refresh" content="0; url={{GET[target]}}"> >+</head> >+ >+<body> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/meta_refresh_navigation.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/meta_refresh_navigation.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..d01e2672a838013072f0266747dd6ac9056f1225 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/meta_refresh_navigation.sub.html.sub.headers >@@ -0,0 +1,4 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Pragma: no-cache >+Content-Security-Policy: {{GET[csp]}}; report-uri /content-security-policy/support/report.py?op=put&reportID={{GET[report_id]}} 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/navigate_parent.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/navigate_parent.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a84c9c64ca9b450558b62d8f61c4aeb4b0fa1187 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/navigate_parent.sub.html >@@ -0,0 +1,18 @@ >+<!DOCTYPE html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ top.postMessage({result: 'fail', violatedDirective: e.violatedDirective}, '*'); >+ }); >+ </script> >+</head> >+ >+<body> >+<a href="post_message_to_frame_owner.html" id="link" target="_parent">dummy link</a> >+<script> >+ document.getElementById('link').click(); >+</script> >+</body> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/navigate_parent.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/navigate_parent.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..d01e2672a838013072f0266747dd6ac9056f1225 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/navigate_parent.sub.html.sub.headers >@@ -0,0 +1,4 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Pragma: no-cache >+Content-Security-Policy: {{GET[csp]}}; report-uri /content-security-policy/support/report.py?op=put&reportID={{GET[report_id]}} 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/post_message_to_frame_owner.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/post_message_to_frame_owner.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c25e49d14663000245512f647a33b96d61f11deb >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/post_message_to_frame_owner.html >@@ -0,0 +1,6 @@ >+<script> >+ if (window.opener) >+ window.opener.postMessage({result: 'success'}, '*'); >+ else >+ top.postMessage({result: 'success'}, '*'); >+</script> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/redirect_to_post_message_to_frame_owner.py b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/redirect_to_post_message_to_frame_owner.py >new file mode 100644 >index 0000000000000000000000000000000000000000..d22e9202a2a57fac314b1fee26a9a88d68db6c26 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/redirect_to_post_message_to_frame_owner.py >@@ -0,0 +1,6 @@ >+def main(request, response): >+ response.status = 302 >+ if "location" in request.GET: >+ response.headers.set("Location", request.GET["location"]) >+ else: >+ response.headers.set("Location", "post_message_to_frame_owner.html") >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..9e26c02be3110c19b7b6f69719fc5cd9cfcf2086 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html 
>@@ -0,0 +1,19 @@ >+<!DOCTYPE html> >+<head> >+ <script> >+ window.onmessage = function(e) { >+ if (e.data == "start_test") { >+ document.getElementById('link').click(); >+ location.href = "{{location[server]}}/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html"; >+ } >+ } >+ window.addEventListener('securitypolicyviolation', function(e) { >+ top.postMessage({iframe: 'iframe1', violatedDirective: e.violatedDirective}, '*'); >+ }); >+ </script> >+</head> >+ >+<body> >+ <a href="{{location[server]}}/content-security-policy/navigate-to/support/delayed_frame.py" id="link" target="iframe2">dummy link</a> >+ IFRAME 1 >+</body> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..50d77dc7dbb24583e7e91a4e8e2128e73c69336a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html.sub.headers >@@ -0,0 +1,4 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Pragma: no-cache >+Content-Security-Policy: navigate-to {{location[server]}}/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html 'unsafe-allow-redirects'; report-uri /content-security-policy/support/report.py?op=put&reportID={{GET[report_id]}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/spv-test-iframe2.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/spv-test-iframe2.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..1329683c88bf584cbc63479f3ba3f6e06281f223 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/spv-test-iframe2.sub.html >@@ -0,0 +1,14 @@ >+<!DOCTYPE html> >+<head> >+</head> >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ top.postMessage({iframe: 'iframe1', violatedDirective: e.violatedDirective}, '*'); >+ }); >+ setTimeout(function() { >+ top.postMessage("end_test", "*"); >+ }, 4000); >+ </script> >+ IFRAME 2 >+</body> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..09dbf6863dc7c8374fc082aa63f36690fe80a4a0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html >@@ -0,0 +1,12 @@ >+<!DOCTYPE html> >+<head> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ top.postMessage({iframe: 'iframe3', violatedDirective: e.violatedDirective}, '*'); >+ }); >+ </script> >+</head> >+ >+<body> >+ IFRAME 3 >+</body> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..9c2441e3628d8ac9da842826d802bcf22fec4ada >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/w3c-import.log 
>@@ -0,0 +1,35 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/delayed_frame.py >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/form_action_navigation.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/form_action_navigation.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/meta_refresh_navigation.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/meta_refresh_navigation.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/navigate_parent.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/navigate_parent.sub.html.sub.headers 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/post_message_to_frame_owner.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/redirect_to_post_message_to_frame_owner.py >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/spv-test-iframe2.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/wait_for_navigation.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/wait_for_navigation.html.sub.headers >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/wait_for_navigation.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/wait_for_navigation.html >new file mode 100644 >index 0000000000000000000000000000000000000000..2450ff1c0aa072afd370865e24557510f5b7fa67 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/wait_for_navigation.html >@@ -0,0 +1,14 @@ >+<!DOCTYPE html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ top.postMessage({result: 'fail', violatedDirective: e.violatedDirective}, '*'); >+ }); >+ </script> >+</head> >+ >+<body> >+</body> >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/wait_for_navigation.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/wait_for_navigation.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..d3c635b9a062bba15489562293cf0ebf3d2aa0c1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/support/wait_for_navigation.html.sub.headers >@@ -0,0 +1,4 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Pragma: no-cache >+Content-Security-Policy: {{GET[csp]}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain-because-of-same-origin.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain-because-of-same-origin.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..75b9956166648c2be15d9aaba21b569efea70edc >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain-because-of-same-origin.sub-expected.txt >@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'navigate-to'. >+ >+Blocked access to external URL http://www2.localhost:8800/common/redirect.py?location=http%3A%2F%2Fwww1.localhost%3A8800%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the child iframe navigation is allowed >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain-because-of-same-origin.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain-because-of-same-origin.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..192477296b61d283d9a229ede466a4ed516e46f3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain-because-of-same-origin.sub.html 
>@@ -0,0 +1,29 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'success'); >+ }); >+ >+ // the iframe will navigate to: >+ // [www2]/..../redirect.py (which is not in the navigate-to source list) which will in turn navigate to >+ // [www1]/..../post_message_to_frame_owner.html which is not exactly in >+ // the list but the check should be reduced to an origin check since there has been a redirect. >+ // Because of 'unsafe-allow-redirects' only the second one is checked since the first is a redirect >+ >+ var i = document.createElement('iframe'); >+ i.src = "../support/link_click_navigation.sub.html" + >+ "?csp=" + encodeURIComponent("navigate-to {{location[scheme]}}://{{domains[www1]}}:{{location[port]}}/some-path/ 'unsafe-allow-redirects'") + >+ "&target=" + encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/common/redirect.py?location=" + >+ encodeURIComponent("{{location[scheme]}}://{{domains[www1]}}:{{location[port]}}/content-security-policy/navigate-to/support/post_message_to_frame_owner.html")); >+ document.body.appendChild(i); >+</script> >+ >+</body> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..75b9956166648c2be15d9aaba21b569efea70edc >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain.sub-expected.txt 
>@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'navigate-to'. >+ >+Blocked access to external URL http://www2.localhost:8800/common/redirect.py?location=http%3A%2F%2Fwww1.localhost%3A8800%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the child iframe navigation is allowed >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..74fe8f2e7a673564ebf2502d07ec4136802b1537 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain.sub.html 
>@@ -0,0 +1,28 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is allowed"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'success'); >+ }); >+ >+ // the iframe will navigate to: >+ // [www2]/..../redirect.py (which is not in the navigate-to source list) which will in turn navigate to >+ // [www1]/..../post_message_to_frame_owner.html which is in the list >+ // because of 'unsafe-allow-redirects' only the second one is checked since the first is a redirect >+ >+ var i = document.createElement('iframe'); >+ i.src = "../support/link_click_navigation.sub.html" + >+ "?csp=" + encodeURIComponent("navigate-to {{location[scheme]}}://{{domains[www1]}}:{{location[port]}} 'unsafe-allow-redirects'") + >+ "&target=" + encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/common/redirect.py?location=" + >+ encodeURIComponent("{{location[scheme]}}://{{domains[www1]}}:{{location[port]}}/content-security-policy/navigate-to/support/post_message_to_frame_owner.html")); >+ document.body.appendChild(i); >+</script> >+ >+</body> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..115637699628038bb24ec22c6e3f07ac367908a1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub-expected.txt 
>@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'navigate-to'. >+ >+Blocked access to external URL http://www2.localhost:8800/common/redirect.py?location=http%3A%2F%2Fwww2.localhost%3A8800%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the child iframe navigation is blocked >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..86e54b3d93745d4eb892ba33074f66fa4dfa9bd9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub.html 
>@@ -0,0 +1,29 @@ >+<!DOCTYPE html> >+ >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+<script> >+ var t = async_test("Test that the child iframe navigation is blocked"); >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data.result, 'fail'); >+ assert_equals(e.data.violatedDirective, 'navigate-to'); >+ }); >+ >+ // the iframe will navigate to: >+ // [www2]/..../redirect.py (which is not in the navigate-to source list) which will in turn navigate to >+ // [www2]/..../post_message_to_frame_owner.html which is also not in the list >+ // because of 'unsafe-allow-redirects' only the second one is checked since the first is a redirect >+ >+ var i = document.createElement('iframe'); >+ i.src = "../support/link_click_navigation.sub.html" + >+ "?csp=" + encodeURIComponent("navigate-to {{location[scheme]}}://{{domains[www1]}}:{{location[port]}} 'unsafe-allow-redirects'") + >+ "&target=" + encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/common/redirect.py?location=" + >+ encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/content-security-policy/navigate-to/support/post_message_to_frame_owner.html")); >+ document.body.appendChild(i); >+</script> >+ >+</body> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..aafd7ebd49c6da783f8b6de01f794ec5dab7c8e0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/w3c-import.log 
>@@ -0,0 +1,19 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain-because-of-same-origin.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..7bffb3f46a4384319a80873d266f673b34cb2798 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/w3c-import.log 
>@@ -0,0 +1,51 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/anchor-navigation-always-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/anchor-navigation-always-allowed.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-cross-origin-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-cross-origin-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-redirected-allowed.html 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/form-redirected-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-cross-origin-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-cross-origin-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-redirected-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-redirected-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-cross-origin-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-cross-origin-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-redirected-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-redirected-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-cross-origin-allowed.sub.html 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-redirected-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigate-to/spv-only-sent-to-initiator.sub.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a1bc3b6442e6f5f9b6acc59ed9522d475309964b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Violation report status OK. assert_true: violated-directive value of "default-src 'none'" did not match frame-src. expected true got false >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp.html >new file mode 100644 >index 0000000000000000000000000000000000000000..21c4fb33ce2d66db750d92a892e3871bd5d9b576 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+ >+<script> >+ var window_url = encodeURIComponent("javascript:'<iframe src=/content-security-policy/support/fail.js />'"); >+ var report_cookie_name = encodeURIComponent("javascript-url-navigation-inherits-csp"); >+ window.open("support/test_csp_self_window.sub.html?window_url=" + window_url + "&report_cookie_name=" + report_cookie_name); >+ setTimeout(function() { >+ var s = document.createElement('script'); >+ s.async = true; >+ s.defer = true; >+ s.src = "../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-src%20%27none%27"; >+ document.body.appendChild(s); >+ }, 2000); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/support/frame-with-csp.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/support/frame-with-csp.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..b4d5b82e46cb3c1b43c7b450b5f1022e5617dbd2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/support/frame-with-csp.sub.html >@@ -0,0 +1,2 @@ >+<meta http-equiv="Content-Security-Policy" content="{{GET[csp]}}"> >+CHILD FRAME 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/support/test_csp_self_window.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/support/test_csp_self_window.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..ab0f8f82e3951a412824d066f670af17377dcec5 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/support/test_csp_self_window.sub.html >@@ -0,0 +1,8 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+ >+<script> >+ var window_url = decodeURIComponent("{{GET[window_url]}}").replace('<', '<').replace('>', '>'); >+ window.open(window_url, "_self"); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/support/test_csp_self_window.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/support/test_csp_self_window.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..dd418ec7648ba3f5603b0e070460ac171b8bc4d4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/support/test_csp_self_window.sub.html.sub.headers >@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: {{GET[report_cookie_name]}}={{$id:uuid()}}; Path=/content-security-policy/navigation/ >+Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline'; report-uri ../../support/report.py?op=put&reportID={{$id}} 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/support/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/support/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..947e784917e4ccf137ae3e20c10a7f532435c5b6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/support/w3c-import.log >@@ -0,0 +1,19 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/support/frame-with-csp.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/support/test_csp_self_window.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/support/test_csp_self_window.sub.html.sub.headers >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..8b45bb1f4a9ab2980093de8091a79336fad29b87 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp-expected.txt 
>@@ -0,0 +1,4 @@ >+ >+ >+PASS Should have executed the javascript url >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html >new file mode 100644 >index 0000000000000000000000000000000000000000..e95e71c59bca3b368034d3b44fda8834d0eeb7b1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html >@@ -0,0 +1,20 @@ >+<!DOCTYPE html> >+<head> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+<body> >+<iframe src="support/frame-with-csp.sub.html?csp=script-src%20%27unsafe-inline%27"></iframe> >+<div onclick="frames[0].location.href = 'javascript:parent.postMessage(\'executed\', \'*\')'" id="special_div"></div> >+<script> >+ var t = async_test("Should have executed the javascript url"); >+ frames[0].addEventListener('load', () => { >+ window.onmessage = t.step_func(function(e) { >+ if (e.data == "executed") >+ t.done(); >+ }); >+ window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have raised a violation event")); >+ document.getElementById('special_div').click(); >+ }); >+</script> >+</body> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-disallow-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-disallow-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ca447fdfc98f0dfced62aa15ef9436d9f6b61e64 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-disallow-expected.txt 
>@@ -0,0 +1,4 @@ >+ >+ >+FAIL Should not have executed the javascript url assert_true: Javascript url executed expected true got false >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-disallow.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-disallow.html >new file mode 100644 >index 0000000000000000000000000000000000000000..3a0641170ea26edfd998acc9105ccc3bad8b4f98 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-disallow.html >@@ -0,0 +1,23 @@ >+<!DOCTYPE html> >+<head> >+<meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-abc'"> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+<body> >+<iframe src="support/frame-with-csp.sub.html?csp=script-src%20'self'%20'unsafe-inline'"></iframe> >+<script nonce='abc'> >+ var t = async_test("Should not have executed the javascript url"); >+ const iframe = document.querySelector("iframe"); >+ iframe.addEventListener('load', () => { >+ window.onmessage = t.step_func(function(e) { >+ if (e.data == "executed") >+ assert_true(false, "Javascript url executed"); >+ }); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.blockedURI, 'inline'); >+ })); >+ iframe.contentWindow.location.href = 'javascript:parent.postMessage(\'executed\', \'*\')' >+ }); >+</script> >+</body> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..11aa8adcb362ef8f8a17d1f4f46e6ea4d1ae2870 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-expected.txt >@@ -0,0 +1,7 @@ >+CONSOLE MESSAGE: line 9: Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should not have executed the javascript url >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html >new file mode 100644 >index 0000000000000000000000000000000000000000..8aa8884914d58185bc5622dc0f3047030f873e1c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html 
>@@ -0,0 +1,24 @@ >+<!DOCTYPE html> >+<head> >+<meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-abc'"> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+</head> >+<body> >+<iframe src="support/frame-with-csp.sub.html"></iframe> >+<div onclick="frames[0].location.href = 'javascript:parent.postMessage(\'executed\', \'*\')'" id="special_div"></div> >+<script nonce='abc'> >+ var t = async_test("Should not have executed the javascript url"); >+ frames[0].addEventListener('load', () => { >+ window.onmessage = t.step_func(function(e) { >+ if (e.data == "executed") >+ assert_true(false, "Javascript url executed"); >+ }); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.blockedURI, 'inline'); >+ assert_equals(e.violatedDirective, 'script-src-attr'); >+ })); >+ document.getElementById('special_div').click(); >+ }); >+</script> >+</body> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-url-frame-src-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-url-frame-src-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..f597f3df68e9e1d1d971bf19077badd46295085c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-url-frame-src-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS <iframe src='javascript:...'> not blocked by 'frame-src' >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-url-frame-src.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-url-frame-src.html >new file mode 100644 >index 0000000000000000000000000000000000000000..79b881cfcd41dc05b3be1a3d27988914280f89b7 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-url-frame-src.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+ >+<meta http-equiv="Content-Security-Policy" content="frame-src 'none'"> >+ >+<body> >+ >+<script> >+ var t = async_test("<iframe src='javascript:...'> not blocked by 'frame-src'"); >+ >+ var i = document.createElement('iframe'); >+ i.src = "javascript:window.top.t.done();"; >+ >+ document.body.appendChild(i); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-url-script-src-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-url-script-src-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..1fe31c30bc7f38e048a0e2c264910c56ab316ff9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-url-script-src-expected.txt 
>@@ -0,0 +1,12 @@ >+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT <iframe src='javascript:'> blocked without 'unsafe-inline'. Test timed out >+FAIL <iframe> navigated to 'javascript:' blocked without 'unsafe-inline'. assert_unreached: The CSP event should be fired in the embedding document, not in the embedee. Reached unreachable code >+TIMEOUT <iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document Test timed out >+FAIL <iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' blocked in this document. assert_unreached: The CSP event should be fired in the embedding document, not in the embedee. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-url-script-src.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-url-script-src.html >new file mode 100644 >index 0000000000000000000000000000000000000000..70dea1f985e6b7642b5bfd194c34f1d8c8dcaa74 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-url-script-src.html 
>@@ -0,0 +1,72 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+ >+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'"> >+ >+<body> >+ >+<script nonce="abc"> >+ function assert_csp_event_for_element(test, element) { >+ assert_equals(typeof SecurityPolicyViolationEvent, "function", "These tests require 'SecurityPolicyViolationEvent'."); >+ document.addEventListener("securitypolicyviolation", test.step_func(e => { >+ if (e.target != element) >+ return; >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.effectiveDirective, "script-src-elem"); >+ assert_equals(element.contentDocument.body.innerText, "", "Ensure that 'Fail' doesn't appear in the child document."); >+ element.remove(); >+ test.done(); >+ })); >+ } >+ >+ function navigate_to_javascript_onload(test, iframe) { >+ iframe.addEventListener("load", test.step_func(e => { >+ assert_equals(typeof SecurityPolicyViolationEvent, "function"); >+ iframe.contentDocument.addEventListener( >+ "securitypolicyviolation", >+ test.unreached_func("The CSP event should be fired in the embedding document, not in the embedee.") >+ ); >+ >+ iframe.src = "javascript:'Fail.'"; >+ })); >+ } >+ >+ async_test(t => { >+ var i = document.createElement("iframe"); >+ i.src = "javascript:'Fail.'"; >+ >+ assert_csp_event_for_element(t, i); >+ >+ document.body.appendChild(i); >+ }, "<iframe src='javascript:'> blocked without 'unsafe-inline'."); >+ >+ async_test(t => { >+ var i = document.createElement("iframe"); >+ >+ assert_csp_event_for_element(t, i); >+ navigate_to_javascript_onload(t, i); >+ >+ document.body.appendChild(i); >+ }, "<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'."); >+ >+ async_test(t => { >+ var i = document.createElement("iframe"); >+ i.src = "../support/echo-policy.py?policy=" + encodeURIComponent("script-src 'unsafe-inline'"); >+ >+ assert_csp_event_for_element(t, i); >+ 
navigate_to_javascript_onload(t, i); >+ >+ document.body.appendChild(i); >+ }, "<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document"); >+ >+ async_test(t => { >+ var i = document.createElement("iframe"); >+ i.src = "../support/echo-policy.py?policy=" + encodeURIComponent("script-src 'none'"); >+ >+ assert_csp_event_for_element(t, i); >+ navigate_to_javascript_onload(t, i); >+ >+ document.body.appendChild(i); >+ }, "<iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' blocked in this document."); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..3f60521e80ed8059fb3afe261f43c50b1cdf4b5b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/w3c-import.log 
>@@ -0,0 +1,22 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-disallow.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-url-frame-src.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-url-script-src.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.tentative.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.tentative.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..28b7552247171e34654bff02ab690bb2186094ff >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.tentative.sub-expected.txt 
>@@ -0,0 +1,14 @@ >+async_test(t => { requestAnimationFrame(t.step_func_done(_ => { var script = document.querySelector('#cssTest'); var style = getComputedStyle(script); assert_equals(style['display'], 'block'); assert_equals(style['background-image'], "url(\"http://localhost:8800/security/resources/abe.png\")"); })); }, "Nonces leak via CSS side-channels."); >+ >+PASS Reading 'nonce' content attribute and IDL attribute. >+PASS Cloned node retains nonce. >+PASS Cloned node retains nonce when inserted. >+PASS Writing 'nonce' content attribute. >+FAIL Writing 'nonce' IDL attribute. assert_equals: expected "foo" but got "bar" >+PASS Document-written script executes. >+PASS Document-written script's nonce value. >+FAIL createElement.nonce. assert_equals: expected (object) null but got (string) "abc" >+PASS setAttribute('nonce') overwrites '.nonce' upon insertion. >+PASS createElement.setAttribute. >+PASS Nonces leak via CSS side-channels. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.tentative.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.tentative.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..b15fcfa30b5ae23ea0a9ba7c461711579fe7c8f1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.tentative.sub.html 
>@@ -0,0 +1,130 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+ >+<meta http-equiv="content-security-policy" content="script-src 'nonce-abc'; img-src 'none'"> >+ >+<body> >+<!-- Basics --> >+<script nonce="abc" id="testScript"> >+ document.currentScript.setAttribute('executed', 'yay'); >+</script> >+ >+<script nonce="abc"> >+ var script = document.querySelector('#testScript'); >+ >+ test(t => { >+ // Query Selector >+ assert_equals(document.querySelector('body [nonce]'), script); >+ assert_equals(document.querySelector('body [nonce=""]'), null); >+ assert_equals(document.querySelector('body [nonce=abc]'), script); >+ >+ assert_equals(script.getAttribute('nonce'), 'abc'); >+ assert_equals(script.nonce, 'abc'); >+ }, "Reading 'nonce' content attribute and IDL attribute."); >+ >+ // Clone node. >+ test(t => { >+ script.setAttribute('executed', 'boo'); >+ var s2 = script.cloneNode(); >+ assert_equals(s2.nonce, 'abc', 'IDL attribute'); >+ assert_equals(s2.getAttribute('nonce'), 'abc'); >+ }, "Cloned node retains nonce."); >+ >+ async_test(t => { >+ var s2 = script.cloneNode(); >+ document.head.appendChild(s2); >+ assert_equals(s2.nonce, 'abc'); >+ assert_equals(s2.getAttribute('nonce'), 'abc'); >+ window.addEventListener('load', t.step_func_done(_ => { >+ // The cloned script won't execute, as its 'already started' flag is set. 
>+ assert_equals(s2.getAttribute('executed'), 'boo'); >+ })); >+ }, "Cloned node retains nonce when inserted."); >+ >+ // Set the content attribute to 'foo' >+ test(t => { >+ script.setAttribute('nonce', 'foo'); >+ assert_equals(script.getAttribute('nonce'), 'foo'); >+ assert_equals(script.nonce, 'foo'); >+ }, "Writing 'nonce' content attribute."); >+ >+ // Set the IDL attribute to 'bar' >+ test(t => { >+ script.nonce = 'bar'; >+ assert_equals(script.nonce, 'bar'); >+ assert_equals(script.getAttribute('nonce'), 'foo'); >+ }, "Writing 'nonce' IDL attribute."); >+ >+ // Fragment parser. >+ var documentWriteTest = async_test("Document-written script executes."); >+ document.write(`<script nonce='abc'> >+ documentWriteTest.done(); >+ test(t => { >+ var script = document.currentScript; >+ assert_equals(script.getAttribute('nonce'), 'abc'); >+ assert_equals(script.nonce, 'abc'); >+ }, "Document-written script's nonce value."); >+ </scr` + `ipt>`); >+ >+ // Create node. >+ async_test(t => { >+ var s = document.createElement('script'); >+ s.innerText = script.innerText; >+ s.nonce = 'abc'; >+ document.head.appendChild(s); >+ assert_equals(s.nonce, 'abc'); >+ assert_equals(s.getAttribute('nonce'), null); >+ >+ window.addEventListener('load', t.step_func_done(_ => { >+ assert_equals(s.getAttribute('executed'), 'yay'); >+ })); >+ }, "createElement.nonce."); >+ >+ async_test(t => { >+ var s = document.createElement('script'); >+ s.innerText = script.innerText; >+ s.nonce = 'zyx'; >+ s.setAttribute('nonce', 'abc'); >+ assert_equals(s.nonce, 'abc'); >+ document.head.appendChild(s); >+ assert_equals(s.nonce, 'abc'); >+ assert_equals(s.getAttribute('nonce'), 'abc'); >+ >+ window.addEventListener('load', t.step_func_done(_ => { >+ assert_equals(s.getAttribute('executed'), 'yay'); >+ })); >+ }, "setAttribute('nonce') overwrites '.nonce' upon insertion."); >+ >+ // Create node. 
>+ async_test(t => { >+ var s = document.createElement('script'); >+ s.innerText = script.innerText; >+ s.setAttribute('nonce', 'abc'); >+ assert_equals(s.getAttribute('nonce'), 'abc', "Pre-insertion content"); >+ assert_equals(s.nonce, 'abc', "Pre-insertion IDL"); >+ document.head.appendChild(s); >+ assert_equals(s.nonce, 'abc', "Post-insertion IDL"); >+ assert_equals(s.getAttribute('nonce'), 'abc', "Post-insertion content"); >+ >+ window.addEventListener('load', t.step_func_done(_ => { >+ assert_equals(s.getAttribute('executed'), 'yay'); >+ })); >+ }, "createElement.setAttribute."); >+</script> >+ >+<!-- CSS Leakage --> >+<style> >+ #cssTest { display: block; } >+ #cssTest[nonce=abc] { background: url(/security/resources/abe.png); } >+</style> >+<script nonce="abc" id="cssTest"> >+ async_test(t => { >+ requestAnimationFrame(t.step_func_done(_ => { >+ var script = document.querySelector('#cssTest'); >+ var style = getComputedStyle(script); >+ assert_equals(style['display'], 'block'); >+ assert_equals(style['background-image'], "url(\"http://{{domains[]}}:{{ports[http][0]}}/security/resources/abe.png\")"); >+ })); >+ }, "Nonces leak via CSS side-channels."); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.tentative-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.tentative-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..b1a8aa48b7b6d16320c267276b9df6bccf3013f8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.tentative-expected.txt 
>@@ -0,0 +1,16 @@ >+async_test(t => { requestAnimationFrame(t.step_func_done(_ => { var script = document.querySelector('#cssTest'); var style = getComputedStyle(script); assert_equals(style['display'], 'block'); assert_equals(style['background-image'], 'none'); })); }, "Nonces don't leak via CSS side-channels."); >+ >+FAIL Reading 'nonce' content attribute and IDL attribute. assert_equals: expected Element node <script nonce="abc" id="testScript" executed="yay"> >+ doc... but got null >+FAIL Cloned node retains nonce. assert_equals: expected "" but got "abc" >+FAIL Cloned node retains nonce when inserted. assert_equals: expected "" but got "abc" >+PASS Writing 'nonce' content attribute. >+FAIL Writing 'nonce' IDL attribute. assert_equals: expected "foo" but got "bar" >+PASS Document-written script executes. >+FAIL Document-written script's nonce value. assert_equals: expected "" but got "abc" >+FAIL createElement.nonce. assert_equals: expected (object) null but got (string) "abc" >+FAIL setAttribute('nonce') overwrites '.nonce' upon insertion. assert_equals: expected "" but got "abc" >+FAIL createElement.setAttribute. assert_equals: Post-insertion content expected "" but got "abc" >+FAIL Custom elements expose the correct events. assert_equals: expected 3 but got 2 >+FAIL Nonces don't leak via CSS side-channels. assert_equals: expected "none" but got "url(\"http://localhost:8800/security/resources/abe.png\")" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html >new file mode 100644 >index 0000000000000000000000000000000000000000..4b717b9b2a04be239ea849e7f53c9119077f589e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html 
>@@ -0,0 +1,171 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js" nonce="abc"></script> >+<script src="/resources/testharnessreport.js" nonce="abc"></script> >+ >+<!-- `Content-Security-Policy: script-src 'nonce-abc'; img-src 'none'` delivered via headers --> >+ >+<body> >+<!-- Basics --> >+<script nonce="abc" id="testScript"> >+ document.currentScript.setAttribute('executed', 'yay'); >+</script> >+ >+<script nonce="abc"> >+ var script = document.querySelector('#testScript'); >+ >+ test(t => { >+ // Query Selector >+ assert_equals(document.querySelector('body [nonce]'), script); >+ assert_equals(document.querySelector('body [nonce=""]'), script); >+ assert_equals(document.querySelector('body [nonce=abc]'), null); >+ >+ assert_equals(script.getAttribute('nonce'), ''); >+ assert_equals(script.nonce, 'abc'); >+ }, "Reading 'nonce' content attribute and IDL attribute."); >+ >+ // Clone node. >+ test(t => { >+ script.setAttribute('executed', 'boo'); >+ var s2 = script.cloneNode(); >+ assert_equals(s2.nonce, 'abc', 'IDL attribute'); >+ assert_equals(s2.getAttribute('nonce'), ''); >+ }, "Cloned node retains nonce."); >+ >+ async_test(t => { >+ var s2 = script.cloneNode(); >+ document.head.appendChild(s2); >+ assert_equals(s2.nonce, 'abc'); >+ assert_equals(s2.getAttribute('nonce'), ''); >+ >+ window.addEventListener('load', t.step_func_done(_ => { >+ // The cloned script won't execute, as its 'already started' flag is set. 
>+ assert_equals(s2.getAttribute('executed'), 'boo'); >+ })); >+ }, "Cloned node retains nonce when inserted."); >+ >+ // Set the content attribute to 'foo' >+ test(t => { >+ script.setAttribute('nonce', 'foo'); >+ assert_equals(script.getAttribute('nonce'), 'foo'); >+ assert_equals(script.nonce, 'foo'); >+ }, "Writing 'nonce' content attribute."); >+ >+ // Set the IDL attribute to 'bar' >+ test(t => { >+ script.nonce = 'bar'; >+ assert_equals(script.nonce, 'bar'); >+ assert_equals(script.getAttribute('nonce'), 'foo'); >+ }, "Writing 'nonce' IDL attribute."); >+ >+ // Fragment parser. >+ var documentWriteTest = async_test("Document-written script executes."); >+ document.write(`<script nonce='abc'> >+ documentWriteTest.done(); >+ test(t => { >+ var script = document.currentScript; >+ assert_equals(script.getAttribute('nonce'), ''); >+ assert_equals(script.nonce, 'abc'); >+ }, "Document-written script's nonce value."); >+ </scr` + `ipt>`); >+ >+ // Create node. >+ async_test(t => { >+ var s = document.createElement('script'); >+ s.innerText = script.innerText; >+ s.nonce = 'abc'; >+ document.head.appendChild(s); >+ assert_equals(s.nonce, 'abc'); >+ assert_equals(s.getAttribute('nonce'), null); >+ >+ window.addEventListener('load', t.step_func_done(_ => { >+ assert_equals(s.getAttribute('executed'), 'yay'); >+ })); >+ }, "createElement.nonce."); >+ >+ async_test(t => { >+ var s = document.createElement('script'); >+ s.innerText = script.innerText; >+ s.nonce = 'zyx'; >+ s.setAttribute('nonce', 'abc'); >+ assert_equals(s.nonce, 'abc'); >+ document.head.appendChild(s); >+ assert_equals(s.nonce, 'abc'); >+ assert_equals(s.getAttribute('nonce'), ''); >+ >+ window.addEventListener('load', t.step_func_done(_ => { >+ assert_equals(s.getAttribute('executed'), 'yay'); >+ })); >+ }, "setAttribute('nonce') overwrites '.nonce' upon insertion."); >+ >+ // Create node. 
>+ async_test(t => { >+ var s = document.createElement('script'); >+ s.innerText = script.innerText; >+ s.setAttribute('nonce', 'abc'); >+ assert_equals(s.getAttribute('nonce'), 'abc', "Pre-insertion content"); >+ assert_equals(s.nonce, 'abc', "Pre-insertion IDL"); >+ document.head.appendChild(s); >+ assert_equals(s.nonce, 'abc', "Post-insertion IDL"); >+ assert_equals(s.getAttribute('nonce'), '', "Post-insertion content"); >+ >+ window.addEventListener('load', t.step_func_done(_ => { >+ assert_equals(s.getAttribute('executed'), 'yay'); >+ })); >+ }, "createElement.setAttribute."); >+</script> >+ >+<!-- Custom Element --> >+<script nonce="abc"> >+ var eventList = []; >+ class NonceElement extends HTMLElement { >+ static get observedAttributes() { >+ return ['nonce']; >+ } >+ >+ constructor() { >+ super(); >+ } >+ >+ attributeChangedCallback(name, oldValue, newValue) { >+ eventList.push({ >+ type: "AttributeChanged", >+ name: name, >+ oldValue: oldValue, >+ newValue: newValue >+ }); >+ } >+ >+ connectedCallback() { >+ eventList.push({ >+ type: "Connected", >+ }); >+ } >+ } >+ >+ customElements.define("nonce-element", NonceElement); >+</script> >+<nonce-element nonce="abc"></nonce-element> >+<script nonce="abc"> >+ test(t => { >+ assert_equals(eventList.length, 3); >+ assert_object_equals(eventList[0], { type: "AttributeChanged", name: "nonce", oldValue: null, newValue: "abc" }); >+ assert_object_equals(eventList[1], { type: "Connected" }); >+ assert_object_equals(eventList[2], { type: "AttributeChanged", name: "nonce", oldValue: "abc", newValue: "" }); >+ }, "Custom elements expose the correct events."); >+</script> >+ >+<!-- CSS Leakage --> >+<style> >+ #cssTest { display: block; } >+ #cssTest[nonce=abc] { background: url(/security/resources/abe.png); } >+</style> >+<script nonce="abc" id="cssTest"> >+ async_test(t => { >+ requestAnimationFrame(t.step_func_done(_ => { >+ var script = document.querySelector('#cssTest'); >+ var style = getComputedStyle(script); >+ 
assert_equals(style['display'], 'block'); >+ assert_equals(style['background-image'], 'none'); >+ })); >+ }, "Nonces don't leak via CSS side-channels."); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..ad8d0b54f31d6d0682152f9f75f65c649c36a6a7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html.headers >@@ -0,0 +1 @@ >+Content-Security-Policy: script-src 'nonce-abc'; img-src 'none' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.tentative.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.tentative.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..98346ad5cc06e1e75392f6f43be84ced5018204b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.tentative.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+FAIL Untitled TypeError: null is not an object (evaluating 'document.currentScript.setAttribute') >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.tentative.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.tentative.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..bd1c33760d0835b1418652da7826d96ad6fe9815 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.tentative.sub.html 
>@@ -0,0 +1,116 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+ >+<meta http-equiv="content-security-policy" content="script-src 'nonce-abc'; img-src 'none'"> >+ >+<body> >+<!-- Basics --> >+<svg xmlns="http://www.w3.org/2000/svg"> >+ <script nonce="abc" id="testScript"> >+ document.currentScript.setAttribute('executed', 'yay'); >+ </script> >+</svg> >+ >+<script nonce="abc"> >+ var script = document.querySelector('#testScript'); >+ >+ test(t => { >+ // Query Selector >+ assert_equals(document.querySelector('[nonce]'), script); >+ assert_equals(document.querySelector('[nonce=""]'), null); >+ assert_equals(document.querySelector('[nonce=abc]'), script); >+ >+ assert_equals(script.getAttribute('nonce'), 'abc'); >+ assert_equals(script.nonce, 'abc'); >+ }, "Reading 'nonce' content attribute and IDL attribute."); >+ >+ // Clone node. >+ test(t => { >+ script.setAttribute('executed', 'boo'); >+ var s2 = script.cloneNode(); >+ assert_equals(s2.nonce, 'abc', 'IDL attribute'); >+ assert_equals(s2.getAttribute('nonce'), 'abc'); >+ }, "Cloned node retains nonce."); >+ >+ async_test(t => { >+ var s2 = script.cloneNode(); >+ document.head.appendChild(s2); >+ assert_equals(s2.nonce, 'abc'); >+ assert_equals(s2.getAttribute('nonce'), 'abc'); >+ >+ window.addEventListener('load', t.step_func_done(_ => { >+ // The cloned script won't execute, as its 'already started' flag is set. 
>+ assert_equals(s2.getAttribute('executed'), 'boo'); >+ })); >+ }, "Cloned node retains nonce when inserted."); >+ >+ // Set the content attribute to 'foo' >+ test(t => { >+ script.setAttribute('nonce', 'foo'); >+ assert_equals(script.getAttribute('nonce'), 'foo'); >+ assert_equals(script.nonce, 'abc'); >+ }, "Writing 'nonce' content attribute."); >+ >+ // Set the IDL attribute to 'bar' >+ test(t => { >+ script.nonce = 'bar'; >+ assert_equals(script.nonce, 'bar'); >+ assert_equals(script.getAttribute('nonce'), 'foo'); >+ }, "Writing 'nonce' IDL attribute."); >+ >+ // Fragment parser. >+ var documentWriteTest = async_test("Document-written script executes."); >+ document.write(`<svg xmlns="http://www.w3.org/2000/svg"><script nonce='abc'> >+ documentWriteTest.done(); >+ test(t => { >+ var script = document.currentScript; >+ assert_equals(script.getAttribute('nonce'), 'abc'); >+ assert_equals(script.nonce, 'abc'); >+ }, "Document-written script's nonce value."); >+ </scr` + `ipt></svg>`); >+ >+ // Create node. >+ test(t => { >+ var s = document.createElement('svg'); >+ var innerScript = document.createElement('innerScript'); >+ innerScript.innerText = script.innerText; >+ innerScript.nonce = 'abc'; >+ s.appendChild(innerScript); >+ document.body.appendChild(s); >+ assert_equals(innerScript.nonce, 'abc'); >+ assert_equals(innerScript.getAttribute('nonce'), null, 'innerScript.getAttribute nonce'); >+ }, "createElement.nonce."); >+ >+ // Create node. 
>+ test(t => { >+ var s = document.createElement('svg'); >+ var innerScript = document.createElement('script'); >+ innerScript.innerText = script.innerText; >+ innerScript.setAttribute('nonce', 'abc'); >+ assert_equals(innerScript.getAttribute('nonce'), 'abc', "Pre-insertion content"); >+ assert_equals(innerScript.nonce, 'abc', "Pre-insertion IDL"); >+ s.appendChild(innerScript); >+ document.body.appendChild(s); >+ assert_equals(innerScript.nonce, 'abc', "Post-insertion IDL"); >+ assert_equals(innerScript.getAttribute('nonce'), 'abc', "Post-insertion content"); >+ }, "createElement.setAttribute."); >+</script> >+ >+<!-- CSS Leakage --> >+<style> >+ #cssTest { display: block; } >+ #cssTest[nonce=abc] { background: url(/security/resources/abe.png); } >+</style> >+<svg xmlns="http://www.w3.org/2000/svg"> >+ <script nonce="abc" id="cssTest"> >+ async_test(t => { >+ requestAnimationFrame(t.step_func_done(_ => { >+ var script = document.querySelector('#cssTest'); >+ var style = getComputedStyle(script); >+ assert_equals(style['display'], 'block'); >+ assert_equals(style['background-image'], "url(\"http://{{domains[]}}:{{ports[http][0]}}/security/resources/abe.png\")"); >+ })); >+ }, "Nonces don't leak via CSS side-channels."); >+ </script> >+</svg> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..98346ad5cc06e1e75392f6f43be84ced5018204b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+FAIL Untitled TypeError: null is not an object (evaluating 'document.currentScript.setAttribute') >+ 
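Review bot: The baseline script-nonces-hidden-meta.tentative.sub-expected.txt commits two FAIL lines, `FAIL Writing 'nonce' IDL attribute. assert_equals: expected "foo" but got "bar"` and `FAIL createElement.nonce. assert_equals: expected (object) null but got (string) "abc"`, with no mention in the ChangeLog and no tracking bug. Both have the same cause, visible in the test itself: it expects `script.nonce = 'bar'` to leave `getAttribute('nonce')` at 'foo', and `s.nonce = 'abc'` on a freshly created element to leave the content attribute null, i.e. a nonce slot separate from the content attribute, whereas the baseline shows WebKit writing the content attribute in both cases. The LayoutTests ChangeLog only says some tests were skipped for unsupported features; please either state that nonce hiding is not implemented or reference the bug that tracks it, so these FAIL lines are not read as accepted behaviour. Minor: the first line of this expected file is the #cssTest script's source text, rendered only because the test's own stylesheet sets `#cssTest { display: block; }`, so any upstream edit to that script will churn the baseline.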
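Review bot: The same gap applies to script-nonces-hidden.tentative-expected.txt, where nearly every result is FAIL with `expected "" but got "abc"`. With the policy delivered through the .headers file, the test expects the nonce content attribute to be cleared to the empty string once the script is connected, and "Custom elements expose the correct events" expects a third attributeChangedCallback (`oldValue: "abc", newValue: ""`) for that clearing; the baseline shows neither happens. One line is worth calling out explicitly: `FAIL Nonces don't leak via CSS side-channels. ... got "url(\"http://localhost:8800/security/resources/abe.png\")"` shows that `img-src 'none'` in the policy only suppresses the image fetch; the `#cssTest[nonce=abc]` rule still matches and getComputedStyle exposes the nonce, which is exactly the side channel these tentative tests target. Since the tests are .tentative, a bug reference or a TestExpectations entry is preferable to a silent FAIL baseline.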
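Review bot: Both svgscript-nonces-hidden*-expected.txt baselines (identical content, index 98346ad5...) contain nothing but `FAIL Untitled TypeError: null is not an object (evaluating 'document.currentScript.setAttribute')`, so none of the SVG nonce assertions are captured at all. The exception is thrown by the very first `<svg><script nonce="abc" id="testScript">` block, where document.currentScript is null for an SVG script element in WebKit; that is a separate defect from nonce hiding and it masks every test after it. Please track it on its own (or say so in the ChangeLog) rather than let this baseline stand in for the SVG nonce-hiding results.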
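Review bot: Two upstream problems in svgscript-nonces-hidden-meta.tentative.sub.html belong in a WPT pull request rather than a local edit (the w3c-import.log forbids modifying imported tests): the "createElement.nonce." test calls `document.createElement('innerScript')`, which creates an unknown element rather than a script, and both "Create node" tests use `document.createElement('svg')`, which creates an HTML-namespace element named svg rather than an SVG element, so neither test exercises SVG script; createElementNS with the SVG namespace is what they appear to intend. Also, the final test is named "Nonces don't leak via CSS side-channels." while asserting the abe.png URL in background-image, i.e. that the nonce does leak, the opposite of the HTML meta variant's "Nonces leak via CSS side-channels."; the assertion, not the name, is the one consistent with a meta-delivered policy.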
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative.html >new file mode 100644 >index 0000000000000000000000000000000000000000..8c0e58b1d1d24228339c44059a8450582780c1f1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative.html 
>@@ -0,0 +1,116 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js" nonce="abc"></script> >+<script src="/resources/testharnessreport.js" nonce="abc"></script> >+ >+<!-- `Content-Security-Policy: script-src 'nonce-abc'; img-src 'none'` delivered via headers --> >+ >+<body> >+<!-- Basics --> >+<svg xmlns="http://www.w3.org/2000/svg"> >+ <script nonce="abc" id="testScript"> >+ document.currentScript.setAttribute('executed', 'yay'); >+ </script> >+</svg> >+ >+<script nonce="abc"> >+ var script = document.querySelector('#testScript'); >+ >+ test(t => { >+ // Query Selector >+ assert_equals(document.querySelector('body [nonce]'), script); >+ assert_equals(document.querySelector('body [nonce=""]'), script); >+ assert_equals(document.querySelector('body [nonce=abc]'), null); >+ >+ assert_equals(script.getAttribute('nonce'), ''); >+ assert_equals(script.nonce, 'abc'); >+ }, "Reading 'nonce' content attribute and IDL attribute."); >+ >+ // Clone node. >+ test(t => { >+ script.setAttribute('executed', 'boo'); >+ var s2 = script.cloneNode(); >+ assert_equals(s2.nonce, 'abc', 'IDL attribute'); >+ assert_equals(s2.getAttribute('nonce'), ''); >+ }, "Cloned node retains nonce."); >+ >+ async_test(t => { >+ var s2 = script.cloneNode(); >+ document.head.appendChild(s2); >+ assert_equals(s2.nonce, 'abc'); >+ assert_equals(s2.getAttribute('nonce'), ''); >+ >+ window.addEventListener('load', t.step_func_done(_ => { >+ // The cloned script won't execute, as its 'already started' flag is set. 
>+ assert_equals(s2.getAttribute('executed'), 'boo'); >+ })); >+ }, "Cloned node retains nonce when inserted."); >+ >+ // Set the content attribute to 'foo' >+ test(t => { >+ script.setAttribute('nonce', 'foo'); >+ assert_equals(script.getAttribute('nonce'), 'foo'); >+ assert_equals(script.nonce, 'abc'); >+ }, "Writing 'nonce' content attribute."); >+ >+ // Set the IDL attribute to 'bar' >+ test(t => { >+ script.nonce = 'bar'; >+ assert_equals(script.nonce, 'bar'); >+ assert_equals(script.getAttribute('nonce'), 'foo'); >+ }, "Writing 'nonce' IDL attribute."); >+ >+ // Fragment parser. >+ var documentWriteTest = async_test("Document-written script executes."); >+ document.write(`<svg xmlns="http://www.w3.org/2000/svg"><script nonce='abc'> >+ documentWriteTest.done(); >+ test(t => { >+ var script = document.currentScript; >+ assert_equals(script.getAttribute('nonce'), ''); >+ assert_equals(script.nonce, 'abc'); >+ }, "Document-written script's nonce value."); >+ </scr` + `ipt></svg>`); >+ >+ // Create node. >+ test(t => { >+ var s = document.createElement('svg'); >+ var innerScript = document.createElement('script'); >+ innerScript.innerText = script.innerText; >+ innerScript.nonce = 'abc'; >+ s.appendChild(innerScript); >+ document.body.appendChild(s); >+ assert_equals(innerScript.nonce, 'abc'); >+ assert_equals(innerScript.getAttribute('nonce'), null); >+ }, "createElement.nonce."); >+ >+ // Create node. 
>+ test(t => { >+ var s = document.createElement('svg'); >+ var innerScript = document.createElement('script'); >+ innerScript.innerText = script.innerText; >+ innerScript.setAttribute('nonce', 'abc'); >+ assert_equals(innerScript.getAttribute('nonce'), 'abc', "Pre-insertion content"); >+ assert_equals(innerScript.nonce, 'abc', "Pre-insertion IDL"); >+ s.appendChild(innerScript); >+ document.body.appendChild(s); >+ assert_equals(innerScript.nonce, 'abc', "Post-insertion IDL"); >+ assert_equals(innerScript.getAttribute('nonce'), '', "Post-insertion content"); >+ }, "createElement.setAttribute."); >+</script> >+ >+<!-- CSS Leakage --> >+<style> >+ #cssTest { display: block; } >+ #cssTest[nonce=abc] { background: url(/security/resources/abe.png); } >+</style> >+<svg xmlns="http://www.w3.org/2000/svg"> >+ <script nonce="abc" id="cssTest"> >+ async_test(t => { >+ requestAnimationFrame(t.step_func_done(_ => { >+ var script = document.querySelector('#cssTest'); >+ var style = getComputedStyle(script); >+ assert_equals(style['display'], 'block'); >+ assert_equals(style['background-image'], 'none'); >+ })); >+ }, "Nonces don't leak via CSS side-channels."); >+ </script> >+</svg> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..ad8d0b54f31d6d0682152f9f75f65c649c36a6a7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative.html.headers >@@ -0,0 +1 @@ >+Content-Security-Policy: script-src 'nonce-abc'; img-src 'none' 
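Review bot: svgscript-nonces-hidden.tentative.html has the same `document.createElement('svg')` problem in both "Create node" tests (an HTML element named svg, not an SVG element), so the pre- and post-insertion checks there really exercise HTMLScriptElement. Separately, "Writing 'nonce' content attribute." in both SVG variants expects `script.nonce` to remain 'abc' after `setAttribute('nonce', 'foo')`, while the HTML variants expect 'foo'; worth confirming upstream whether that difference is intended before SVG baselines are ever regenerated with real results.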
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..2455fb832e56dc0d6ac4b1ce7ba1c3fcf92d22f8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/w3c-import.log >@@ -0,0 +1,22 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.tentative.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.tentative.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative.html.headers 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..53f2f2d01347dcaa94f94e2573af660e0dd9b5e6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-allowed-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..65c575c4b5406b7d607bf1b8b6dac3be4c930f2f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-allowed.html >@@ -0,0 +1,18 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <!-- Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} --> >+</head> >+ >+<body> >+ <object type="application/x-webkit-test-netscape"></object> >+ >+ <!-- we rely on the report because we can't rely on the onload event for >+ "allowed" tests as it is not fired for object and embed --> >+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-allowed.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-allowed.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..012702bfc1ac19e7c5154b8861760e58b463e71f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-allowed.html.sub.headers >@@ -0,0 +1,2 @@ >+Set-Cookie: object-src-no-url-allowed={{$id:uuid()}}; Path=/content-security-policy/object-src/ >+Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..9423e593a1f631f84022e3ae8d89435557c45ac0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-blocked-expected.txt >@@ -0,0 +1,8 @@ >+CONSOLE MESSAGE: Refused to load because it does not appear in the object-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load because it does not appear in the object-src directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should block the object and fire a spv >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..cb7292976ae35af97d39188c745d5cc6f63282b1 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-blocked.html >@@ -0,0 +1,21 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="object-src 'none'; script-src 'self' 'unsafe-inline';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script> >+ var t = async_test("Should block the object and fire a spv"); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "object-src"); >+ })); >+ </script> >+ >+ <object type="application/x-webkit-test-netscape"></object> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..53f2f2d01347dcaa94f94e2573af660e0dd9b5e6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-allowed-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..7ab85bd6bcea33969288b948042914ebdd4e4175 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-allowed.html 
>@@ -0,0 +1,18 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <!-- Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} --> >+</head> >+ >+<body> >+ <object type="image/png" data="/content-security-policy/support/pass.png"></object> >+ >+ <!-- we rely on the report because we can't rely on the onload event for >+ "allowed" tests as it is not fired for object and embed --> >+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-allowed.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-allowed.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..9372a723c873557551def190e43df7f44693873b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-allowed.html.sub.headers >@@ -0,0 +1,2 @@ >+Set-Cookie: object-src-url-allowed={{$id:uuid()}}; Path=/content-security-policy/object-src/ >+Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..c1ade0f5278bf449ef2b30a2b6aa749f61d45ce6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-blocked-expected.txt 
>@@ -0,0 +1,6 @@ >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should block the object and fire a spv >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..f45eab9fb90942c73835abd78dfcc5530963277b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-blocked.html >@@ -0,0 +1,21 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="object-src 'none'; script-src 'self' 'unsafe-inline';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script> >+ var t = async_test("Should block the object and fire a spv"); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "object-src"); >+ })); >+ </script> >+ >+ <object type="image/png" data="/content-security-policy/support/pass.png"></object> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..53f2f2d01347dcaa94f94e2573af660e0dd9b5e6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-allowed-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Violation report status OK. >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..edb01b3839f2d8a165de572bb43d88d8371bb77c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-allowed.html >@@ -0,0 +1,19 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <!-- Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} --> >+</head> >+ >+<body> >+ <embed height="40" width="40" type="image/png" >+ src="/content-security-policy/support/pass.png"></embed> >+ >+ <!-- we rely on the report because we can't rely on the onload event for >+ "allowed" tests as it is not fired for object and embed --> >+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-allowed.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-allowed.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..7c20bf3d4005c67266a2bc0e88b1c921de4335ec >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-allowed.html.sub.headers >@@ -0,0 +1,2 @@ >+Set-Cookie: object-src-url-embed-allowed={{$id:uuid()}}; Path=/content-security-policy/object-src/ >+Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..c1ade0f5278bf449ef2b30a2b6aa749f61d45ce6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-blocked-expected.txt >@@ -0,0 +1,6 @@ >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should block the object and fire a spv >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..f133800737199ea02aca47744b723003751c0af4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-blocked.html >@@ -0,0 +1,22 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="object-src 'none'; script-src 'self' 'unsafe-inline';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script> >+ var t = async_test("Should block the object and fire a spv"); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "object-src"); >+ })); >+ </script> >+ >+ <embed height="40" width="40" type="image/png" >+ src="/content-security-policy/support/pass.png"></embed> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-redirect-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-redirect-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..8a37db491799923a6848234154872437c67af297 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-redirect-allowed-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-redirect-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-redirect-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c52286fc1294783ac24e629199c3e0891274c3a9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-redirect-allowed.html >@@ -0,0 +1,18 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <!-- Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} --> >+</head> >+ >+<body> >+ <object type="image/png" data="/common-redirect.py?location=/content-security-policy/support/pass.png"></object> >+ >+ <!-- we rely on the report because we can't rely on the onload event for >+ "allowed" tests as it is not fired for object and embed --> >+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-redirect-allowed.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-redirect-allowed.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..82779ec642ad36efca47108610436336fce21112 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-redirect-allowed.html.sub.headers >@@ -0,0 +1,2 @@ >+Set-Cookie: object-src-url-redirect-allowed={{$id:uuid()}}; Path=/content-security-policy/object-src/ >+Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-redirect-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-redirect-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..1bd9b545005a0987c4efcb5392f5ecd71eea48c1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-redirect-blocked.sub-expected.txt >@@ -0,0 +1,6 @@ >+Blocked access to external URL http://www1.localhost/content-security-policy/support/pass.png >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should block the object and fire a spv >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-redirect-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-redirect-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c79c9938e1ce9045b4772b48f5670be6319bf550 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-redirect-blocked.sub.html >@@ -0,0 +1,21 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="object-src 'self'; script-src 'self' 'unsafe-inline';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script> >+ var t = async_test("Should block the object and fire a spv"); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "object-src"); >+ })); >+ </script> >+ >+ <object type="image/png" data="/common/redirect.py?location=http://{{domains[www1]}}/content-security-policy/support/pass.png"></object> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..e32114e389ada8516ad970d51af9f28d373d831a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/w3c-import.log 
>@@ -0,0 +1,28 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-allowed.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-blocked.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-allowed.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-blocked.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-allowed.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-blocked.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-redirect-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-redirect-allowed.html.sub.headers 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-redirect-blocked.sub.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-empty.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-empty.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..f05f5154e2c4851df0c82a2e8f6788e272e078d5 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-empty.sub-expected.txt >@@ -0,0 +1,10 @@ >+CONSOLE MESSAGE: 'plugin-types' Content Security Policy directive is empty; all plugins will be blocked. >+ >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/media/flash.swf because its MIME type does not appear in the plugin-types directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/media/flash.swf because its MIME type does not appear in the plugin-types directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should not load the object because plugin-types allows no plugins >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-empty.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-empty.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..0cd1a70a1dd9325d98040f3afad1b0b01c9305fd >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-empty.sub.html 
>@@ -0,0 +1,22 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="plugin-types ;"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script> >+ var t = async_test('Should not load the object because plugin-types allows no plugins'); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "plugin-types"); >+ assert_equals(e.blockedURI, ""); >+ })); >+ </script> >+ >+ <object type="application/x-shockwave-flash" data="/content-security-policy/support/media/flash.swf"></object> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-mismatched-data-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-mismatched-data-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ffaa2362a5372ff9e1aee542cdf695da58272f32 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-mismatched-data-expected.txt >@@ -0,0 +1,8 @@ >+CONSOLE MESSAGE: Refused to load data:application/x-shockwave-flash,asdf because its MIME type does not appear in the plugin-types directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load data:application/x-shockwave-flash,asdf because its MIME type does not appear in the plugin-types directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should not load the object because its declared type does not match its actual type >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-mismatched-data.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-mismatched-data.html >new file mode 100644 >index 0000000000000000000000000000000000000000..430a3a1eb9febec2e034f784cf0dee7ae25cac76 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-mismatched-data.html >@@ -0,0 +1,22 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="plugin-types application/pdf;"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script> >+ var t = async_test('Should not load the object because its declared type does not match its actual type'); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "plugin-types"); >+ assert_equals(e.blockedURI, ""); >+ })); >+ </script> >+ >+ <object type="application/pdf" data="data:application/x-shockwave-flash,asdf"></object> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-mismatched-url-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-mismatched-url-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..22b6369c4da2f9096ca63a74d49650f3be193d07 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-mismatched-url-expected.txt 
>@@ -0,0 +1,8 @@ >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/media/flash.swf because its MIME type does not appear in the plugin-types directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/media/flash.swf because its MIME type does not appear in the plugin-types directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should not load the object because its declared type does not match its actual type >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-mismatched-url.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-mismatched-url.html >new file mode 100644 >index 0000000000000000000000000000000000000000..306d08f79e16632aefa2a900e9e460e0a0aefe02 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-mismatched-url.html >@@ -0,0 +1,22 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="plugin-types application/pdf;"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script> >+ var t = async_test('Should not load the object because its declared type does not match its actual type'); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "plugin-types"); >+ assert_equals(e.blockedURI, ""); >+ })); >+ </script> >+ >+ <object type="application/pdf" data="/content-security-policy/support/media/flash.swf"></object> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-notype-data-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-notype-data-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..d3bde4f529e94f18824f10ba30d8808dcb8f3f5e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-notype-data-expected.txt >@@ -0,0 +1,8 @@ >+CONSOLE MESSAGE: Refused to load data:application/x-shockwave-flash,asdf because its MIME type does not appear in the plugin-types directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load data:application/x-shockwave-flash,asdf because its MIME type does not appear in the plugin-types directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should not load the object because it does not have a declared type >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-notype-data.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-notype-data.html >new file mode 100644 >index 0000000000000000000000000000000000000000..e10d5335772dae788f8a1e146b6e5794c31a4579 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-notype-data.html 
>@@ -0,0 +1,23 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="plugin-types application/pdf;"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script> >+ var t = async_test('Should not load the object because it does not have a declared type'); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "plugin-types"); >+ assert_equals(e.blockedURI, ""); >+ })); >+ </script> >+ >+ <!-- Objects need to declare an explicit type --> >+ <object data="data:application/x-shockwave-flash,asdf"></object> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-notype-url-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-notype-url-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..d2a65bacaa04bbb341ac51614672b3c372f6b54c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-notype-url-expected.txt >@@ -0,0 +1,8 @@ >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/media/flash.swf because its MIME type does not appear in the plugin-types directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/media/flash.swf because its MIME type does not appear in the plugin-types directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should not load the object because it does not have a declared type >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-notype-url.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-notype-url.html >new file mode 100644 >index 0000000000000000000000000000000000000000..73ff7366e01e44e48b8c55b715054dbac7937a77 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-notype-url.html >@@ -0,0 +1,23 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="plugin-types application/pdf;"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script> >+ var t = async_test('Should not load the object because it does not have a declared type'); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "plugin-types"); >+ assert_equals(e.blockedURI, ""); >+ })); >+ </script> >+ >+ <!-- Objects need to declare an explicit type --> >+ <object data="/content-security-policy/support/media/flash.swf"></object> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-nourl-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-nourl-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..53f2f2d01347dcaa94f94e2573af660e0dd9b5e6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-nourl-allowed-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Violation report status OK. >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-nourl-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-nourl-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..cd50086761ffec96e84ae59e8407f95daba1b125 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-nourl-allowed.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <object type="application/x-shockwave-flash"></object> >+ <!-- we rely on the report because we can't rely on the onload event for >+ "allowed" tests as it is not fired for object and embed --> >+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-nourl-allowed.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-nourl-allowed.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..95cc52be322fbd1ebd53734868f12d63478497ec >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-nourl-allowed.html.sub.headers >@@ -0,0 +1,2 @@ >+Set-Cookie: plugintypes-nourl-allowed={{$id:uuid()}}; Path=/content-security-policy/plugin-types/ >+Content-Security-Policy: plugin-types application/x-shockwave-flash; report-uri ../support/report.py?op=put&reportID={{$id}} 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-nourl-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-nourl-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..547a784923a073b8545c7f27508d251ac971624d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-nourl-blocked-expected.txt >@@ -0,0 +1,8 @@ >+CONSOLE MESSAGE: Refused to load because its MIME type does not appear in the plugin-types directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load because its MIME type does not appear in the plugin-types directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should not load the object because it does not match plugin-types >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-nourl-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-nourl-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..02da1e0d1e6a20314dcc21ecc5cc977ed34d2e6e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-nourl-blocked.html 
>@@ -0,0 +1,22 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="plugin-types application/pdf;"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script> >+ var t = async_test('Should not load the object because it does not match plugin-types'); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "plugin-types"); >+ assert_equals(e.blockedURI, ""); >+ })); >+ </script> >+ >+ <object type="application/x-shockwave-flash"></object> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..26d1276a3c5c948665ba5a19ee6af221cc20d823 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/w3c-import.log 
>@@ -0,0 +1,24 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-empty.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-mismatched-data.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-mismatched-url.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-notype-data.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-notype-url.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-nourl-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-nourl-allowed.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/plugin-types/plugintypes-nourl-blocked.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..470e3365d61bb1c18a05c8ffa765ef5a235cb68e >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-allowed-expected.txt >@@ -0,0 +1,5 @@ >+ >+PASS Browser supports prefetch. >+PASS Browser supports performance APIs. >+PASS Prefetch succeeds when allowed by prefetch-src >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..95177c13064b024b362b1b6ba9528f878024ee36 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-allowed.html >@@ -0,0 +1,30 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ <script src='/content-security-policy/support/testharness-helper.js'></script> >+ <script src='/content-security-policy/support/prefetch-helper.js'></script> >+ <script> >+ async_test(t => { >+ var win = window.open('/content-security-policy/support/' + >+ 'file-prefetch-allowed.html'); >+ win.addEventListener('load', function () { >+ // Cache control headers are added,since they are needed >+ // to enable prefetching. >+ let url = '/content-security-policy/support/pass.png' + >+ '?pipe=header(Cache-Control, max-age=604800)'; >+ >+ // Link element is created on the new opened window. >+ let link = win.document.createElement('link'); >+ link.rel = 'prefetch'; >+ link.href = url; >+ assert_link_prefetches(t, link); >+ win.close(); >+ }, false); >+ }, 'Prefetch succeeds when allowed by prefetch-src'); >+ </script> >+</head> >+<body> >+</body> >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..7acea36db2cb1454372f003547ea34c7acb719bb >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-blocked-expected.txt >@@ -0,0 +1,5 @@ >+ >+PASS Browser supports prefetch. >+PASS Browser supports performance APIs. >+FAIL Blocked prefetch generates report. assert_unreached: onload should not fire. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..890a65f82cf58b045bffc91fd10f6f7aa91ae185 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-blocked.html >@@ -0,0 +1,23 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="prefetch-src 'none';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ <script src='/content-security-policy/support/testharness-helper.js'></script> >+ <script src='/content-security-policy/support/prefetch-helper.js'></script> >+ <script> >+ async_test(t => { >+ let url = window.origin + '/content-security-policy/support/fail.png'; >+ >+ let link = document.createElement('link'); >+ link.rel = 'prefetch'; >+ link.href = url; >+ >+ assert_link_does_not_prefetch(t, link); >+ }, "Blocked prefetch generates report."); >+ </script> >+</head> >+<body> >+</body> >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..2300d8709e7907e4428e581503eb05eaa01494b5 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-allowed-expected.txt >@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'prefetch-src'. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Browser supports prefetch. >+PASS Browser supports performance APIs. >+TIMEOUT Prefetch via `Link` header succeeds when allowed by prefetch-src Test timed out >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..dd8071b66ee2139fc18dd13de951e0c5075a5c5a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-allowed.html 
>@@ -0,0 +1,25 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <!-- Headers: >+ Content-Security-Policy: prefetch-src 'self' >+ Link: </content-security-policy/support/pass.png>;rel=prefetch >+ --> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ <script src='/content-security-policy/support/testharness-helper.js'></script> >+ <script src='/content-security-policy/support/prefetch-helper.js'></script> >+ <script> >+ async_test(t => { >+ let url = window.origin + '/content-security-policy/support/pass.png'; >+ assert_no_csp_event_for_url(t, url); >+ >+ waitUntilResourceDownloaded(url) >+ .then(t.step_func_done()); >+ }, 'Prefetch via `Link` header succeeds when allowed by prefetch-src'); >+ </script> >+</head> >+<body> >+</body> >+</html> >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-allowed.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-allowed.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..2b1d42a8d16c04cf339366b05262c27516e4196c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-allowed.html.headers >@@ -0,0 +1,2 @@ >+Content-Security-Policy: prefetch-src 'self' >+Link: </content-security-policy/support/pass.png>;rel=prefetch >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..2300d8709e7907e4428e581503eb05eaa01494b5 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-blocked-expected.txt 
>@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'prefetch-src'. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Browser supports prefetch. >+PASS Browser supports performance APIs. >+TIMEOUT Prefetch via `Link` header succeeds when allowed by prefetch-src Test timed out >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..382c99a80d34ab25b8acc2cfbff2a0d85ac8b9e2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-blocked.html >@@ -0,0 +1,30 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="prefetch-src 'none'"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ <script src='/content-security-policy/support/testharness-helper.js'></script> >+ <script src='/content-security-policy/support/prefetch-helper.js'></script> >+ <script> >+ async_test(t => { >+ let url = window.origin + '/content-security-policy/support/fail.png'; >+ waitUntilCSPEventForURL(t, url) >+ .then(t.step_func_done(e => { >+ assert_equals(e.violatedDirective, 'prefetch-src'); >+ assert_resource_not_downloaded(t, url); >+ })); >+ >+ // Load a stylesheet that tries to trigger a prefetch: >+ let link = document.createElement('link'); >+ link.rel = 'stylesheet'; >+ link.href = '/content-security-policy/support/prefetch-subresource.css'; >+ document.head.appendChild(link); >+ }, 'Prefetch via `Link` header succeeds when allowed by prefetch-src'); >+ </script> >+</head> >+<body> >+</body> >+</html> >+ >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..99d4bda2ec2c382ffa374bc7e1ae06ec5f6e8e5c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/w3c-import.log >@@ -0,0 +1,21 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-blocked.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-allowed.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-blocked.html 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ec4282fa5569c5ded558a63885f962a2ca3fab73 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub-expected.txt >@@ -0,0 +1,5 @@ >+ >+ >+PASS Test that image loads >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..cb3842854c83dcd8615035337e1f95767f6a053e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html 
>@@ -0,0 +1,20 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Test that reports using the report-api service are not sent when there's not validation</title> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <script> >+ var t1 = async_test("Test that image loads"); >+ window.addEventListener("securitypolicyviolation", >+ t1.unreached_func("Should not have triggered a violation event")); >+ </script> >+ <img src='/content-security-policy/support/pass.png' >+ onload='t1.done();' >+ onerror='t1.unreached_func("The image should have loaded");'> >+ >+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..054d332035add5e16bd08c5adf452e61a4b5f7c7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html.sub.headers >@@ -0,0 +1,7 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: reporting-api-doesnt-send-reports-without-violation={{$id:uuid()}}; Path=/content-security-policy/reporting-api >+Report-To: { "group": "csp-group", "max_age": 10886400, "endpoints": [{ "url": "https://{{host}}:{{ports[https][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}}" }] } >+Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'self'; report-to csp-group 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ff1f0a4946c436338d1a83a44daab9abcae08882 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub-expected.txt >@@ -0,0 +1,13 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'report-to'. >+ >+CONSOLE MESSAGE: The Content Security Policy 'script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header. >+CONSOLE MESSAGE: [Report Only] Refused to load https://localhost:9443/content-security-policy/support/fail.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: [Report Only] Refused to load https://localhost:9443/content-security-policy/support/fail.png because it does not appear in the img-src directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Test that image does not load >+TIMEOUT Event is fired Test timed out >+FAIL Violation report status OK. assert_equals: No such report. expected "" but got "false" >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..302025669d4417db670b6ebba18a6a49aed4e2eb >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html >@@ -0,0 +1,25 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Test that report-only policies still work with report-to</title> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <script> >+ var t1 = async_test("Test that image does not load"); >+ async_test(function(t2) { >+ window.addEventListener("securitypolicyviolation", t2.step_func(function(e) { >+ assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png"); >+ assert_equals(e.violatedDirective, "img-src"); >+ t2.done(); >+ })); >+ }, "Event is fired"); >+ </script> >+ <img src='/content-security-policy/support/fail.png' >+ onload='t1.done();' >+ onerror='t1.unreached_func("The image should have loaded");'> >+ >+ <script async defer src='../support/checkReport.sub.js?reportField=effectiveDirective&reportValue=img-src%20%27none%27'></script> >+</body> >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..973c20e23f8b5a5e3b32c0d6f62d84cd7fd8c4d2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.sub.headers >@@ -0,0 +1,7 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: reporting-api-report-only-sends-reports-on-violation={{$id:uuid()}}; Path=/content-security-policy/reporting-api >+Report-To: { "group": "csp-group", "max_age": 10886400, "endpoints": [{ "url": "https://{{host}}:{{ports[https][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}}" }] } >+Content-Security-Policy-Report-Only: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..d7955136a51c0ac60d0f8519048193d6c2d241ac >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub-expected.txt 
>@@ -0,0 +1,11 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'report-to'. >+ >+CONSOLE MESSAGE: Refused to load https://localhost:9443/content-security-policy/support/fail.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load https://localhost:9443/content-security-policy/support/fail.png because it does not appear in the img-src directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Test that image does not load >+TIMEOUT Event is fired Test timed out >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..119a027c4ee4df035a528cbdb3c5c212eafbe8a2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html 
>@@ -0,0 +1,25 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Test that report-to overrides report-uri. This tests report-uri before report-to in the policy</title> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <script> >+ var t1 = async_test("Test that image does not load"); >+ async_test(function(t2) { >+ window.addEventListener("securitypolicyviolation", t2.step_func(function(e) { >+ assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png"); >+ assert_equals(e.violatedDirective, "img-src"); >+ t2.done(); >+ })); >+ }, "Event is fired"); >+ </script> >+ <img src='/content-security-policy/support/fail.png' >+ onload='t1.unreached_func("The image should not have loaded");' >+ onerror='t1.done();'> >+ <!-- report-to overrides the report-uri so the report goes to a different endpoint and we should not have any reports sent to this endpoint --> >+ <script async defer src='../support/checkReport.sub.js?reportExists=false></script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..b6504f6275bcceb6a8505109a1453e6d4535a77d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html.sub.headers 
>@@ -0,0 +1,7 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: reporting-api-report-to-overrides-report-uri-1={{$id:uuid()}}; Path=/content-security-policy/reporting-api >+Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-uri "/content-security-policy/support/report.py?op=put&reportID={{$id}}"; report-to csp-group >+Report-To: { "group": "csp-group", "max_age": 10886400, "endpoints": [{ "url": "https://{{host}}:{{ports[https][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id:uuid()}}" }] } >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..d7955136a51c0ac60d0f8519048193d6c2d241ac >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub-expected.txt >@@ -0,0 +1,11 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'report-to'. >+ >+CONSOLE MESSAGE: Refused to load https://localhost:9443/content-security-policy/support/fail.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load https://localhost:9443/content-security-policy/support/fail.png because it does not appear in the img-src directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Test that image does not load >+TIMEOUT Event is fired Test timed out >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..3c4d2446aee51f3a53ea3a3a361ba136851554a2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html >@@ -0,0 +1,25 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Test that report-to overrides report-uri. This tests report-uri after report-to in the policy</title> <meta name=timeout content=long> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <script> >+ var t1 = async_test("Test that image does not load"); >+ async_test(function(t2) { >+ window.addEventListener("securitypolicyviolation", t2.step_func(function(e) { >+ assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png"); >+ assert_equals(e.violatedDirective, "img-src"); >+ t2.done(); >+ })); >+ }, "Event is fired"); >+ </script> >+ <img src='/content-security-policy/support/fail.png' >+ onload='t1.unreached_func("The image should not have loaded");' >+ onerror='t1.done();'> >+ <!-- report-to overrides the report-uri so the report goes to a different endpoint and we should not have any reports sent to this endpoint --> >+ <script async defer src='../support/checkReport.sub.js?reportExists=false></script> >+</body> >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..98541e1cc160b13eab6a4c910225699e37d6afd3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html.sub.headers >@@ -0,0 +1,7 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: reporting-api-report-to-overrides-report-uri-2={{$id:uuid()}}; Path=/content-security-policy/reporting-api >+Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group; report-uri "/content-security-policy/support/report.py?op=put&reportID={{$id}}" >+Report-To: { "group": "csp-group", "max_age": 10886400, "endpoints": [{ "url": "https://{{host}}:{{ports[https][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id:uuid()}}" }] } >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ec273e53d0fe921401932f1a3699e742ce265c59 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub-expected.txt 
>@@ -0,0 +1,13 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'report-to'. >+ >+CONSOLE MESSAGE: Refused to load https://localhost:9443/content-security-policy/support/fail.png because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load https://localhost:9443/content-security-policy/support/fail.png because it does not appear in the img-src directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Test that image does not load >+TIMEOUT Event is fired Test timed out >+FAIL Report is observable to ReportingObserver Can't find variable: ReportingObserver >+FAIL Violation report status OK. assert_equals: No such report. expected "" but got "false" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..23337ae8d077e33fcec38fec6baa59778a39e0f8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html 
>@@ -0,0 +1,55 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Test that reports using the report-api service are sent when there's a violation</title> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <script> >+ var t1 = async_test("Test that image does not load"); >+ async_test(function(t2) { >+ window.addEventListener("securitypolicyviolation", t2.step_func(function(e) { >+ assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png"); >+ assert_equals(e.violatedDirective, "img-src"); >+ t2.done(); >+ })); >+ }, "Event is fired"); >+ >+ async_test(function(t3) { >+ var observer = new ReportingObserver(function(reports, observer) { >+ t3.step(function() { >+ assert_equals(reports.length, 1); >+ >+ // Ensure that the contents of the report are valid. >+ var base_url = "{{location[scheme]}}://{{location[host]}}/content-security-policy/" >+ var document_url = base_url + "reporting-api/reporting-api-sends-reports-on-violation.https.sub.html"; >+ assert_equals(reports[0].type, "csp-violation"); >+ assert_equals(reports[0].url, document_url); >+ assert_equals(reports[0].body.documentURL, document_url); >+ assert_equals(reports[0].body.referrer, null); >+ assert_equals(reports[0].body.blockedURL, >+ base_url + "support/fail.png"); >+ assert_equals(reports[0].body.effectiveDirective, "img-src"); >+ assert_equals(reports[0].body.originalPolicy, >+ "script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group"); >+ assert_equals(reports[0].body.sourceFile, document_url); >+ assert_equals(reports[0].body.sample, null); >+ assert_equals(reports[0].body.disposition, "enforce"); >+ assert_equals(reports[0].body.statusCode, 0); >+ assert_equals(reports[0].body.lineNumber, 53); >+ assert_equals(reports[0].body.columnNumber, 0); >+ }); >+ >+ t3.done(); >+ }); >+ observer.observe(); >+ }, "Report is observable to ReportingObserver"); 
>+ </script> >+ <img src='/content-security-policy/support/fail.png' >+ onload='t1.unreached_func("The image should not have loaded");' >+ onerror='t1.done();'> >+ >+ <script async defer src='../support/checkReport.sub.js?reportField=effectiveDirective&reportValue=img-src%20%27none%27'></script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..b57b94031ac3df10df87ce700fbebbfad898ddf4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html.sub.headers >@@ -0,0 +1,7 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: reporting-api-sends-reports-on-violation={{$id:uuid()}}; Path=/content-security-policy/reporting-api >+Report-To: { "group": "csp-group", "max_age": 10886400, "endpoints": [{ "url": "https://{{host}}:{{ports[https][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}}" }] } >+Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..95e92766675fa9c0dd690ebbde4dc0f5ad0ec3ae >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub-expected.txt >@@ -0,0 +1,12 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'report-to'. >+ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'report-to'. >+ >+CONSOLE MESSAGE: Refused to load https://localhost:9443/content-security-policy/support/fail.html because it does not appear in the frame-src directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT Event is fired Test timed out >+FAIL Violation report status OK. assert_equals: No such report. expected "" but got "false" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..b83a05ce4b5bd4cbf05bbb0ef7fb5bb3f85f96e4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html 
>@@ -0,0 +1,22 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Test that reports using the report-api service are sent when there's a violation</title> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <script> >+ async_test(function(t2) { >+ window.addEventListener("securitypolicyviolation", t2.step_func(function(e) { >+ assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.html"); >+ assert_equals(e.violatedDirective, "frame-src"); >+ t2.done(); >+ })); >+ }, "Event is fired"); >+ </script> >+ <iframe src="../support/fail.html"></iframe> >+ >+ <script async defer src='../support/checkReport.sub.js?reportField=effectiveDirective&reportValue=frame-src%20%27none%27'></script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..13d0ce65c96912d3c5888aae669696cdc2b580f9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html.sub.headers >@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Pragma: no-cache >+Set-Cookie: reporting-api-works-on-frame-src={{$id:uuid()}}; Path=/content-security-policy/reporting-api >+Report-To: { "group": "csp-group", "max_age": 10886400, "endpoints": [{ "url": "https://{{host}}:{{ports[https][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}}" }] } >+Content-Security-Policy: script-src 'self' 'unsafe-inline'; frame-src 'none'; report-to csp-group 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..5a6d6c9ae06783e450b45ed2da831e021e04762a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/w3c-import.log 
>@@ -0,0 +1,28 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-doesnt-send-reports-without-violation.https.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html.sub.headers >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/multiple-report-policies-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/multiple-report-policies-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ab70c4a7becad36be83776214532d634a19a7c37 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/multiple-report-policies-expected.txt >@@ -0,0 +1,5 @@ >+ >+ >+PASS 1-Violation report status OK >+PASS 2-Violation report status OK >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/multiple-report-policies.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/multiple-report-policies.html >new file mode 100644 >index 0000000000000000000000000000000000000000..204c1f3202492084bd3c8e212dbcfd181084af96 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/multiple-report-policies.html 
>@@ -0,0 +1,19 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <title>When multiple report-uri endpoints for multiple policies are specified, each gets a report</title> >+ <!-- CSP headers >+Content-Security-Policy-Report-Only: img-src http://* https://*; default-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} >+ >+Content-Security-Policy-Report-Only: img-src http://*; default-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} >+--> >+</head> >+<body> >+ <img src="ftp://blah.test" /> >+ >+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20http%3A%2F%2F%2A%20https%3A%2F%2F%2A&testName=1-Violation%20report%20status%20OK'></script> >+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20http%3A%2F%2F%2A&reportCookieName=multiple-report-policies-2&testName=2-Violation%20report%20status%20OK'></script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/multiple-report-policies.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/multiple-report-policies.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..b7affbe7d41dd9e7bf555aa151cf6d31fb2279a9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/multiple-report-policies.html.sub.headers 
>@@ -0,0 +1,8 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: multiple-report-policies={{$id:uuid()}}; Path=/content-security-policy/reporting/ >+Content-Security-Policy-Report-Only: img-src http://* https://*; default-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} >+Set-Cookie: multiple-report-policies-2={{$id:uuid()}}; Path=/content-security-policy/reporting/ >+Content-Security-Policy-Report-Only: img-src http://*; default-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-and-enforce-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-and-enforce-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..9e3da2f126bf69db1bcacf61809c304dc1009680 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-and-enforce-expected.txt >@@ -0,0 +1,6 @@ >+ >+ >+PASS The image should be blocked >+PASS The stylesheet should load >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-and-enforce.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-and-enforce.html >new file mode 100644 >index 0000000000000000000000000000000000000000..910df20a4c22a049e90fb62fc668f467808767f8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-and-enforce.html 
>@@ -0,0 +1,34 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <title>Reporting and enforcing policies can be different</title> >+ <!-- CSP headers >+Content-Security-Policy: img-src 'none'; style-src *; script-src 'self' 'unsafe-inline' >+ >+Content-Security-Policy-Report-Only: img-src *; style-src 'none'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} >+--> >+</head> >+<body> >+ <script> >+ var img_test = async_test("The image should be blocked"); >+ var sheet_test = async_test("The stylesheet should load"); >+ <!-- This image should be blocked, but should not generate a report--> >+ var i = document.createElement('img'); >+ i.onerror = img_test.step_func_done(); >+ i.onload = img_test.unreached_func("Should not have loaded the img"); >+ i.src = "../support/fail.png"; >+ document.body.appendChild(i); >+ <!-- This font should be loaded but should generate a report--> >+ var s = document.createElement('link'); >+ s.onerror = sheet_test.unreached_func("Should have loaded the font"); >+ s.onload = sheet_test.step_func_done(); >+ s.type = "text/css"; >+ s.rel="stylesheet"; >+ s.href = "../support/fonts.css"; >+ document.body.appendChild(s); >+ </script> >+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=style-src%20%27none%27'></script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-and-enforce.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-and-enforce.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..5d4c5dcc4f61f16a93548e9ee18d915bbd2d3dd3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-and-enforce.html.sub.headers 
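Review bot: The "should not generate a report" half of the first comment in report-and-enforce.html is never asserted: `checkReport.sub.js?reportField=violated-directive&reportValue=style-src%20%27none%27` only proves that the report-only policy reported the stylesheet, and would still pass if the enforced `img-src 'none'` policy had somehow produced an extra report for fail.png. Since both the enforced and the report-only policy exist on the same page, a `reportCount=1` parameter (used by report-multiple-violations-01.html) would make the baseline actually cover that claim; that is an upstream change, not something to patch in the import. Two smaller upstream nits in the same hunk: the `<!-- ... -->` lines inside the `<script>` block only work because classic scripts honour HTML-like comments at line start, and the second comment and the `unreached_func` message talk about a "font" while the element is a stylesheet `<link>` to fonts.css.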
>@@ -0,0 +1,7 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: report-and-enforce={{$id:uuid()}}; Path=/content-security-policy/reporting/ >+Content-Security-Policy: img-src 'none'; style-src *; script-src 'self' 'unsafe-inline' >+Content-Security-Policy-Report-Only: img-src *; style-src 'none'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-data-uri-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-data-uri-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..53f2f2d01347dcaa94f94e2573af660e0dd9b5e6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-data-uri-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-data-uri.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-data-uri.html >new file mode 100644 >index 0000000000000000000000000000000000000000..5a75ea1c0a14b04334abf40a11db572864538765 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-data-uri.html 
>@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <title>Data-uri images are reported correctly</title> >+ <!-- CSP headers >+Content-Security-Policy: img-src 'none'; report-uri ../support/report.py?op=put&reportID={{$id}} >+--> >+</head> >+<body> >+ <img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="> >+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27'></script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-data-uri.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-data-uri.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..52e2f164415f346c392c9eed5e3d7746bc237ee2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-data-uri.html.sub.headers >@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: report-blocked-data-uri={{$id:uuid()}}; Path=/content-security-policy/reporting/ >+Content-Security-Policy: img-src 'none'; report-uri ../support/report.py?op=put&reportID={{$id}} >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri-cross-origin.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri-cross-origin.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..7366e729031fac21a859f8b114abb238629000fe >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri-cross-origin.sub-expected.txt >@@ -0,0 +1,6 @@ >+Blocked access to external URL http://www1.localhost:8800/content-security-policy/support/pass.png >+Blocked access to external URL http://www1.localhost:8800/content-security-policy/support/pass.png >+ >+ >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri-cross-origin.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri-cross-origin.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..9d56cdbdd903dcf3a79ef87590a819e9267e9c85 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri-cross-origin.sub.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <title>Cross-origin images are reported correctly</title> >+ <!-- CSP headers >+Content-Security-Policy: script-src 'self' 'unsafe-inline' >+Content-Security-Policy-Report-Only: img-src 'none'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID=$id >+--> >+</head> >+<body> >+ <img src="http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/pass.png"> >+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27'></script> >+</body> >+</html> 
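Review bot: The two "Blocked access to external URL http://www1.localhost:8800/content-security-policy/support/pass.png" lines in report-blocked-uri-cross-origin.sub-expected.txt come from the test runner, not from CSP, so the www1 image request is refused by the harness and the test passes only because the report-only `img-src 'none'` policy still reports the attempt. The PASS is fine to land, but the test then does not distinguish cross-origin from same-origin reporting, which is the point of the file, so it is worth checking whether the www1 alias can be made reachable for the imported directory before treating this as covered. The fact that one `<img>` produces the blocked line twice is also suspicious; report-multiple-violations-01-expected.txt records 4 reports for 2 images, and the two may share a cause.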
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri-cross-origin.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri-cross-origin.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..ef5073b3863c104d4c47dd68fcf5e44267af3513 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri-cross-origin.sub.html.sub.headers >@@ -0,0 +1,7 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: report-blocked-uri-cross-origin={{$id:uuid()}}; Path=/content-security-policy/reporting/ >+Content-Security-Policy: script-src 'self' 'unsafe-inline' >+Content-Security-Policy-Report-Only: img-src 'none'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..53f2f2d01347dcaa94f94e2573af660e0dd9b5e6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri.html >new file mode 100644 >index 0000000000000000000000000000000000000000..5eb9f297496d308dccb06cee4b7e817e9d10826b >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <title>Blocked relative images are reported correctly</title> >+ <!-- CSP headers >+Content-Security-Policy: script-src 'self' 'unsafe-inline' >+Content-Security-Policy-Report-Only: img-src 'none'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} >+--> >+</head> >+<body> >+ <img src="../support/pass.png"> >+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27'></script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..6f4b37ef8366974b5c64f558577fe60b72a6713b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri.html.sub.headers >@@ -0,0 +1,7 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: report-blocked-uri={{$id:uuid()}}; Path=/content-security-policy/reporting/ >+Content-Security-Policy: script-src 'self' 'unsafe-inline' >+Content-Security-Policy-Report-Only: img-src 'none'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..98d85b6994be5955388d7652cf63c90d9cc58eee >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html >@@ -0,0 +1,37 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <title>Cookies are not sent on cross origin violation reports</title> >+ <meta name="timeout" content="long"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <!-- CSP headers >+ Content-Security-Policy: script-src 'unsafe-inline' 'self'; img-src 'none'; report-uri http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID=$id >+ --> >+</head> >+<body> >+<script> >+ promise_test(function(test) { >+ const path = encodeURIComponent("{{domains[www1]}}:{{ports[http][0]}}/"); >+ return fetch( >+ "/cookies/resources/set-cookie.py?name=cspViolationReportCookie1&path=" + path, >+ {mode: 'no-cors', credentials: 'include'}) >+ .then(() => { >+ test.add_cleanup(() => { >+ return fetch("/cookies/resources/set.py?cspViolationReportCookie1=; path=" + path + "; expires=Thu, 01 Jan 1970 00:00:01 GMT"); >+ }); >+ >+ // This image will generate a CSP violation report. >+ const img = new Image(); >+ img.onerror = test.step_func_done(); >+ img.onload = test.unreached_func("Should not have loaded the image"); >+ >+ img.src = "../support/fail.png"; >+ document.body.appendChild(img); >+ }); >+ }, "Image should not load"); >+</script> >+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27&noCookies=true'></script> >+ >+</body> >+</html> 
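Review bot: No -expected.txt is added for report-cross-origin-no-cookies.sub.html (the patch goes straight from report-blocked-uri.html.sub.headers to this file), so the test must be skipped or failing somewhere else, and the reason should be recorded next to that entry. From the visible lines the likely blocker is that `report-uri` points at `http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/report.py`, which the runner refuses for other www1 URLs in this directory ("Blocked access to external URL"), so the report POST never reaches report.py and `noCookies=true` can never be evaluated. This is the one test in the directory that checks a privacy property of reporting (the title: cookies are not sent on cross-origin violation reports), so getting it to run is worth more than most of the PASS baselines here. Upstream nit: the setup calls `/cookies/resources/set-cookie.py?name=cspViolationReportCookie1&path=...` but the cleanup calls `/cookies/resources/set.py?cspViolationReportCookie1=; path=...`, a different endpoint and syntax, so the cleanup may not clear the cookie it intends to.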
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..cb1acfcd121669beda2293bf1cdb161d5b70caf0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html.sub.headers >@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: report-cross-origin-no-cookies={{$id:uuid()}}; Path=/content-security-policy/reporting/ >+Content-Security-Policy: script-src 'unsafe-inline' 'self'; img-src 'none'; report-uri http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}} >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-01-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-01-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..028d1b168b0d9998cb07b59dfc4d82bff63810d8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-01-expected.txt >@@ -0,0 +1,5 @@ >+ >+ >+PASS Violation report status OK. >+FAIL Test number of sent reports. assert_equals: Report count was not what was expected. expected "2" but got "4" >+ 
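Review bot: The report-multiple-violations-01-expected.txt baseline records `expected "2" but got "4"`, meaning WebKit delivered two reports for each of the two blocked images. That is not cosmetic: a report-only rollout on a page with many blocked resources doubles the POST volume to the collector and skews any violation counts done on the receiving side. Landing the FAIL line to get the suite imported is reasonable, but please file a bug for the duplicate reports and reference it in TestExpectations so the baseline is not later read as intended behaviour. The doubling is also visible in report-blocked-uri-cross-origin.sub-expected.txt, where a single `<img>` yields two "Blocked access to external URL" lines.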
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-01.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-01.html >new file mode 100644 >index 0000000000000000000000000000000000000000..7a92f1b955639eb26bfd4a737ee1a930fdec6592 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-01.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <title>Test multiple violations cause multiple reports</title> >+ <!-- CSP headers >+ Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self'; img-src 'none'; report-uri ../support/report.py?op=put&reportID={{$id}} >+ --> >+</head> >+<body> >+ <img src="../support/pass.png"> >+ <img src="../support/pass2.png"> >+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27&reportCount=2'></script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-01.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-01.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..904e2c64aaef02ce8a1cccc25a84a150dee9ca4a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-01.html.sub.headers 
>@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: report-multiple-violations-01={{$id:uuid()}}; Path=/content-security-policy/reporting/ >+Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self'; img-src 'none'; report-uri ../support/report.py?op=put&reportID={{$id}} >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-02-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-02-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..4c0be5828800a3a6550bae843d2a8d55603cd967 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-02-expected.txt >@@ -0,0 +1,14 @@ >+PASS: setTimeout #0 executed. >+ >+PASS: setTimeout #1 executed. >+ >+PASS: setTimeout #2 executed. >+ >+PASS: setTimeout #3 executed. >+ >+PASS: setTimeout #4 executed. >+ >+ >+PASS Violation report status OK. >+FAIL Test number of sent reports. assert_equals: Report count was not what was expected. expected "1" but got "5" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-02.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-02.html >new file mode 100644 >index 0000000000000000000000000000000000000000..d9f7da333884db5bc5f73e77a1c901ef851ade1f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-02.html 
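Review bot: The FAIL in report-multiple-violations-02-expected.txt (`expected "1" but got "5"`) is a different case from -01: the five setTimeout string evaluations are the same inline-script violation against the same `script-src 'unsafe-inline' 'self'` directive, and the test expects them coalesced into a single report, whereas WebKit sent one per evaluation. Before treating this as a bug, decide whether WebKit intends to deduplicate identical violations at all; either way the decision belongs in TestExpectations with a bug or a won't-fix note, because a bare FAIL baseline gives the next person no way to tell a known divergence from a regression. The five "PASS: setTimeout #n executed." body lines confirm the policy is report-only and did not block the evaluations, so the count is purely about report coalescing.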
>@@ -0,0 +1,19 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <title>This tests that multiple violations on a page trigger multiple reports >+ if and only if the violations are distinct.</title> >+ <!-- CSP headers >+ Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self'; report-uri ../support/report.py?op=put&reportID={{$id}} >+ --> >+</head> >+<body> >+ <script> >+ for (var i = 0; i<5; i++) >+ setTimeout("document.body.innerHTML += ('<p>PASS: setTimeout #" + i + " executed.');", 0); >+ </script> >+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27unsafe-inline%27%20%27self%27&reportCount=1'></script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-02.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-02.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..e7bf84b9448d25550731f8506bcf5745452cc25f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-02.html.sub.headers >@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: report-multiple-violations-02={{$id:uuid()}}; Path=/content-security-policy/reporting/ >+Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self'; report-uri ../support/report.py?op=put&reportID={{$id}} 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ab5c6ee8115368bd701e0d1f0c4241d7b6e00950 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Image should load >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..04b968807c60ce7b50d1811bcd79db74c8b60279 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub.html 
>@@ -0,0 +1,40 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <title>Report-only policy not allowed in meta tag</title> >+ <meta name="timeout" content="long"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <!-- CSP headers >+ Content-Security-Policy: script-src 'unsafe-inline' 'self' >+ --> >+ <!-- since we try to set the report-uri in the meta tag, we have to set the cookie with the reportID in here instead of in the headers file --> >+ <meta http-equiv="Content-Security-Policy-Report-Only" content="img-src 'none'; report-uri ../support/report.py?op=put&reportID={{$id:uuid()}}"> >+</head> >+<body> >+ <script> >+ var test = async_test("Image should load"); >+ >+ <!-- Set cookie for checking if the report exists >+ --> >+ fetch( >+ "support/set-cookie.py?name=report-only-in-meta&value={{$id}}&path=" + encodeURIComponent("/content-security-policy/reporting/"), >+ {mode: 'no-cors', credentials: 'include'}) >+ .then(() => { >+ const img = new Image(); >+ img.onload = test.step_func_done(); >+ img.onerror = test.unreached_func("Should have loaded the image"); >+ >+ img.src = "../support/pass.png"; >+ document.body.appendChild(img); >+ >+ <!-- this needs to be done after setting the cookie so we do it here --> >+ const script = document.createElement('script'); >+ script.async = true; >+ script.defer = true; >+ script.src = '../support/checkReport.sub.js?reportExists=false' >+ document.body.appendChild(script); >+ }); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..b56292b4703acaee09b6dfb7b0f1bb674b788207 >--- /dev/null 
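Review bot: The baseline for this file (report-only-in-meta.sub-expected.txt) contains only "PASS Image should load", but the script also appends `checkReport.sub.js?reportExists=false` once the cookie fetch resolves, which should register a second result asserting that no report was delivered. That second result is the actual security check of the test: a `Content-Security-Policy-Report-Only` delivered via `<meta>`, `report-uri` included, has to be ignored, otherwise content injected into the page could point violation reports (which carry blocked URLs) at an endpoint of its choosing. With that result missing from the baseline, the expectation passes without verifying it. Please check why the appended script's test never shows up (it is only added after the fetch resolves and alongside the image load, so the harness may already have completed with just the image result, or the relative `support/set-cookie.py` path may not be what the reporting/ directory serves) before landing this expectation.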
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub.html.sub.headers >@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: script-src 'unsafe-inline' 'self' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..c2971c2e411aacb734b01dfbb641713a65a61fc6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url.sub-expected.txt >@@ -0,0 +1,13 @@ >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/fail.png?t=1 because it does not appear in the img-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://www2.localhost:8800/content-security-policy/support/fail.png?t=2 because it does not appear in the img-src directive of the Content Security Policy. >+Blocked access to external URL http://www1.localhost:8800/common/redirect.py?location=http%3A%2F%2Flocalhost%3A8800%2Fcontent-security-policy%2Fsupport%2Ffail.png%3Ft%3D3 >+Blocked access to external URL http://www1.localhost:8800/common/redirect.py?location=http%3A%2F%2Fwww2.localhost%3A8800%2Fcontent-security-policy%2Fsupport%2Ffail.png%3Ft%3D4 >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Direct block, same-origin = full URL in report >+TIMEOUT Direct block, cross-origin = full URL in report Test timed out >+TIMEOUT Block after redirect, same-origin = original URL in report Test timed out >+PASS Block after redirect, cross-origin = original URL in report >+PASS Violation report status OK. >+ 
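Review bot: Two of the four subtests in report-original-url.sub-expected.txt time out and the baseline also carries two "Blocked access to external URL http://www1.localhost:8800/common/redirect.py?location=..." lines, so the redirect subtests never reach CSP: the runner refuses the www1 redirect before `img-src http://www1.localhost:8800` is consulted. The rule those subtests exist for (after a redirect the report must name the original request URL, not the post-redirect target, so the policy cannot be used to discover where a redirect leads) is therefore untested here, and the PASS for the cross-origin redirect case is worth double-checking once www1 is reachable, since the expected URL that made it pass is not visible in this hunk. The "Direct block, cross-origin" TIMEOUT is a separate finding: the console shows "Refused to load http://www2.localhost:8800/content-security-policy/support/fail.png?t=2", yet the listener waiting for `e.blockedURI` to equal that full URL never matched, which suggests the event carries something other than the full URL for a cross-origin direct block. That deserves its own bug reference in TestExpectations alongside the timeout.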
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..45c1aeb2de86e64ec7de51bf0898c85f42d13320 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url.sub.html 
>@@ -0,0 +1,51 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <!-- CSP headers >+ Content-Security-Policy: img-src {{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}; script-src 'unsafe-inline' 'self'; report-uri ../support/report.py?op=put&reportID=$id >+ --> >+</head> >+<body> >+<script> >+function createListener(expectedURL, test) { >+ var listener = test.step_func(e => { >+ if (e.blockedURI == expectedURL) { >+ document.removeEventListener('securitypolicyviolation', listener); >+ test.done(); >+ } >+ }); >+ document.addEventListener('securitypolicyviolation', listener); >+} >+ >+async_test(t => { >+ var i = document.createElement('img'); >+ createListener("{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png?t=1", t); >+ i.src = "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png?t=1"; >+}, "Direct block, same-origin = full URL in report"); >+ >+async_test(t => { >+ var i = document.createElement('img'); >+ createListener("{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/fail.png?t=2", t); >+ i.src = "{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/fail.png?t=2"; >+}, "Direct block, cross-origin = full URL in report"); >+ >+async_test(t => { >+ var i = document.createElement('img'); >+ var url = "{{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/common/redirect.py?location=" + encodeURIComponent("{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png?t=3"); >+ createListener("{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png?t=3", t); >+ i.src = url; >+}, "Block after redirect, same-origin = original URL in report"); >+ >+async_test(t => { >+ var i = document.createElement('img'); >+ var url = 
"{{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/common/redirect.py?location=" + encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/fail.png?t=4"); >+ createListener("{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}", t); >+ i.src = url; >+}, "Block after redirect, cross-origin = original URL in report"); >+</script> >+ >+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src {{location[scheme]}}%3A%2F%2F{{domains[www1]}}%3A{{ports[http][0]}}'></script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..1031a7a00a989d6f6b95c0aecf9ba5125ce026a3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url.sub.html.sub.headers >@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: report-original-url={{$id:uuid()}}; Path=/content-security-policy/reporting/ >+Content-Security-Policy: img-src {{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}; script-src 'unsafe-inline' 'self'; report-uri ../support/report.py?op=put&reportID={{$id}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-same-origin-with-cookies-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-same-origin-with-cookies-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..fc8cc1d16d15fb2afd843e13275a34b47968418d >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-same-origin-with-cookies-expected.txt >@@ -0,0 +1,6 @@ >+ >+ >+PASS Image should not load >+PASS Violation report status OK. >+FAIL Test report cookies. assert_true: Report should contain cookie: cspViolationReportCookie2 expected true got false >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-same-origin-with-cookies.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-same-origin-with-cookies.html >new file mode 100644 >index 0000000000000000000000000000000000000000..9a09722b409388a2b26102a5c5f85044016901dd >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-same-origin-with-cookies.html 
>@@ -0,0 +1,34 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <title>Cookies are sent on same origin violation reports</title> >+ <!-- CSP headers >+ Content-Security-Policy: script-src 'unsafe-inline' 'self'; img-src 'none'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} >+ --> >+</head> >+<body> >+<script> >+ var test = async_test("Image should not load"); >+ fetch( >+ "/cookies/resources/set-cookie.py?name=cspViolationReportCookie2&path=" + encodeURIComponent("/"), >+ {mode: 'no-cors', credentials: 'include'}) >+ .then(() => { >+ test.add_cleanup(() => { >+ document.cookie = "cspViolationReportCookie2=; path=/; expires=Thu, 01 Jan 1970 00:00:01 GMT"; >+ }); >+ >+ // This image will generate a CSP violation report. >+ const img = new Image(); >+ img.onerror = test.step_func_done(); >+ img.onload = test.unreached_func("Should not have loaded the image"); >+ >+ img.src = "../support/fail.png"; >+ document.body.appendChild(img); >+ }); >+</script> >+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27&cookiePresent=cspViolationReportCookie2'></script> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-same-origin-with-cookies.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-same-origin-with-cookies.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..356439db435ecf526b67e9f19e97160c2f3f20f5 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-same-origin-with-cookies.html.sub.headers 
>@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: report-same-origin-with-cookies={{$id:uuid()}}; Path=/content-security-policy/reporting/ >+Content-Security-Policy: script-src 'unsafe-inline' 'self'; img-src 'none'; report-uri /content-security-policy/support/report.py?op=put&reportID={{$id}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-strips-fragment-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-strips-fragment-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..d2eca7f0c58170dc23eb85189aeb24e9bd1704a6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-strips-fragment-expected.txt >@@ -0,0 +1,6 @@ >+CONSOLE MESSAGE: Refused to load https://evil.com/img.png because it does not appear in the img-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT Reported document URI does not contain fragments. Test timed out >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-strips-fragment.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-strips-fragment.html >new file mode 100644 >index 0000000000000000000000000000000000000000..4ecfa845ecb40e0a6f26323280348566fd950d46 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-strips-fragment.html 
>@@ -0,0 +1,23 @@ >+<!DOCTYPE html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="/content-security-policy/support/testharness-helper.js"></script> >+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'"> >+</head> >+<body> >+ <script> >+ async_test(t => { >+ waitUntilCSPEventForURL(t, "https://evil.com/img.png") >+ .then(t.step_func_done(e => { >+ var u = new URL(e.documentURI); >+ assert_equals(u.hash, ""); >+ })); >+ >+ window.location.hash = "should-not-appear-in-report"; >+ >+ var i = document.createElement("img"); >+ i.src = "https://evil.com/img.png#boo"; >+ }, "Reported document URI does not contain fragments."); >+ </script> >+</body> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-effective-directive-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-effective-directive-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..75fa626b566aed46652ba1646be15c8ae505de63 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-effective-directive-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Violation report status OK. assert_true: violated-directive value of "default-src 'self'" did not match script-src. expected true got false >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-effective-directive.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-effective-directive.html >new file mode 100644 >index 0000000000000000000000000000000000000000..1d959fd4abcc78cf5c003952d9bbe4d5bfdde964 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-effective-directive.html 
>@@ -0,0 +1,18 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <title>Violation report is sent if violation occurs.</title> >+ <!-- CSP headers >+ Content-Security-Policy: default-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}} >+ --> >+</head> >+<body> >+ <script> >+ // This script block will trigger a violation report. >+ alert('FAIL'); >+ </script> >+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-effective-directive.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-effective-directive.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..1fb9842c8aa28273c5ee7b7d5ca251feef74c6ad >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-effective-directive.html.sub.headers >@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: report-uri-effective-directive={{$id:uuid()}}; Path=/content-security-policy/reporting/ >+Content-Security-Policy: default-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-child-frame-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-child-frame-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..759478b3a440c2030c0740bdcbc00d7783034847 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-child-frame-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Check that we received a message from the child frame >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-child-frame.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-child-frame.html >new file mode 100644 >index 0000000000000000000000000000000000000000..92b1e1be5438f43f44d9f29e34283b51ec8d9f70 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-child-frame.html >@@ -0,0 +1,27 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <title>Reporting works in child iframes.</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc'"> >+</head> >+<body> >+ <script nonce="abc"> >+ var t1 = async_test("Check that we received a message from the child frame"); >+ >+ window.onmessage = function(e) { >+ if (e.data == 'cookie set') { >+ var s = document.createElement('script'); >+ s.async = true; >+ s.defer = true; >+ s.src = '../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27%20%27nonce-abc%27&reportCookieName=generate-csp-report'; >+ document.body.appendChild(s); >+ >+ t1.done(); >+ } >+ } >+ </script> >+ <iframe src="support/generate-csp-report.html"/> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-inline-javascript-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-inline-javascript-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..53f2f2d01347dcaa94f94e2573af660e0dd9b5e6 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-inline-javascript-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-inline-javascript.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-inline-javascript.html >new file mode 100644 >index 0000000000000000000000000000000000000000..ca65c9054a8ec47acaee84c55ff1403a4ecca667 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-inline-javascript.html >@@ -0,0 +1,20 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <title>Violation report is sent from inline javascript.</title> >+ <!-- CSP headers >+ Content-Security-Policy: img-src 'none'; report-uri ../support/report.py?op=put&reportID={{$id}} >+ --> >+</head> >+<body> >+ <script> >+ // This script block will trigger a violation report. >+ var i = document.createElement('img'); >+ i.src = '/security/resources/abe.png'; >+ document.body.appendChild(i); >+ </script> >+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27'></script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-inline-javascript.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-inline-javascript.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..07239a066a6f1de2b8f17b76e6ed083970ab6c28 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-inline-javascript.html.sub.headers 
>@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: report-uri-from-inline-javascript={{$id:uuid()}}; Path=/content-security-policy/reporting/ >+Content-Security-Policy: img-src 'none'; report-uri ../support/report.py?op=put&reportID={{$id}} >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-javascript-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-javascript-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..53f2f2d01347dcaa94f94e2573af660e0dd9b5e6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-javascript-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-javascript.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-javascript.html >new file mode 100644 >index 0000000000000000000000000000000000000000..354c69644cf4bc1c3af868b4b696c15ad14086fb >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-javascript.html 
>@@ -0,0 +1,15 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <title>Violation report is sent from javascript resource.</title> >+ <!-- CSP headers >+ Content-Security-Policy: img-src 'none'; report-uri ../support/report.py?op=put&reportID={{$id}} >+ --> >+</head> >+<body> >+ <script src="../support/inject-image.js"></script> >+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20%27none%27'></script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-javascript.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-javascript.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..9443226937a6c51964192bf4df1258e4ad70bb22 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-javascript.html.sub.headers >@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: report-uri-from-javascript={{$id:uuid()}}; Path=/content-security-policy/reporting/ >+Content-Security-Policy: img-src 'none'; report-uri ../support/report.py?op=put&reportID={{$id}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..53f2f2d01347dcaa94f94e2573af660e0dd9b5e6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple-expected.txt 
>@@ -0,0 +1,4 @@ >+ >+ >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple-reversed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple-reversed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..53f2f2d01347dcaa94f94e2573af660e0dd9b5e6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple-reversed-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple-reversed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple-reversed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..499d1195370974b0722db53755715c9014ecd1e8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple-reversed.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <title>Content-Security-Policy-Report-Only violation report is sent even when resource is blocked by actual policy.</title> >+ <!-- CSP headers >+ Content-Security-Policy-Report-Only: img-src http://*; report-uri ../support/report.py?op=put&reportID={{$id}} >+ Content-Security-Policy: img-src http://* >+ --> >+</head> >+<body> >+ <img src="ftp://blah.test" /> >+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20http%3A%2F%2F%2A'></script> >+</body> >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple-reversed.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple-reversed.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..0c128872102c90f5483fcb9c408c56267da2e976 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple-reversed.html.sub.headers >@@ -0,0 +1,7 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: report-uri-multiple-reversed={{$id:uuid()}}; Path=/content-security-policy/reporting/ >+Content-Security-Policy-Report-Only: img-src http://*; report-uri ../support/report.py?op=put&reportID={{$id}} >+Content-Security-Policy: img-src http://* >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple.html >new file mode 100644 >index 0000000000000000000000000000000000000000..268da91296d40e8149a1bd85d6a0776658157372 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple.html 
>@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <title>Content-Security-Policy-Report-Only violation report is sent even when resource is blocked by actual policy.</title> >+ <!-- CSP headers >+ Content-Security-Policy: img-src http://* >+ Content-Security-Policy-Report-Only: img-src http://*; report-uri ../support/report.py?op=put&reportID={{$id}} >+ --> >+</head> >+<body> >+ <img src="ftp://blah.test" /> >+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=img-src%20http%3A%2F%2F%2A'></script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..d78c8e50fb4a00d637bfed974f811a54db0b7163 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple.html.sub.headers >@@ -0,0 +1,7 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: report-uri-multiple={{$id:uuid()}}; Path=/content-security-policy/reporting/ >+Content-Security-Policy: img-src http://* >+Content-Security-Policy-Report-Only: img-src http://*; report-uri ../support/report.py?op=put&reportID={{$id}} >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-scheme-relative-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-scheme-relative-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..8a37db491799923a6848234154872437c67af297 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-scheme-relative-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-scheme-relative.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-scheme-relative.html >new file mode 100644 >index 0000000000000000000000000000000000000000..e64d797f9a93dee96ec68cdac52c6f32163bd041 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-scheme-relative.html >@@ -0,0 +1,18 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <title>Relative scheme URIs are accepted as the report-uri.</title> >+ <!-- CSP headers >+ Content-Security-Policy: script-src 'self'; report-uri //{{location[host]}}/content-security-policy/support/report.py?op=put&reportID={{$id}} >+ --> >+</head> >+<body> >+ <script> >+ // This script block will trigger a violation report. >+ alert('FAIL'); >+ </script> >+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script> >+</body> >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-scheme-relative.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-scheme-relative.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..74f263dea50ffd1923bae8f86fabe071849bd51f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-scheme-relative.html.sub.headers >@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: report-uri-scheme-relative={{$id:uuid()}}; Path=/content-security-policy/reporting/ >+Content-Security-Policy: script-src 'self'; report-uri //{{location[host]}}/content-security-policy/support/report.py?op=put&reportID={{$id}} >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/generate-csp-report.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/generate-csp-report.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c2024c0a1b6027b1ef4d5c4d8cafff581c6fede6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/generate-csp-report.html >@@ -0,0 +1,12 @@ >+<!DOCTYPE html> >+<html> >+<body> >+ <script nonce='abc'> >+ top.postMessage('cookie set', '*'); >+ </script> >+ <script> >+ // This script block will trigger a violation report. >+ alert('FAIL'); >+ </script> >+</body> >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/generate-csp-report.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/generate-csp-report.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..6d1eedb1fcbfda2bf27f74af1b34763adc62d599 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/generate-csp-report.html.sub.headers >@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: generate-csp-report={{$id:uuid()}}; Path=/content-security-policy/reporting/ >+Content-Security-Policy: script-src 'self' 'nonce-abc'; report-uri ../../support/report.py?op=put&reportID={{$id}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/set-cookie.py b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/set-cookie.py >new file mode 100644 >index 0000000000000000000000000000000000000000..7f321a5c39d749d0695866cc497bd861c5e0ba96 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/set-cookie.py 
>@@ -0,0 +1,28 @@ >+import sys >+import urlparse >+ >+def main(request, response): >+ """ >+ Returns cookie name and path from query params in a Set-Cookie header. >+ >+ e.g. >+ >+ > GET /cookies/resources/set-cookie.py?name=match-slash&path=%2F HTTP/1.1 >+ > Host: localhost:8000 >+ > User-Agent: curl/7.43.0 >+ > Accept: */* >+ > >+ < HTTP/1.1 200 OK >+ < Content-Type: application/json >+ < Set-Cookie: match-slash=1; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT >+ < Server: BaseHTTP/0.3 Python/2.7.12 >+ < Date: Tue, 04 Oct 2016 18:16:06 GMT >+ < Content-Length: 80 >+ """ >+ params = urlparse.parse_qs(request.url_parts.query) >+ headers = [ >+ ("Content-Type", "application/json"), >+ ("Set-Cookie", "{name[0]}={value[0]}; Path={path[0]}; Expires=Wed, 09 Jun 2021 10:18:14 GMT".format(**params)) >+ ] >+ body = "{}" >+ return headers, body >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..adcfd68a05658035b1ce49dea1139d5ef923a05b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/w3c-import.log 
>@@ -0,0 +1,19 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/generate-csp-report.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/generate-csp-report.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/set-cookie.py >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..3bdef907ccb9e223384d57847501fd44715aacf8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/w3c-import.log 
>@@ -0,0 +1,52 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/multiple-report-policies.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/multiple-report-policies.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-and-enforce.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-and-enforce.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-data-uri.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-data-uri.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri-cross-origin.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri-cross-origin.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-01.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-01.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-02.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-02.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-same-origin-with-cookies.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-same-origin-with-cookies.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-strips-fragment.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-effective-directive.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-effective-directive.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-child-frame.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-inline-javascript.html 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-inline-javascript.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-javascript.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-javascript.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple-reversed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple-reversed.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-multiple.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-scheme-relative.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-scheme-relative.html.sub.headers >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-inside-csp.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-inside-csp.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..c4d82f38813abb2a6975dc3253a962cdb47b3307 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-inside-csp.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Expecting logs: ["PASS (1/2): Script can execute","PASS (2/2): Eval works"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-inside-csp.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-inside-csp.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..cd402bdba0198bf763e1733004c2005614b9a542 
>--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-inside-csp.sub.html >@@ -0,0 +1,18 @@ >+<html> >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'self'; connect-src 'self';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS (1/2): Script can execute","PASS (2/2): Eval works"]'></script> >+ <script src='../support/alertAssert.sub.js?alerts=[]'></script> >+</head> >+<body> >+ <script> >+ window.onmessage = function(e) { >+ log(e.data); >+ } >+ </script> >+ <iframe src="support/sandboxed-eval.sub.html"></iframe> >+</body> >+</html> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-allow-scripts-subframe.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-allow-scripts-subframe.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..db7f33e6656a70e9bf6ddf8f4834441fe77423c6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-allow-scripts-subframe.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Expecting logs: ["Message"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-allow-scripts-subframe.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-allow-scripts-subframe.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..1d6db3cde71cddb66f5536720a632b537465cbff >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-allow-scripts-subframe.sub.html 
>@@ -0,0 +1,22 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["Message"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <script> >+ window.onmessage = function(e) { >+ log(e.data); >+ } >+ </script> >+ >+ <iframe src="support/sandboxed-data-iframe.sub.html?sandbox=allow-scripts"></iframe> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-allow-scripts.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-allow-scripts.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..db7f33e6656a70e9bf6ddf8f4834441fe77423c6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-allow-scripts.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Expecting logs: ["Message"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-allow-scripts.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-allow-scripts.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..e58402e4ba668220326f7ca7757e22e1f4647a8f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-allow-scripts.sub.html 
>@@ -0,0 +1,22 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["Message"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <script> >+ window.onmessage = function(e) { >+ log(e.data); >+ } >+ </script> >+ >+ <iframe src="support/sandboxed-post-message-to-parent.html?sandbox=allow-scripts"></iframe> >+</body> >+ >+</html> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-empty-subframe.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-empty-subframe.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..b0ec4e118259c096b1da719b717219934a9cdb3e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-empty-subframe.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Expecting logs: ["PASS2"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-empty-subframe.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-empty-subframe.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..3396e566b8b9589bad9d5e783c53e59daa193a49 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-empty-subframe.sub.html 
>@@ -0,0 +1,23 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS2"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <script> >+ window.onmessage = function(e) { >+ log(e.data); >+ } >+ </script> >+ >+ <iframe src="support/sandboxed-data-iframe.sub.html?sandbox=" >+ onload="log('PASS2')"></iframe> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-empty.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-empty.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..204144d4692a4cfc5241463bc210af59c8163813 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-empty.sub-expected.txt >@@ -0,0 +1,6 @@ >+This test passes if it does alert pass. >+ >+ >+ >+PASS Expecting logs: ["PASS2"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-empty.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-empty.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..47034710203a1fb8a3326cd7c8d8367166837628 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-empty.sub.html 
>@@ -0,0 +1,25 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS2"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <p>This test passes if it does alert pass.</p> >+ >+ <script> >+ window.onmessage = function(e) { >+ log(e.data); >+ } >+ </script> >+ >+ <iframe src="support/sandboxed-post-message-to-parent.sub.html?sandbox=" >+ onload="log('PASS2')"></iframe> >+</body> >+ >+</html> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-data-iframe.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-data-iframe.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..fafd4dc7707ab0d26ed2c67f34c26920649795f8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-data-iframe.sub.html >@@ -0,0 +1 @@ >+<iframe src="data:text/html,<script>window.top.postMessage('Message','*');</script>"></iframe> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-data-iframe.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-data-iframe.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..a7ea308208d81a9f9a2ec24004d5d1f72cf21f84 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-data-iframe.sub.html.sub.headers >@@ -0,0 +1 @@ >+Content-Security-Policy: sandbox {{GET[sandbox]}}; >\ No newline at end of file 
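Review bot: sandbox-empty.sub.html frames `support/sandboxed-post-message-to-parent.sub.html?sandbox=`, but the support file added by this patch (and the only one listed in sandbox/support/w3c-import.log) is `sandboxed-post-message-to-parent.html`, without `.sub`. The iframe therefore loads a 404 response, its `onload` still fires and logs 'PASS2', and the test passes without ever checking that a fully sandboxed frame is prevented from posting 'Message' to the top window; the PASS in sandbox-empty.sub-expected.txt is vacuous. The visible `<p>This test passes if it does alert pass.</p>` also contradicts `alertAssert.sub.js?alerts=[]`, which asserts that no alert fires; it looks like stale text from the reftest conversion. Since w3c-import.log forbids local edits, both need an upstream WPT fix (point the iframe at the `.html` file, or rename it and add a matching `.sub.headers`), after which this expectation should be regenerated.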
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-eval.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-eval.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..9480e521de21ef930674721de943f96e1fd1219a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-eval.sub.html >@@ -0,0 +1,4 @@ >+<script> >+ window.parent.postMessage('PASS (1/2): Script can execute', '*'); >+ eval("window.parent.postMessage('PASS (2/2): Eval works', '*')"); >+</script> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-eval.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-eval.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..c7e4e7cc5bd3fa25851c1e26c3c04eb95050d94b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-eval.sub.html.sub.headers >@@ -0,0 +1 @@ >+Content-Security-Policy: sandbox allow-scripts >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-post-message-to-parent.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-post-message-to-parent.html >new file mode 100644 >index 0000000000000000000000000000000000000000..ef4b1a0b95a7e00275c423d49dd28f98545950d3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-post-message-to-parent.html >@@ -0,0 +1,3 @@ >+<script> >+ window.top.postMessage("Message", "*"); >+</script> >\ No newline at end of file 
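Review bot: sandboxed-post-message-to-parent.html has no `.sub.headers` sibling (compare sandboxed-data-iframe.sub.html.sub.headers and sandboxed-eval.sub.html.sub.headers in this directory), so the `?sandbox=allow-scripts` query that sandbox-allow-scripts.sub.html appends to it is never turned into a `Content-Security-Policy: sandbox ...` response header. That frame runs as an ordinary same-origin document, and the 'Message' log recorded in sandbox-allow-scripts.sub-expected.txt reflects unsandboxed behaviour rather than a sandboxed frame granted allow-scripts. Upstream, either add `sandboxed-post-message-to-parent.html.sub.headers` containing `Content-Security-Policy: sandbox {{GET[sandbox]}};`, or have sandbox-allow-scripts.sub.html load sandboxed-data-iframe.sub.html the way its -subframe variant does.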
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html >new file mode 100644 >index 0000000000000000000000000000000000000000..ebbb54d36d86fe3ee3696b7dc302de11cb4ac30c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html >@@ -0,0 +1,3 @@ >+<script> >+ window.opener.postMessage(window.testProperty, "*"); >+</script> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..a7ea308208d81a9f9a2ec24004d5d1f72cf21f84 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html.sub.headers >@@ -0,0 +1 @@ >+Content-Security-Policy: sandbox {{GET[sandbox]}}; >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/unsandboxed-post-property-to-opener.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/unsandboxed-post-property-to-opener.html >new file mode 100644 >index 0000000000000000000000000000000000000000..ebbb54d36d86fe3ee3696b7dc302de11cb4ac30c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/unsandboxed-post-property-to-opener.html >@@ -0,0 +1,3 @@ >+<script> >+ window.opener.postMessage(window.testProperty, "*"); >+</script> >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..07f2bd2bc4ffed2c17ee4809535ad65883f0b2a7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/w3c-import.log 
>@@ -0,0 +1,24 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-data-iframe.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-data-iframe.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-eval.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-eval.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-post-message-to-parent.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/unsandboxed-post-property-to-opener.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..835640e8872c6c9d061b6df933e18cfed6935eda >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/w3c-import.log >@@ -0,0 +1,23 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-inside-csp.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-allow-scripts-subframe.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-allow-scripts.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-empty-subframe.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/sandbox-empty.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-unsandboxed.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..5aca20f5f46a941b89c0b5390f43e5fe2f8b65eb >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed-expected.txt 
>@@ -0,0 +1,3 @@ >+ >+FAIL Window object should not be reused assert_equals: expected (undefined) undefined but got (string) "test" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a7a080daf72ee8ae97f5adf433f17c947892d4ce >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed.html >@@ -0,0 +1,22 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script> >+ var t = async_test("Window object should not be reused"); >+ >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data, undefined); >+ }); >+ >+ w = window.open("support/sandboxed-post-property-to-opener.html?sandbox=allow-scripts","","width=400,height=400"); >+ w.testProperty = "test"; >+ </script> >+</body> >+ >+</html> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-unsandboxed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-unsandboxed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..f5f3eca13f1279b647c182b7075dc4dcc146cccc >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-unsandboxed-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Window object should be reused >+ 
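Review bot: window-reuse-sandboxed-expected.txt baselines a FAIL (`expected (undefined) undefined but got (string) "test"`): the `testProperty` the opener assigned to the popup's initial about:blank Window is still visible after the popup navigates to a document served with `Content-Security-Policy: sandbox allow-scripts`, i.e. the Window object is reused across a navigation into a sandboxed document, which is exactly what this test guards against (the unsandboxed twin passes, so the difference is the sandbox). Landing a bare FAIL expectation makes the baseline look intentional; record a tracking bug for it in the ChangeLog or TestExpectations so the failure is not mistaken for expected behaviour. Minor, for upstream: `w = window.open(...)` writes an implicit global; it should be `var w`.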
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-unsandboxed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-unsandboxed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..dd69c41354b583e427d4e12a060f1b6f71eb2c86 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-unsandboxed.html >@@ -0,0 +1,22 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script> >+ var t = async_test("Window object should be reused"); >+ >+ window.onmessage = t.step_func_done(function(e) { >+ assert_equals(e.data, "test"); >+ }); >+ >+ w = window.open("support/unsandboxed-post-property-to-opener.html","","width=400,height=400"); >+ w.testProperty = "test"; >+ </script> >+</body> >+ >+</html> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-allowed-src-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-allowed-src-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..15d9def40e76440ffe6541c148addff0d3d1950d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-allowed-src-blocked-expected.txt >@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'script-src-attr'. >+ >+CONSOLE MESSAGE: line 17: Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should not fire a security policy violation event >+ 
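Review bot: script-src-attr-allowed-src-blocked-expected.txt (and the sibling -expected.txt files in this directory) baseline `Harness Error (TIMEOUT)` plus `NOTRUN`, because WebKit logs `Unrecognized Content-Security-Policy directive 'script-src-attr'` and the `onload="t.done()"` handler is refused under the fallback `script-src 'nonce-abc'`, so the test never completes. A TIMEOUT expectation costs the full harness timeout on every run of the suite. The ChangeLog already says unsupported features are skipped in TestExpectations; the script-src-attr/script-src-elem tests belong there too (a `[ Skip ]` or `[ Timeout ]` entry tied to a bug for implementing the directives) rather than shipping timed-out -expected.txt files.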
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-allowed-src-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-allowed-src-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..d4c19c546676d031e4e8aa9e2e3bd59c7ae898d1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-allowed-src-blocked.html >@@ -0,0 +1,20 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src-attr 'unsafe-inline'; >+ script-src 'nonce-abc';"> >+ <script nonce='abc' src="/resources/testharness.js"></script> >+ <script nonce='abc' src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script nonce='abc'> >+ var t = async_test("Should not fire a security policy violation event"); >+ window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have fired a spv event")); >+ </script> >+ >+ <img src="../support/pass.png" onload="t.done()"> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..8167e52112518ff30380ff24919a4d8ffab46286 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed-expected.txt >@@ -0,0 +1,8 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'script-src-attr'. >+ >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should fire a security policy violation event >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..199726e212d93b769aa128992ead4ef95d1d3453 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed.html >@@ -0,0 +1,23 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src-attr 'none'; >+ script-src 'unsafe-inline' 'self';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script> >+ var t = async_test("Should fire a security policy violation event"); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, 'script-src-attr'); >+ assert_equals(e.blockedURI, 'inline'); >+ })); >+ </script> >+ >+ <img src="../support/pass.png" onload="t.unreached_func('Should not have executed the inline handler')"> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..df2b8c993a84dccb5580fe2ffa3599b97d42dfe7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked-expected.txt 
>@@ -0,0 +1,11 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'script-src-elem'. >+ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'script-src-attr'. >+ >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should fire a security policy violation for the attribute >+PASS Should execute the inline script block >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c21898377e5cea61af577060aa7c47320a60aa8f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked.html >@@ -0,0 +1,29 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src-elem 'self' 'unsafe-inline'; >+ script-src-attr 'none';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script> >+ var t = async_test("Should fire a security policy violation for the attribute"); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, 'script-src-attr'); >+ assert_equals(e.blockedURI, 'inline'); >+ })); >+ >+ var t1 = async_test("Should execute the inline script block"); >+ </script> >+ >+ <script> >+ t1.done(); >+ </script> >+ >+ <img src="../support/pass.png" onload="t.unreached_func('should not have run this event handler')"> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-src-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-src-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ebb556e877cdb8affdbc3cf9c167530aa00d1826 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-src-blocked-expected.txt >@@ -0,0 +1,8 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'script-src-elem'. >+ >+CONSOLE MESSAGE: line 17: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should not fire a security policy violation event >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-src-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-src-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c7954613c78999631e932c89f2ad46b85f470fe6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-src-blocked.html 
>@@ -0,0 +1,22 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src-elem 'nonce-abc' 'nonce-def'; >+ script-src 'nonce-abc';"> >+ <script nonce='abc' src="/resources/testharness.js"></script> >+ <script nonce='abc' src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script nonce='abc'> >+ var t = async_test("Should not fire a security policy violation event"); >+ window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have fired a spv event")); >+ </script> >+ >+ <script nonce='def'> >+ t.done(); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ecedff32a012a693504bb469578acda62b52c75e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed-expected.txt >@@ -0,0 +1,11 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'script-src-elem'. >+ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'script-src-attr'. >+ >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should fire a security policy violation for the attribute >+PASS Should execute the inline script attribute >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..4a85c15376c93a27d0026d6f46172dc22929765c >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed.html >@@ -0,0 +1,31 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src-elem 'nonce-abc' 'self'; >+ script-src-attr 'unsafe-inline'"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script nonce='abc'> >+ var t = async_test("Should fire a security policy violation for the attribute"); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, 'script-src-elem'); >+ assert_equals(e.blockedURI, 'inline'); >+ })); >+ >+ var t1 = async_test("Should execute the inline script attribute"); >+ </script> >+ >+ <script> >+ t.step_func(function() { >+ assert_unreached("Should not have executed the inline script block"); >+ }) >+ </script> >+ >+ <img src="../support/pass.png" onload="t1.done()"> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..54fa9c2025c116f57ab003c731b2364ccde9166e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed-expected.txt >@@ -0,0 +1,7 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'script-src-elem'. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should fire a spv event >+ 
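Review bot: in script-src-elem-blocked-attr-allowed.html the second `<script>` block builds `t.step_func(function() { assert_unreached("Should not have executed the inline script block"); })` and discards the returned function, so the assertion can never run even when the block is (wrongly) executed; the only signal is then a harness timeout rather than a failure naming the cause. Use `t.step(function() { ... })` instead, as support/t_fail.js already does. Being an imported file, the fix belongs in a WPT pull request.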
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..ac4726f9f4bcf93c0500ba374b5218c1959435f1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed.html >@@ -0,0 +1,28 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src-elem 'nonce-abc'; >+ script-src 'nonce-abc' 'nonce-def';"> >+ <script nonce='abc' src="/resources/testharness.js"></script> >+ <script nonce='abc' src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script nonce='abc'> >+ var t = async_test("Should fire a spv event"); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, 'script-src-elem'); >+ assert_equals(e.blockedURI, 'inline'); >+ })); >+ >+ </script> >+ >+ <script nonce='def'> >+ t.step_func(function() { >+ assert_unreached("Should not have executed the inline block"); >+ }); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/strict-dynamic-elem-allowed-src-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/strict-dynamic-elem-allowed-src-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..b6543778230247f758773f667915fdad0ebfa901 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/strict-dynamic-elem-allowed-src-blocked.html 
>@@ -0,0 +1,22 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src-elem 'strict-dynamic' 'nonce-abc'; >+ script-src 'nonce-abc';"> >+ <script nonce='abc' src="/resources/testharness.js"></script> >+ <script nonce='abc' src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script nonce='abc'> >+ var t = async_test("Should not fire a security policy violation event"); >+ window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have fired a spv event")); >+ >+ var s = document.createElement('script'); >+ s.src = 'support/t_done.js'; >+ document.head.appendChild(s); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/strict-dynamic-elem-blocked-src-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/strict-dynamic-elem-blocked-src-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..04394dc33ac17c024fa448046ab7725c17061766 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/strict-dynamic-elem-blocked-src-allowed.sub.html 
>@@ -0,0 +1,25 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'strict-dynamic' 'nonce-abc'; >+ script-src-elem 'nonce-abc';"> >+ <script nonce='abc' src="/resources/testharness.js"></script> >+ <script nonce='abc' src="/resources/testharnessreport.js"></script> >+</head> >+ >+<body> >+ <script nonce='abc'> >+ var t = async_test("Should fire a security policy violation event"); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "script-src-elem"); >+ assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/script-src-attr-elem/support/t_fail.js"); >+ })); >+ >+ var s = document.createElement('script'); >+ s.src = 'support/t_fail.js'; >+ document.head.appendChild(s); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/support/t_done.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/support/t_done.js >new file mode 100644 >index 0000000000000000000000000000000000000000..e31eb1d95927d6f9132d127796861de23c8df719 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/support/t_done.js >@@ -0,0 +1 @@ >+t.done(); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/support/t_fail.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/support/t_fail.js >new file mode 100644 >index 0000000000000000000000000000000000000000..fa48d6e2c5dda3fe0521f4cc5ceb2104ff467ea7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/support/t_fail.js >@@ -0,0 +1,3 @@ >+t.step(function() { >+ assert_unreached("Should not loaded the script"); >+}); 
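Review bot: script-src-elem-blocked-src-allowed.html has the same dead assertion as its -attr-allowed sibling: the `<script nonce='def'>` block calls `t.step_func(function() { assert_unreached("Should not have executed the inline block"); });` without invoking the result, so a browser that honours the `'nonce-def'` from `script-src` instead of the `script-src-elem` list runs the block unnoticed and the test merely times out. `t.step(function() { ... })` would report the actual violation. Same upstream-fix caveat as for the other imported tests.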
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/support/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/support/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..7e58d2642831dc89d6a7f2681f8856faabf5b839 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/support/w3c-import.log >@@ -0,0 +1,18 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/support/t_done.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/support/t_fail.js >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..645c65c69c8c01b36937b9ee77a526058ee57f2b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/w3c-import.log 
>@@ -0,0 +1,24 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-allowed-src-blocked.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-src-blocked.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/strict-dynamic-elem-allowed-src-blocked.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/strict-dynamic-elem-blocked-src-allowed.sub.html 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/10_1_support_1.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/10_1_support_1.js >new file mode 100644 >index 0000000000000000000000000000000000000000..9bfe201711a0b4f3201700261fe13135cf4e8d02 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/10_1_support_1.js >@@ -0,0 +1,4 @@ >+var dataScriptRan = false; >+ >+var t_spv = async_test("Test that no report violation event was raised"); >+window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should not have raised any securitypolicyviolation event")); >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/10_1_support_2.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/10_1_support_2.js >new file mode 100644 >index 0000000000000000000000000000000000000000..6e6c15d22352ef455dfe1ff0d44db009253360fd >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/10_1_support_2.js >@@ -0,0 +1,5 @@ >+test(function () { >+ assert_true(dataScriptRan, "data script ran"); >+ }, "Verify that data: as script src runs with this policy"); >+ >+t_spv.done(); >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js >new file mode 100644 >index 0000000000000000000000000000000000000000..02c8c8cdd421dd3db80929d57e34325ab834e84b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js 
>@@ -0,0 +1,28 @@ >+(function () { >+ var t_spv = async_test("Test that securitypolicyviolation event is fired"); >+ var test_count = 2; >+ >+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "script-src-elem"); >+ if (--test_count <= 0) { >+ t_spv.done(); >+ } >+ })); >+ >+ >+ var dmTest = async_test("DOM manipulation inline tests"); >+ var attachPoint = document.getElementById('attachHere'); >+ var inlineScript = document.createElement('script'); >+ var scriptText = document.createTextNode('dmTest.step(function() {assert_unreached("Unsafe inline script ran - createTextNode.")});'); >+ >+ inlineScript.appendChild(scriptText); >+ attachPoint.appendChild(inlineScript); >+ >+ document.getElementById('emptyScript').innerHTML = 'dmTest.step(function() {assert_unreached("Unsafe inline script ran - innerHTML.")});'; >+ document.getElementById('emptyDiv').outerHTML = '<script id=outerHTMLScript>dmTest.step(function() {assert_unreached("Unsafe inline script ran - outerHTML.")});</script>'; >+ >+ document.write('<script>dmTest.step(function() {assert_unreached("Unsafe inline script ran - document.write")});</script>'); >+ document.writeln('<script>dmTest.step(function() {assert_unreached("Unsafe inline script ran - document.writeln")});</script>'); >+ >+ dmTest.done(); >+})(); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/buildInlineWorker.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/buildInlineWorker.js >new file mode 100644 >index 0000000000000000000000000000000000000000..8cd092147cb107e45a7206dcbe6c09b3a983f1b1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/buildInlineWorker.js 
>@@ -0,0 +1,21 @@ >+(function () >+{ >+ var workerSource = document.getElementById('inlineWorker'); >+ var blob = new Blob([workerSource.textContent]); >+ >+ // can I create a new script tag like this? ack... >+ var url = window.URL.createObjectURL(blob); >+ >+ try { >+ var worker = new Worker(url); >+ } >+ catch (e) { >+ done(); >+ } >+ >+ worker.addEventListener('message', function(e) { >+ assert_unreached("script ran"); >+ }, false); >+ >+ worker.postMessage(''); >+})(); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/crossoriginScript.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/crossoriginScript.js >new file mode 100644 >index 0000000000000000000000000000000000000000..08535fa552eafa27db55b093bd305254642d6840 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/crossoriginScript.js >@@ -0,0 +1,3 @@ >+// Identical to simpleSourcedScript.js but with a different hash, thanks to >+// this comment! >+window.postMessage(document.currentScript.id, "*"); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/crossoriginScript.js.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/crossoriginScript.js.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..cb762eff806849df46dc758ef7b98b63f27f54c9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/crossoriginScript.js.headers >@@ -0,0 +1 @@ >+Access-Control-Allow-Origin: * 
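Review bot: in addInlineTestsWithDOMManipulation.js the `test_count` / `t_spv.done()` bookkeeping is dead code: the listener is registered with `t_spv.step_func_done`, which completes `t_spv` after the first `securitypolicyviolation` event, and steps on a completed test are ignored, so the counter never reaches the second event. If two violations are expected, register with `t_spv.step_func` and call `t_spv.done()` only when the counter hits zero. Also, script elements created through `innerHTML` and `outerHTML` come from the fragment parser with their "already started" flag set and never execute regardless of CSP, so the `emptyScript` and `emptyDiv` cases cannot tell a correct policy from a broken one; only the `createTextNode`/`appendChild`, `document.write` and `document.writeln` paths exercise it. Lastly, the listener asserts `violatedDirective === "script-src-elem"`, which every test using this helper will fail in WebKit until that directive is recognised (see the "Unrecognized ... directive" console lines elsewhere in this patch).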
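Review bot: in buildInlineWorker.js the `catch (e) { done(); }` branch does not return, so when `new Worker(url)` throws, execution falls through to `worker.addEventListener(...)` with `worker` undefined and the resulting TypeError turns a clean pass into a harness error; add a `return` after `done()`. The `assert_unreached("script ran")` in the message handler likewise runs outside any test step, so a worker that does execute is reported as an uncaught exception rather than a failing test; wrap it in `test(function() { assert_unreached("script ran"); })` or a step of an `async_test`. The comment "can I create a new script tag like this? ack..." is stale and should be dropped upstream.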
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..bc37a9708c050ab7c8749945725468e0d2b7d5d8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report-expected.txt >@@ -0,0 +1,4 @@ >+ >+PASS Eval is allowed because the CSP is report-only >+PASS Violation report status OK. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html >new file mode 100644 >index 0000000000000000000000000000000000000000..5357aa2eef2a97122a24a4cced51d340b156995e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html >@@ -0,0 +1,19 @@ >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <!-- Content-Security-Policy-Report-Only: script-src 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} --> >+</head> >+<body> >+ <script> >+ var t = async_test("Eval is allowed because the CSP is report-only"); >+ try { >+ eval("t.done()"); >+ } catch { >+ t.step(function() { assert_true(false, "The eval should have execute succesfully"); }) >+ } >+ </script> >+ >+ <script async defer src="../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27unsafe-inline%27"></script> >+</body> >+</html> 
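Review bot: in eval-allowed-in-report-only-mode-and-sends-report.html the catch branch uses `assert_true(false, "The eval should have execute succesfully")`, which is really `assert_unreached("The eval should have executed successfully")` with a misspelled message; and `catch {` without a binding is ES2019 optional-catch-binding syntax, so on an engine without it the script fails to parse and the failure has nothing to do with CSP (`catch (e) {` is the portable form). Note that the HTML comment repeating the `Content-Security-Policy-Report-Only` header is documentation only: this file is not a `.sub.html`, so `{{$id}}` is not substituted there and the effective policy comes solely from the `.html.sub.headers` file, so the two should be kept in sync.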
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..37a04b5fc2eb66cbe2e7b09f03b9762b65eb2cab >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.sub.headers >@@ -0,0 +1,2 @@ >+Set-Cookie: eval-allowed-in-report-only-mode-and-sends-report={{$id:uuid()}}; Path=/content-security-policy/script-src >+Content-Security-Policy-Report-Only: script-src 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..7246e093d2f1820b3b51c1e324ce99dddd0b5320 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Eval is allowed because the CSP is report-only >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode.html >new file mode 100644 >index 0000000000000000000000000000000000000000..eebc8f026f9f1b7387614c86f4d5d2af8ab29ddf >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode.html 
>@@ -0,0 +1,17 @@ >+<html> >+<head> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <!-- Content-Security-Policy-Report-Only: script-src 'unsafe-inline' --> >+</head> >+<body> >+ <script> >+ var t = async_test("Eval is allowed because the CSP is report-only"); >+ try { >+ eval("t.done()"); >+ } catch { >+ t.step(function() { assert_true(false, "The eval should have execute succesfully"); }) >+ } >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..b9b5d81acc3bc58dc6fdff2f436504810f6f4f6e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode.html.sub.headers >@@ -0,0 +1 @@ >+Content-Security-Policy-Report-Only: script-src 'unsafe-inline' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/externalScript.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/externalScript.js >new file mode 100644 >index 0000000000000000000000000000000000000000..2920b03c9bc98d16d4c7ebefaf8bcef268c3796c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/externalScript.js >@@ -0,0 +1 @@ >+externalRan = true; >\ No newline at end of file 
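Review bot: eval-allowed-in-report-only-mode.html repeats the sends-report variant's wording problems: `assert_true(false, "The eval should have execute succesfully")` should be `assert_unreached("The eval should have executed successfully")`, and the bare `catch {` needs optional-catch-binding support that is unrelated to what the test checks. Both are upstream WPT fixes.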
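Review bot: style point on externalScript.js, 10_1_support_1.js and 10_1_support_2.js: all three land with `\ No newline at end of file`. That is faithful to upstream and not something to change locally, but it is worth a trivial upstream cleanup so later reimports do not produce spurious last-line diffs.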
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..f0ab6482999c9f3fbbbbb1a4323227388fcf3a38 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1-expected.txt >@@ -0,0 +1,6 @@ >+CONSOLE MESSAGE: line 14: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should convert the script contents to UTF-8 before hashing >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html >new file mode 100644 >index 0000000000000000000000000000000000000000..64d9498d6d8443276f932823b370210fa98362c4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html 
>@@ -0,0 +1,20 @@ >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-c6TzhBw/snA+hlDMGOuKLWXIkb2sawA/S1wbSe6FeEM=';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <script nonce="abc"> >+ var t1 = async_test("Should convert the script contents to UTF-8 before hashing"); >+ window.addEventListener("securitypolicyviolation", t1.unreached_func("Should not have fired a spv")); >+ </script> >+ >+ <!-- � (micro sign) has the value of 0xB5 in latin-1 and of 0xC2B5 in utf-8 but the hash value should be the same as the utf-8 computed one --> >+ <script> >+ // � - latin micro sign >+ t1.done(); >+ </script> >+</body> >+</html> >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..acc92f4e80b64d826f1f8cddf6c17580019a2e56 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html.sub.headers >@@ -0,0 +1 @@ >+Content-Type: text/html; charset=iso-8859-1 >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..f0ab6482999c9f3fbbbbb1a4323227388fcf3a38 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3-expected.txt 
>@@ -0,0 +1,6 @@ >+CONSOLE MESSAGE: line 14: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should convert the script contents to UTF-8 before hashing >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html >new file mode 100644 >index 0000000000000000000000000000000000000000..fdcc54534ccb2bbdca592cfc6ee774f61cd920d3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html >@@ -0,0 +1,20 @@ >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-hbNM6T3uO5pu4o5YfNnUmwtq5VHHMr7V5ospXtx9bqU=';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <script nonce="abc"> >+ var t3 = async_test("Should convert the script contents to UTF-8 before hashing"); >+ window.addEventListener("securitypolicyviolation", t3.unreached_func("Should not have fired a spv")); >+ </script> >+ >+ <!-- � (latin capital letter g with breve) has the value of 0xAB in latin-3 and of 0xC49E in utf-8 but the hash value should be the same as the utf-8 computed one --> >+ <script> >+ // � - latin capital letter g with breve >+ t3.done(); >+ </script> >+</body> >+</html> >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..ae3e03dae1f81ed14d381b4882e6a70b6e72b994 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html.sub.headers >@@ -0,0 +1 @@ >+Content-Type: text/html; charset=iso-8859-3 >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..f0ab6482999c9f3fbbbbb1a4323227388fcf3a38 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7-expected.txt >@@ -0,0 +1,6 @@ >+CONSOLE MESSAGE: line 14: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should convert the script contents to UTF-8 before hashing >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html >new file mode 100644 >index 0000000000000000000000000000000000000000..23a64df179220a39a6e4be3de9582420a389231b >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html >@@ -0,0 +1,20 @@ >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-ST0rpskqtEC0Q0hqbIAZFeE1KBMJeGZGyYaTcTkieG8=';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <script nonce="abc"> >+ var t2 = async_test("Should convert the script contents to UTF-8 before hashing"); >+ window.addEventListener("securitypolicyviolation", t2.unreached_func("Should not have fired a spv")); >+ </script> >+ >+ <!-- � (greek small letter mu) has the value of 0xEC in latin-7 and of 0xCEBC in utf-8 but the hash value should be the same as the utf-8 computed one --> >+ <script> >+ // � - greek small letter mu >+ t2.done(); >+ </script> >+</body> >+</html> >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..9550b0de30ad89cc48896da3dac137ad6d5c9680 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html.sub.headers >@@ -0,0 +1 @@ >+Content-Type: text/html; charset=iso-8859-7 >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..f0ab6482999c9f3fbbbbb1a4323227388fcf3a38 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9-expected.txt >@@ -0,0 +1,6 @@ >+CONSOLE MESSAGE: line 14: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should convert the script contents to UTF-8 before hashing >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a29d197a1ce653c6c4cb3fd74fd3b56b8770cd2b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html >@@ -0,0 +1,20 @@ >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-hbNM6T3uO5pu4o5YfNnUmwtq5VHHMr7V5ospXtx9bqU=';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <script nonce="abc"> >+ var t3 = async_test("Should convert the script contents to UTF-8 before hashing"); >+ window.addEventListener("securitypolicyviolation", t3.unreached_func("Should not have fired a spv")); >+ </script> >+ >+ <!-- � (latin capital letter g with breve) has the value of 0xD0 in latin-9 and of 0xC49E in utf-8 but the hash value should be the same as the utf-8 computed one --> >+ <script> >+ // � - latin capital letter g with breve >+ t3.done(); >+ </script> >+</body> >+</html> >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..6382ff86a7204a8638ab74966deabaef093c5125 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html.sub.headers >@@ -0,0 +1 @@ >+Content-Type: text/html; charset=iso-8859-9 >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..0210f80d4297dbad2f0efab93129e692de4769a8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-expected.txt >@@ -0,0 +1,5 @@ >+ >+PASS Should convert the script contents to UTF-8 before hashing - latin micro sign >+PASS Should convert the script contents to UTF-8 before hashing - greek small letter mu >+PASS Should convert the script contents to UTF-8 before hashing - latin capital letter g with breve >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..fe5d52f53880582a8b6e9543bf402fe3444b684d >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate-expected.txt >@@ -0,0 +1,6 @@ >+CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should convert the script contents to UTF-8 before hashing >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html >new file mode 100644 >index 0000000000000000000000000000000000000000..58730a72cc5d8100ed6ebc570b7f7d6639f15748 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html 
>@@ -0,0 +1,31 @@ >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-YJSaNEZFStZqU2Mp2EttwhcP2aT9lnDvexn+BM2HfKo=';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <script nonce="abc"> >+ var t = async_test("Should convert the script contents to UTF-8 before hashing"); >+ var count = 0; >+ var script_ran = function() { >+ // if both blocks run the tests is succsssful >+ if (++count == 2) t.done(); >+ } >+ window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have fired a spv")); >+ >+ // Insert a script element that contains the U+FFFD replacement character >+ var scr1 = document.createElement('script'); >+ scr1.text ="//\uFFFD\nscript_ran();"; >+ document.body.appendChild(scr1); >+ >+ // Insert a script element that contains a surrogate character but it otherwise >+ // entirely identical to the previously inserted one, the surrogate should be >+ // be converted to U+FFFD when converting to UTF-8 so it should have the >+ // same hash as the one inserted before >+ var scr2 = document.createElement('script'); >+ scr2.text ="//\uD801\nscript_ran();"; >+ document.body.appendChild(scr2); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..2d1c08b9e8aacea63675fb5c94f7e969165784ad >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html.sub.headers >@@ -0,0 +1 @@ >+Content-Type: text/html; charset=utf-8 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8.html >new file mode 100644 >index 0000000000000000000000000000000000000000..b770cba24661f96ace9b0b049c5edd6da761afc1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8.html 
>@@ -0,0 +1,36 @@ >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' >+ 'sha256-c6TzhBw/snA+hlDMGOuKLWXIkb2sawA/S1wbSe6FeEM=' >+ 'sha256-ST0rpskqtEC0Q0hqbIAZFeE1KBMJeGZGyYaTcTkieG8=' >+ 'sha256-hbNM6T3uO5pu4o5YfNnUmwtq5VHHMr7V5ospXtx9bqU=';"> >+ <!-- hashes matching the 3 script blocks below --> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <script nonce="abc"> >+ var t1 = async_test("Should convert the script contents to UTF-8 before hashing - latin micro sign"); >+ window.addEventListener("securitypolicyviolation", t1.unreached_func("Should not have fired a spv")); >+ var t2 = async_test("Should convert the script contents to UTF-8 before hashing - greek small letter mu"); >+ window.addEventListener("securitypolicyviolation", t2.unreached_func("Should not have fired a spv")); >+ var t3 = async_test("Should convert the script contents to UTF-8 before hashing - latin capital letter g with breve"); >+ window.addEventListener("securitypolicyviolation", t3.unreached_func("Should not have fired a spv")); >+ </script> >+ >+ <!-- the hash values of these script blocks should match the same values >+ of identical script blocks in documents with other encodings --> >+ <script> >+ // µ - latin micro sign >+ t1.done(); >+ </script> >+ <script> >+ // μ - greek small letter mu >+ t2.done(); >+ </script> >+ <script> >+ // Ä - latin capital letter g with breve >+ t3.done(); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..2d1c08b9e8aacea63675fb5c94f7e969165784ad >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8.html.sub.headers >@@ -0,0 +1 @@ >+Content-Type: text/html; charset=utf-8 >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..8f2e7ec85e77cc98b4910c1cd9b1d0d8a6576251 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/w3c-import.log 
>@@ -0,0 +1,28 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html.sub.headers 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8.html.sub.headers >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/injected-inline-script-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/injected-inline-script-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..58f6f6622e246eb56b69a7c0dddb455e8605a731 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/injected-inline-script-allowed.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Expecting logs: ["Pass 1 of 2","Pass 2 of 2"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/injected-inline-script-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/injected-inline-script-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..5a8cdec8472e923bf8984d5b5c77a6cf939e4d13 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/injected-inline-script-allowed.sub.html 
>@@ -0,0 +1,24 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'"> >+ <title>injected-inline-script-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["Pass 1 of 2","Pass 2 of 2"]'></script> >+ <script src='../support/alertAssert.sub.js?alerts=[]'></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("Fail"); >+ }); >+ </script> >+ <script src="support/inject-script.js"></script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/injected-inline-script-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/injected-inline-script-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a58899764259ea820bd0be28007bbb52eb06bf5b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/injected-inline-script-blocked.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Expecting logs: ["violated-directive=script-src-elem",] assert_unreached: Logging timeout, expected logs violated-directive=script-src-elem not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/injected-inline-script-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/injected-inline-script-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..45c389f7f1e930927bc951f2373dd3dd3c6758c4 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/injected-inline-script-blocked.sub.html >@@ -0,0 +1,24 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc'; connect-src 'self';"> >+ <title>injected-inline-script-blocked</title> >+ <script nonce='abc' src="/resources/testharness.js"></script> >+ <script nonce='abc' src="/resources/testharnessreport.js"></script> >+ <script nonce='abc' src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem",]'></script> >+ <script nonce='abc' src='../support/alertAssert.sub.js?alerts=[]'></script> >+</head> >+ >+<body> >+ <script nonce='abc'> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ </script> >+ <script src="support/inject-script.js"></script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/inlineSuccessTest.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/inlineSuccessTest.js >new file mode 100644 >index 0000000000000000000000000000000000000000..1f0d7ae71549577a88bd89446ca9f35e1ba0dd0b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/inlineSuccessTest.js >@@ -0,0 +1,12 @@ >+var t_spv = async_test("Should not fire policy violation events"); >+window.addEventListener("securitypolicyviolation", t_spv.unreached_func("Should have not fired any securitypolicyviolation event")); >+ >+var inlineRan = false; >+ >+onload = function() { >+ test(function() { >+ assert_true(inlineRan, 'Unsafe inline script ran.')}, >+ 'Inline script in a script tag should run with an unsafe-inline directive' >+ ); >+ t_spv.done(); >+} >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/inlineTests.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/inlineTests.js >new file mode 100644 >index 0000000000000000000000000000000000000000..3c0712b4499019372223bf7c36ec51548cfb6c79 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/inlineTests.js >@@ -0,0 +1,22 @@ >+var t1 = async_test("Inline script block"); >+var t2 = async_test("Inline event handler"); >+ >+onload = function() {t1.done(); t2.done();}; >+ >+var t_spv = async_test("Should fire policy violation events"); >+var block_event_fired = false; >+var handler_event_fired = false; >+window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) { >+ if (e.violatedDirective == "script-src-elem") { >+ assert_false(block_event_fired); >+ block_event_fired = true; >+ } else if (e.violatedDirective == "script-src-attr") { >+ assert_false(handler_event_fired); >+ handler_event_fired = true; >+ } else { >+ assert_unreached("Unexpected directive broken"); >+ } >+ if (block_event_fired && handler_event_fired) { >+ t_spv.done(); >+ } >+})); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..bcd1cd505235756e937b7433c6a52678116734d8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked-expected.txt 
>@@ -0,0 +1,7 @@ >+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Check that a securitypolicyviolation event is fired >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..ae4d8227edc83cb238fda810268a73278ab31bfd >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html >@@ -0,0 +1,20 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Window.open should not open javascript url if not allowed.</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc';"> >+ <script nonce='abc' src='/resources/testharness.js'></script> >+ <script nonce='abc' src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <script nonce='abc'> >+ var t = async_test("Check that a securitypolicyviolation event is fired"); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.violatedDirective, "script-src-elem"); >+ })); >+ >+ window.open('javascript:test(function() { assert_unreached("FAIL")});', 'new'); >+ </script> >+</body> >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..32fc4d54a3266f818182192d21998ca99fdec8a8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html.sub.headers >@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: javascript-window-open-blocked={{$id:uuid()}}; Path=/content-security-policy/script-src/ >+Content-Security-Policy: script-src 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}} >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/nonce-enforce-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/nonce-enforce-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..b4a17b3973ff220085a5befb8f0d636466f21c8e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/nonce-enforce-blocked-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Unnonced scripts generate reports. assert_unreached: '<script' attribute, no execution. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/nonce-enforce-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/nonce-enforce-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..25343a5d4dc470aca2294cdaec28457e864204d5 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/nonce-enforce-blocked.html 
>@@ -0,0 +1,63 @@ >+<!DOCTYPE html> >+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'"> >+<script src="/resources/testharness.js" nonce="abc"></script> >+<script src="/resources/testharnessreport.js" nonce="abc"></script> >+<script nonce="abc"> >+ var t = async_test("Unnonced scripts generate reports."); >+ var events = 0; >+ var firstLine = 38; >+ var expectations = {} >+ expectations[firstLine] = true; >+ expectations[firstLine + 3] = true; >+ expectations[firstLine + 6] = true; >+ expectations[firstLine + 9] = true; >+ expectations[firstLine + 12] = true; >+ expectations[firstLine + 15] = true; >+ expectations[firstLine + 18] = true; >+ expectations["/content-security-policy/support/nonce-should-be-blocked.js?1"] = true; >+ expectations["/content-security-policy/support/nonce-should-be-blocked.js?2"] = true; >+ expectations["/content-security-policy/support/nonce-should-be-blocked.js?3"] = true; >+ expectations["/content-security-policy/support/nonce-should-be-blocked.js?4"] = true; >+ expectations["/content-security-policy/support/nonce-should-be-blocked.js?5"] = true; >+ >+ document.addEventListener('securitypolicyviolation', t.step_func(e => { >+ if (e.lineNumber) { >+ // Verify that the line is expected, then clear the expectation: >+ assert_true(expectations[e.lineNumber], "Line number: " + e.lineNumber); >+ assert_equals(e.blockedURI, "inline"); >+ } else { >+ // Otherwise, verify that the URL is expected, then clear the expectation: >+ var url = new URL(e.blockedURI); >+ assert_true(expectations[url.pathname + url.search], "URL: " + e.blockedURI); >+ } >+ events++; >+ if (events == 12) >+ t.done(); >+ })); >+</script> >+<script> >+ t.unreached_func("No nonce, no execution.")(); >+</script> >+<script nonce="xyz"> >+ t.unreached_func("Bad nonce, no execution.")(); >+</script> >+<script <script nonce="abc"> >+ t.unreached_func("'<script' attribute, no execution.")(); >+</script> >+<script attribute<script nonce="abc"> >+ 
t.unreached_func("'attribute<script', no execution.")(); >+</script> >+<script attribute=<script nonce="abc"> >+ t.unreached_func("'<script' value, no execution.")(); >+</script> >+<script attribute=value<script nonce="abc"> >+ t.unreached_func("'value<script', no execution.")(); >+</script> >+<script attribute="" attribute=<style nonce="abc"> >+ t.unreached_func("Duplicate attribute, no execution.")(); >+</script> >+<script src="../support/nonce-should-be-blocked.js?1" <script nonce="abc"></script> >+<script src="../support/nonce-should-be-blocked.js?2" attribute=<script nonce="abc"></script> >+<script src="../support/nonce-should-be-blocked.js?3" <style nonce="abc"></script> >+<script src="../support/nonce-should-be-blocked.js?4" attribute=<style nonce="abc"></script> >+<script src="../support/nonce-should-be-blocked.js?5" attribute=<style nonce="abc"></script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_1-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_1-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..c52e22eccf090911e03a156ac4b43df7ffcc2238 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_1-expected.txt >@@ -0,0 +1,11 @@ >+CONSOLE MESSAGE: line 14: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 18: Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+Inline script should not run without 'unsafe-inline' script-src directive, even for script-src 'self'. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Inline script block >+PASS Inline event handler >+NOTRUN Should fire policy violation events >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_1.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_1.html >new file mode 100644 >index 0000000000000000000000000000000000000000..d66253c6a19d459828e33a0989398f4aa37b188a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_1.html >@@ -0,0 +1,20 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Inline script should not run without 'unsafe-inline' script-src directive.</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ <script src='inlineTests.js'></script> >+</head> >+<body> >+ <h1>Inline script should not run without 'unsafe-inline' script-src directive, even for script-src 'self'.</h1> >+ <div id='log'></div> >+ >+ <script> >+ t1.step(function() {assert_unreached('Unsafe inline script ran.');}); >+ </script> >+ >+ <img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_10-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_10-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..b21b2250a015c60117b6e80b16bafbff1dd623db >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_10-expected.txt 
>@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: Refused to load data:text/javascript;charset=utf-8;base64,ZGF0YVNjcmlwdFJhbiA9IHRydWU7 because it appears in neither the script-src directive nor the default-src directive of the Content Security Policy. >+data: as script src should not run with a policy that doesn't specify data: as an allowed source >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that securitypolicyviolation event is fired >+PASS Verify that data: as script src doesn't run with this policy >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_10.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_10.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a1bfdaeb15bfbadb322b393b34f6872de1c55699 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_10.html 
>@@ -0,0 +1,31 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>data: as script src should not run with a policy that doesn't specify data: as an allowed source</title> >+ <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <h1>data: as script src should not run with a policy that doesn't specify data: as an allowed source</h1> >+ <div id='log'></div> >+ >+ <script> >+ var dataScriptRan = false; >+ var t_spv = async_test("Test that securitypolicyviolation event is fired"); >+ >+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "script-src"); >+ })); >+ </script> >+ >+ <!-- This is our test case, but we don't expect it to actually execute if CSP is working. --> >+ <script src="data:text/javascript;charset=utf-8;base64,ZGF0YVNjcmlwdFJhbiA9IHRydWU7"></script> >+ >+ <script> >+ test(function () { >+ assert_false(dataScriptRan, "data script ran"); >+ }, "Verify that data: as script src doesn't run with this policy"); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_10_1-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_10_1-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a33ec1e55408d1939213b6b9d6253b209721dcf6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_10_1-expected.txt >@@ -0,0 +1,6 @@ >+data: as script src should run with a policy that specifies data: as an allowed source but not 'unsafe-inline' >+ >+ >+PASS Test that no report violation event was raised >+PASS Verify that data: as script src runs with this policy >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a1e2f72cdb73977d56973873967e85f8bc01ee47 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html >@@ -0,0 +1,19 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>data: as script src should run with a policy that specifies data: as an allowed source but not 'unsafe-inline'</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' data:;"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <h1>data: as script src should run with a policy that specifies data: as an allowed source but not 'unsafe-inline'</h1> >+ <div id='log'></div> >+ >+ <script src="10_1_support_1.js"></script> >+ >+ <script src="data:text/javascript;charset=utf-8;base64,ZGF0YVNjcmlwdFJhbiA9IHRydWU7"></script> >+ >+ <script src="10_1_support_2.js"></script> >+</body> >+</html> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_2-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_2-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..abe14f6768ab9ae5052797018c876d69882eb18b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_2-expected.txt 
>@@ -0,0 +1,11 @@ >+CONSOLE MESSAGE: line 14: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 18: Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+Inline script should not run without 'unsafe-inline' script-src directive, even for script-src *. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS Inline script block >+PASS Inline event handler >+NOTRUN Should fire policy violation events >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_2.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_2.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a68945cb853733627c9c1ff5fd03633d02d90a59 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_2.html >@@ -0,0 +1,20 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Inline script should not run without 'unsafe-inline' script-src directive.</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src *;"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ <script src='inlineTests.js'></script> >+</head> >+<body> >+ <h1>Inline script should not run without 'unsafe-inline' script-src directive, even for script-src *.</h1> >+ <div id='log'></div> >+ >+ <script> >+ t1.step(function() {assert_unreached('Unsafe inline script ran.');}); >+ </script> >+ >+ <img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'> >+</body> >+</html> 
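Review bot: the new script-src-1_2-expected.txt baseline bakes in `Harness Error (TIMEOUT), message = null` together with `NOTRUN Should fire policy violation events`, so every run of this test waits out the full harness timeout, and a future regression in the two PASS subtests would still be compared against a timing-out baseline. Rather than freezing a TIMEOUT result, consider a TestExpectations entry with a tracking bug for the missing securitypolicyviolation event; the same TIMEOUT/NOTRUN pattern appears in the script-src-1_2_1, script-src-1_4, script-src-1_4_1 and script-src-1_4_2 expected files that follow.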
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_2_1-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_2_1-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..31c2e09f025f2c5cd5d896705ec05284c701619a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_2_1-expected.txt >@@ -0,0 +1,12 @@ >+CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 15: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+Inline script attached by DOM manipulation should not run without an 'unsafe-inline' script-src policy, even with default-src * >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that securitypolicyviolation event is fired >+PASS DOM manipulation inline tests >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html >new file mode 100644 >index 0000000000000000000000000000000000000000..2641c867f638f67b2687a605b21428c19de3ee07 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html 
>@@ -0,0 +1,21 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Inline script attached by DOM manipulation should not run without an 'unsafe-inline' script-src policy, even with default-src *</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src *;"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <h1>Inline script attached by DOM manipulation should not run without an 'unsafe-inline' script-src policy, even with default-src *</h1> >+ <div id="log"></div> >+ >+ <div id=attachHere></div> >+ >+ <script id=emptyScript></script> >+ >+ <div id=emptyDiv></div> >+ >+ <script src="addInlineTestsWithDOMManipulation.js"></script> >+</body> >+</html> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_3-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_3-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a72f84b7aa59065522cf7c4597fe562932c6140d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_3-expected.txt >@@ -0,0 +1,6 @@ >+Positive test case: Inline script should run 'unsafe-inline' script-src directive. >+ >+ >+PASS Should not fire policy violation events >+PASS Inline script in a script tag should run with an unsafe-inline directive >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_3.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_3.html >new file mode 100644 >index 0000000000000000000000000000000000000000..bf7a6921b4d0dc403faaa716814352db4681d77b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_3.html 
>@@ -0,0 +1,18 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Positive test case: Inline script should run 'unsafe-inline' script-src directive.</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ <script src='inlineSuccessTest.js'></script> >+</head> >+<body> >+ <h1>Positive test case: Inline script should run 'unsafe-inline' script-src directive.</h1> >+ <div id='log'></div> >+ >+ <script> >+ inlineRan = true; >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..6bcb0ac48931a93f943f398e7f5d34c9e4ac4fbf >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4-expected.txt >@@ -0,0 +1,9 @@ >+eval() should not run without 'unsafe-eval' script-src directive. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that securitypolicyviolation event is fired >+PASS eval() should throw without 'unsafe-eval' keyword source in script-src directive. >+PASS eval() should not run without 'unsafe-eval' script-src directive. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4.html >new file mode 100644 >index 0000000000000000000000000000000000000000..bfc66b2a8d048dcf21e9b9216f298368ce158677 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4.html 
>@@ -0,0 +1,28 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>eval() should not run without 'unsafe-eval' script-src directive.</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <h1>eval() should not run without 'unsafe-eval' script-src directive.</h1> >+ <div id='log'></div> >+ >+ <script> >+ var t_spv = async_test("Test that securitypolicyviolation event is fired"); >+ >+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "script-src"); >+ })); >+ >+ var evalRan = false; >+ >+ test(function() {assert_throws(new EvalError(), function() { eval('evalRan = true;') })}, "eval() should throw without 'unsafe-eval' keyword source in script-src directive."); >+ >+ test(function() {assert_false(evalRan);}) >+ >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_1-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_1-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..446f9b44f7bb9caf6795886a1f785325b8fb4907 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_1-expected.txt 
>@@ -0,0 +1,11 @@ >+CONSOLE MESSAGE: line 29: Refused to execute a script because 'unsafe-eval' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 30: Refused to execute a script because 'unsafe-eval' does not appear in the script-src directive of the Content Security Policy. >+setTimeout() and setInterval() should not run without 'unsafe-eval' script-src directive. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS window.setTimeout() >+PASS window.setInterval() >+NOTRUN Test that securitypolicyviolation event is fired >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html >new file mode 100644 >index 0000000000000000000000000000000000000000..522b9c5f7c8876b260ceac17586ac19772e4b341 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html 
>@@ -0,0 +1,33 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>setTimeout() and setInterval() should not run without 'unsafe-eval' script-src directive.</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <h1>setTimeout() and setInterval() should not run without 'unsafe-eval' script-src directive.</h1> >+ <div id='log'></div> >+ >+ <script> >+ var t1 = async_test("window.setTimeout()"); >+ var t2 = async_test("window.setInterval()"); >+ var t_spv = async_test("Test that securitypolicyviolation event is fired"); >+ var test_count = 2; >+ >+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "script-src"); >+ if (--test_count <= 0) { >+ t_spv.done(); >+ } >+ })); >+ >+ >+ onload = function() {t1.done(); t2.done()} >+ >+ window.setTimeout('t1.step(function() {assert_unreached("window.setTimeout() ran without unsafe-eval.")})',0); >+ window.setInterval('t2.step(function() {assert_unreached("window.setInterval() ran without unsafe-eval.")})',0); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_2-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_2-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..591b6bf03519c4ef0dc775976b92c0dec6020d18 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_2-expected.txt >@@ -0,0 +1,8 @@ >+Function() called as a constructor should throw without 'unsafe-eval' script-src directive. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that securitypolicyviolation event is fired >+PASS Unsafe eval ran in Function() constructor. >+ 
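Review bot: in script-src-1_4_1.html the securitypolicyviolation listener is wrapped in `t_spv.step_func_done(...)`, which marks `t_spv` done after the first event, so the `test_count` countdown and the explicit `t_spv.done()` inside the callback can never take effect (the second `done()` is a no-op) and the test does not actually verify that both `window.setTimeout('...')` and `window.setInterval('...')` produced a violation. As this is an imported WPT file the fix belongs upstream (use `step_func` and call `done()` only when the counter reaches zero), but it is worth knowing that the NOTRUN line in the baseline reflects no event at all, not a counting problem.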
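Review bot: the subtest name recorded in script-src-1_4_2-expected.txt, `PASS Unsafe eval ran in Function() constructor.`, states the opposite of what the test body checks, since the body asserts that `new Function('')` throws under a policy without 'unsafe-eval'. A PASS line that reads as a failure invites misreading of the baseline; a clearer upstream name would be something like "Function() constructor should throw without unsafe-eval". Cosmetic, upstream file.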
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html >new file mode 100644 >index 0000000000000000000000000000000000000000..0ee6f587c5ce1683ba0f2887d3865dae820f7d63 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html >@@ -0,0 +1,31 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Function() called as a constructor should throw without 'unsafe-eval' script-src directive.</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <h1>Function() called as a constructor should throw without 'unsafe-eval' script-src directive.</h1> >+ <div id='log'></div> >+ >+ <script> >+ var t_spv = async_test("Test that securitypolicyviolation event is fired"); >+ >+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "script-src"); >+ })); >+ >+ >+ test(function() { >+ assert_throws( >+ new EvalError(), >+ function() { >+ var funq = new Function(''); >+ funq(); >+ })}, "Unsafe eval ran in Function() constructor."); >+ >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ddcd2fc8d66db2628e58028c89bab62be8382550 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Test that script executes if allowed by proper hash values assert_true: expected true got false >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html >new file mode 100644 >index 0000000000000000000000000000000000000000..70b314572783c509b1319c351bd9a09a7f27faac >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html >@@ -0,0 +1,26 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Multiple policies with different hashing algorithms still work.</title> >+ <!-- nonces are here just to let all of our scripts run --> >+ <script nonce="abc" src='/resources/testharness.js'></script> >+ <script nonce="abc" src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <script nonce="abc"> >+ var t = async_test("Test that script executes if allowed by proper hash values"); >+ document.addEventListener("securitypolicyviolation", t.unreached_func("Should not have triggered a security event")); >+ var executed = false; >+ </script> >+ >+ <!-- test will fail if this script is not allowed to run --> >+ <script>executed = true;</script> >+ >+ <script nonce="abc"> >+ t.step(function() { >+ assert_true(executed); >+ t.done(); >+ }); >+ </script> >+</body> >+</html> 
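Review bot: script-src-multiple-policies-multiple-hashing-algorithms-expected.txt lands a FAIL baseline (`assert_true: expected true got false`) for an inline script that each of the two enforced policies is meant to accept through a different hash algorithm (sha256 in the first `Content-Security-Policy` header, sha384 in the second, per the .sub.headers file that follows). A bare FAIL baseline hides this as a WebKit bug in multi-policy hash matching; please reference a tracking bug in the ChangeLog or TestExpectations so the baseline can be flipped when the behaviour is fixed.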
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..89f99e621f830c59c672c7fdf0daef83dc4f6c2d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers >@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc'; >+Content-Security-Policy: script-src 'sha384-skw7BVxHbmE2umPGMd1kX+ye6qBeHAb875erPoD8ilKv1LkjKR+WFi7N85ORMdhS' 'nonce-abc'; >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..782c5ebeec4e6cd4820e62f86548d24331a0da06 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms-expected.txt >@@ -0,0 +1,5 @@ >+layer at (0,0) size 1280x960 >+ RenderView at (0,0) size 1280x960 >+layer at (0,0) size 1280x8 >+ RenderBlock {HTML} at (0,0) size 1280x8 >+ RenderBody {BODY} at (8,8) size 1264x0 
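Review bot: script-src-multiple-policies-one-using-hashing-algorithms-expected.txt is a render-tree dump (`layer at (0,0) size 1280x960` through `RenderBody {BODY}`) rather than testharness output, which means testharnessreport.js never ran for this test: either the .sub.headers were not applied or the harness scripts were blocked. The sibling multiple-hashing-algorithms test with the same nonce="abc" setup does produce testharness output, so this baseline records a broken run, not a result. Please investigate before landing, or skip the test in TestExpectations instead of committing a render-tree baseline for a testharness test.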
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html >new file mode 100644 >index 0000000000000000000000000000000000000000..da9e60f874305c297cd896afd2654059ff650919 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html >@@ -0,0 +1,26 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Multiple policies some using hashes some not using hashes still work.</title> >+ <!-- nonces are here just to let all of our scripts run --> >+ <script nonce="abc" src='/resources/testharness.js'></script> >+ <script nonce="abc" src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <script nonce="abc"> >+ var t = async_test("Test that script executes if allowed by proper hash values"); >+ document.addEventListener("securitypolicyviolation", t.unreached_func("Should not have triggered a security event")); >+ var executed = false; >+ </script> >+ >+ <!-- test will fail if this script is not allowed to run --> >+ <script>executed = true;</script> >+ >+ <script nonce="abc"> >+ t.step(function() { >+ assert_true(executed); >+ t.done(); >+ }); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..83fe7f7005e4503d52daba631dfa71875a8a6f0b >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers >@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc'; >+Content-Security-Policy: script-src 'self' 'unsafe-inline'; >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-overrides-default-src.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-overrides-default-src.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ca4298c87278863ce5ad4aaf2e4fbbc46d97d681 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-overrides-default-src.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Expecting logs: ["PASS 1 of 2","PASS 2 of 2"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-overrides-default-src.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-overrides-default-src.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..5a0dfe50e1593ee8dfc19cbcde3d8b5110ffc7ef >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-overrides-default-src.sub.html 
>@@ -0,0 +1,27 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="default-src about:; script-src 'self' 'unsafe-inline'; style-src 'self'; connect-src 'self';"> >+ <title>script-src-overrides-default-src</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS 1 of 2","PASS 2 of 2"]'></script> >+ <script src='../support/alertAssert.sub.js?alerts=[]'></script> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("Fail"); >+ }); >+ </script> >+</head> >+ >+<body onload="log('PASS 2 of 2')"> >+ <script> >+ log('PASS 1 of 2'); >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..3a8b1e41cb35beaaee059473a61180e14280008e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy-expected.txt 
>@@ -0,0 +1,11 @@ >+CONSOLE MESSAGE: The Content Security Policy 'script-src 'nonce-abc';' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/script-src/externalScript.js because it does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: [Report Only] Refused to load http://localhost:8800/content-security-policy/script-src/externalScript.js because it does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/script-src/externalScript.js because it does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: [Report Only] Refused to load http://localhost:8800/content-security-policy/script-src/externalScript.js because it does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should fire securitypolicyviolation event >+FAIL External script in a script tag with matching SRI hash should run. assert_true: External script ran. expected true got false >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html >new file mode 100644 >index 0000000000000000000000000000000000000000..3c4e39e8250287adb729ea3ceab5e2fb6943cf7d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html 
>@@ -0,0 +1,25 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>A report-only policy that does not allow a script should not affect an enforcing policy using hashes.</title> >+ <!-- nonces are here just to let all of our scripts run --> >+ <script nonce="abc" src='/resources/testharness.js'></script> >+ <script nonce="abc" src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <script nonce="abc"> >+ var t_spv = async_test("Should fire securitypolicyviolation event"); >+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "script-src-elem"); >+ assert_equals(e.disposition, "report"); >+ })); >+ var externalRan = false; >+ </script> >+ <script src='./externalScript.js' >+ integrity="sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0="></script> >+ <script nonce="abc"> >+ test(function() { >+ assert_true(externalRan, 'External script ran.'); >+ }, 'External script in a script tag with matching SRI hash should run.'); >+ </script></body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..7f03464d4d3a0c78120839b1a1c1f0e15912de62 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers 
>@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: script-src 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'nonce-abc' >+Content-Security-Policy-Report-Only: script-src 'nonce-abc'; >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..928e6e2933b77920195364e15637ab037f3dfe13 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy-expected.txt >@@ -0,0 +1,4 @@ >+ >+PASS Test that script executes if allowed by proper hash values >+FAIL Test that the securitypolicyviolation event is fired assert_equals: expected "script-src-elem" but got "script-src 'nonce-abc'" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html >new file mode 100644 >index 0000000000000000000000000000000000000000..850f4b2c2eed88876d8da2fa866aa513469fc462 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html 
>@@ -0,0 +1,31 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>A report-only policy that does not allow a script should not affect an enforcing policy using hashes.</title> >+ <!-- nonces are here just to let all of our scripts run --> >+ <script nonce="abc" src='/resources/testharness.js'></script> >+ <script nonce="abc" src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <script nonce="abc"> >+ var t = async_test("Test that script executes if allowed by proper hash values"); >+ var t_spv = async_test("Test that the securitypolicyviolation event is fired"); >+ document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "script-src-elem"); >+ assert_equals(e.disposition, "report"); >+ assert_equals(e.blockedURI, "inline"); >+ })); >+ var executed = false; >+ </script> >+ >+ <!-- test will fail if this script is not allowed to run --> >+ <script>executed = true;</script> >+ >+ <script nonce="abc"> >+ t.step(function() { >+ assert_true(executed); >+ t.done(); >+ }); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..1237c247a6783b9b6d0ca03b48e0a9597354ce1a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers 
>@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: script-src 'sha256-EpVP4fTImWaRzBRBw/wrdfLhGTe/1U+CaBP1LNeKUIE=' 'nonce-abc' >+Content-Security-Policy-Report-Only: script-src 'nonce-abc'; >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..9f24b1dd73941b9c83f9e7684b947995cee26e04 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub-expected.txt 
>@@ -0,0 +1,17 @@ >+Blocked access to external URL http://www.localhost:8800/content-security-policy/script-src/crossoriginScript.js >+Blocked access to external URL http://www.localhost:8800/content-security-policy/script-src/crossoriginScript.js >+External scripts with matching SRI hash should be allowed. >+ >+ >+PASS Load all the tests. >+FAIL matching integrity assert_unreached: Script should load! http://localhost:8800/content-security-policy/script-src/simpleSourcedScript.js Reached unreachable code >+FAIL multiple matching integrity assert_unreached: Script should load! http://localhost:8800/content-security-policy/script-src/simpleSourcedScript.js Reached unreachable code >+PASS no integrity >+FAIL matching plus unsupported integrity assert_unreached: Script should load! http://localhost:8800/content-security-policy/script-src/simpleSourcedScript.js Reached unreachable code >+PASS mismatched integrity >+PASS multiple mismatched integrity >+PASS partially matching integrity >+FAIL crossorigin no integrity but whitelisted host assert_unreached: Script should load! http://www.localhost:8800/content-security-policy/script-src/crossoriginScript.js Reached unreachable code >+FAIL crossorigin mismatched integrity but whitelisted host assert_unreached: Script should load! http://www.localhost:8800/content-security-policy/script-src/crossoriginScript.js Reached unreachable code >+FAIL External script in a script tag with matching SRI hash should run. assert_true: External script ran. expected true got false >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..2c888f46d991ebcea59c77dffb598e653039be36 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub.html 
>@@ -0,0 +1,104 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <title>External scripts with matching SRI hash should be allowed.</title> >+ <script src='/resources/testharness.js' nonce='dummy'></script> >+ <script src='/resources/testharnessreport.js' nonce='dummy'></script> >+ >+ <!-- CSP served: script-src {{domains[www]}}:* 'nonce-dummy' 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=' 'sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA=' --> >+</head> >+ >+<body> >+ <h1>External scripts with matching SRI hash should be allowed.</h1> >+ <div id='log'></div> >+ >+ <script nonce='dummy'> >+ var port = "{{ports[http][0]}}"; >+ if (location.protocol === "https:") >+ port = "{{ports[https][0]}}"; >+ var crossorigin_base = location.protocol + "//{{domains[www]}}:" + port; >+ >+ // Test name, src, integrity, expected to run. >+ var test_cases = [ >+ [ 'matching integrity', >+ './simpleSourcedScript.js', >+ 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=', >+ true ], >+ [ 'multiple matching integrity', >+ './simpleSourcedScript.js', >+ 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA=', >+ true ], >+ [ 'no integrity', >+ './simpleSourcedScript.js', >+ '', >+ false ], >+ [ 'matching plus unsupported integrity', >+ './simpleSourcedScript.js', >+ 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha999-xyz', >+ true ], >+ [ 'mismatched integrity', >+ './simpleSourcedScript.js', >+ 'sha256-xyz', >+ false ], >+ [ 'multiple mismatched integrity', >+ './simpleSourcedScript.js', >+ 'sha256-xyz sha256-zyx', >+ false ], >+ [ 'partially matching integrity', >+ './simpleSourcedScript.js', >+ 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha256-xyz', >+ false ], >+ [ 'crossorigin no integrity but whitelisted host', >+ crossorigin_base + 
'/content-security-policy/script-src/crossoriginScript.js', >+ '', >+ true ], >+ [ 'crossorigin mismatched integrity but whitelisted host', >+ crossorigin_base + '/content-security-policy/script-src/crossoriginScript.js', >+ 'sha256-kKJ5c48yxzaaSBupJSCmY50hkD8xbVgZgLHLtmnkeAo=', >+ true ], >+ ]; >+ >+ test(_ => { >+ for (item of test_cases) { >+ async_test(t => { >+ var s = document.createElement('script'); >+ s.id = item[0].replace(' ', '-'); >+ s.src = item[1]; >+ s.integrity = item[2]; >+ s.setAttribute('crossorigin', 'anonymous'); >+ >+ if (item[3]) { >+ s.onerror = t.unreached_func("Script should load! " + s.src); >+ window.addEventListener('message', t.step_func(e => { >+ if (e.data == s.id) >+ t.done(); >+ })); >+ } else { >+ s.onerror = t.step_func_done(); >+ window.addEventListener('message', t.step_func(e => { >+ if (e.data == s.id) >+ assert_unreached("Script should not execute!"); >+ })); >+ } >+ >+ document.body.appendChild(s); >+ }, item[0]); >+ } >+ }, "Load all the tests."); >+ </script> >+ >+ <script nonce='dummy'> >+ var externalRan = false; >+ </script> >+ <script src='./externalScript.js' >+ integrity="sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0="></script> >+ <script nonce='dummy'> >+ test(function() { >+ assert_true(externalRan, 'External script ran.'); >+ }, 'External script in a script tag with matching SRI hash should run.'); >+ </script> >+ >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..25cd6541acac853f97723ab329a8c060a8609365 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub.html.sub.headers 
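Review bot: in script-src-sri_hash.sub-expected.txt the two `crossorigin ... but whitelisted host` FAILs are not CSP results at all: the two `Blocked access to external URL http://www.localhost:8800/content-security-policy/script-src/crossoriginScript.js` lines at the top of the output show the harness refusing the www.localhost load before the `{{domains[www]}}:*` host-source in the served policy is ever exercised, so those two entries should be tracked separately (TestExpectations or a bug reference) from the four genuine failures, where a script whose `integrity` matches a `'sha256-…'`/`'sha512-…'` in `script-src` is expected to run but is blocked (`matching integrity`, `multiple matching integrity`, `matching plus unsupported integrity`, and the static `<script src='./externalScript.js' integrity="sha256-wIc3…">` case). One nit in the test itself: `s.id = item[0].replace(' ', '-')` only replaces the first space, so ids such as `multiple matching integrity` keep whitespace; `replace(/ /g, '-')` gives the intended ids, though the outcome is unaffected because the listener compares `e.data == s.id` against the same value.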
>@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: script-src {{domains[www]}}:* 'nonce-dummy' 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=' 'sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA=' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_eval.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_eval.html >new file mode 100644 >index 0000000000000000000000000000000000000000..96ef2496b5b4993bf895f08117f72dd56a063fbe >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_eval.html 
>@@ -0,0 +1,31 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <title>Scripts injected via `eval` are allowed with `strict-dynamic` with `unsafe-eval`.</title> >+ <script src='/resources/testharness.js' nonce='dummy'></script> >+ <script src='/resources/testharnessreport.js' nonce='dummy'></script> >+ >+ <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' 'unsafe-eval' --> >+</head> >+ >+<body> >+ <h1>Scripts injected via `eval` are allowed with `strict-dynamic` with `unsafe-eval`.</h1> >+ <div id='log'></div> >+ >+ <script nonce='dummy'> >+ var evalScriptRan = false; >+ async_test(function(t) { >+ window.addEventListener('securitypolicyviolation', t.unreached_func('No CSP violation report has fired.')); >+ try { >+ eval("evalScriptRan = true;"); >+ } catch (e) { >+ assert_unreached("`eval` should be allowed with `strict-dynamic` with `unsafe-eval`."); >+ } >+ assert_true(evalScriptRan); >+ t.done(); >+ }, "Script injected via `eval` is allowed with `strict-dynamic` with `unsafe-eval`."); >+ </script> >+</body> >+ >+</html> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_eval.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_eval.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..dc5f30a03a36f880aac5aa2c2b3e2acb736470cc >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_eval.html.headers >@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' 'unsafe-eval' 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_new_function.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_new_function.html >new file mode 100644 >index 0000000000000000000000000000000000000000..3041db056f2d6a72f420c6a5ec6dd1c2c170d7d9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_new_function.html >@@ -0,0 +1,31 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <title>Scripts injected via `new Function()` are allowed with `strict-dynamic` with `unsafe-eval`.</title> >+ <script src='/resources/testharness.js' nonce='dummy'></script> >+ <script src='/resources/testharnessreport.js' nonce='dummy'></script> >+ >+ <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' 'unsafe-eval' --> >+</head> >+ >+<body> >+ <h1>Scripts injected via `new Function()` are allowed with `strict-dynamic` with `unsafe-eval`.</h1> >+ <div id='log'></div> >+ >+ <script nonce='dummy'> >+ var newFunctionScriptRan = false; >+ async_test(function(t) { >+ window.addEventListener('securitypolicyviolation', t.unreached_func('No CSP violation report has fired.')); >+ try { >+ new Function('newFunctionScriptRan = true;')(); >+ } catch (e) { >+ assert_unreached("`new Function()` should be allowed with `strict-dynamic` with `unsafe-eval`."); >+ } >+ assert_true(newFunctionScriptRan); >+ t.done(); >+ }, "Script injected via `new Function()` is allowed with `strict-dynamic` with `unsafe-eval`."); >+ </script> >+</body> >+ >+</html> >\ No newline at end of file 
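Review bot: in both script-src-strict_dynamic_and_unsafe_eval_eval.html and script-src-strict_dynamic_and_unsafe_eval_new_function.html the `securitypolicyviolation` listener registered with `t.unreached_func(...)` can never be observed: the test body runs `eval("evalScriptRan = true;")` (or `new Function(...)()`) and calls `t.done()` synchronously, while a violation event is fired from a queued task, so it would arrive only after the test has completed. The effective checks are the `catch (e) { assert_unreached(...) }` and `assert_true(...)`; either drop the listener or keep the test open long enough for the event (for example `t.step_timeout(() => t.done(), 0)` instead of the immediate `t.done()`), otherwise a policy that both allowed the compilation and reported a violation would still pass.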
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_new_function.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_new_function.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..dc5f30a03a36f880aac5aa2c2b3e2acb736470cc >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_new_function.html.headers >@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' 'unsafe-eval' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html >new file mode 100644 >index 0000000000000000000000000000000000000000..51b0b7971a09f550cd89070db74ec47d9d9c0a90 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html 
>@@ -0,0 +1,32 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <title>Whitelists are discarded with `strict-dynamic` in the script-src directive.</title> >+ <script src='/resources/testharness.js' nonce='dummy'></script> >+ <script src='/resources/testharnessreport.js' nonce='dummy'></script> >+ >+ <!-- CSP served: script-src 'self' 'strict-dynamic' 'nonce-dummy' --> >+</head> >+ >+<body> >+ <h1>Whitelists are discarded with `strict-dynamic` in the script-src directive.</h1> >+ <div id='log'></div> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'whitelistedScript') { >+ assert_unreached('Whitelisted script without a correct nonce is not allowed with `strict-dynamic`.'); >+ } >+ })); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.effectiveDirective, 'script-src-elem'); >+ })); >+ }, 'Whitelisted script without a correct nonce is not allowed with `strict-dynamic`.'); >+ </script> >+ <script id='whitelistedScript' src='simpleSourcedScript.js'></script> >+ >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..8499eb0559d7f975a1c9114661b828cf79507e18 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html.headers >@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: script-src 'self' 'strict-dynamic' 'nonce-dummy' 
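Review bot: in script-src-strict_dynamic_discard_whitelist.html the `securitypolicyviolation` handler is `t.step_func_done` with no check on which resource was blocked, so any violation whose `effectiveDirective` is `script-src-elem` completes the test as a pass, not necessarily the one for `<script id='whitelistedScript' src='simpleSourcedScript.js'>`. The other strict-dynamic tests in this patch filter on `violation.blockedURI.split('?')[1]`; doing the same here (or asserting that `e.blockedURI` ends with `simpleSourcedScript.js`) ties the pass to the intended `'self'`-matching script being dropped under `'strict-dynamic'`.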
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html >new file mode 100644 >index 0000000000000000000000000000000000000000..91d12ed7bd33a81d670526a4a8d8583897466821 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html 
>@@ -0,0 +1,68 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <title>A separate policy with more nonces works correctly with `strict-dynamic` in the script-src directive.</title> >+ <script src='/resources/testharness.js' nonce='dummy'></script> >+ <script src='/resources/testharnessreport.js' nonce='dummy'></script> >+ >+ <!-- CSP served: >+ 1) Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' >+ 2) Content-Security-Policy: script-src 'nonce-dummy' 'nonce-dummy2' >+ --> >+</head> >+ >+<body> >+ <h1>A separate policy with more nonces works correctly with `strict-dynamic` in the script-src directive.</h1> >+ <div id='log'></div> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'unNonced-appendChild') { >+ assert_unreached('Unnonced script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce-only double policy.'); >+ } >+ })); >+ >+ window.addEventListener('securitypolicyviolation', t.step_func(function(violation) { >+ if (violation.blockedURI.split('?')[1] !== 'unNonced-appendChild') { >+ return; >+ } >+ assert_equals(violation.effectiveDirective, 'script-src-elem'); >+ t.done(); >+ })); >+ >+ var e = document.createElement('script'); >+ e.id = 'unNonced-appendChild'; >+ e.src = 'simpleSourcedScript.js?' 
+ e.id; >+ e.onload = t.unreached_func('OnLoad should not be triggered.'); >+ document.body.appendChild(e); >+ }, 'Unnonced script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce-only double policy.'); >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'nonced-appendChild') { >+ t.done(); >+ } >+ })); >+ >+ window.addEventListener('securitypolicyviolation', t.step_func(function(violation) { >+ if (violation.blockedURI.split('?')[1] !== 'nonced-appendChild') { >+ return; >+ } >+ assert_unreached('No CSP violation report has fired.'); >+ })); >+ >+ var e = document.createElement('script'); >+ e.setAttribute('nonce', 'dummy2'); >+ e.id = 'nonced-appendChild'; >+ e.src = 'simpleSourcedScript.js?' + e.id; >+ e.onerror = t.unreached_func('Error should not be triggered.'); >+ document.body.appendChild(e); >+ }, 'Script injected via `appendChild` with a correct nonce is allowed with `strict-dynamic` + a nonce-only double policy.'); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..63d96aaf1ee7d55a1ae74bc697c3686467fb85d0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.headers 
>@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' >+Content-Security-Policy: script-src 'nonce-dummy' 'nonce-dummy2' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..314ed91e5d30e26b3e9d05f9618f06deadf9fbb3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html 
>@@ -0,0 +1,61 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <title>Whitelists in a separate policy are honored with `strict-dynamic` in the script-src directive.</title> >+ <script src='/resources/testharness.js' nonce='dummy'></script> >+ <script src='/resources/testharnessreport.js' nonce='dummy'></script> >+ >+ <!-- CSP served: >+ 1) Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' >+ 2) Content-Security-Policy: script-src 'self' 'nonce-dummy' >+ --> >+</head> >+ >+<body> >+ <h1>Whitelists in a separate policy are honored with `strict-dynamic` in the script-src directive.</h1> >+ <div id='log'></div> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'whitelisted-appendChild') { >+ t.done(); >+ } >+ })); >+ window.addEventListener('securitypolicyviolation', t.step_func(function(violation) { >+ if (violation.blockedURI.split('?')[1] !== 'whitelisted-appendChild') { >+ return; >+ } >+ assert_unreached('Script injected via `appendChild` is allowed with `strict-dynamic` + a nonce+whitelist double policy.'); >+ })); >+ >+ var e = document.createElement('script'); >+ e.id = 'whitelisted-appendChild'; >+ e.src = 'simpleSourcedScript.js?' 
+ e.id; >+ e.onerror = t.unreached_func('Error should not be triggered.'); >+ document.body.appendChild(e); >+ }, 'Script injected via `appendChild` is allowed with `strict-dynamic` + a nonce+whitelist double policy.'); >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('securitypolicyviolation', t.step_func(function(violation) { >+ if (violation.blockedURI.split('?')[1] !== 'nonWhitelisted-appendChild') { >+ return; >+ } >+ assert_equals(violation.effectiveDirective, 'script-src-elem'); >+ assert_equals(violation.originalPolicy, "script-src 'self' 'nonce-dummy'"); >+ t.done(); >+ })); >+ >+ var e = document.createElement('script'); >+ e.id = 'nonWhitelisted-appendChild'; >+ e.src = '{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/nonexisting.js?' + e.id; >+ e.onload = t.unreached_func('OnLoad should not be triggered.'); >+ document.body.appendChild(e); >+ }, 'Non-whitelisted script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce+whitelist double policy.'); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..5b4078efd377ffdf3db5346a2ae07cdb971e854f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html.headers 
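Review bot: in the second test of script-src-strict_dynamic_double_policy_honor_whitelist.sub.html the URL `'{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/nonexisting.js?'` pairs the page's scheme with the HTTP port, so under https it points at the wrong endpoint, whereas script-src-sri_hash.sub.html in this same import selects the port from `location.protocol`. It does not change the result here, because the load must be blocked by the `script-src 'self' 'nonce-dummy'` policy whatever the port, but the two templates should agree. The `assert_equals(violation.originalPolicy, "script-src 'self' 'nonce-dummy'")` check is also the only place in the patch that compares the serialized policy text verbatim; worth keeping in mind if the headers file is ever reformatted.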
>@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' >+Content-Security-Policy: script-src 'self' 'nonce-dummy' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html >new file mode 100644 >index 0000000000000000000000000000000000000000..1ceb74c63d1392672a36a2506b63c50199aa39fd >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html 
>@@ -0,0 +1,44 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <title>A separate Report-Only policy does not influence `strict-dynamic` in the script-src directive.</title> >+ <script src='/resources/testharness.js' nonce='dummy'></script> >+ <script src='/resources/testharnessreport.js' nonce='dummy'></script> >+ >+ <!-- CSP served: >+ 1) Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' >+ 2) Content-Security-Policy-Report-Only: script-src 'none' >+ --> >+</head> >+ >+<body> >+ <h1>A separate Report-Only policy does not influence `strict-dynamic` in the script-src directive.</h1> >+ <div id='log'></div> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'appendChild-reportOnly') { >+ t.done(); >+ } >+ })); >+ window.addEventListener('securitypolicyviolation', t.step_func(function(violation) { >+ if (violation.blockedURI.split('?')[1] !== 'appendChild-reportOnly') { >+ return; >+ } >+ assert_equals(violation.effectiveDirective, 'script-src-elem'); >+ // Check that the violation comes from the Report-Only policy. >+ assert_equals(violation.originalPolicy, "script-src 'none'"); >+ t.done(); >+ })); >+ var e = document.createElement('script'); >+ e.id = 'appendChild-reportOnly'; >+ e.src = 'simpleSourcedScript.js?' + e.id; >+ e.onerror = t.unreached_func('Error should not be triggered.'); >+ document.body.appendChild(e); >+ }, 'Script injected via `appendChild` is allowed with `strict-dynamic` + Report-Only `script-src \'none\'` policy.'); >+ </script> >+</body> >+ >+</html> 
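Review bot: in script-src-strict_dynamic_double_policy_report_only.html the violation handler calls `t.done()` as soon as it sees a violation whose `originalPolicy` is `script-src 'none'`, so the test passes on the Report-Only report alone even if the enforced `script-src 'strict-dynamic' 'nonce-dummy'` policy also blocked the appended script: the report-only violation is queued first, the test completes, and the later enforced-policy violation (with a different `originalPolicy`) and the never-arriving `message` are no longer observed. Only the `message` listener should call `t.done()`, with the violation handler limited to `assert_equals(violation.originalPolicy, "script-src 'none'")` and `assert_equals(violation.effectiveDirective, 'script-src-elem')`; the `e.onerror = t.unreached_func(...)` on the script element already covers the blocked case.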
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..7883f80ef610477ca7922dafe9acf3c3b2314d8c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html.headers >@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' >+Content-Security-Policy-Report-Only: script-src 'none' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_eval.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_eval.html >new file mode 100644 >index 0000000000000000000000000000000000000000..62fda4f3d23051be27e377c4bfb3699068ba0460 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_eval.html 
>@@ -0,0 +1,37 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <title>Scripts injected via `eval` are not allowed with `strict-dynamic` without `unsafe-eval`.</title> >+ <script src='/resources/testharness.js' nonce='dummy'></script> >+ <script src='/resources/testharnessreport.js' nonce='dummy'></script> >+ >+ <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' --> >+</head> >+ >+<body> >+ <h1>Scripts injected via `eval` are not allowed with `strict-dynamic` without `unsafe-eval`.</h1> >+ <div id='log'></div> >+ >+ <script nonce='dummy'> >+ var evalScriptRan = false; >+ >+ async_test(function(t) { >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_false(evalScriptRan); >+ assert_equals(e.effectiveDirective, 'script-src'); >+ })); >+ >+ assert_throws(new Error(), >+ function() { >+ try { >+ eval("evalScriptRan = true;"); >+ } catch (e) { >+ throw new Error(); >+ } >+ }); >+ }, "Script injected via `eval` is not allowed with `strict-dynamic` without `unsafe-eval`."); >+ </script> >+</body> >+ >+</html> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_eval.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_eval.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..b7918c93323eff9db66ad26a73b78798d35e5f7b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_eval.html.headers >@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' 
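Review bot: in script-src-strict_dynamic_eval.html the wrapper `try { eval("evalScriptRan = true;"); } catch (e) { throw new Error(); }` converts whatever was thrown into a plain `Error`, so `assert_throws(new Error(), ...)` cannot tell a CSP-blocked `eval` (an `EvalError`) from any other exception raised by the string, and a typo in the evaluated code would pass the test for the wrong reason. Asserting on the `EvalError` name directly, and keeping the `assert_false(evalScriptRan)` plus `assert_equals(e.effectiveDirective, 'script-src')` in the `securitypolicyviolation` handler as the positive check, is more precise and removes the wrapper.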
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html >new file mode 100644 >index 0000000000000000000000000000000000000000..acb9f00d80809de50132c7a5af761d8bbfd3235a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html 
>@@ -0,0 +1,52 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <title>`strict-dynamic` allows scripts matching hashes present in the policy.</title> >+ <script src='/resources/testharness.js' nonce='dummy'></script> >+ <script src='/resources/testharnessreport.js' nonce='dummy'></script> >+ >+ <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' 'sha256-yU6Q7nD1TCBB9JvY06iIJ8ONLOPU4g8ml5JCDgXkv+M=' 'sha256-IFt1v6itHgqlrtInbPm/y7qyWcAlDbPgZM+92C5EZ5o=' --> >+</head> >+ >+<body> >+ <h1>`strict-dynamic` allows scripts matching hashes present in the policy.</h1> >+ <div id='log'></div> >+ >+ <script nonce='dummy'> >+ var hashScriptRan = false; >+ window.addEventListener('securitypolicyviolation', function(e) { >+ assert_unreached('No CSP violation report has fired.'); >+ }); >+ </script> >+ >+ <!-- Hash: 'sha256-yU6Q7nD1TCBB9JvY06iIJ8ONLOPU4g8ml5JCDgXkv+M=' --> >+ <script> >+ hashScriptRan = true; >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ assert_true(hashScriptRan); >+ t.done(); >+ }, "Script matching SHA256 hash is allowed with `strict-dynamic`."); >+ </script> >+ >+ <!-- Hash: 'sha256-IFt1v6itHgqlrtInbPm/y7qyWcAlDbPgZM+92C5EZ5o=' --> >+ <script> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'hashScript') { >+ t.done(); >+ } >+ })); >+ var e = document.createElement('script'); >+ e.id = 'hashScript'; >+ e.src = 'simpleSourcedScript.js?' + e.id; >+ e.onerror = t.unreached_func('Error should not be triggered.'); >+ document.body.appendChild(e); >+ }, 'Script injected via `appendChild` from a script matching SHA256 hash is allowed with `strict-dynamic`.'); >+ </script> >+</body> >+ >+</html> >\ No newline at end of file 
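Review bot: in script-src-strict_dynamic_hashes.html the top-level `window.addEventListener('securitypolicyviolation', function(e) { assert_unreached(...) })` is not inside any test step, so a violation surfaces as an uncaught exception (a harness error) rather than as a failure of either named test; the same pattern appears in script-src-strict_dynamic_in_img-src.html and script-src-strict_dynamic_meta_tag.html. Registering it from within the `async_test` as `t.unreached_func(...)` attributes the failure correctly. Also note that the two `'sha256-…'` sources in the served policy cover the exact bytes of the two non-nonced inline scripts, so any change to their whitespace or indentation silently breaks the `assert_true(hashScriptRan)` check; the `<!-- Hash: … -->` comments are the right place to record how the digests were produced.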
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..f48fca3ec49dff99741b4ef9ac032f6a2e225519 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.headers >@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' 'sha256-yU6Q7nD1TCBB9JvY06iIJ8ONLOPU4g8ml5JCDgXkv+M=' 'sha256-IFt1v6itHgqlrtInbPm/y7qyWcAlDbPgZM+92C5EZ5o=' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html >new file mode 100644 >index 0000000000000000000000000000000000000000..d640421cb74d298a8e5396dbb17238495ba15543 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html 
>@@ -0,0 +1,32 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <title>`strict-dynamic` does not drop whitelists in `img-src`.</title> >+ <script src='/resources/testharness.js' nonce='dummy'></script> >+ <script src='/resources/testharnessreport.js' nonce='dummy'></script> >+ >+ <!-- CSP served: img-src 'strict-dynamic' 'self' --> >+</head> >+ >+<body> >+ <h1>`strict-dynamic` does not drop whitelists in `img-src`.</h1> >+ <div id='log'></div> >+ >+ <script nonce='dummy'> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ assert_unreached('No CSP violation report has fired.'); >+ }); >+ >+ async_test(function(t) { >+ var e = document.createElement('img'); >+ e.id = 'whitelistedImage'; >+ e.src = '/content-security-policy/support/pass.png'; >+ e.onerror = t.unreached_func('Error should not be triggered.'); >+ e.onload = t.step_func_done(); >+ document.body.appendChild(e); >+ }, '`strict-dynamic` does not drop whitelists in `img-src`.'); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..75a41c9e251410f913d8177cae25fb8b0082638c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html.headers >@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: img-src 'strict-dynamic' 'self' 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html >new file mode 100644 >index 0000000000000000000000000000000000000000..f7625afdaf9056274c607ed9b209ea976d013459 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html >@@ -0,0 +1,32 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <title>Script injected via `javascript:` URIs are not allowed with `strict-dynamic`.</title> >+ <script src='/resources/testharness.js' nonce='dummy'></script> >+ <script src='/resources/testharnessreport.js' nonce='dummy'></script> >+ >+ <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' --> >+</head> >+ >+<body> >+ <h1>Script injected via `javascript:` URIs are not allowed with `strict-dynamic`.</h1> >+ <div id='log'></div> >+ <a id='javascriptUri' href='javascript:javascriptUriScriptRan = true;'></a> >+ >+ <script nonce='dummy'> >+ var javascriptUriScriptRan = false; >+ >+ async_test(function(t) { >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_false(javascriptUriScriptRan); >+ assert_equals(e.effectiveDirective, 'script-src-elem'); >+ })); >+ >+ document.getElementById('javascriptUri').click(); >+ assert_false(javascriptUriScriptRan); >+ }, "Script injected via `javascript:` URIs are not allowed with `strict-dynamic`."); >+ </script> >+</body> >+ >+</html> 
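Review bot: in script-src-strict_dynamic_javascript_uri.html the `assert_false(javascriptUriScriptRan)` immediately after `document.getElementById('javascriptUri').click()` cannot fail: navigation to a `javascript:` URL is processed asynchronously, so the assignment in `href='javascript:javascriptUriScriptRan = true;'` could only run after the synchronous test body has returned. The meaningful check is the `assert_false(javascriptUriScriptRan)` inside the `securitypolicyviolation` handler together with `assert_equals(e.effectiveDirective, 'script-src-elem')`; the synchronous assertion can be dropped, or the test should wait (e.g. a `step_timeout`) and re-check the flag so an implementation that executes the URL without reporting a violation is caught.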
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..b7918c93323eff9db66ad26a73b78798d35e5f7b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html.headers >@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html >new file mode 100644 >index 0000000000000000000000000000000000000000..fa38b65a23851ce17629538234303afddf76c007 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html 
>@@ -0,0 +1,76 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <title>A `strict-dynamic` policy can be served in a META tag.</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'strict-dynamic' 'nonce-dummy'"> >+ <script src='/resources/testharness.js' nonce='dummy'></script> >+ <script src='/resources/testharnessreport.js' nonce='dummy'></script> >+ >+ <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' --> >+</head> >+ >+<body> >+ <h1>A `strict-dynamic` policy can be served in a META tag.</h1> >+ <div id='log'></div> >+ >+ <script nonce='dummy'> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ assert_unreached('No CSP violation report has fired.'); >+ }); >+ >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'appendChild') { >+ t.done(); >+ } >+ })); >+ var e = document.createElement('script'); >+ e.id = 'appendChild'; >+ e.src = 'simpleSourcedScript.js?' + e.id; >+ e.onerror = t.unreached_func('Error should not be triggered.'); >+ document.body.appendChild(e); >+ }, 'Script injected via `appendChild` is allowed with `strict-dynamic`.'); >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'appendChild-incorrectNonce') { >+ t.done(); >+ } >+ })); >+ var e = document.createElement('script'); >+ e.id = 'appendChild-incorrectNonce'; >+ e.src = 'simpleSourcedScript.js?' 
+ e.id; >+ e.setAttribute('nonce', 'wrong'); >+ e.onerror = t.unreached_func('Error should not be triggered.'); >+ document.body.appendChild(e); >+ }, 'Script injected via `appendChild` is allowed with `strict-dynamic`, even if it carries an incorrect nonce.'); >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.appendChildViaTextContent = t.step_func_done(); >+ var e = document.createElement('script'); >+ e.id = 'appendChild-textContent'; >+ e.textContent = "appendChildViaTextContent();"; >+ e.onerror = t.unreached_func('Error should not be triggered.'); >+ document.body.appendChild(e); >+ }, 'Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`.'); >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.appendChildViaTextContentIncorrectNonce = t.step_func_done(); >+ var e = document.createElement('script'); >+ e.id = 'appendChild-textContent-incorrectNonce'; >+ e.setAttribute('nonce', 'wrong'); >+ e.textContent = "appendChildViaTextContentIncorrectNonce();"; >+ e.onerror = t.unreached_func('Error should not be triggered.'); >+ document.body.appendChild(e); >+ }, 'Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`, even if it carries an incorrect nonce.'); >+ </script> >+</body> >+ >+</html> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..519dcaacb1f6c28d09728858c3a213872d299315 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html.headers 
>@@ -0,0 +1,4 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_new_function.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_new_function.html >new file mode 100644 >index 0000000000000000000000000000000000000000..2b75276588f28f41764403a62a3659bbf0dc8471 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_new_function.html >@@ -0,0 +1,37 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <title>Scripts injected via `new Function()` are not allowed with `strict-dynamic` without `unsafe-eval`.</title> >+ <script src='/resources/testharness.js' nonce='dummy'></script> >+ <script src='/resources/testharnessreport.js' nonce='dummy'></script> >+ >+ <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' --> >+</head> >+ >+<body> >+ <h1>Scripts injected via `new Function()` are not allowed with `strict-dynamic` without `unsafe-eval`.</h1> >+ <div id='log'></div> >+ >+ <script nonce='dummy'> >+ var newFunctionScriptRan = false; >+ >+ async_test(function(t) { >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_false(newFunctionScriptRan); >+ assert_equals(e.effectiveDirective, 'script-src'); >+ })); >+ >+ assert_throws(new Error(), >+ function() { >+ try { >+ new Function('newFunctionScriptRan = true;')(); >+ } catch (e) { >+ throw new Error(); >+ } >+ }); >+ }, "Script injected via 'eval' is not allowed with 'strict-dynamic' without 'unsafe-eval'."); >+ </script> >+</body> >+ >+</html> >\ No newline at end of file 
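Review bot: the async_test description in script-src-strict_dynamic_new_function.html says "Script injected via 'eval'" while the `<title>`, `<h1>` and the code under test all exercise `new Function()`; the description should say `new Function()` so the result line is not mistaken for an eval test. The `assert_throws(new Error(), ...)` wrapper also rethrows a plain `Error` for any exception, so the test cannot distinguish a CSP block (which the spec surfaces as an `EvalError`) from an unrelated failure; asserting on the caught exception's name would keep the check honest. In the meta_tag hunk just above, the `<!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' -->` comment is stale: the policy is delivered by the `<meta http-equiv>` tag, and the matching four-line .headers file with no Content-Security-Policy confirms nothing is served.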
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_new_function.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_new_function.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..b7918c93323eff9db66ad26a73b78798d35e5f7b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_new_function.html.headers >@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html >new file mode 100644 >index 0000000000000000000000000000000000000000..63b7a612470ac14b7b9cfb6cd735d65fbd06dd60 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html 
>@@ -0,0 +1,76 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <title>Nonced and non parser-inserted scripts should run with `strict-dynamic` in the script-src directive.</title> >+ <script src='/resources/testharness.js' nonce='dummy'></script> >+ <script src='/resources/testharnessreport.js' nonce='dummy'></script> >+ >+ <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' --> >+</head> >+ >+<body> >+ <h1>Nonced and non parser-inserted scripts should run with `strict-dynamic` in the script-src directive.</h1> >+ <div id='log'></div> >+ >+ <script nonce='dummy'> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ assert_unreached('No CSP violation report has fired.'); >+ }); >+ >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'appendChild') { >+ t.done(); >+ } >+ })); >+ var e = document.createElement('script'); >+ e.id = 'appendChild'; >+ e.src = 'simpleSourcedScript.js?' + e.id; >+ e.onerror = t.unreached_func('Error should not be triggered.'); >+ document.body.appendChild(e); >+ }, 'Script injected via `appendChild` is allowed with `strict-dynamic`.'); >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'appendChild-incorrectNonce') { >+ t.done(); >+ } >+ })); >+ var e = document.createElement('script'); >+ e.id = 'appendChild-incorrectNonce'; >+ e.src = 'simpleSourcedScript.js?' 
+ e.id; >+ e.setAttribute('nonce', 'wrong'); >+ e.onerror = t.unreached_func('Error should not be triggered.'); >+ document.body.appendChild(e); >+ }, 'Script injected via `appendChild` is allowed with `strict-dynamic`, even if it carries an incorrect nonce.'); >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.appendChildViaTextContent = t.step_func_done(); >+ var e = document.createElement('script'); >+ e.id = 'appendChild-textContent'; >+ e.textContent = "appendChildViaTextContent();"; >+ e.onerror = t.unreached_func('Error should not be triggered.'); >+ document.body.appendChild(e); >+ }, 'Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`.'); >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.appendChildViaTextContentIncorrectNonce = t.step_func_done(); >+ var e = document.createElement('script'); >+ e.id = 'appendChild-textContent-incorrectNonce'; >+ e.setAttribute('nonce', 'wrong'); >+ e.textContent = "appendChildViaTextContentIncorrectNonce();"; >+ e.onerror = t.unreached_func('Error should not be triggered.'); >+ document.body.appendChild(e); >+ }, 'Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`, even if it carries an incorrect nonce.'); >+ </script> >+ >+</body> >+ >+</html> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..b7918c93323eff9db66ad26a73b78798d35e5f7b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html.headers 
>@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html >new file mode 100644 >index 0000000000000000000000000000000000000000..ac180d23f50981737ea66b2b63cce0c3fa3c9b50 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html >@@ -0,0 +1,29 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <title>Scripts without a correct nonce should not run with `strict-dynamic` in the script-src directive.</title> >+ <script src='/resources/testharness.js' nonce='dummy'></script> >+ <script src='/resources/testharnessreport.js' nonce='dummy'></script> >+ >+ <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' --> >+</head> >+ >+<body> >+ <h1>Scripts without a correct nonce should not run with `strict-dynamic` in the script-src directive.</h1> >+ <div id='log'></div> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.effectiveDirective, 'script-src-elem'); >+ })); >+ }, 'All the expected CSP violation reports have been fired.'); >+ </script> >+ >+ <script nonce='wrong'> >+ assert_unreached('Inline script with an incorrect nonce should not be executed.'); >+ </script> >+</body> >+ >+</html> 
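Review bot: script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html is misnamed: the only script it exercises is `<script nonce='wrong'>`, a parser-inserted inline script, so it belongs with the parser_inserted cases and the file name should say so. Its `securitypolicyviolation` handler asserts only `effectiveDirective`; if the wrong-nonce script does run, the `assert_unreached` executes outside any test step and is reported as a harness error rather than a failure of the named test, which is still visible but deserves a comment. The non_parser_inserted.html body in the preceding hunk is an exact copy of the four appendChild cases in script-src-strict_dynamic_meta_tag.html; a shared support script would keep the two from drifting.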
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..b7918c93323eff9db66ad26a73b78798d35e5f7b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html.headers >@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c5e33dc4253dbf3ce2b0c6cb2fca4b0306d68244 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html 
>@@ -0,0 +1,205 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <title>Parser-inserted scripts without a correct nonce are not allowed with `strict-dynamic` in the script-src directive.</title> >+ <script src='/resources/testharness.js' nonce='dummy'></script> >+ <script src='/resources/testharnessreport.js' nonce='dummy'></script> >+ >+ <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' --> >+</head> >+ >+<body> >+ <h1>Parser-inserted scripts without a correct nonce are not allowed with `strict-dynamic` in the script-src directive.</h1> >+ <div id='log'></div> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'documentWrite') { >+ assert_unreached('Parser-inserted script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.'); >+ } >+ })); >+ window.addEventListener('securitypolicyviolation', t.step_func(function(violation) { >+ if (violation.blockedURI.split('?')[1] !== 'documentWrite') { >+ return; >+ } >+ assert_equals(violation.effectiveDirective, 'script-src-elem'); >+ t.done(); >+ })); >+ >+ document.write('<scr' + 'ipt id="documentWrite" src="simpleSourcedScript.js?documentWrite"></scr' + 'ipt>'); >+ }, 'Parser-inserted script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.'); >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'documentWriteln') { >+ assert_unreached('Parser-inserted script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.'); >+ } >+ })); >+ window.addEventListener('securitypolicyviolation', t.step_func(function(violation) { >+ if (violation.blockedURI.split('?')[1] !== 'documentWriteln') { >+ return; >+ } >+ assert_equals(violation.effectiveDirective, 'script-src-elem'); >+ t.done(); >+ })); >+ >+ document.writeln('<scr' + 'ipt id="documentWriteln" 
src="simpleSourcedScript.js?documentWriteln"></scr' + 'ipt>'); >+ }, 'Parser-inserted script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.'); >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'documentWrite-deferred') { >+ assert_unreached('Parser-inserted deferred script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.'); >+ } >+ })); >+ window.addEventListener('securitypolicyviolation', t.step_func(function(violation) { >+ if (violation.blockedURI.split('?')[1] !== 'documentWrite-deferred') { >+ return; >+ } >+ assert_equals(violation.effectiveDirective, 'script-src-elem'); >+ t.done(); >+ })); >+ >+ document.write('<scr' + 'ipt defer id="documentWrite-deferred" src="simpleSourcedScript.js?documentWrite-deferred"></scr' + 'ipt>'); >+ }, 'Parser-inserted deferred script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.'); >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'documentWriteln-deferred') { >+ assert_unreached('Parser-inserted deferred script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.'); >+ } >+ })); >+ window.addEventListener('securitypolicyviolation', t.step_func(function(violation) { >+ if (violation.blockedURI.split('?')[1] !== 'documentWriteln-deferred') { >+ return; >+ } >+ assert_equals(violation.effectiveDirective, 'script-src-elem'); >+ t.done(); >+ })); >+ >+ document.writeln('<scr' + 'ipt defer id="documentWriteln-deferred" src="simpleSourcedScript.js?documentWriteln-deferred"></scr' + 'ipt>'); >+ }, 'Parser-inserted deferred script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.'); >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ 
window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'documentWrite-async') { >+ assert_unreached('Parser-inserted async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.'); >+ } >+ })); >+ window.addEventListener('securitypolicyviolation', t.step_func(function(violation) { >+ if (violation.blockedURI.split('?')[1] !== 'documentWrite-async') { >+ return; >+ } >+ assert_equals(violation.effectiveDirective, 'script-src-elem'); >+ t.done(); >+ })); >+ >+ document.write('<scr' + 'ipt async id="documentWrite-async" src="simpleSourcedScript.js?documentWrite-async"></scr' + 'ipt>'); >+ }, 'Parser-inserted async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.'); >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'documentWriteln-async') { >+ assert_unreached('Parser-inserted async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.'); >+ } >+ })); >+ window.addEventListener('securitypolicyviolation', t.step_func(function(violation) { >+ if (violation.blockedURI.split('?')[1] !== 'documentWriteln-async') { >+ return; >+ } >+ assert_equals(violation.effectiveDirective, 'script-src-elem'); >+ t.done(); >+ })); >+ >+ document.writeln('<scr' + 'ipt async id="documentWriteln-async" src="simpleSourcedScript.js?documentWriteln-async"></scr' + 'ipt>'); >+ }, 'Parser-inserted async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.'); >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'documentWrite-deferred-async') { >+ assert_unreached('Parser-inserted deferred async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.'); >+ } >+ })); >+ 
window.addEventListener('securitypolicyviolation', t.step_func(function(violation) { >+ if (violation.blockedURI.split('?')[1] !== 'documentWrite-deferred-async') { >+ return; >+ } >+ assert_equals(violation.effectiveDirective, 'script-src-elem'); >+ t.done(); >+ })); >+ >+ document.write('<scr' + 'ipt defer async id="documentWrite-deferred-async" src="simpleSourcedScript.js?documentWrite-deferred-async"></scr' + 'ipt>'); >+ }, 'Parser-inserted deferred async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.'); >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'documentWriteln-deferred-async') { >+ assert_unreached('Parser-inserted deferred async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.'); >+ } >+ })); >+ window.addEventListener('securitypolicyviolation', t.step_func(function(violation) { >+ if (violation.blockedURI.split('?')[1] !== 'documentWriteln-deferred-async') { >+ return; >+ } >+ assert_equals(violation.effectiveDirective, 'script-src-elem'); >+ t.done(); >+ })); >+ >+ document.writeln('<scr' + 'ipt defer async id="documentWriteln-deferred-async " src="simpleSourcedScript.js?documentWriteln-deferred-async "></scr' + 'ipt>'); >+ }, 'Parser-inserted deferred async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.'); >+ </script> >+ >+ <script nonce='dummy'> >+ var innerHTMLScriptRan = false; >+ async_test(function(t) { >+ window.addEventListener('securitypolicyviolation', t.step_func(function(violation) { >+ if (violation.target.id !== 'innerHTML') { >+ return; >+ } >+ assert_false(innerHTMLScriptRan); >+ assert_equals(violation.effectiveDirective, 'script-src-attr'); >+ t.done(); >+ })); >+ >+ var e = document.createElement('div'); >+ e.innerHTML = "<img id='innerHTML' src='/nonexisting.jpg' onerror='innerHTMLScriptRan = true;' 
style='display:none'>"; >+ document.body.appendChild(e); >+ }, 'Script injected via `innerHTML` is not allowed with `strict-dynamic`.'); >+ </script> >+ >+ <script nonce='dummy'> >+ var insertAdjacentHTMLScriptRan = false; >+ async_test(function(t) { >+ window.addEventListener('securitypolicyviolation', t.step_func(function(violation) { >+ if (violation.target.id !== 'insertAdjacentHTML') { >+ return; >+ } >+ assert_false(insertAdjacentHTMLScriptRan); >+ assert_equals(violation.effectiveDirective, 'script-src-attr'); >+ t.done(); >+ })); >+ >+ var e = document.createElement('div'); >+ e.insertAdjacentHTML('afterbegin', "<img id='insertAdjacentHTML' src='/nonexisting.jpg' onerror='insertAdjacentHTMLScriptRan = true;' style='display:none'>"); >+ document.body.appendChild(e); >+ }, 'Script injected via `insertAdjacentHTML` is not allowed with `strict-dynamic`.'); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..b7918c93323eff9db66ad26a73b78798d35e5f7b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.headers >@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_correct_nonce.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_correct_nonce.html >new file mode 100644 >index 0000000000000000000000000000000000000000..9368089781d8cf1d08e80892f7b70f53ed00e09d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_correct_nonce.html 
>@@ -0,0 +1,110 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <title>Parser-inserted scripts with a correct nonce are allowed with `strict-dynamic` in the script-src directive.</title> >+ <script src='/resources/testharness.js' nonce='dummy'></script> >+ <script src='/resources/testharnessreport.js' nonce='dummy'></script> >+ >+ <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' --> >+</head> >+ >+<body> >+ <h1>Parser-inserted scripts with a correct nonce are allowed with `strict-dynamic` in the script-src directive.</h1> >+ <div id='log'></div> >+ >+ <script nonce='dummy'> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ assert_unreached('No CSP violation report has fired.'); >+ }); >+ >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'documentWrite') { >+ t.done(); >+ } >+ })); >+ document.write('<scr' + 'ipt nonce="dummy" id="documentWrite" src="simpleSourcedScript.js"></scr' + 'ipt>'); >+ }, 'Parser-inserted script via `document.write` with a correct nonce is allowed with `strict-dynamic`.'); >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'documentWriteln') { >+ t.done(); >+ } >+ })); >+ document.writeln('<scr' + 'ipt nonce="dummy" id="documentWriteln" src="simpleSourcedScript.js"></scr' + 'ipt>'); >+ }, 'Parser-inserted script via `document.writeln` with a correct nonce is allowed with `strict-dynamic`.'); >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'documentWrite-defer') { >+ t.done(); >+ } >+ })); >+ document.write('<scr' + 'ipt defer nonce="dummy" id="documentWrite-defer" src="simpleSourcedScript.js"></scr' + 'ipt>'); >+ }, 'Parser-inserted deferred script via `document.write` with a correct nonce is allowed with `strict-dynamic`.'); >+ </script> >+ >+ <script 
nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'documentWriteln-defer') { >+ t.done(); >+ } >+ })); >+ document.writeln('<scr' + 'ipt defer nonce="dummy" id="documentWriteln-defer" src="simpleSourcedScript.js"></scr' + 'ipt>'); >+ }, 'Parser-inserted deferred script via `document.writeln` with a correct nonce is allowed with `strict-dynamic`.'); >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'documentWrite-async') { >+ t.done(); >+ } >+ })); >+ document.write('<scr' + 'ipt async nonce="dummy" id="documentWrite-async" src="simpleSourcedScript.js"></scr' + 'ipt>'); >+ }, 'Parser-inserted async script via `document.write` with a correct nonce is allowed with `strict-dynamic`.'); >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'documentWriteln-async') { >+ t.done(); >+ } >+ })); >+ document.writeln('<scr' + 'ipt async nonce="dummy" id="documentWriteln-async" src="simpleSourcedScript.js"></scr' + 'ipt>'); >+ }, 'Parser-inserted async script via `document.writeln` with a correct nonce is allowed with `strict-dynamic`.'); >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'documentWrite-defer-async') { >+ t.done(); >+ } >+ })); >+ document.write('<scr' + 'ipt defer async nonce="dummy" id="documentWrite-defer-async" src="simpleSourcedScript.js"></scr' + 'ipt>'); >+ }, 'Parser-inserted deferred async script via `document.write` with a correct nonce is allowed with `strict-dynamic`.'); >+ </script> >+ >+ <script nonce='dummy'> >+ async_test(function(t) { >+ window.addEventListener('message', t.step_func(function(e) { >+ if (e.data === 'documentWriteln-defer-async') { >+ t.done(); >+ } >+ })); 
>+ document.writeln('<scr' + 'ipt defer async nonce="dummy" id="documentWriteln-defer-async" src="simpleSourcedScript.js"></scr' + 'ipt>'); >+ }, 'Parser-inserted deferred async script via `document.writeln` with a correct nonce is allowed with `strict-dynamic`.'); >+ </script> >+ >+</body> >+ >+</html> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_correct_nonce.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_correct_nonce.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..b7918c93323eff9db66ad26a73b78798d35e5f7b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_correct_nonce.html.headers >@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_worker-importScripts.https.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_worker-importScripts.https.html >new file mode 100644 >index 0000000000000000000000000000000000000000..681e19547ae6f10d18d0aa8640a31394fa09fc46 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_worker-importScripts.https.html 
>@@ -0,0 +1,18 @@ >+<!DOCTYPE html> >+<script src='/resources/testharness.js'></script> >+<script src='/resources/testharnessreport.js'></script> >+<script src='../support/testharness-helper.js'></script> >+ >+<meta http-equiv="content-security-policy" content="script-src 'nonce-abc' 'strict-dynamic'"> >+ >+<script nonce="abc"> >+ async_test(t => { >+ assert_no_csp_event_for_url(t, "../support/import-scripts.js"); >+ var w = new Worker("../support/import-scripts.js"); >+ assert_no_event(t, w, "error"); >+ waitUntilEvent(w, "message") >+ .then(t.step_func_done(e => { >+ assert_true(e.data.executed); >+ })); >+ }, "`importScripts(...)` is allowed by 'strict-dynamic'"); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_worker.https.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_worker.https.html >new file mode 100644 >index 0000000000000000000000000000000000000000..213eb6276d854d394b51089bb1585a19c77be93c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_worker.https.html >@@ -0,0 +1,20 @@ >+<!DOCTYPE html> >+<script src='/resources/testharness.js'></script> >+<script src='/resources/testharnessreport.js'></script> >+<script src='../support/testharness-helper.js'></script> >+ >+<meta http-equiv="content-security-policy" content="script-src 'nonce-abc' 'strict-dynamic'"> >+ >+<script nonce="abc"> >+ assert_worker_is_loaded( >+ "../support/ping.js", >+ "Dedicated worker is allowed via 'strict-dynamic'"); >+ >+ assert_shared_worker_is_loaded( >+ "../support/ping.js", >+ "Shared worker is allowed via 'strict-dynamic'"); >+ >+ assert_service_worker_is_loaded( >+ "../support/ping.js", >+ "Service worker is allowed via 'strict-dynamic'"); >+</script> 
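Review bot: script-src-strict_dynamic_worker.https.html registers a service worker for `../support/ping.js` through `assert_service_worker_is_loaded`, a helper in ../support/testharness-helper.js that is not part of this hunk; unless that helper unregisters the worker, the registration outlives the test and sibling tests in this directory can run under a controlling service worker. Worth confirming against the helper before landing. Both worker files deliver the policy by `<meta http-equiv>` and accordingly ship without a .headers companion, which is consistent with the meta_tag test above; the importScripts case relies on `assert_no_csp_event_for_url` and `assert_no_event` from the same helper for its negative checks, so those helpers are the real assertions and should be read together with this file.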
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-wildcards-disallowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-wildcards-disallowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..85c0c6111c8292bfb4f6f06b54dccd58f50a225f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-wildcards-disallowed-expected.txt >@@ -0,0 +1,5 @@ >+ >+PASS data: URIs should not match * >+PASS blob: URIs should not match * >+PASS filesystem URIs should not match * >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-wildcards-disallowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-wildcards-disallowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..7bf3d89b6726dbec7ed98e8176be3f11da9e1b86 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-wildcards-disallowed.html 
>@@ -0,0 +1,63 @@ >+<!DOCTYPE html> >+<html> >+ <head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-nonce' *; connect-src 'self';"> >+ <title>script-src disallowed wildcard use</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ </head> >+ <body> >+ <script nonce="nonce"> >+ var t1 = async_test('data: URIs should not match *'); >+ t1.step(function() { >+ var script = document.createElement("script"); >+ script.src = 'data:application/javascript,'; >+ script.addEventListener('load', t1.step_func(function() { >+ assert_unreached('Should not successfully load data URI.'); >+ })); >+ script.addEventListener('error', t1.step_func(function() { >+ t1.done(); >+ })); >+ document.head.appendChild(script); >+ }); >+ >+ var t2 = async_test('blob: URIs should not match *'); >+ t2.step(function() { >+ var b = new Blob([''], { type: 'application/javascript' }); >+ var script = document.createElement('script'); >+ script.addEventListener('load', t2.step_func(function() { >+ assert_unreached('Should not successfully load blob URI.'); >+ })); >+ script.addEventListener('error', t2.step_func(function() { >+ t2.done(); >+ })); >+ >+ script.src = URL.createObjectURL(b); >+ document.head.appendChild(script); >+ }); >+ >+ var t3 = async_test('filesystem URIs should not match *'); >+ if (window.webkitRequestFileSystem) { >+ window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs) { >+ fs.root.getFile('fail.js', {create: true}, function(fileEntry) { >+ fileEntry.createWriter(function(fileWriter) { >+ var script = document.createElement('script'); >+ >+ script.addEventListener('load', t3.step_func(function() { >+ assert_unreached('Should not successfully load filesystem URI.'); >+ })); >+ script.addEventListener('error', t3.step_func(function() { >+ t3.done(); >+ })); >+ >+ script.src = fileEntry.toURL('application/javascript'); >+ document.body.appendChild(script); >+ }); >+ 
}); >+ }); >+ } else { >+ t3.done(); >+ } >+ </script> >+ </body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..17fdbcd594a7af671e30adc74e30d3ae950243de >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-allowed.sub-expected.txt >@@ -0,0 +1,5 @@ >+This tests the effect of a valid script-hash value. It passes if no CSP violation is generated, and the alert_assert() is executed. >+ >+ >+PASS Expecting alerts: ["PASS (1/4)","PASS (2/4)","PASS (3/4)","PASS (4/4)"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c46a99136d8b1f80029178d575cb32990007da61 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-allowed.sub.html 
>@@ -0,0 +1,42 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-IFmozo9WnnsMXVl/Ka8XzJ3Nd8yzS2zA2ME0mwtd+Ck=' 'sha256-jSpTmJKcrnHttKdYM/wCCDJoQY5tdSxNf7zd2prwFfI=' 'sha256-qbgA2XjB2EZKjn/UmK7v/K77t+fvfxA89QT/K9qPNyE=' 'sha256-K+7X5Ip3msvRvyQzf6fkrWZziuhaUIee1aLnlP5nX10='; connect-src 'self';"> >+ <title>scripthash-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="/content-security-policy/support/alertAssert.sub.js?alerts=%5B%22PASS%20(1%2F4)%22%2C%22PASS%20(2%2F4)%22%2C%22PASS%20(3%2F4)%22%2C%22PASS%20(4%2F4)%22%5D"> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ alert_assert("Fail"); >+ }); >+ </script> >+ >+ <script> >+ alert_assert('PASS (1/4)'); >+ >+ </script> >+ <script> >+ alert_assert('PASS (2/4)'); >+ >+ </script> >+ <script> >+ alert_assert('PASS (3/4)'); >+ >+ </script> >+ <script> >+ alert_assert('PASS (4/4)'); >+ >+ </script> >+</head> >+ >+<body> >+ <p> >+ This tests the effect of a valid script-hash value. It passes if no CSP violation is generated, and the alert_assert() is executed. >+ </p> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..0dc1a7dd3822f7e5ab36d2bc202e8c2d6c43f694 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked.sub-expected.txt 
>@@ -0,0 +1,5 @@ >+This tests the effect of a valid script-hash value, with one valid script and several invalid ones. It passes if one alert is executed and a CSP violation is reported. >+ >+ >+PASS Expecting alerts: ["PASS (1/1)"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..d254053ecedad157389460beef5b54990c5ae751 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked.sub.html 
>@@ -0,0 +1,72 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4='; connect-src 'self';"> >+ <title>scripthash-basic-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="../support/logTest.sub.js?logs=[]"></script> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ alert_assert("Fail"); >+ }); >+ </script> >+ >+ <script> >+ var t_alert = async_test('Expecting alerts: ["PASS (1/1)"]'); >+ var expected_alerts = ["PASS (1/1)"]; >+ >+ function alert_assert(msg) { >+ t_alert.step(function() { >+ if (msg.match(/^FAIL/i)) { >+ assert_unreached(msg); >+ t_alert.done(); >+ } >+ for (var i = 0; i < expected_alerts.length; i++) { >+ if (expected_alerts[i] == msg) { >+ assert_true(expected_alerts[i] == msg); >+ expected_alerts.splice(i, 1); >+ if (expected_alerts.length == 0) { >+ t_alert.done(); >+ } >+ return; >+ } >+ } >+ assert_unreached('unexpected alert: ' + msg); >+ t_log.done(); >+ }); >+ } >+ >+ </script> >+ <script> >+ alert_assert('PASS (1/1)'); >+ >+ </script> >+ <script> >+ alert_assert('FAIL (1/4)'); >+ >+ </script> >+ <script> >+ alert_assert('FAIL (2/4)'); >+ >+ </script> >+ <script> >+ alert_assert('FAIL (3/4)'); >+ >+ </script> >+ <script> >+ alert_assert('FAIL (4/4)'); >+ >+ </script> >+</head> >+ >+<body> >+ <p> >+ This tests the effect of a valid script-hash value, with one valid script and several invalid ones. It passes if one alert is executed and a CSP violation is reported. >+ </p> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-default-src.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-default-src.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..48b84e5b3c33866cf67aea9ce322a833e2f043f3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-default-src.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS script-hash allowed from default-src >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-default-src.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-default-src.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..6025a67179fe2e71c60e811e7740f84f16da5d2a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-default-src.sub.html >@@ -0,0 +1,20 @@ >+<!DOCTYPE html> >+<html> >+ <head> >+ <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'nonce-abc' 'sha256-sc3CeiHrlck5tH2tTC4MnBYFnI9D5zp8f9odqnmGQjE='; connect-src 'self';"> >+ <title>script-hash allowed from default-src</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script nonce='abc'> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ test(function() { assert_unreached("Should not have fired event")}); >+ }); >+ </script> >+ >+ <script>done();</script> >+ </head> >+ >+ <body> >+ <div id="log"></div> >+ </body> >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..665820275ba53945455c4d2db0e680b050d12ab8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub-expected.txt >@@ -0,0 +1,5 @@ >+This tests that a valid hash value disables inline JavaScript, even if 'unsafe-inline' is present. >+ >+ >+PASS Expecting alerts: ["PASS (1/1)"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..d7af328f4e3e4d102d1c6f594d906ef01918a74d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub.html 
>@@ -0,0 +1,56 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'sha256-k7iO9DPkNQ7PcwPP+8XyYuRiCJ0p76Ofveol9g3mFNs=' 'sha256-EgE/bwVJ+ZLL9F5hNjDqD4C7nlFFrdDaKeNIJ2cUem4=' 'sha256-lxHfHAe5I15v8qaArcZ5WiKmLU4CjV+3tJeQUqSIWBk='; connect-src 'self';"> >+ >+ <title>scripthash-ignore-unsafeinline</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="../support/logTest.sub.js?logs=[]"></script> >+ <script>window.addEventListener('securitypolicyviolation', function(e) { alert_assert("Fail"); })</script> >+ <script> >+ var t_alert = async_test('Expecting alerts: ["PASS (1/1)"]'); >+ var expected_alerts = ["PASS (1/1)"]; >+ >+ function alert_assert(msg) { >+ t_alert.step(function() { >+ if (msg.match(/^FAIL/i)) { >+ assert_unreached(msg); >+ t_alert.done(); >+ } >+ for (var i = 0; i < expected_alerts.length; i++) { >+ if (expected_alerts[i] == msg) { >+ assert_true(expected_alerts[i] == msg); >+ expected_alerts.splice(i, 1); >+ if (expected_alerts.length == 0) { >+ t_alert.done(); >+ } >+ return; >+ } >+ } >+ assert_unreached('unexpected alert: ' + msg); >+ t_log.done(); >+ }); >+ } >+ >+ </script> >+ <script> >+ alert_assert('PASS (1/1)'); >+ >+ </script> >+ <script> >+ alert_assert('FAIL (1/1)'); >+ >+ </script> >+</head> >+ >+<body> >+ <p> >+ This tests that a valid hash value disables inline JavaScript, even if 'unsafe-inline' is present. >+ </p> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..9c28a3ad57a07ff795aafd74087a8757353462c4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub-expected.txt >@@ -0,0 +1,8 @@ >+This tests Unicode normalization. While appearing the same, the strings in the scripts are different Unicode points, but through normalization, should be the same when the hash is taken. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should fire securitypolicyviolation >+FAIL Only matching content runs even with NFC normalization. assert_unreached: nonMatchingContent script ran Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..4212297c68399ad32038f5e7bad2f8c8e4aa3120 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html 
>@@ -0,0 +1,72 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-nonceynonce' 'sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c='; connect-src 'self';"> >+ <title>scripthash-unicode-normalization</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> >+</head> >+ >+<body> >+ <!-- The following two scripts contain two separate code points (U+00C5 >+ and U+212B, respectively) which, depending on your text editor, might be >+ rendered the same.However, their difference is important because, under >+ NFC normalization, they would become the same code point, which would be >+ against the spec. This test, therefore, validates that the scripts have >+ *different* hash values. --> >+ <script nonce="nonceynonce"> >+ var t_spv = async_test("Should fire securitypolicyviolation"); >+ window.addEventListener('securitypolicyviolation', t_spv.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "script-src-elem"); >+ })); >+ >+ var matchingContent = 'Ã '; >+ var nonMatchingContent = 'â«'; >+ >+ // This script should have a hash value of >+ // sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c= >+ var scriptContent1 = "window.finish('" + matchingContent + "');"; >+ >+ // This script should have a hash value of >+ // sha256-iNjjXUXds31FFvkAmbC74Sxnvreug3PzGtu16udQyqM= >+ var scriptContent2 = "window.finish('" + nonMatchingContent + "');"; >+ >+ var script1 = document.createElement('script'); >+ var script2 = document.createElement('script'); >+ >+ script1.test = async_test("Only matching content runs even with NFC normalization."); >+ >+ var failure = function() { >+ assert_unreached(); >+ } >+ >+ window.finish = function(content) { >+ if (content == 
matchingContent) { >+ script1.test.step(function() { >+ script1.test.done(); >+ }); >+ } else { >+ script1.test.step(function() { >+ assert_unreached("nonMatchingContent script ran"); >+ }); >+ } >+ } >+ >+ script1.onerror = failure; >+ >+ document.body.appendChild(script2); >+ script2.textContent = scriptContent2; >+ document.body.appendChild(script1); >+ script1.textContent = scriptContent1; >+ </script> >+ >+ <p> >+ This tests Unicode normalization. While appearing the same, the strings in the scripts are different Unicode points, but through normalization, should be the same when the hash is taken. >+ </p> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..b71f797dd868b5cdf155278d46fee70c25747415 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-allowed.sub-expected.txt >@@ -0,0 +1,5 @@ >+This tests the effect of a valid script-nonce value. It passes if no CSP violation is generated and the alerts are executed. >+ >+ >+PASS Expecting alerts: ["PASS (1/2)","PASS (2/2)"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..46fdabd62c54bd4c162fafebbb3845b36155c02d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-allowed.sub.html 
>@@ -0,0 +1,68 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-noncynonce' 'nonce-noncy+/nonce='; connect-src 'self';"> >+ <title>scriptnonce-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script nonce="noncynonce"> >+ function log(msg) { >+ test(function() { >+ assert_unreached(msg) >+ }); >+ } >+ >+ </script> >+ <script nonce="noncynonce"> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ alert_assert("Fail"); >+ }); >+ >+ var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)"]'); >+ var expected_alerts = ["PASS (1/2)", "PASS (2/2)"]; >+ >+ function alert_assert(msg) { >+ t_alert.step(function() { >+ if (msg.match(/^FAIL/i)) { >+ assert_unreached(msg); >+ t_alert.done(); >+ } >+ for (var i = 0; i < expected_alerts.length; i++) { >+ if (expected_alerts[i] == msg) { >+ assert_true(expected_alerts[i] == msg); >+ expected_alerts.splice(i, 1); >+ if (expected_alerts.length == 0) { >+ t_alert.done(); >+ } >+ return; >+ } >+ } >+ assert_unreached('unexpected alert: ' + msg); >+ t_log.done(); >+ }); >+ } >+ >+ </script> >+ <!-- enforcing policy: >+script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/nonce='; connect-src 'self'; >+--> >+ <script nonce="noncynonce"> >+ alert_assert('PASS (1/2)'); >+ >+ </script> >+ <script nonce="noncy+/nonce="> >+ alert_assert('PASS (2/2)'); >+ >+ </script> >+</head> >+ >+<body> >+ <p> >+ This tests the effect of a valid script-nonce value. It passes if no CSP violation is generated and the alerts are executed. >+ </p> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..330759a0947381abf9803625827ef4e37ece6fff >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub-expected.txt >@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: line 62: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 66: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+This tests the combined use of script hash and script nonce. It passes if a CSP violation is generated and the three alerts show PASS. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"] Test timed out >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..8f1f596bd0039c4eadcdc8f2b84a54f8785262a0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html 
>@@ -0,0 +1,79 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self';"> >+ <title>scriptnonce-and-scripthash</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script nonce="nonceynonce"> >+ function log(msg) { >+ test(function() { >+ assert_unreached(msg) >+ }); >+ } >+ </script> >+ <script nonce="nonceynonce"> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ alert_assert("violated-directive=" + e.violatedDirective); >+ }); >+ >+ var t_alert = async_test('Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"]'); >+ var expected_alerts = ["PASS (1/3)", "PASS (2/3)", "PASS (3/3)", "violated-directive=script-src-elem", "violated-directive=script-src-elem"]; >+ >+ function alert_assert(msg) { >+ t_alert.step(function() { >+ if (msg.match(/^FAIL/i)) { >+ assert_unreached(msg); >+ t_alert.done(); >+ } >+ for (var i = 0; i < expected_alerts.length; i++) { >+ if (expected_alerts[i] == msg) { >+ assert_true(expected_alerts[i] == msg); >+ expected_alerts.splice(i, 1); >+ if (expected_alerts.length == 0) { >+ t_alert.done(); >+ } >+ return; >+ } >+ } >+ assert_unreached('unexpected alert: ' + msg); >+ t_log.done(); >+ }); >+ } >+ >+ </script> >+ <!-- enforcing policy: >+script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self'; >+--> >+ <script nonce="nonceynonce"> >+ alert_assert('PASS (1/3)'); >+ >+ </script> >+ <script> >+ alert_assert('PASS (2/3)'); >+ >+ </script> >+ <script nonce="nonceynonce"> >+ alert_assert('PASS (3/3)'); >+ >+ </script> >+ <script> >+ alert_assert('FAIL (1/2)'); >+ >+ </script> >+ <script nonce="notanonce"> >+ alert_assert('FAIL (2/2)'); >+ >+ 
</script> >+</head> >+ >+<body> >+ <p> >+ This tests the combined use of script hash and script nonce. It passes if a CSP violation is generated and the three alerts show PASS. >+ </p> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..673bab13eca5d72b47a55949360f2bb76ea4fea0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub-expected.txt >@@ -0,0 +1,5 @@ >+This tests the effect of a valid script-nonce value. It passes if a CSP violation is generated, and the two PASS alerts are executed. >+ >+ >+FAIL Expecting alerts: ["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)", "violated-directive=script-src-elem", "violated-directive=script-src-elem", "violated-directive=script-src-elem"] assert_unreached: Alert timeout, expected alerts violated-directive=script-src-elem,violated-directive=script-src-elem,violated-directive=script-src-elem not fired. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..2001afcd9cac51a007569bf8ea0642dc905b5422 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html 
>@@ -0,0 +1,43 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-noncynonce'; connect-src 'self';"> >+ <title>scriptnonce-basic-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/alertAssert.sub.js?alerts=["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)", "violated-directive=script-src-elem", "violated-directive=script-src-elem", "violated-directive=script-src-elem"]'></script> >+ <script nonce="noncynonce"> >+ alert_assert('PASS (closely-quoted nonce)'); >+ >+ </script> >+ <script nonce=" noncynonce "> >+ alert_assert('PASS (nonce w/whitespace)'); >+ >+ window.addEventListener('securitypolicyviolation', function(e) { >+ alert_assert("violated-directive=" + e.violatedDirective); >+ }); >+ </script> >+ <script nonce="noncynonce noncynonce"> >+ alert_assert('FAIL (1/3)'); >+ >+ </script> >+ <script> >+ alert_assert('FAIL (2/3)'); >+ >+ </script> >+ <script nonce="noncynonceno?"> >+ alert_assert('FAIL (3/3)'); >+ >+ </script> >+</head> >+ >+<body> >+ <p> >+ This tests the effect of a valid script-nonce value. It passes if a CSP violation is generated, and the two PASS alerts are executed. >+ </p> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..f07bacd42ea2bcc3d591d4d38c555bd46a3c6e8a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub-expected.txt 
>@@ -0,0 +1,8 @@ >+CONSOLE MESSAGE: line 61: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+This tests that a valid nonce disables inline JavaScript, even if 'unsafe-inline' is present. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src-elem"] Test timed out >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..b595b76389ffce3e8ee642e9581073f4dbbe04a1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html 
>@@ -0,0 +1,74 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/nonce=' 'unsafe-inline'; connect-src 'self';"> >+ <title>scriptnonce-ignore-unsafeinline</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script nonce='noncynonce'> >+ function log(msg) { >+ test(function() { >+ assert_unreached(msg) >+ }); >+ } >+ >+ window.addEventListener('securitypolicyviolation', function(e) { >+ alert_assert("violated-directive=" + e.violatedDirective); >+ }); >+ </script> >+ <script nonce='noncynonce'> >+ var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src-elem"]'); >+ var expected_alerts = ["PASS (1/2)", "PASS (2/2)", "violated-directive=script-src-elem"]; >+ >+ function alert_assert(msg) { >+ t_alert.step(function() { >+ if (msg.match(/^FAIL/i)) { >+ assert_unreached(msg); >+ t_alert.done(); >+ } >+ for (var i = 0; i < expected_alerts.length; i++) { >+ if (expected_alerts[i] == msg) { >+ assert_true(expected_alerts[i] == msg); >+ expected_alerts.splice(i, 1); >+ if (expected_alerts.length == 0) { >+ t_alert.done(); >+ } >+ return; >+ } >+ } >+ assert_unreached('unexpected alert: ' + msg); >+ t_log.done(); >+ }); >+ } >+ >+ </script> >+ <!-- enforcing policy: >+script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/nonce=' 'unsafe-inline'; connect-src 'self'; >+--> >+ <script nonce="noncynonce"> >+ >+ >+ </script> >+ <script nonce="noncynonce"> >+ alert_assert('PASS (1/2)'); >+ </script> >+ <script nonce="noncy+/nonce="> >+ alert_assert('PASS (2/2)'); >+ >+ </script> >+ <script> >+ alert_assert('FAIL (1/1)'); >+ >+ </script> >+</head> >+ >+<body> >+ <p> >+ This tests that a valid nonce disables inline JavaScript, even if 
'unsafe-inline' is present. >+ </p> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-redirect.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-redirect.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..0bb6002e1b4f506d8e801515a505513a51944960 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-redirect.sub-expected.txt >@@ -0,0 +1,4 @@ >+This tests whether a deferred script load caused by a redirect is properly allowed by a nonce. >+ >+PASS Expecting alerts: ["PASS"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-redirect.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-redirect.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..7e4e848375d75d8ee585befd808f8c887644e637 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-redirect.sub.html 
>@@ -0,0 +1,62 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self';"> >+ <title>scriptnonce-redirect</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script nonce="noncynonce"> >+ function log(msg) { >+ test(function() { >+ assert_unreached(msg) >+ }); >+ } >+ >+ window.addEventListener('securitypolicyviolation', function(e) { >+ alert_assert("Fail"); >+ }); >+ </script> >+ <script nonce="noncynonce"> >+ var t_alert = async_test('Expecting alerts: ["PASS"]'); >+ var expected_alerts = ["PASS"]; >+ >+ function alert_assert(msg) { >+ t_alert.step(function() { >+ if (msg.match(/^FAIL/i)) { >+ assert_unreached(msg); >+ t_alert.done(); >+ } >+ for (var i = 0; i < expected_alerts.length; i++) { >+ if (expected_alerts[i] == msg) { >+ assert_true(expected_alerts[i] == msg); >+ expected_alerts.splice(i, 1); >+ if (expected_alerts.length == 0) { >+ t_alert.done(); >+ } >+ return; >+ } >+ } >+ assert_unreached('unexpected alert: ' + msg); >+ t_log.done(); >+ }); >+ } >+ >+ </script> >+ <!-- enforcing policy: >+script-src 'self' 'unsafe-inline' 'nonce-noncynonce'; connect-src 'self'; >+--> >+</head> >+ >+<body> >+ This tests whether a deferred script load caused by a redirect is properly allowed by a nonce. >+ <script nonce="noncynonce" src="/common/redirect.py?location=http://{{host}}:{{ports[http][0]}}/content-security-policy/support/alert-pass.js"></script> >+ <script nonce="noncynonce"> >+ >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/simpleSourcedScript.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/simpleSourcedScript.js >new file mode 100644 >index 0000000000000000000000000000000000000000..deca86508fffd807ffd71dc2fc7554bbaba7e1e2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/simpleSourcedScript.js >@@ -0,0 +1 @@ >+window.postMessage(document.currentScript.id, "*"); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..1cd7241514329c5b16c8848eb0c83d879b690bbc >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+FAIL Expecting logs: ["violated-directive=script-src-elem"] assert_unreached: Logging timeout, expected logs violated-directive=script-src-elem not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..2cae85ec301fa2cd15005468b7efab6440ec2f17 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html 
>@@ -0,0 +1,35 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc'; connect-src 'self';"> >+ <title>srcdoc-doesnt-bypass-script-src</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem"]'></script> >+</head> >+ >+<body> >+ >+ <script nonce='abc'> >+ window.onmessage = function(e) { >+ log(e.data); >+ } >+ >+ var i = document.createElement('iframe'); >+ i.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ i.srcdoc = "<sc" + "ript nonce='abc'>" + >+ "window.addEventListener('securitypolicyviolation', function(e) {" + >+ "window.parent.postMessage('violated-directive=' + e.violatedDirective, '*');});" + >+ "</scr" + "ipt>" + >+ "<scr" + "ipt>window.parent.log('FAIL')</scr" + "ipt>"; >+ document.body.appendChild(i); >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/inject-script.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/inject-script.js >new file mode 100644 >index 0000000000000000000000000000000000000000..c04033c46f09b55eb604d22d23fc2595a0928335 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/inject-script.js >@@ -0,0 +1,5 @@ >+document.write("<script>log('Pass 1 of 2');</script>"); >+ >+var s = document.createElement('script'); >+s.textContent = "log('Pass 2 of 2');"; >+document.body.appendChild(s); 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/post-message.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/post-message.js >new file mode 100644 >index 0000000000000000000000000000000000000000..69daa31d2f1b645d394ca41dab119924209d4871 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/post-message.js >@@ -0,0 +1 @@ >+postMessage("importScripts allowed"); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..2d2df6a1dfe81cd51d8a730a078d79672c9e020f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/w3c-import.log 
>@@ -0,0 +1,26 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/inject-script.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/post-message.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-eval.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-eval.js.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js.sub.headers 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-eval.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-eval.js >new file mode 100644 >index 0000000000000000000000000000000000000000..9aa87129aeef272e7559383e034fced3618929a0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-eval.js >@@ -0,0 +1,5 @@ >+var id = 0; >+try { >+ id = eval("1 + 2 + 3"); >+} catch (e) {} >+postMessage(id === 0 ? "eval blocked" : "eval allowed"); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-eval.js.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-eval.js.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..afdcc7c011b18e372a4e8b4b9e383d85c3b0327f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-eval.js.sub.headers >@@ -0,0 +1 @@ >+Content-Security-Policy: script-src 'unsafe-inline' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js >new file mode 100644 >index 0000000000000000000000000000000000000000..03d9bf4cbbcad9baacf75d343457f0954125d84e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js >@@ -0,0 +1,7 @@ >+var fn = function() { >+ postMessage('Function() function blocked'); >+} >+try { >+ fn = new Function("", "postMessage('Function() function allowed');"); >+} catch (e) {} >+fn(); 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..afdcc7c011b18e372a4e8b4b9e383d85c3b0327f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-function-function.js.sub.headers >@@ -0,0 +1 @@ >+Content-Security-Policy: script-src 'unsafe-inline' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js >new file mode 100644 >index 0000000000000000000000000000000000000000..0204de32cf19f32232d4e1bc79d4b8defa82932d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js >@@ -0,0 +1,6 @@ >+try { >+ importScripts("/content-security-policy/support/post-message.js"); >+ postMessage("importScripts allowed"); >+} catch (e) { >+ postMessage("importScripts blocked"); >+} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..57616b1fc2dbdcd6399152a03cd13a248ef66313 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js.sub.headers >@@ -0,0 +1 @@ >+Content-Security-Policy: script-src 'none' 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js >new file mode 100644 >index 0000000000000000000000000000000000000000..a16827eddfc8b214f674614de1cc2b9d10009141 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js >@@ -0,0 +1,5 @@ >+var id = 0; >+try { >+ id = setTimeout("postMessage('handler invoked')", 100); >+} catch (e) {} >+postMessage(id === 0 ? "setTimeout blocked" : "setTimeout allowed"); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..57616b1fc2dbdcd6399152a03cd13a248ef66313 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-set-timeout.js.sub.headers >@@ -0,0 +1 @@ >+Content-Security-Policy: script-src 'none' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..9a4d89231b4ae0ad79ce74a303c6cfd113f48d41 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/w3c-import.log 
>@@ -0,0 +1,106 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/10_1_support_1.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/10_1_support_2.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/buildInlineWorker.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/crossoriginScript.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/crossoriginScript.js.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/eval-allowed-in-report-only-mode.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/externalScript.js 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/injected-inline-script-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/injected-inline-script-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/inlineSuccessTest.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/inlineTests.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/nonce-enforce-blocked.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_1.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_10.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_10_1.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_2.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_2_1.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_3.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_1.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-overrides-default-src.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_eval.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_eval.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_new_function.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_new_function.html.headers 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_eval.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_eval.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html.headers 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_new_function.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_new_function.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_correct_nonce.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_correct_nonce.html.headers 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_worker-importScripts.https.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_worker.https.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-wildcards-disallowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-default-src.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-redirect.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/simpleSourcedScript.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-eval-blocked.sub.html 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-function-function-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-importscripts-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-script-src.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-set-timeout-blocked.sub.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-eval-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-eval-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..4e16cc2cc7964a9d07d8761fcb54be6ae354012b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-eval-blocked.sub-expected.txt >@@ -0,0 +1,5 @@ >+This test loads a worker, delivered with its own policy. The eval() call in the worker should be forbidden by that policy. No report should be generated because the worker policy does not set a report-uri (although this parent resource does). >+ >+ >+PASS Expecting logs: ["eval blocked"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-eval-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-eval-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..9a264f2a240bfb89b29aeee7ec39fb1e035b0f52 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-eval-blocked.sub.html 
>@@ -0,0 +1,38 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>worker-eval-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["eval blocked"]'></script> >+ <script src='../support/alertAssert.sub.js?alerts=[]'></script> >+</head> >+ >+<body> >+ <p>This test loads a worker, delivered with its own policy. >+ The eval() call in the worker should be forbidden by that >+ policy. No report should be generated because the worker >+ policy does not set a report-uri (although this parent >+ resource does).</p> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log('Fail'); >+ }); >+ >+ try { >+ var worker = new Worker('/content-security-policy/script-src/support/worker-eval.js'); >+ worker.onmessage = function(event) { >+ log(event.data); >+ }; >+ } catch (e) { >+ log(e); >+ } >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-function-function-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-function-function-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a64876717807d4e43eb71d84ea7a92c70a2e29c2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-function-function-blocked.sub-expected.txt 
>@@ -0,0 +1,5 @@ >+This test loads a worker, delivered with its own policy. The Function constructor should be forbidden by that policy. No report should be generated because the worker policy does not set a report-uri (although this parent resource does). >+ >+ >+PASS Expecting logs: ["Function() function blocked"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-function-function-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-function-function-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..8c1df9f667967f03c640e1656cb5d1c6ad655007 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-function-function-blocked.sub.html 
>@@ -0,0 +1,37 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>worker-function-function-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["Function() function blocked"]'></script> >+ <script src='../support/alertAssert.sub.js?alerts=[]'></script> >+</head> >+ >+<body> >+ <p>This test loads a worker, delivered with its own policy. >+ The Function constructor should be forbidden by that >+ policy. No report should be generated because the worker >+ policy does not set a report-uri (although this parent >+ resource does).</p> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log('Fail'); >+ }); >+ try { >+ var worker = new Worker('/content-security-policy/script-src/support/worker-function-function.js'); >+ worker.onmessage = function(event) { >+ log(event.data); >+ }; >+ } catch (e) { >+ log(e); >+ } >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-importscripts-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-importscripts-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..22d84972ba28ec04ed69befa7679224f535f8cbd >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-importscripts-blocked.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+PASS Expecting logs: ["TEST COMPLETE"] >+PASS worker-importscripts-blocked >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-importscripts-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-importscripts-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..28906138069e255d671d5d25db75d15082647ea2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-importscripts-blocked.sub.html >@@ -0,0 +1,41 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';"> >+ <title>worker-importscripts-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log('Fail'); >+ }); >+ var result = ''; >+ try { >+ var worker = new Worker('/content-security-policy/script-src/support/worker-importscripts.js'); >+ worker.onmessage = function(event) { >+ result = event.data; >+ test(function() { >+ assert_equals(result, 'importScripts blocked') >+ }); >+ log("TEST COMPLETE"); >+ }; >+ } catch (e) { >+ result = e; >+ test(function() { >+ assert_equals(result, 'importScripts blocked') >+ }); >+ log("TEST COMPLETE"); >+ } >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-script-src.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-script-src.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..70bc2cda491939c14428e19cbaff031dfe3d822a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-script-src.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Expecting logs: ["PASS"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-script-src.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-script-src.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..da7771b9c4befb938bf85d9cdcc79b3ccd3c1089 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-script-src.sub.html >@@ -0,0 +1,32 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>worker-script-src</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script> >+ <script src='../support/alertAssert.sub.js?alerts=[]'></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log('Fail'); >+ }); >+ try { >+ var foo = new Worker('/content-security-policy/script-src/support/post-message.js'); >+ foo.onmessage = function(event) { >+ log("PASS"); >+ }; >+ } catch (e) { >+ log(e); >+ } >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-set-timeout-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-set-timeout-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ae0f1d169685d26094b3ea4fe41fd61018b8cb43 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-set-timeout-blocked.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Expecting alerts: ["setTimeout blocked"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-set-timeout-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-set-timeout-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..5f93433416b1a40efe7fa38389dc5a54a587add4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/worker-set-timeout-blocked.sub.html 
>@@ -0,0 +1,32 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'self' 'unsafe-eval'; connect-src 'self';"> >+ <title>worker-set-timeout-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="../support/logTest.sub.js?logs=[]"></script> >+ <script src='../support/alertAssert.sub.js?alerts=["setTimeout blocked"]'></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log('Fail'); >+ }); >+ try { >+ var worker = new Worker('/content-security-policy/script-src/support/worker-set-timeout.js'); >+ worker.onmessage = function(event) { >+ alert_assert(event.data); >+ }; >+ } catch (e) { >+ alert_assert(e); >+ } >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-eval-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-eval-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..e14f320fad76e0d76ecb2be00266e6877f2f5e1f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-eval-expected.txt >@@ -0,0 +1,5 @@ >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT Eval violations have a blockedURI of 'eval' Test timed out >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-eval.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-eval.html >new file mode 100644 >index 0000000000000000000000000000000000000000..ddd5068df1f1ae65b603f6d7a290e316da735b28 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-eval.html >@@ -0,0 +1,20 @@ >+<!doctype html> >+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'"> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script> >+ async_test(t => { >+ var watcher = new EventWatcher(t, document, 'securitypolicyviolation'); >+ watcher.wait_for('securitypolicyviolation').then(t.step_func_done(e => { >+ assert_equals(e.blockedURI, "eval"); >+ assert_equals(e.lineNumber, 15); >+ assert_equals(e.columnNumber, 12); >+ })); >+ >+ try { >+ eval("assert_unreached('eval() should be blocked."); >+ } catch (e) { >+ assert_equals(e.name, 'EvalError'); >+ } >+ }, "Eval violations have a blockedURI of 'eval'"); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-inline-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-inline-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..d01f69010fb1f0053f0efe4be4abca9e8eb542e8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-inline-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Inline violations have a blockedURI of 'inline' assert_equals: expected "inline" but got "" >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-inline.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-inline.html >new file mode 100644 >index 0000000000000000000000000000000000000000..40c4865185a919135f1fa8b54167192a5773eaef >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-inline.html >@@ -0,0 +1,19 @@ >+<!doctype html> >+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'"> >+<script nonce="abc" src="/resources/testharness.js"></script> >+<script nonce="abc" src="/resources/testharnessreport.js"></script> >+<script nonce="abc"> >+ async_test(t => { >+ var watcher = new EventWatcher(t, document, 'securitypolicyviolation'); >+ watcher.wait_for('securitypolicyviolation').then(t.step_func_done(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.lineNumber, 15); >+ assert_equals(e.columnNumber, 1); >+ })); >+ }, "Inline violations have a blockedURI of 'inline'"); >+</script> >+<script> >+ test(t => { >+ assert_unreached(); >+ }, "Blocked script shouldn't execute."); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/constructor-required-fields-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/constructor-required-fields-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..79d8a1fb7d1739150dbe4f5ab90a3d62273c1186 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/constructor-required-fields-expected.txt 
>@@ -0,0 +1,94 @@ >+ >+PASS SecurityPolicyViolationEvent constructor should throw with no parameters >+PASS SecurityPolicyViolationEvent constructor works with an init dict >+FAIL SecurityPolicyViolationEvent constructor requires documentURI assert_throws: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", { >+ // documentURI: "http://example.com", >+ referrer: "http://example.com", >+ blockedURI: "http://example.com", >+ violatedDirective: "default-src", >+ effectiveDirective: "default-src", >+ originalPolicy: "default-src 'none'", >+ sourceFile: "example.js", >+ sample: "<script>alert('1');</scr" + "ipt>", >+ disposition: "enforce", >+ statusCode: 200, >+ lineNumber: 1, >+ columnNumber: 1, >+ })}" did not throw >+FAIL SecurityPolicyViolationEvent constructor requires violatedDirective assert_throws: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", { >+ documentURI: "http://example.com", >+ referrer: "http://example.com", >+ blockedURI: "http://example.com", >+ // violatedDirective: "default-src", >+ effectiveDirective: "default-src", >+ originalPolicy: "default-src 'none'", >+ sourceFile: "example.js", >+ sample: "<script>alert('1');</scr" + "ipt>", >+ disposition: "enforce", >+ statusCode: 200, >+ lineNumber: 1, >+ columnNumber: 1, >+ })}" did not throw >+FAIL SecurityPolicyViolationEvent constructor requires effectiveDirective assert_throws: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", { >+ documentURI: "http://example.com", >+ referrer: "http://example.com", >+ blockedURI: "http://example.com", >+ violatedDirective: "default-src", >+ // effectiveDirective: "default-src", >+ originalPolicy: "default-src 'none'", >+ sourceFile: "example.js", >+ sample: "<script>alert('1');</scr" + "ipt>", >+ disposition: "enforce", >+ statusCode: 200, >+ lineNumber: 1, >+ columnNumber: 1, >+ })}" did not throw >+FAIL SecurityPolicyViolationEvent constructor requires 
originalPolicy assert_throws: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", { >+ documentURI: "http://example.com", >+ referrer: "http://example.com", >+ blockedURI: "http://example.com", >+ violatedDirective: "default-src", >+ effectiveDirective: "default-src", >+ // originalPolicy: "default-src 'none'", >+ sourceFile: "example.js", >+ sample: "<script>alert('1');</scr" + "ipt>", >+ disposition: "enforce", >+ statusCode: 200, >+ lineNumber: 1, >+ columnNumber: 1, >+ })}" did not throw >+FAIL SecurityPolicyViolationEvent constructor requires disposition assert_throws: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", { >+ documentURI: "http://example.com", >+ referrer: "http://example.com", >+ blockedURI: "http://example.com", >+ violatedDirective: "default-src", >+ effectiveDirective: "default-src", >+ originalPolicy: "default-src 'none'", >+ sourceFile: "example.js", >+ sample: "<script>alert('1');</scr" + "ipt>", >+ // disposition: "enforce", >+ statusCode: 200, >+ lineNumber: 1, >+ columnNumber: 1, >+ })}" did not throw >+FAIL SecurityPolicyViolationEvent constructor requires statusCode assert_throws: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", { >+ documentURI: "http://example.com", >+ referrer: "http://example.com", >+ blockedURI: "http://example.com", >+ violatedDirective: "default-src", >+ effectiveDirective: "default-src", >+ originalPolicy: "default-src 'none'", >+ sourceFile: "example.js", >+ sample: "<script>alert('1');</scr" + "ipt>", >+ disposition: "enforce", >+ // statusCode: 200, >+ lineNumber: 1, >+ columnNumber: 1, >+ })}" did not throw >+PASS SecurityPolicyViolationEvent constructor does not require referrer >+PASS SecurityPolicyViolationEvent constructor does not require blockedURI >+PASS SecurityPolicyViolationEvent constructor does not require sourceFile >+PASS SecurityPolicyViolationEvent constructor does not require sample >+PASS 
SecurityPolicyViolationEvent constructor does not require lineNumber >+PASS SecurityPolicyViolationEvent constructor does not require columnNumber >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/constructor-required-fields.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/constructor-required-fields.html >new file mode 100644 >index 0000000000000000000000000000000000000000..1260c491fc2501b080850b5e523a847d37200127 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/constructor-required-fields.html 
>@@ -0,0 +1,239 @@ >+<!doctype html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script> >+ // basic tests. >+ test(function() { >+ assert_throws(TypeError(), >+ function() { new SecurityPolicyViolationEvent(); }); >+ }, "SecurityPolicyViolationEvent constructor should throw with no parameters"); >+ >+ test(function() { >+ assert_not_equals(new SecurityPolicyViolationEvent("securitypolicyviolation", { >+ documentURI: "http://example.com", >+ referrer: "http://example.com", >+ blockedURI: "http://example.com", >+ violatedDirective: "default-src", >+ effectiveDirective: "default-src", >+ originalPolicy: "default-src 'none'", >+ sourceFile: "example.js", >+ sample: "<script>alert('1');</scr" + "ipt>", >+ disposition: "enforce", >+ statusCode: 200, >+ lineNumber: 1, >+ columnNumber: 1, >+ }), undefined); >+ }, "SecurityPolicyViolationEvent constructor works with an init dict"); >+ >+ // missing required members >+ test(function() { >+ assert_throws(TypeError(), >+ function() { new SecurityPolicyViolationEvent("securitypolicyviolation", { >+ // documentURI: "http://example.com", >+ referrer: "http://example.com", >+ blockedURI: "http://example.com", >+ violatedDirective: "default-src", >+ effectiveDirective: "default-src", >+ originalPolicy: "default-src 'none'", >+ sourceFile: "example.js", >+ sample: "<script>alert('1');</scr" + "ipt>", >+ disposition: "enforce", >+ statusCode: 200, >+ lineNumber: 1, >+ columnNumber: 1, >+ })}); >+ }, "SecurityPolicyViolationEvent constructor requires documentURI"); >+ >+ test(function() { >+ assert_throws(TypeError(), >+ function() { new SecurityPolicyViolationEvent("securitypolicyviolation", { >+ documentURI: "http://example.com", >+ referrer: "http://example.com", >+ blockedURI: "http://example.com", >+ // violatedDirective: "default-src", >+ effectiveDirective: "default-src", >+ originalPolicy: "default-src 'none'", >+ sourceFile: "example.js", >+ sample: 
"<script>alert('1');</scr" + "ipt>", >+ disposition: "enforce", >+ statusCode: 200, >+ lineNumber: 1, >+ columnNumber: 1, >+ })}); >+ }, "SecurityPolicyViolationEvent constructor requires violatedDirective"); >+ >+ test(function() { >+ assert_throws(TypeError(), >+ function() { new SecurityPolicyViolationEvent("securitypolicyviolation", { >+ documentURI: "http://example.com", >+ referrer: "http://example.com", >+ blockedURI: "http://example.com", >+ violatedDirective: "default-src", >+ // effectiveDirective: "default-src", >+ originalPolicy: "default-src 'none'", >+ sourceFile: "example.js", >+ sample: "<script>alert('1');</scr" + "ipt>", >+ disposition: "enforce", >+ statusCode: 200, >+ lineNumber: 1, >+ columnNumber: 1, >+ })}); >+ }, "SecurityPolicyViolationEvent constructor requires effectiveDirective"); >+ >+ test(function() { >+ assert_throws(TypeError(), >+ function() { new SecurityPolicyViolationEvent("securitypolicyviolation", { >+ documentURI: "http://example.com", >+ referrer: "http://example.com", >+ blockedURI: "http://example.com", >+ violatedDirective: "default-src", >+ effectiveDirective: "default-src", >+ // originalPolicy: "default-src 'none'", >+ sourceFile: "example.js", >+ sample: "<script>alert('1');</scr" + "ipt>", >+ disposition: "enforce", >+ statusCode: 200, >+ lineNumber: 1, >+ columnNumber: 1, >+ })}); >+ }, "SecurityPolicyViolationEvent constructor requires originalPolicy"); >+ >+ test(function() { >+ assert_throws(TypeError(), >+ function() { new SecurityPolicyViolationEvent("securitypolicyviolation", { >+ documentURI: "http://example.com", >+ referrer: "http://example.com", >+ blockedURI: "http://example.com", >+ violatedDirective: "default-src", >+ effectiveDirective: "default-src", >+ originalPolicy: "default-src 'none'", >+ sourceFile: "example.js", >+ sample: "<script>alert('1');</scr" + "ipt>", >+ // disposition: "enforce", >+ statusCode: 200, >+ lineNumber: 1, >+ columnNumber: 1, >+ })}); >+ }, "SecurityPolicyViolationEvent 
constructor requires disposition"); >+ >+ test(function() { >+ assert_throws(TypeError(), >+ function() { new SecurityPolicyViolationEvent("securitypolicyviolation", { >+ documentURI: "http://example.com", >+ referrer: "http://example.com", >+ blockedURI: "http://example.com", >+ violatedDirective: "default-src", >+ effectiveDirective: "default-src", >+ originalPolicy: "default-src 'none'", >+ sourceFile: "example.js", >+ sample: "<script>alert('1');</scr" + "ipt>", >+ disposition: "enforce", >+ // statusCode: 200, >+ lineNumber: 1, >+ columnNumber: 1, >+ })}); >+ }, "SecurityPolicyViolationEvent constructor requires statusCode"); >+ >+ // missing optional members >+ test(function() { >+ assert_not_equals(new SecurityPolicyViolationEvent("securitypolicyviolation", { >+ documentURI: "http://example.com", >+ // referrer: "http://example.com", >+ blockedURI: "http://example.com", >+ violatedDirective: "default-src", >+ effectiveDirective: "default-src", >+ originalPolicy: "default-src 'none'", >+ sourceFile: "example.js", >+ sample: "<script>alert('1');</scr" + "ipt>", >+ disposition: "enforce", >+ statusCode: 200, >+ lineNumber: 1, >+ columnNumber: 1, >+ }), undefined); >+ }, "SecurityPolicyViolationEvent constructor does not require referrer"); >+ >+ test(function() { >+ assert_not_equals(new SecurityPolicyViolationEvent("securitypolicyviolation", { >+ documentURI: "http://example.com", >+ referrer: "http://example.com", >+ // blockedURI: "http://example.com", >+ violatedDirective: "default-src", >+ effectiveDirective: "default-src", >+ originalPolicy: "default-src 'none'", >+ sourceFile: "example.js", >+ sample: "<script>alert('1');</scr" + "ipt>", >+ disposition: "enforce", >+ statusCode: 200, >+ lineNumber: 1, >+ columnNumber: 1, >+ }), undefined); >+ }, "SecurityPolicyViolationEvent constructor does not require blockedURI"); >+ >+ test(function() { >+ assert_not_equals(new SecurityPolicyViolationEvent("securitypolicyviolation", { >+ documentURI: 
"http://example.com", >+ referrer: "http://example.com", >+ blockedURI: "http://example.com", >+ violatedDirective: "default-src", >+ effectiveDirective: "default-src", >+ originalPolicy: "default-src 'none'", >+ // sourceFile: "example.js", >+ sample: "<script>alert('1');</scr" + "ipt>", >+ disposition: "enforce", >+ statusCode: 200, >+ lineNumber: 1, >+ columnNumber: 1, >+ }), undefined); >+ }, "SecurityPolicyViolationEvent constructor does not require sourceFile"); >+ >+ test(function() { >+ assert_not_equals(new SecurityPolicyViolationEvent("securitypolicyviolation", { >+ documentURI: "http://example.com", >+ referrer: "http://example.com", >+ blockedURI: "http://example.com", >+ violatedDirective: "default-src", >+ effectiveDirective: "default-src", >+ originalPolicy: "default-src 'none'", >+ sourceFile: "example.js", >+ // sample: "<script>alert('1');</scr" + "ipt>", >+ disposition: "enforce", >+ statusCode: 200, >+ lineNumber: 1, >+ columnNumber: 1, >+ }), undefined); >+ }, "SecurityPolicyViolationEvent constructor does not require sample"); >+ >+ test(function() { >+ assert_not_equals(new SecurityPolicyViolationEvent("securitypolicyviolation", { >+ documentURI: "http://example.com", >+ referrer: "http://example.com", >+ blockedURI: "http://example.com", >+ violatedDirective: "default-src", >+ effectiveDirective: "default-src", >+ originalPolicy: "default-src 'none'", >+ sourceFile: "example.js", >+ sample: "<script>alert('1');</scr" + "ipt>", >+ disposition: "enforce", >+ statusCode: 200, >+ // lineNumber: 1, >+ columnNumber: 1, >+ }), undefined); >+ }, "SecurityPolicyViolationEvent constructor does not require lineNumber"); >+ >+ test(function() { >+ assert_not_equals(new SecurityPolicyViolationEvent("securitypolicyviolation", { >+ documentURI: "http://example.com", >+ referrer: "http://example.com", >+ blockedURI: "http://example.com", >+ violatedDirective: "default-src", >+ effectiveDirective: "default-src", >+ originalPolicy: "default-src 'none'", >+ 
sourceFile: "example.js", >+ sample: "<script>alert('1');</scr" + "ipt>", >+ disposition: "enforce", >+ statusCode: 200, >+ lineNumber: 1, >+ // columnNumber: 1, >+ }), undefined); >+ }, "SecurityPolicyViolationEvent constructor does not require columnNumber"); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/idlharness.window-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/idlharness.window-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a7ea32791cb00693f3794a23d3284a92679c52ff >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/idlharness.window-expected.txt >@@ -0,0 +1,30 @@ >+ >+FAIL idl_test setup promise_test: Unhandled rejection with value: object "Got an error before parsing any named definition: Unrecognised tokens, line 1 (tokens: "{\"error\": {\"message\"") >+[ >+ { >+ "type": "{", >+ "value": "{", >+ "trivia": "" >+ }, >+ { >+ "type": "string", >+ "value": "\"error\"", >+ "trivia": "" >+ }, >+ { >+ "type": ":", >+ "value": ":", >+ "trivia": "" >+ }, >+ { >+ "type": "{", >+ "value": "{", >+ "trivia": " " >+ }, >+ { >+ "type": "string", >+ "value": "\"message\"", >+ "trivia": "" >+ } >+]" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/idlharness.window.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/idlharness.window.html >new file mode 100644 >index 0000000000000000000000000000000000000000..2382913528e693b3a5d56c660a45060980b548c3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/idlharness.window.html >@@ -0,0 +1 @@ >+<!-- This file is required for WebKit test infrastructure to run the templated test --> >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/idlharness.window.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/idlharness.window.js >new file mode 100644 >index 0000000000000000000000000000000000000000..25efd0d4e1f5224cda5a74457e801d84777bbcb0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/idlharness.window.js >@@ -0,0 +1,18 @@ >+// META: script=/resources/WebIDLParser.js >+// META: script=/resources/idlharness.js >+ >+// https://w3c.github.io/webappsec-csp/ >+ >+'use strict'; >+ >+idl_test( >+ ['CSP'], >+ ['dom', 'reporting'], >+ idl_array => { >+ idl_array.add_objects({ >+ SecurityPolicyViolationEvent: [ >+ 'new SecurityPolicyViolationEvent("securitypolicyviolation")' >+ ] >+ }) >+ } >+); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..67ffe556d49c481668f9b1dd5c6b5218eb440123 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https-expected.txt >@@ -0,0 +1,7 @@ >+CONSOLE MESSAGE: The Content Security Policy 'img-src https:' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT Image that redirects to http:// URL prohibited by Report-Only must generate a violation report, even with upgrade-insecure-requests Test timed out >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c63206db46432477c0621f12146d7e672831ca1e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html >@@ -0,0 +1,31 @@ >+<!doctype html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="./support/testharness-helper.sub.js"></script> >+<body></body> >+<script> >+ function waitForViolation(el, t, policy, blockedURI) { >+ return new Promise(resolve => { >+ el.addEventListener('securitypolicyviolation', e => { >+ if (e.originalPolicy == policy && e.blockedURI == blockedURI) >+ resolve(e); >+ else >+ t.unreached_func("Unexpected violation event for " + e.blockedURI)(); >+ }); >+ }); >+ } >+ >+ async_test(t => { >+ var i = document.createElement("img"); >+ var redirect = generateCrossOriginRedirectImage(); >+ i.src = redirect.url; >+ >+ // Report-only policy should trigger a violation on the redirected request. >+ waitForViolation(window, t, "img-src https:", new URL(redirect.url, window.location).href).then(t.step_func(e => { >+ t.done(); >+ })); >+ >+ document.body.appendChild(i); >+ }, "Image that redirects to http:// URL prohibited by Report-Only must generate a violation report, even with upgrade-insecure-requests"); >+</script> >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..57207bbd23cf6f4cb1589bb006c5eef1050eb36f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html.headers >@@ -0,0 +1,2 @@ >+Content-Security-Policy-Report-Only: img-src https: >+Content-Security-Policy: upgrade-insecure-requests >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-dedicated-worker-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-dedicated-worker-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..68477c122c5d260d790a65c13aa2825aa7a3200f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-dedicated-worker-expected.txt >@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: Refused to connect to http://www.localhost:8800/content-security-policy/support/ping.js because it does not appear in the connect-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Blocked by Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+FAIL No SecurityPolicyViolation event fired for successful load. assert_false: expected false got true >+TIMEOUT SecurityPolicyViolation event fired on global. Test timed out >+TIMEOUT SecurityPolicyViolation event fired on global with the correct blockedURI. Test timed out >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-dedicated-worker.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-dedicated-worker.html >new file mode 100644 >index 0000000000000000000000000000000000000000..0912ec2ad92658dc38a3fe2761f6e85fbeb883f1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-dedicated-worker.html >@@ -0,0 +1,22 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+ >+<!-- >+ Set a policy in the document to ensure that the block is triggering >+ in the worker and not in the document. >+--> >+<meta http-equiv="content-security-policy" content="connect-src 'self'"> >+ >+<script> >+ var w = new Worker("./support/inside-worker.sub.js"); >+ >+ // Forward 'securitypolicyviolation' events from the document into the >+ // worker (we shouldn't actually see any, so the worker will assert that >+ // none are fired). >+ document.addEventListener('securitypolicyviolation', _ => { >+ w.postMessage("SecurityPolicyViolation from Document"); >+ }); >+ >+ fetch_tests_from_worker(w); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-service-worker.https-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-service-worker.https-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..19791100ca7531c805b035dbade2b0a49a4fcf12 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-service-worker.https-expected.txt 
>@@ -0,0 +1,7 @@ >+ >+Harness Error (TIMEOUT), message = null >+ >+PASS No SecurityPolicyViolation event fired for successful load. >+TIMEOUT SecurityPolicyViolation event fired on global. Test timed out >+TIMEOUT SecurityPolicyViolation event fired on global with the correct blockedURI. Test timed out >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-service-worker.https.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-service-worker.https.html >new file mode 100644 >index 0000000000000000000000000000000000000000..fb691f92b60d5037b634a5d3e7543028beb8a114 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-service-worker.https.html >@@ -0,0 +1,27 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+ >+<!-- >+ Set a policy in the document to ensure that the block is triggering >+ in the worker and not in the document. >+--> >+<meta http-equiv="content-security-policy" content="connect-src 'self'"> >+ >+<script> >+ navigator.serviceWorker.register("./support/inside-worker.sub.js", { scope: "./support/" }) >+ .then(r => { >+ var sw = r.active || r.installing || r.waiting; >+ add_completion_callback(_ => r.unregister()); >+ >+ // Forward 'securitypolicyviolation' events from the document into the >+ // worker (we shouldn't actually see any, so the worker will assert that >+ // none are fired. >+ document.addEventListener('securitypolicyviolation', _ => { >+ sw.postMessage("SecurityPolicyViolation from Document"); >+ }); >+ >+ fetch_tests_from_worker(sw); >+ }); >+</script> >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-shared-worker.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-shared-worker.html >new file mode 100644 >index 0000000000000000000000000000000000000000..4fddf12a3cc5fabc76ca851dd922c60f3333f02c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-shared-worker.html >@@ -0,0 +1,23 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+ >+<!-- >+ Set a policy in the document to ensure that the block is triggering >+ in the worker and not in the document. >+--> >+<meta http-equiv="content-security-policy" content="connect-src 'self'"> >+ >+<script> >+ var w = new SharedWorker("./support/inside-worker.sub.js"); >+ >+ // Forward 'securitypolicyviolation' events from the document into the >+ // worker (we shouldn't actually see any, so the worker will assert that >+ // none are fired. >+ document.addEventListener('securitypolicyviolation', _ => { >+ w.port.postMessage("SecurityPolicyViolation from Document"); >+ }); >+ >+ fetch_tests_from_worker(w); >+</script> >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..9771509ac570a306a6ff7a05aef6b551a0704da4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample-expected.txt 
>@@ -0,0 +1,19 @@ >+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''report-sample''. It will be ignored. >+CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 94: Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''report-sample''. It will be ignored. >+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''report-sample''. It will be ignored. >+CONSOLE MESSAGE: line 75: Refused to execute a script because 'unsafe-eval' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 89: Refused to execute a script because 'unsafe-eval' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT Inline script should have a sample. Test timed out >+TIMEOUT Inline event handlers should have a sample. Test timed out >+TIMEOUT JavaScript URLs in iframes should have a sample. Test timed out >+TIMEOUT eval() should have a sample. Test timed out >+TIMEOUT setInterval() should have a sample. Test timed out >+TIMEOUT setTimeout() should have a sample. Test timed out >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample-no-opt-in-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample-no-opt-in-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..4caa30e76ac5dedbf4d06b93cfafde63f5a36921 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample-no-opt-in-expected.txt >@@ -0,0 +1,14 @@ >+CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 80: Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 70: Refused to execute a script because 'unsafe-eval' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 75: Refused to execute a script because 'unsafe-eval' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT Inline script should not have a sample. Test timed out >+TIMEOUT Inline event handlers should not have a sample. Test timed out >+TIMEOUT JavaScript URLs in iframes should not have a sample. Test timed out >+TIMEOUT eval()-alikes should not have a sample. Test timed out >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html >new file mode 100644 >index 0000000000000000000000000000000000000000..eada073dd77ec1f1326f503a948743ad967f1b15 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html 
>@@ -0,0 +1,80 @@ >+<!doctype html> >+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'; style-src 'self'; img-src 'none'"> >+<script nonce="abc" src="/resources/testharness.js"></script> >+<script nonce="abc" src="/resources/testharnessreport.js"></script> >+<body> >+<script nonce="abc"> >+ function waitForViolation(el) { >+ return new Promise(resolve => { >+ el.addEventListener('securitypolicyviolation', e => resolve(e)); >+ }); >+ } >+ >+ async_test(t => { >+ var s = document.createElement('script'); >+ s.innerText = "assert_unreached('inline script block')"; >+ >+ waitForViolation(s) >+ .then(t.step_func_done(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.sample, ""); >+ })); >+ >+ document.head.append(s); >+ }, "Inline script should not have a sample."); >+ >+ async_test(t => { >+ var a = document.createElement("a"); >+ a.setAttribute("onclick", "assert_unreached('inline event handler')"); >+ >+ waitForViolation(a) >+ .then(t.step_func_done(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.sample, ""); >+ })); >+ >+ document.body.append(a); >+ a.click(); >+ }, "Inline event handlers should not have a sample."); >+ >+ async_test(t => { >+ var i = document.createElement("iframe"); >+ i.src = "javascript:'inline url'"; >+ >+ waitForViolation(i) >+ .then(t.step_func_done(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.sample, ""); >+ })); >+ >+ document.body.append(i); >+ }, "JavaScript URLs in iframes should not have a sample."); >+ >+ async_test(t => { >+ var violations = 0; >+ document.addEventListener('securitypolicyviolation', t.step_func(e => { >+ if (e.blockedURI != "eval") >+ return; >+ >+ assert_equals(e.sample, ""); >+ violations++ >+ if (violations == 3) >+ t.done(); >+ })); >+ try { >+ eval("assert_unreached('eval')"); >+ assert_unreached('eval'); >+ } catch (e) { >+ } >+ try { >+ setInterval("assert_unreached('interval')", 1000); >+ assert_unreached('interval'); >+ } 
catch (e) { >+ } >+ try { >+ setTimeout("assert_unreached('timeout')", 1000); >+ assert_unreached('timeout'); >+ } catch (e) { >+ } >+ }, "eval()-alikes should not have a sample."); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample.html >new file mode 100644 >index 0000000000000000000000000000000000000000..551978ffb41d61d171ffa2c104b88598f0a0c0d8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample.html 
>@@ -0,0 +1,94 @@ >+<!doctype html> >+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' 'report-sample'; style-src 'self'; img-src 'none'"> >+<script nonce="abc" src="/resources/testharness.js"></script> >+<script nonce="abc" src="/resources/testharnessreport.js"></script> >+<body> >+<script nonce="abc"> >+ function waitForViolation(el) { >+ return new Promise(resolve => { >+ el.addEventListener('securitypolicyviolation', e => resolve(e)); >+ }); >+ } >+ >+ async_test(t => { >+ var s = document.createElement('script'); >+ s.innerText = "assert_unreached('inline script block')"; >+ >+ waitForViolation(s) >+ .then(t.step_func_done(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.sample, "assert_unreached('inline script block')"); >+ })); >+ >+ document.head.append(s); >+ }, "Inline script should have a sample."); >+ >+ async_test(t => { >+ var a = document.createElement("a"); >+ a.setAttribute("onclick", "assert_unreached('inline event handler')"); >+ >+ waitForViolation(a) >+ .then(t.step_func_done(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.sample, "assert_unreached('inline event handler')"); >+ })); >+ >+ document.body.append(a); >+ a.click(); >+ }, "Inline event handlers should have a sample."); >+ >+ async_test(t => { >+ var i = document.createElement("iframe"); >+ i.src = "javascript:'inline url'"; >+ >+ waitForViolation(i) >+ .then(t.step_func_done(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.sample, "javascript:'inline url'"); >+ })); >+ >+ document.body.append(i); >+ }, "JavaScript URLs in iframes should have a sample."); >+ >+ async_test(t => { >+ document.addEventListener('securitypolicyviolation', t.step_func(e => { >+ if (e.blockedURI == "eval" && >+ e.sample == "assert_unreached('eval')") { >+ t.done(); >+ } >+ })); >+ try { >+ eval("assert_unreached('eval')"); >+ assert_unreached('eval'); >+ } catch (e) { >+ } >+ }, "eval() should have a sample."); >+ >+ 
async_test(t => { >+ document.addEventListener('securitypolicyviolation', t.step_func(e => { >+ if (e.blockedURI == "eval" && >+ e.sample == "assert_unreached('interval')") { >+ t.done(); >+ } >+ })); >+ try { >+ setInterval("assert_unreached('interval')", 1000); >+ assert_unreached('interval'); >+ } catch (e) { >+ } >+ }, "setInterval() should have a sample."); >+ >+ async_test(t => { >+ document.addEventListener('securitypolicyviolation', t.step_func(e => { >+ if (e.blockedURI == "eval" && >+ e.sample == "assert_unreached('timeout')") { >+ t.done(); >+ } >+ })); >+ try { >+ setTimeout("assert_unreached('timeout')", 1000); >+ assert_unreached('timeout'); >+ } catch (e) { >+ } >+ }, "setTimeout() should have a sample."); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..02d5f6ed8d57b961e2c1de0d1f3245b9921f4853 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub-expected.txt >@@ -0,0 +1,6 @@ >+Blocked access to external URL http://www2.localhost:8800/content-security-policy/support/inject-image.sub.js >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT Non-redirected cross-origin URLs are not stripped. Test timed out >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..65311c32ad6e27a744764800e43d5ddb47160e97 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html >@@ -0,0 +1,28 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="/content-security-policy/support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="img-src 'none'"> >+<body> >+<script> >+ async_test(t => { >+ waitUntilEvent(window, "securitypolicyviolation") >+ .then(t.step_func_done(e => { >+ assert_equals(e.documentURI, document.location.toString()); >+ assert_equals(e.referrer, document.referrer); >+ assert_equals(e.blockedURI, "http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/fail.png"); >+ assert_equals(e.violatedDirective, "img-src"); >+ assert_equals(e.effectiveDirective, "img-src"); >+ assert_equals(e.originalPolicy, "img-src \'none\'"); >+ assert_equals(e.disposition, "enforce"); >+ assert_equals(e.sourceFile, ""); >+ assert_equals(e.lineNumber, 0); >+ assert_equals(e.columnNumber, 0); >+ assert_equals(e.statusCode, 200); >+ })); >+ >+ var s = document.createElement("script"); >+ s.src = "{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/content-security-policy/support/inject-image.sub.js"; >+ document.body.appendChild(s); >+ }, "Non-redirected cross-origin URLs are not stripped."); >+</script> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..d7f90edbad7054a60d6057ed9cec9d2b787cacdf >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub-expected.txt >@@ -0,0 +1,6 @@ >+CONSOLE MESSAGE: Refused to load http://www.localhost:8800/content-security-policy/support/fail.png because it does not appear in the img-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT Non-redirected cross-origin URLs are not stripped. Test timed out >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..03829fe8a3686f9ce9c484b1e3fb2bdd328cc12f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html 
>@@ -0,0 +1,27 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="/content-security-policy/support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="img-src 'none'"> >+<body> >+<script> >+ async_test(t => { >+ waitUntilEvent(window, "securitypolicyviolation") >+ .then(t.step_func_done(e => { >+ assert_equals(e.documentURI, document.location.toString()); >+ assert_equals(e.referrer, document.referrer); >+ assert_equals(e.blockedURI, "{{location[scheme]}}://{{domains[www]}}:{{location[port]}}/content-security-policy/support/fail.png"); >+ assert_equals(e.violatedDirective, "img-src"); >+ assert_equals(e.effectiveDirective, "img-src"); >+ assert_equals(e.originalPolicy, "img-src \'none\'"); >+ assert_equals(e.disposition, "enforce"); >+ assert_equals(e.sourceFile, ""); >+ assert_equals(e.lineNumber, 0); >+ assert_equals(e.columnNumber, 0); >+ assert_equals(e.statusCode, 200); >+ })); >+ >+ var i = document.createElement("img"); >+ i.src = "{{location[scheme]}}://{{domains[www]}}:{{location[port]}}/content-security-policy/support/fail.png"; >+ }, "Non-redirected cross-origin URLs are not stripped."); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..e9726644d618f4b8180f84279d13114958ede081 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub-expected.txt 
>@@ -0,0 +1,7 @@ >+CONSOLE MESSAGE: Refused to load http://www.localhost:8800/content-security-policy/support/fail.png because it does not appear in the img-src directive of the Content Security Policy. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT Non-redirected cross-origin URLs are not stripped. Test timed out >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..0a7c2b43bff372ee4c1b9935306554068f07829f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html 
>@@ -0,0 +1,28 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="/content-security-policy/support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="img-src 'none'"> >+<body> >+<script> >+ async_test(t => { >+ waitUntilEvent(window, "securitypolicyviolation") >+ .then(t.step_func_done(e => { >+ assert_equals(e.documentURI, document.location.toString()); >+ assert_equals(e.referrer, document.referrer); >+ assert_equals(e.blockedURI, "http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/fail.png"); >+ assert_equals(e.violatedDirective, "img-src"); >+ assert_equals(e.effectiveDirective, "img-src"); >+ assert_equals(e.originalPolicy, "img-src \'none\'"); >+ assert_equals(e.disposition, "enforce"); >+ assert_equals(e.sourceFile, ""); >+ assert_equals(e.lineNumber, 0); >+ assert_equals(e.columnNumber, 0); >+ assert_equals(e.statusCode, 200); >+ })); >+ >+ var s = document.createElement("script"); >+ s.src = "/content-security-policy/support/inject-image.sub.js"; >+ document.body.appendChild(s); >+ }, "Non-redirected cross-origin URLs are not stripped."); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..211d506c6909d33c7058fd12319adbb7035cec10 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub-expected.txt 
>@@ -0,0 +1,6 @@ >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/fail.png because it does not appear in the img-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT Non-redirected same-origin URLs are not stripped. Test timed out >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..5dd82e6ddca482bdf6be75f53753465fad166c5b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html 
>@@ -0,0 +1,28 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="/content-security-policy/support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="img-src 'none'"> >+<body> >+<script> >+ async_test(t => { >+ waitUntilEvent(window, "securitypolicyviolation") >+ .then(t.step_func_done(e => { >+ assert_equals(e.documentURI, document.location.toString()); >+ assert_equals(e.referrer, document.referrer); >+ assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png"); >+ assert_equals(e.violatedDirective, "img-src"); >+ assert_equals(e.effectiveDirective, "img-src"); >+ assert_equals(e.originalPolicy, "img-src \'none\'"); >+ assert_equals(e.disposition, "enforce"); >+ assert_equals(e.sourceFile, ""); >+ assert_equals(e.lineNumber, 0); >+ assert_equals(e.columnNumber, 0); >+ assert_equals(e.statusCode, 200); >+ })); >+ >+ var i = document.createElement("img"); >+ i.src = "/content-security-policy/support/fail.png"; >+ }, "Non-redirected same-origin URLs are not stripped."); >+</script> >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..67f9f95280fcc4aa0376e34ef07145d2abf6afc8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-expected.txt 
>@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: The source list for Content Security Policy directive 'style-src' contains an invalid source: ''report-sample''. It will be ignored. >+CONSOLE MESSAGE: line 1: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 39: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT Inline style blocks should have a sample. Test timed out >+TIMEOUT Inline style attributes should have a sample. Test timed out >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-no-opt-in-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-no-opt-in-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..c9aeeb8ae7b4251819d7ebac7dd0dc2d57e97bef >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-no-opt-in-expected.txt >@@ -0,0 +1,8 @@ >+CONSOLE MESSAGE: line 1: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 39: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT Inline style blocks should not have a sample. Test timed out >+TIMEOUT Inline style attributes should not have a sample. Test timed out >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html >new file mode 100644 >index 0000000000000000000000000000000000000000..05caaaa41464c96e2360711f00b747cfb36269ce >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html >@@ -0,0 +1,39 @@ >+<!doctype html> >+<meta http-equiv="Content-Security-Policy" content="style-src 'nonce-abc'"> >+<script nonce="abc" src="/resources/testharness.js"></script> >+<script nonce="abc" src="/resources/testharnessreport.js"></script> >+<body> >+<script nonce="abc"> >+ function waitForViolation(el) { >+ return new Promise(resolve => { >+ el.addEventListener('securitypolicyviolation', e => resolve(e)); >+ }); >+ } >+ >+ async_test(t => { >+ var s = document.createElement('style'); >+ s.innerText = "p { omg: yay !important; }"; >+ >+ waitForViolation(s) >+ .then(t.step_func_done(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.sample, ""); >+ })); >+ >+ document.head.append(s); >+ }, "Inline style blocks should not have a sample."); >+ >+ async_test(t => { >+ var p = document.createElement('p'); >+ p.setAttribute("style", "omg: yay !important;"); >+ p.innerText = "Yay!"; >+ >+ waitForViolation(p) >+ .then(t.step_func_done(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.sample, ""); >+ })); >+ >+ document.head.append(p); >+ }, "Inline style attributes should not have a sample."); >+</script> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample.html >new file mode 100644 >index 0000000000000000000000000000000000000000..2b5d90ee7d191ec274f17983511f4289e41ba5bc >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample.html >@@ -0,0 +1,39 @@ >+<!doctype html> >+<meta http-equiv="Content-Security-Policy" content="style-src 'nonce-abc' 'report-sample'"> >+<script nonce="abc" src="/resources/testharness.js"></script> >+<script nonce="abc" src="/resources/testharnessreport.js"></script> >+<body> >+<script nonce="abc"> >+ function waitForViolation(el) { >+ return new Promise(resolve => { >+ el.addEventListener('securitypolicyviolation', e => resolve(e)); >+ }); >+ } >+ >+ async_test(t => { >+ var s = document.createElement('style'); >+ s.innerText = "p { omg: yay !important; }"; >+ >+ waitForViolation(s) >+ .then(t.step_func_done(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.sample, "p { omg: yay !important; }"); >+ })); >+ >+ document.head.append(s); >+ }, "Inline style blocks should have a sample."); >+ >+ async_test(t => { >+ var p = document.createElement('p'); >+ p.setAttribute("style", "omg: yay !important;"); >+ p.innerText = "Yay!"; >+ >+ waitForViolation(p) >+ .then(t.step_func_done(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.sample, "omg: yay !important;"); >+ })); >+ >+ document.head.append(p); >+ }, "Inline style attributes should have a sample."); >+</script> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/support/inside-worker.sub.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/support/inside-worker.sub.js >new file mode 100644 >index 0000000000000000000000000000000000000000..58bd02fd9ec8c5a5fbb1bfc26ae1f45186f474e0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/support/inside-worker.sub.js 
>@@ -0,0 +1,57 @@ >+importScripts("{{location[scheme]}}://{{host}}:{{location[port]}}/resources/testharness.js"); >+importScripts("{{location[scheme]}}://{{host}}:{{location[port]}}/content-security-policy/support/testharness-helper.js"); >+ >+var cspEventFiredInDocument = false; >+// ServiceWorker and Worker >+self.addEventListener("message", e => { >+ if (e.data == "SecurityPolicyViolation from Document") >+ cspEventFiredInDocument = true; >+}); >+// SharedWorker >+self.addEventListener("connect", c => { >+ c.ports[0].addEventListener("message", m => { >+ if (m.data == "SecurityPolicyViolation from Document") >+ cspEventFiredInDocument = true; >+ }); >+}); >+ >+async_test(t => { >+ var url = "{{location[scheme]}}://{{host}}:{{location[port]}}/content-security-policy/support/resource.py"; >+ assert_no_csp_event_for_url(t, url); >+ >+ fetch(url) >+ .catch(t.unreached_func("Fetch should succeed.")) >+ .then(t.step_func_done(r => { >+ assert_equals(r.status, 200); >+ assert_false(cspEventFiredInDocument); >+ })); >+}, "No SecurityPolicyViolation event fired for successful load."); >+ >+async_test(t => { >+ var url = "{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/content-security-policy/support/resource.py"; >+ waitUntilCSPEventForURL(t, url) >+ .then(t.step_func_done(e => { >+ assert_equals(e.blockedURI, url); >+ assert_false(cspEventFiredInDocument); >+ })); >+ >+ fetch(url) >+ .then(t.unreached_func("Fetch should not succeed.")) >+ .catch(t.step_func(e => assert_true(e instanceof TypeError))); >+}, "SecurityPolicyViolation event fired on global."); >+ >+async_test(t => { >+ var url = "{{location[scheme]}}://{{host}}:{{location[port]}}/common/redirect.py?location={{location[scheme]}}://{{domains[www]}}:{{location[port]}}/content-security-policy/support/ping.js"; >+ waitUntilCSPEventForURL(t, url) >+ .then(t.step_func_done(e => { >+ assert_equals(e.blockedURI, url); >+ assert_false(cspEventFiredInDocument); >+ })); >+ >+ fetch(url) >+ 
.then(t.unreached_func("Fetch should not succeed.")) >+ .catch(t.step_func(e => assert_true(e instanceof TypeError))); >+}, "SecurityPolicyViolation event fired on global with the correct blockedURI."); >+ >+// Worker tests need an explicit `done()`. >+done(); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/support/inside-worker.sub.js.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/support/inside-worker.sub.js.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..50ff4a5b94df68c5d20f9f46d76368f23d0d14f2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/support/inside-worker.sub.js.headers >@@ -0,0 +1,5 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Content-Security-Policy: connect-src 'self' >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/support/testharness-helper.sub.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/support/testharness-helper.sub.js >new file mode 100644 >index 0000000000000000000000000000000000000000..816b88fc6e47278aa469fb275b8a9299ecec24cc >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/support/testharness-helper.sub.js >@@ -0,0 +1,5 @@ >+function generateCrossOriginRedirectImage() { >+ var target = "http://{{host}}:{{ports[https][0]}}/content-security-policy/support/pass.png"; >+ var url = "/common/redirect.py?location=" + encodeURIComponent(target); >+ return { url: url, target: target } >+} >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/support/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/support/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..4fe842a3fe3d9b7033c11cd1a405f157e7d35b60 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/support/w3c-import.log >@@ -0,0 +1,19 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/support/inside-worker.sub.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/support/inside-worker.sub.js.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/support/testharness-helper.sub.js >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/targeting-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/targeting-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..4def5c7f36980245b458634345c675928378cf00 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/targeting-expected.txt 
>@@ -0,0 +1,22 @@ >+CONSOLE MESSAGE: line 70: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 75: Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 79: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 96: Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 1: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 144: Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 147: Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 169: Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+Click me! >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN These tests should not fail. >+FAIL Inline violations target the right element. assert_equals: expected "inline" but got "" >+TIMEOUT Correct targeting inside shadow tree (inline handler). Test timed out >+TIMEOUT Correct targeting inside shadow tree (style). Test timed out >+TIMEOUT Elements created in this document, but pushed into a same-origin frame trigger on that frame's document, not on this frame's document. 
Test timed out >+PASS Inline event handlers for disconnected elements target the document. >+PASS Inline event handlers for elements disconnected after triggering target the document. >+PASS Inline event handlers for elements in a DocumentFragment target the document. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/targeting.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/targeting.html >new file mode 100644 >index 0000000000000000000000000000000000000000..b21273ca555cb24aab369a752192ab87355339d2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/targeting.html 
>@@ -0,0 +1,169 @@ >+<!doctype html> >+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'; style-src 'self'"> >+<script nonce="abc" src="/resources/testharness.js"></script> >+<script nonce="abc" src="/resources/testharnessreport.js"></script> >+<script nonce="abc"> >+ var unexecuted_test = async_test("These tests should not fail."); >+ >+ async_test(t => { >+ var watcher = new EventWatcher(t, document, ['securitypolicyviolation']) >+ watcher.wait_for('securitypolicyviolation') >+ .then(t.step_func(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.target, document.querySelector('#block1')); >+ return watcher.wait_for('securitypolicyviolation'); >+ })) >+ .then(t.step_func(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.target, document.querySelector('#block2')); >+ return watcher.wait_for('securitypolicyviolation'); >+ })) >+ .then(t.step_func(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.target, document.querySelector('#block3')); >+ return watcher.wait_for('securitypolicyviolation'); >+ })) >+ .then(t.step_func(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.target, document.querySelector('#block4')); >+ return watcher.wait_for('securitypolicyviolation'); >+ })) >+ .then(t.step_func(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.target, document.querySelector('#block5')); >+ return watcher.wait_for('securitypolicyviolation'); >+ })) >+ .then(t.step_func(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.lineNumber, 118); >+ assert_in_array(e.columnNumber, [4, 6]); >+ assert_equals(e.target, document, "Elements created in this document, but pushed into a same-origin frame trigger on that frame's document, not on this frame's document."); >+ return watcher.wait_for('securitypolicyviolation'); >+ })) >+ .then(t.step_func(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.lineNumber, 131); >+ 
assert_in_array(e.columnNumber, [4, 59]); >+ assert_equals(e.target, document, "Elements created in this document, but pushed into a same-origin frame trigger on that frame's document, not on this frame's document."); >+ return watcher.wait_for('securitypolicyviolation'); >+ })) >+ .then(t.step_func(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.lineNumber, 139); >+ assert_in_array(e.columnNumber, [4, 6]); >+ assert_equals(e.target, document, "Inline event handlers for disconnected elements target the document."); >+ return watcher.wait_for('securitypolicyviolation'); >+ })) >+ .then(t.step_func(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.lineNumber, 0); >+ assert_equals(e.columnNumber, 0); >+ assert_equals(e.target, document, "Inline event handlers for elements disconnected after triggering target the document."); >+ })) >+ .then(t.step_func_done(_ => { >+ unexecuted_test.done(); >+ })); >+ }, "Inline violations target the right element."); >+ >+</script> >+<!-- Inline block with no nonce. --> >+<script id="block1"> >+ unexecuted_test.assert_unreached("This code block should not execute."); >+</script> >+ >+<!-- Inline event handler. --> >+<a id="block2" onclick="void(0)">Click me!</a> >+<script nonce='abc'>document.querySelector('#block2').click();</script> >+ >+<!-- Style block. 
--> >+<style id="block3"> >+ p { color: red !important; } >+</style> >+ >+<!-- Inline event handler inside Shadow DOM --> >+<div id="block4"></div> >+<script nonce='abc'> >+ async_test(t => { >+ var shadow = document.querySelector('#block4').attachShadow({"mode":"closed"}); >+ shadow.innerHTML = "<a id='block4a' onclick='void(0)'>Click!</a>"; >+ var a = shadow.querySelector('#block4a'); >+ a.addEventListener('securitypolicyviolation', t.step_func_done(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.target, a); >+ })); >+ a.click(); >+ }, "Correct targeting inside shadow tree (inline handler)."); >+</script> >+ >+<!-- Inline event handler inside Shadow DOM --> >+<div id="block5"></div> >+<script nonce='abc'> >+ async_test(t => { >+ var shadow = document.querySelector('#block5').attachShadow({"mode":"closed"}); >+ var style = document.createElement('style'); >+ style.innerText = 'p { color: red; }'; >+ style.addEventListener('securitypolicyviolation', t.step_func_done(e => { >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.target, style); >+ })); >+ shadow.appendChild(style); >+ }, "Correct targeting inside shadow tree (style)."); >+</script> >+ >+<!-- Pushed into a same-origin Document that isn't this Document --> >+<iframe id="block6"></iframe> >+<script nonce="abc"> >+ async_test(t => { >+ var d = document.createElement("div"); >+ d.setAttribute("onclick", "void(0);"); >+ var events = 0; >+ d.addEventListener('securitypolicyviolation', t.step_func(e => { >+ events++; >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.target, d); >+ })); >+ document.querySelector('#block6').contentDocument.addEventListener('securitypolicyviolation', t.step_func_done(e => { >+ events++; >+ assert_equals(e.blockedURI, "inline"); >+ assert_equals(e.target, d); >+ assert_equals(events, 2); >+ })); >+ document.querySelector('#block6').contentDocument.body.appendChild(d); >+ }, "Elements created in this document, but pushed into a same-origin 
frame trigger on that frame's document, not on this frame's document."); >+</script> >+ >+<!-- Disconnected inline event handler --> >+<script nonce="abc"> >+ async_test(t => { >+ var d = document.createElement("div"); >+ d.setAttribute("onclick", "void(0);"); >+ d.addEventListener('securitypolicyviolation', t.unreached_func()); >+ d.click(); >+ t.done(); >+ }, "Inline event handlers for disconnected elements target the document."); >+</script> >+ >+<!-- Inline event handler, disconnected after click. --> >+<a id="block8" onclick="void(0)">Click me also!</a> >+<script nonce="abc"> >+ async_test(t => { >+ var a = document.querySelector('#block8'); >+ a.addEventListener('securitypolicyviolation', t.unreached_func()); >+ a.click(); >+ a.parentNode.removeChild(a); >+ t.done(); >+ }, "Inline event handlers for elements disconnected after triggering target the document."); >+</script> >+ >+<!-- Disconnected in a DocumentFragment --> >+<script nonce="abc"> >+ async_test(t => { >+ var f = new DocumentFragment(); >+ var d = document.createElement('div'); >+ d.setAttribute('onclick', 'void(0)'); >+ d.addEventListener('securitypolicyviolation', t.unreached_func()); >+ f.appendChild(d); >+ d.click(); >+ t.done(); >+ }, "Inline event handlers for elements in a DocumentFragment target the document."); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..54cfc55c5914d46765a2f1b164b24d8c2660042e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https-expected.txt 
>@@ -0,0 +1,5 @@ >+ >+FAIL Upgraded image is reported Can't find variable: generateURL >+FAIL Upgraded iframe is reported Can't find variable: generateURL >+FAIL Navigated iframe is upgraded and reported Can't find variable: generateURL >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html >new file mode 100644 >index 0000000000000000000000000000000000000000..bf655a2e1b9512065fe19bd0e8f099b70c13eb5c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html 
>@@ -0,0 +1,92 @@ >+<!doctype html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="/upgrade-insecure-requests/support/testharness-helper.sub.js"></script> >+<body></body> >+<script> >+ function waitForViolation(el, effective_directive) { >+ return new Promise(resolve => { >+ el.addEventListener('securitypolicyviolation', e => { >+ if (e.effectiveDirective == effective_directive) >+ resolve(e); >+ }); >+ }); >+ } >+ >+ async_test(t => { >+ var url = generateURL(Host.SAME_ORIGIN, Protocol.INSECURE, ResourceType.IMAGE).url; >+ var i = document.createElement('img'); >+ var loaded = false; >+ var reported = false; >+ waitForViolation(window, "img-src") >+ .then(t.step_func(e => { >+ reported = true; >+ if (loaded) >+ t.done(); >+ })); >+ i.onload = t.step_func(_ => { >+ loaded = true; >+ if (reported) >+ t.done(); >+ }); >+ i.onerror = t.unreached_func(url + " should load successfully."); >+ i.src = url; >+ document.body.appendChild(i); >+ }, "Upgraded image is reported"); >+ >+ async_test(t => { >+ var url = generateURL(Host.SAME_ORIGIN, Protocol.INSECURE, ResourceType.FRAME).url; >+ var i = document.createElement('iframe'); >+ var loaded = false; >+ var reported = false; >+ waitForViolation(window, "frame-src") >+ .then(t.step_func(e => { >+ reported = true; >+ if (loaded) >+ t.done(); >+ })); >+ window.addEventListener("message", t.step_func(e => { >+ if (e.source == i.contentWindow) { >+ i.remove(); >+ loaded = true; >+ if (reported) >+ t.done(); >+ } >+ })); >+ i.src = url; >+ document.body.appendChild(i); >+ }, "Upgraded iframe is reported"); >+ >+ async_test(t => { >+ // Load an HTTPS iframe, then navigate it to an HTTP URL and check that the HTTP URL is both upgraded and reported. 
>+ var url = generateURL(Host.SAME_ORIGIN, Protocol.SECURE, ResourceType.FRAME).url; >+ var navigate_to = generateURL(Host.CROSS_ORIGIN, Protocol.INSECURE, ResourceType.FRAME).url; >+ var upgraded = new URL(navigate_to); >+ upgraded.protocol = "https"; >+ >+ var i = document.createElement('iframe'); >+ var loaded = false; >+ var reported = false; >+ >+ window.addEventListener("message", t.step_func(e => { >+ if (e.source == i.contentWindow) { >+ if (e.data.location == url) { >+ waitForViolation(window, "frame-src") >+ .then(t.step_func(e => { >+ reported = true; >+ if (loaded) >+ t.done(); >+ })); >+ i.contentWindow.location.href = navigate_to; >+ } else if (e.data.location == upgraded) { >+ loaded = true; >+ if (reported) >+ t.done(); >+ } >+ } >+ })); >+ i.src = url; >+ document.body.appendChild(i); >+ }, "Navigated iframe is upgraded and reported"); >+</script> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..b8bec0b95e3955cada8d5ddbd8af354cc60026f0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html.headers >@@ -0,0 +1,2 @@ >+Content-Security-Policy-Report-Only: frame-src https:; img-src https: >+Content-Security-Policy: upgrade-insecure-requests >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..99390175d5be165764b7d6bac5c3e6c34a5ca05e >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/w3c-import.log 
>@@ -0,0 +1,36 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-eval.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-inline.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/constructor-required-fields.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/idlharness.window.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-dedicated-worker.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-service-worker.https.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-shared-worker.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample.html 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/targeting.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html.headers >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-attr-allowed-src-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-attr-allowed-src-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..c3039695f9ca338694640a08ccd2ca035e5851e4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-attr-allowed-src-blocked-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Should apply the style attribute assert_true: expected true got false >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-attr-allowed-src-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-attr-allowed-src-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..567e22496ccbd15df87a44b602461a221639204c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-attr-allowed-src-blocked.html >@@ -0,0 +1,24 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="style-src-attr 'unsafe-inline'; >+ style-src 'none';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script> >+ var t = async_test("Should apply the style attribute"); >+ window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have fired a spv event")); >+ </script> >+</head> >+ >+<body style="background: green"> >+ <script> >+ t.step(function() { >+ assert_true(document.body.style.length > 0); >+ t.done(); >+ }); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..202b05aa0d90f83bed5f4c4858127d1b874b7ce6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed-expected.txt 
>@@ -0,0 +1,8 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'style-src-attr'. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should fire a security policy violation event >+FAIL The attribute style should not be applied assert_equals: expected 0 but got 10 >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..622c3bf76486cee122f317d9096eb4ce0455696a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed.html >@@ -0,0 +1,27 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="style-src-attr 'none'; >+ style-src 'unsafe-inline';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script> >+ var t = async_test("Should fire a security policy violation event"); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, 'style-src-attr'); >+ assert_equals(e.blockedURI, 'inline'); >+ })); >+ </script> >+</head> >+ >+<body style="background: green"> >+ <script> >+ async_test(function(test) { >+ assert_equals(document.body.style.length, 0); >+ test.done(); >+ }, "The attribute style should not be applied"); >+ </script> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..259f38b1f93cab04f103c8973174e82567e343f0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked-expected.txt >@@ -0,0 +1,10 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'style-src-elem'. >+ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'style-src-attr'. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should fire a security policy violation for the attribute >+FAIL The attribute style should not be applied and the inline style should be applied assert_equals: expected 0 but got 10 >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..279600ea2e18a56d0c429bccd0c19d311e932387 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked.html 
>@@ -0,0 +1,33 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="style-src-elem 'unsafe-inline'; >+ style-src-attr 'none';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script> >+ var t = async_test("Should fire a security policy violation for the attribute"); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, 'style-src-attr'); >+ assert_equals(e.blockedURI, 'inline'); >+ })); >+ </script> >+</head> >+ >+<body style="background: green"> >+ <style> >+ body {background: blue;} >+ </style> >+ >+ <script> >+ async_test(function(test) { >+ assert_equals(document.body.style.length, 0); >+ assert_equals(document.styleSheets.length, 1); >+ test.done(); >+ }, "The attribute style should not be applied and the inline style should be applied"); >+ </script> >+ >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..6f1d94eced0f4445ded24ca6caa8c60b21dbc53e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Inline style should be applied assert_equals: expected 1 but got 0 >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c15cf0bcf64cb535de38235bf1971cd7e4e7f1d0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked.html >@@ -0,0 +1,27 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="style-src-elem 'unsafe-inline'; >+ style-src 'none';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script> >+ var t = async_test("Inline style should be applied"); >+ window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have fired a spv event")); >+ </script> >+</head> >+ >+<body> >+ <style> >+ body {background: green;} >+ </style> >+ <script> >+ t.step(function() { >+ assert_equals(document.styleSheets.length, 1); >+ t.done(); >+ }); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..527ac485bd4e684fc16ccfa384c80f5e76feea44 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed-expected.txt 
>@@ -0,0 +1,10 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'style-src-elem'. >+ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'script-src-attr'. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should fire a security policy violation for the inline block >+FAIL The inline style should not be applied and the attribute style should be applied assert_equals: expected 0 but got 1 >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a42c9de9b84d2a30669742c3a1e7a423a572ac53 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed.html >@@ -0,0 +1,33 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="style-src-elem 'none'; >+ script-src-attr 'unsafe-inline'"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script> >+ var t = async_test("Should fire a security policy violation for the inline block"); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, 'style-src-elem'); >+ assert_equals(e.blockedURI, 'inline'); >+ })); >+ </script> >+</head> >+ >+<body style="background: green"> >+ <style> >+ body {background: blue;} >+ </style> >+ >+ <script> >+ async_test(function(test) { >+ assert_true(document.body.style.length > 0); >+ assert_equals(document.styleSheets.length, 0); >+ test.done(); >+ }, "The inline style should not be applied and the attribute style should be applied"); >+ </script> >+ >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..bfb581e7fb1a01e7c162c65716b621e3d022377e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed-expected.txt >@@ -0,0 +1,8 @@ >+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'style-src-elem'. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should fire a security policy violation event >+FAIL The inline style should not be applied assert_equals: expected 0 but got 1 >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..bf5014a45842f6d7e8ef888c5049a1c139fa5c69 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed.html 
>@@ -0,0 +1,30 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="style-src-elem 'none'; >+ style-src 'unsafe-inline';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script> >+ var t = async_test("Should fire a security policy violation event"); >+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, 'style-src-elem'); >+ assert_equals(e.blockedURI, 'inline'); >+ })); >+ </script> >+</head> >+ >+<body> >+ <style> >+ body {background: green;} >+ </style> >+ <script> >+ async_test(function(test) { >+ assert_equals(document.styleSheets.length, 0); >+ test.done(); >+ }, "The inline style should not be applied"); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..cbd2c087db9c26da26e63c592a8c9129cc1356c7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/w3c-import.log 
>@@ -0,0 +1,22 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-attr-allowed-src-blocked.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/injected-inline-style-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/injected-inline-style-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..59b2ce79b81d387d9d40a4016b7736b837d47021 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/injected-inline-style-allowed.sub-expected.txt 
>@@ -0,0 +1,3 @@ >+ >+PASS Expecting logs: ["PASS: 2 stylesheets on the page."] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/injected-inline-style-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/injected-inline-style-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..e91c4e46ac7df40e98791155d53e9f3a947b45cd >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/injected-inline-style-allowed.sub.html >@@ -0,0 +1,40 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>injected-inline-style-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS: 2 stylesheets on the page."]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("Fail"); >+ }); >+ </script> >+ >+ <div id="test1"> >+ FAIL 1/2 >+ </div> >+ >+ <div id="test2"> >+ FAIL 2/2 >+ </div> >+ >+ <script src="support/inject-style.js"></script> >+ <script> >+ if (document.styleSheets.length === 2) >+ log("PASS: 2 stylesheets on the page."); >+ else >+ log("FAIL: " + document.styleSheets.length + " stylesheets on the page (should be 2)."); >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/injected-inline-style-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/injected-inline-style-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..7e77146342d9e96dbf19750d425cdd438732ad9d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/injected-inline-style-blocked.sub-expected.txt >@@ -0,0 +1,5 @@ >+PASS 1/2 >+PASS 2/2 >+ >+FAIL Expecting logs: ["violated-directive=style-src-elem","PASS"] assert_unreached: Logging timeout, expected logs violated-directive=style-src-elem not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/injected-inline-style-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/injected-inline-style-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..978671223e85996112fd5429969eb35e7eda09d5 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/injected-inline-style-blocked.sub.html 
>@@ -0,0 +1,36 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>injected-inline-style-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["violated-directive=style-src-elem","PASS"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ </script> >+ >+ <div id="test1"> >+ PASS 1/2 >+ </div> >+ <div id="test2"> >+ PASS 2/2 >+ </div> >+ >+ <script src="support/inject-style.js"></script> >+ <script> >+ log(document.styleSheets.length == 0 ? "PASS" : "FAIL"); >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..7f6deac0801d89631e83583cd83d6bbf32f96bb3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub-expected.txt 
>@@ -0,0 +1,37 @@ >+CONSOLE MESSAGE: line 118: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. >+This test ensures that styles can be set by object.cloneNode() >+ >+This is a div (nodes) >+This is a div. (node 1 or 2) >+This is a div. (node 1 or 2) >+This is a div. (node 3 or 4) >+Node #4 >+Yet another div. >+Yet another div. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that violation report event was fired >+PASS inline-style-allowed-while-cloning-objects >+FAIL inline-style-allowed-while-cloning-objects 1 null is not an object (evaluating 'node2.style.background.match(/yellow/)[0]') >+PASS inline-style-allowed-while-cloning-objects 2 >+FAIL inline-style-allowed-while-cloning-objects 3 null is not an object (evaluating 'node4.style.background.match(/blue/)[0]') >+PASS inline-style-allowed-while-cloning-objects 4 >+PASS inline-style-allowed-while-cloning-objects 5 >+PASS inline-style-allowed-while-cloning-objects 6 >+PASS inline-style-allowed-while-cloning-objects 7 >+PASS inline-style-allowed-while-cloning-objects 8 >+PASS inline-style-allowed-while-cloning-objects 9 >+PASS inline-style-allowed-while-cloning-objects 10 >+PASS inline-style-allowed-while-cloning-objects 11 >+PASS inline-style-allowed-while-cloning-objects 12 >+PASS inline-style-allowed-while-cloning-objects 13 >+PASS inline-style-allowed-while-cloning-objects 14 >+PASS inline-style-allowed-while-cloning-objects 15 >+PASS inline-style-allowed-while-cloning-objects 16 >+PASS inline-style-allowed-while-cloning-objects 17 >+FAIL inline-style-allowed-while-cloning-objects 18 assert_equals: expected "rgb(238, 130, 238) none repeat scroll 0% 0% / auto padding-box border-box" but got "rgba(0, 0, 0, 0) none repeat scroll 0% 0% / auto padding-box border-box" >+FAIL inline-style-allowed-while-cloning-objects 19 assert_equals: expected "rgb(238, 130, 238) none repeat scroll 0% 0% / auto 
padding-box border-box" but got "rgba(0, 0, 0, 0) none repeat scroll 0% 0% / auto padding-box border-box" >+PASS inline-style-allowed-while-cloning-objects 20 >+PASS inline-style-allowed-while-cloning-objects 21 >+Yet another div. >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..7fdd5f6fb0c5bc50fe1fe84715c785d1d5380feb >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html 
>@@ -0,0 +1,127 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>inline-style-allowed-while-cloning-objects</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script> >+ var t = async_test("Test that violation report event was fired"); >+ window.addEventListener("securitypolicyviolation", t.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "style-src"); >+ })); >+ window.onload = function() { >+ window.nodes = document.getElementById('nodes'); >+ window.node1 = document.getElementById('node1'); >+ window.node1.style.background = "yellow"; >+ window.node1.style.color = "red"; >+ window.node2 = document.getElementById('node1').cloneNode(true); >+ window.node2.id = "node2"; >+ window.node3 = document.getElementById('node3'); >+ window.node3.style.background = "blue"; >+ window.node3.style.color = "green"; >+ window.node4 = document.getElementById('node3').cloneNode(false); >+ window.node4.id = "node4"; >+ window.node4.innerHTML = "Node #4"; >+ nodes.appendChild(node1); >+ nodes.appendChild(node2); >+ nodes.appendChild(node3); >+ nodes.appendChild(node4); >+ test(function() { >+ assert_equals(node1.style.background.match(/yellow/)[0], "yellow") >+ }); >+ test(function() { >+ assert_equals(node2.style.background.match(/yellow/)[0], "yellow") >+ }); >+ test(function() { >+ assert_equals(node3.style.background.match(/blue/)[0], "blue") >+ }); >+ test(function() { >+ assert_equals(node4.style.background.match(/blue/)[0], "blue") >+ }); >+ test(function() { >+ assert_equals(node1.style.color, "red") >+ }); >+ test(function() { >+ assert_equals(node2.style.color, "red") >+ }); >+ test(function() { >+ assert_equals(node3.style.color, "green") >+ }); >+ 
test(function() { >+ assert_equals(node4.style.color, "green") >+ }); >+ test(function() { >+ assert_equals(window.getComputedStyle(node1).background, window.getComputedStyle(node2).background) >+ }); >+ test(function() { >+ assert_equals(window.getComputedStyle(node3).background, window.getComputedStyle(node4).background) >+ }); >+ test(function() { >+ assert_equals(window.getComputedStyle(node1).color, window.getComputedStyle(node2).color) >+ }); >+ test(function() { >+ assert_equals(window.getComputedStyle(node3).color, window.getComputedStyle(node4).color) >+ }); >+ window.ops = document.getElementById('ops'); >+ ops.style.color = 'red'; >+ window.clonedOps = ops.cloneNode(true); >+ window.violetOps = document.getElementById('violetOps'); >+ violetOps.style.background = 'rgb(238, 130, 238)'; >+ document.getElementsByTagName('body')[0].appendChild(clonedOps); >+ test(function() { >+ assert_equals(ops.style.background, "") >+ }); >+ test(function() { >+ assert_equals(ops.style.color, "red") >+ }); >+ test(function() { >+ assert_equals(clonedOps.style.background, "") >+ }); >+ test(function() { >+ assert_equals(violetOps.style.background.match(/rgb\(238, 130, 238\)/)[0], "rgb(238, 130, 238)") >+ }); >+ test(function() { >+ assert_equals(window.getComputedStyle(clonedOps).background, window.getComputedStyle(ops).background) >+ }); >+ test(function() { >+ assert_equals(window.getComputedStyle(clonedOps).color, window.getComputedStyle(ops).color) >+ }); >+ test(function() { >+ assert_equals(window.getComputedStyle(ops).background, window.getComputedStyle(violetOps).background) >+ }); >+ test(function() { >+ assert_equals(window.getComputedStyle(clonedOps).background, window.getComputedStyle(violetOps).background) >+ }); >+ test(function() { >+ assert_equals(ops.id, "ops") >+ }); >+ test(function() { >+ assert_equals(ops.id, clonedOps.id) >+ }); >+ }; >+ >+ </script> >+</head> >+ >+<body> >+ <p> >+ This test ensures that styles can be set by object.cloneNode() >+ </p> 
>+ <div id="nodes"> >+ This is a div (nodes) >+ <div id="node1"> This is a div. (node 1 or 2)</div> >+ <div id="node3"> This is a div. (node 3 or 4)</div> >+ </div> >+ <div id="ops" style="background: rgb(238, 130, 238)"> >+ Yet another div. >+ </div> >+ <div id="violetOps"> >+ Yet another div. >+ </div> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..70bc2cda491939c14428e19cbaff031dfe3d822a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-allowed.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Expecting logs: ["PASS"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..b0aa211b94dcc5a5de004fd4a7a930ea3265eb58 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-allowed.sub.html 
>@@ -0,0 +1,34 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';"> >+ <title>inline-style-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("Fail"); >+ }); >+ </script> >+ >+ <style> >+ .target { >+ background-color: blue; >+ } >+ >+ </style> >+</head> >+ >+<body class="target"> >+ <script> >+ log(document.styleSheets.length > 0 ? 'PASS' : 'FAIL'); >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..70bc2cda491939c14428e19cbaff031dfe3d822a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-allowed.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Expecting logs: ["PASS"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..048e4067c5ecb3caa7fa0e808754b354b864bf96 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-allowed.sub.html >@@ -0,0 +1,28 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';"> >+ <title>inline-style-attribute-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body style="background-color: blue;"> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("Fail"); >+ }); >+ </script> >+ >+ <script> >+ log(document.body.style.length > 0 ? 'PASS' : 'FAIL'); >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..9e69de833cb017259de043ded67e8a56ea737395 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-blocked.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Expecting logs: ["violated-directive=style-src-attr","PASS"] assert_unreached: Logging timeout, expected logs violated-directive=style-src-attr not sent. Reached unreachable code >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..71e5a88b7a554a9c99caad4d00b944f1c4bd915f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-blocked.sub.html >@@ -0,0 +1,27 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';"> >+ <title>inline-style-attribute-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["violated-directive=style-src-attr","PASS"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ </script> >+</head> >+<body style="background-color: blue;"> >+ >+ <script> >+ log(document.body.style.length > 0 ? 'FAIL' : 'PASS'); >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-on-html.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-on-html.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..c747d4914ed76d256115137ce4d2c584521cf370 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-on-html.sub-expected.txt >@@ -0,0 +1,5 @@ >+Even though this page has a CSP policy the blocks inline style, the style attribute on the HTML element still takes effect because it preceeds the meta element. >+ >+ >+PASS Expecting logs: ["PASS"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-on-html.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-on-html.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..91faf091663d8984ee9476eae9abc44e8461a4b0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-on-html.sub.html >@@ -0,0 +1,28 @@ >+<!DOCTYPE html> >+<script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("Fail"); >+ }); >+</script> >+<html style="background-color: blue;"> >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'"> >+ <title>inline-style-attribute-on-html</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <p>Even though this page has a CSP policy the blocks inline style, the style attribute on the HTML element still takes effect because it preceeds the meta element. >+ </p> >+ <script> >+ log(document.documentElement.style.length > 0 ? 'PASS' : 'FAIL'); >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..70bc2cda491939c14428e19cbaff031dfe3d822a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-blocked.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Expecting logs: ["PASS"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..3f34437dffdef631d065dbbfe1c696659a733fb1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-blocked.sub.html 
>@@ -0,0 +1,33 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';"> >+ <title>inline-style-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ </script> >+ <style> >+ .target { >+ background-color: blue; >+ } >+ >+ </style> >+</head> >+ >+<body class="target"> >+ <script> >+ log(document.styleSheets.length > 0 ? 'FAIL' : 'PASS'); >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/resources/allowed.css b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/resources/allowed.css >new file mode 100644 >index 0000000000000000000000000000000000000000..35a89982175fc3fb1b7bec78c886c9bb9bd62154 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/resources/allowed.css >@@ -0,0 +1,3 @@ >+#test { >+ color: green; >+} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/resources/style-src-import.sub.css b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/resources/style-src-import.sub.css >new file mode 100644 >index 0000000000000000000000000000000000000000..bd1d6ac7eabea87c50d2dccaa8841335cdd948d9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/resources/style-src-import.sub.css 
>@@ -0,0 +1 @@ >+@import "http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/style-src/style-src.css"; >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/resources/style-src-inject-style.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/resources/style-src-inject-style.js >new file mode 100644 >index 0000000000000000000000000000000000000000..99a9c2a46450a5324668790f66f0fd9f873cd616 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/resources/style-src-inject-style.js >@@ -0,0 +1,5 @@ >+document.write("<style>#content { margin-left: 2px; }</style>"); >+ >+var s = document.createElement('style'); >+s.innerText = "#content { margin-right: 2px; }"; >+document.getElementsByTagName('body')[0].appendChild(s); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/resources/style-src.css b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/resources/style-src.css >new file mode 100644 >index 0000000000000000000000000000000000000000..d76606eb6df1d550a7f6cce5a2c450c93d3e3c77 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/resources/style-src.css >@@ -0,0 +1 @@ >+#content { margin-left: 2px; } >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/resources/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/resources/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..9223b74b98c9f1c509f4710777d24af6d317da75 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/resources/w3c-import.log 
>@@ -0,0 +1,20 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/resources/allowed.css >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/resources/style-src-import.sub.css >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/resources/style-src-inject-style.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/resources/style-src.css >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..70bc2cda491939c14428e19cbaff031dfe3d822a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-allowed.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Expecting logs: ["PASS"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..fd4dfe63a88edb622704efced86fb93b26fdbc1d >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-allowed.sub.html >@@ -0,0 +1,28 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="style-src *; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';"> >+ <title>style-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("Fail"); >+ }); >+ </script> >+ <link rel="stylesheet" href="resources/blue.css"> >+</head> >+ >+<body> >+ <script> >+ log(document.styleSheets.length > 0 ? 'PASS' : 'FAIL'); >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..b4f6372371bd6fb3a172937dcc078944af2c4a57 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-blocked.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Expecting logs: ["violated-directive=style-src","PASS"] assert_unreached: Logging timeout, expected logs violated-directive=style-src not sent. Reached unreachable code >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..4e590722d57a8708ecca4bc6b564fdaee1675748 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-blocked.sub.html >@@ -0,0 +1,28 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-inline'; connect-src 'self';"> >+ <title>style-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["violated-directive=style-src","PASS"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ </script> >+ <link rel="stylesheet" href="resources/blue.css"> >+</head> >+ >+<body> >+ <script> >+ log(document.styleSheets.length > 0 ? 'FAIL' : 'PASS'); >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-error-event-fires-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-error-event-fires-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..2d7bb0604c476a7582bdb7a3dcb4215a4f7d3e70 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-error-event-fires-expected.txt 
>@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/style-src/resources/style-src.css because it does not appear in the style-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/style-src/resources/style-src.css because it does not appear in the style-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 29: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test error event fires on stylesheet link >+NOTRUN Test error event fires on inline style >+Lorem ipsum >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-error-event-fires.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-error-event-fires.html >new file mode 100644 >index 0000000000000000000000000000000000000000..2c788b550c02f86979d6c26b4405ecb0602a6e0c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-error-event-fires.html 
>@@ -0,0 +1,34 @@ >+<!doctype html> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'none';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ >+ <script> >+ function styleError(t) { >+ t.done(); >+ } >+ >+ function styleLoad(t) { >+ t.unreached_func("Should not be able to load style"); >+ } >+ >+ var t1 = async_test("Test error event fires on stylesheet link"); >+ var t2 = async_test("Test error event fires on inline style") >+ </script> >+ >+</head> >+<body> >+ <div id='log'></div> >+ >+ <div id="content">Lorem ipsum</div> >+ >+ <link onerror="styleError(t1)" onload="styleLoad(t1)" href="/content-security-policy/style-src/resources/style-src.css" rel=stylesheet type=text/css> >+ >+ <style onerror="styleError(t2)" onload="styleLoad(t2)"> >+ #content { margin-left: 2px; } >+ </style> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..1522760732026189716bf79c2a548dc8ba826b80 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-allowed-expected.txt >@@ -0,0 +1,5 @@ >+ >+PASS All style elements should load because they have proper hashes >+Lorem ipsum >+Lorem ipsum >+Lorem ipsum >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..8128f2f1d3acb5289cd7f711beb2c75977c753d7 >--- /dev/null 
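Review bot: In style-src-error-event-fires.html the styleLoad handler calls `t.unreached_func("Should not be able to load style")` but never invokes the function it returns, so a stylesheet that wrongly loads would not fail the subtest; the upstream test should use `t.unreached_func(...)()` or `t.step(function() { assert_unreached(...); })`. In WebKit the expectation shows the opposite problem: Harness Error (TIMEOUT) with both subtests NOTRUN, meaning neither the CSP-blocked `<link>` nor the CSP-blocked `<style>` fires `error`, so the timeout is the only signal. The console lines confirm both loads were refused by CSP, so the NOTRUN is an engine gap (no error event for CSP-blocked stylesheets) and deserves a bug reference next to this expectation rather than a bare baseline. Note too that the "Refused to load .../style-src.css" message appears twice for a single `<link>`; worth checking whether the preload scanner and the real load each report it, since the same path would then emit duplicate violation reports to a report-uri endpoint.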
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-allowed.html >@@ -0,0 +1,42 @@ >+<!doctype html> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="style-src >+ 'sha256-7kQ1KhZCpEzWtsa0RSpbIL7FU3kPNhE3IJMaNeTclMU=' >+ 'sha384-OliBBQtittDq3qDaEttMlHG1viNf50PLjSlvXirHZHpeKApMClrTJz+7VB5RTWdN' >+ 'sha512-4/SpqCV0WGbb2QZXBViFlnms4M0I+aUGg9/tIhr10twU89nlMSBLOhi3cVli39kyBZbUAlzk9xcVTMy+JDY+VA=='"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ >+ <script> >+ var t = async_test("All style elements should load because they have proper hashes"); >+ document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation")); >+ </script> >+ >+ <style>#content1 { margin-left: 2px; }</style> >+ <style>#content2 { margin-left: 2px; }</style> >+ <style>#content3 { margin-left: 2px; }</style> >+</head> >+<body> >+ <div id='log'></div> >+ >+ <div id="content1">Lorem ipsum</div> >+ <div id="content2">Lorem ipsum</div> >+ <div id="content3">Lorem ipsum</div> >+ >+ <script> >+ function make_assert(contentId) { >+ var contentEl = document.getElementById(contentId); >+ var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left'); >+ assert_true(marginLeftVal == "2px") >+ } >+ t.step(function() { >+ make_assert("content1"); >+ make_assert("content2"); >+ make_assert("content3"); >+ t.done(); >+ }); >+ </script> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..4d4d57e1be467563be002e130b62c783eafc87ce >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-blocked-expected.txt >@@ -0,0 +1,6 @@ >+ >+PASS Should load the style with a correct hash >+PASS Should not load style that does not match hash >+FAIL Should fire a securitypolicyviolation event assert_equals: expected "style-src 'sha256-7kQ1KhZCpEzWtsa0RSpbIL7FU3kPNhE3IJMaNeTclMU='" but got "style-src-elem" >+Lorem ipsum >+Lorem ipsum >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..dec3b6e853b2a95dfad499a824f41bb529440075 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-blocked.html 
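Review bot: The FAIL in style-src-hash-blocked-expected.txt, and the identical ones in style-src-imported-style-blocked, style-src-injected-inline-style-blocked, style-src-injected-stylesheet-blocked and style-src-inline-style-blocked, are one engine gap rather than five separate test problems: the tests expect e.violatedDirective to be the directive name `style-src-elem`, while WebKit reports the full directive text (`style-src 'self'`, `style-src 'sha256-7kQ1KhZCpEzWtsa0RSpbIL7FU3kPNhE3IJMaNeTclMU='`). State that shared cause once in the ChangeLog so the expectations are not re-investigated file by file. Also be aware that these tests write the assertion as `assert_equals("style-src-elem", e.violatedDirective)`, i.e. with the actual and expected arguments swapped, which is why every baseline reads expected "style-src 'self'" but got "style-src-elem"; the message is backwards and will mislead anyone reading the expectation files later.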
>@@ -0,0 +1,48 @@ >+<!doctype html> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="style-src >+ 'sha256-7kQ1KhZCpEzWtsa0RSpbIL7FU3kPNhE3IJMaNeTclMU='"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ >+ <script> >+ var t1 = async_test("Should load the style with a correct hash"); >+ var t2 = async_test("Should not load style that does not match hash"); >+ var t_spv = async_test("Should fire a securitypolicyviolation event"); >+ >+ document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals("style-src-elem", e.violatedDirective); >+ })); >+ </script> >+ >+ <style>#content1 { margin-left: 2px; }</style> >+ <style>#content2 { margin-left: 2px; }</style> >+</head> >+<body> >+ <div id='log'></div> >+ >+ <div id="content1">Lorem ipsum</div> >+ <div id="content2">Lorem ipsum</div> >+ >+ <script> >+ function make_assert(contentId, assertTrue) { >+ var contentEl = document.getElementById(contentId); >+ var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left'); >+ if (assertTrue) assert_true(marginLeftVal == "2px"); >+ else assert_false(marginLeftVal == "2px"); >+ } >+ >+ t1.step(function() { >+ make_assert("content1", true); >+ t1.done(); >+ }); >+ >+ t2.step(function() { >+ make_assert("content2", false); >+ t2.done(); >+ }); >+ >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-default-src-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-default-src-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..1522760732026189716bf79c2a548dc8ba826b80 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-default-src-allowed-expected.txt 
>@@ -0,0 +1,5 @@ >+ >+PASS All style elements should load because they have proper hashes >+Lorem ipsum >+Lorem ipsum >+Lorem ipsum >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-default-src-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-default-src-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..4f970cec71ddd909e8553952e4051182f5aa8b64 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-default-src-allowed.html 
>@@ -0,0 +1,42 @@ >+<!doctype html> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; default-src >+ 'sha256-7kQ1KhZCpEzWtsa0RSpbIL7FU3kPNhE3IJMaNeTclMU=' >+ 'sha384-OliBBQtittDq3qDaEttMlHG1viNf50PLjSlvXirHZHpeKApMClrTJz+7VB5RTWdN' >+ 'sha512-4/SpqCV0WGbb2QZXBViFlnms4M0I+aUGg9/tIhr10twU89nlMSBLOhi3cVli39kyBZbUAlzk9xcVTMy+JDY+VA=='"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ >+ <script> >+ var t = async_test("All style elements should load because they have proper hashes") >+ document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation")); >+ </script> >+ >+ <style>#content1 { margin-left: 2px; }</style> >+ <style>#content2 { margin-left: 2px; }</style> >+ <style>#content3 { margin-left: 2px; }</style> >+</head> >+<body> >+ <div id='log'></div> >+ >+ <div id="content1">Lorem ipsum</div> >+ <div id="content2">Lorem ipsum</div> >+ <div id="content3">Lorem ipsum</div> >+ >+ <script> >+ function make_assert(contentId) { >+ var contentEl = document.getElementById(contentId); >+ var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left'); >+ assert_true(marginLeftVal == "2px") >+ } >+ t.step(function() { >+ make_assert("content1"); >+ make_assert("content2"); >+ make_assert("content3"); >+ t.done(); >+ }); >+ </script> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-imported-style-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-imported-style-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..6e2e2ae517b3b9e702089f92869f3a5487b032ce >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-imported-style-allowed.sub-expected.txt 
>@@ -0,0 +1,4 @@ >+Blocked access to external URL http://www1.localhost:8800/content-security-policy/style-src/style-src.css >+ >+PASS Imported style that violates policy should not load >+Lorem ipsum >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-imported-style-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-imported-style-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..3f57e30e0f890ad28ca36a2c62d58331810cda71 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-imported-style-allowed.sub.html >@@ -0,0 +1,30 @@ >+<!doctype html> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'self' http://{{domains[www1]}}:{{ports[http][0]}}"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ >+ <script> >+ var t = async_test("Imported style that violates policy should not load"); >+ document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation")); >+ </script> >+ >+ <link href="/content-security-policy/style-src/resources/style-src-import.sub.css" rel=stylesheet type=text/css> >+</head> >+<body> >+ <div id='log'></div> >+ >+ <div id="content">Lorem ipsum</div> >+ >+ <script> >+ t.step(function() { >+ var contentEl = document.getElementById("content"); >+ var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left'); >+ assert_false(marginLeftVal == "2px") >+ t.done(); >+ }); >+ </script> >+ >+</body> >+</html> 
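Review bot: style-src-imported-style-allowed.sub-expected.txt passes, but its first line, `Blocked access to external URL http://www1.localhost:8800/content-security-policy/style-src/style-src.css`, is the test runner refusing a non-local host, not a CSP decision; the @import target never reaches the CSP check, so the assertion that margin-left is not 2px is satisfied for the wrong reason and the test does not currently exercise style-src for @import at all. The same message appears in style-src-injected-stylesheet-allowed.sub-expected.txt, where it turns a stylesheet the policy explicitly allows into a FAIL. Both point at the runner's treatment of the `{{domains[www1]}}` host rather than at CSP; either allow www1.localhost in the runner or skip these two in TestExpectations with that reason, instead of committing the PASS and the FAIL as CSP baselines.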
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-imported-style-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-imported-style-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..1688dab757cb4c901c70dadf56e8ca7f4bd55cf0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-imported-style-blocked-expected.txt >@@ -0,0 +1,4 @@ >+ >+PASS @import stylesheet should not load because it does not match style-src >+FAIL Should fire a securitypolicyviolation event assert_equals: expected "style-src 'self'" but got "style-src-elem" >+Lorem ipsum >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-imported-style-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-imported-style-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..e5016c2382f461cddc21c585bb5b49f2ecaedd7d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-imported-style-blocked.html 
>@@ -0,0 +1,38 @@ >+<!doctype html> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'self';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ >+ <script> >+ var t = async_test("@import stylesheet should not load because it does not match style-src"); >+ var t_spv = async_test("Should fire a securitypolicyviolation event"); >+ >+ document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals("style-src-elem", e.violatedDirective); >+ })); >+ >+ var l = document.createElement("link"); >+ l.setAttribute("href", "/content-security-policy/style-src/resources/style-src-import.sub.css"); >+ l.setAttribute("rel", "stylesheet"); >+ l.setAttribute("type", "text/css"); >+ document.head.appendChild(l); >+ </script> >+</head> >+<body> >+ <div id='log'></div> >+ >+ <div id="content">Lorem ipsum</div> >+ >+ <script> >+ t.step(function() { >+ var contentEl = document.getElementById("content"); >+ var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left'); >+ assert_false(marginLeftVal == "2px"); >+ t.done(); >+ }); >+ </script> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-inline-style-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-inline-style-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..9c01a6d7d1ce0c60c24735b7dc8980410f7f3fe4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-inline-style-allowed-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Injected inline style should load with 'unsafe-inline' >+Lorem ipsum 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-inline-style-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-inline-style-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..4893e56031445771f447e2680153d22645291385 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-inline-style-allowed.html >@@ -0,0 +1,34 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; style-src 'unsafe-inline'"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ >+ <script> >+ var t = async_test("Injected inline style should load with 'unsafe-inline'"); >+ document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation")); >+ </script> >+ >+</head> >+<body> >+ <div id='log'></div> >+ >+ <div id="content">Lorem ipsum</div> >+ >+ <script src='/content-security-policy/style-src/resources/style-src-inject-style.js'></script> >+ >+ <script> >+ t.step(function() { >+ onload = t.step_func_done(function(e) { >+ var contentEl = document.getElementById("content"); >+ var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left'); >+ assert_true(marginLeftVal == "2px"); >+ var marginRightVal = getComputedStyle(contentEl).getPropertyValue('margin-right'); >+ assert_true(marginRightVal == "2px"); >+ }); >+ }); >+ </script> >+ >+</body> >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-inline-style-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-inline-style-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..95221697dc4d1ba961797a99efca98800ccfcee6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-inline-style-blocked-expected.txt >@@ -0,0 +1,4 @@ >+ >+PASS Injected style attributes should not be applied >+FAIL Should fire a securitypolicyviolation event assert_equals: expected "style-src 'self'" but got "style-src-elem" >+Lorem ipsum >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-inline-style-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-inline-style-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..fd27938f0674270f0f0d489204c21215777ac85c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-inline-style-blocked.html 
>@@ -0,0 +1,40 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; style-src 'self'"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ >+ <script> >+ var t = async_test("Injected style attributes should not be applied"); >+ var t_spv = async_test("Should fire a securitypolicyviolation event"); >+ >+ document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals("style-src-elem", e.violatedDirective); >+ })); >+ </script> >+</head> >+<body> >+ <div id='log'></div> >+ >+ <div id="content">Lorem ipsum</div> >+ >+ <script src='/content-security-policy/style-src/resources/style-src-inject-style.js'></script> >+ >+ <script> >+ onload = t.step_func_done(function(e) { >+ var contentEl = document.getElementById("content"); >+ >+ // the 'style-src-inject-style.js' script attempts to set attributes in two ways, >+ // once the left and once the right margin >+ // this is why in this test we check both to make sure neither way worked >+ >+ var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left'); >+ assert_false(marginLeftVal == "2px"); >+ var marginRightVal = getComputedStyle(contentEl).getPropertyValue('margin-right'); >+ assert_false(marginRightVal == "2px"); >+ }); >+ </script> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-stylesheet-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-stylesheet-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..9a54caefb033ad71a779d6e1c4f591eb6ee8ce66 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-stylesheet-allowed.sub-expected.txt 
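Review bot: style-src-injected-inline-style-blocked.html names its test "Injected style attributes should not be applied" and its comment says style-src-inject-style.js sets attributes in two ways, yet the securitypolicyviolation handler asserts `style-src-elem`, whereas style-src-inline-style-attribute-blocked.html asserts `style-src-attr` for a style attribute. Confirm against the injection script which directive upstream intends before treating this file's FAIL as purely the violatedDirective naming gap; otherwise a later fix to violatedDirective can leave this file failing for a different reason than the one recorded.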
>@@ -0,0 +1,4 @@ >+Blocked access to external URL http://www1.localhost:8800/content-security-policy/style-src/resources/style-src.css >+ >+FAIL Programatically injected stylesheet should load assert_true: expected true got false >+Lorem ipsum >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-stylesheet-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-stylesheet-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..aa5e0bde8a1d17f44bd7bd78cb886f0e59053c87 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-stylesheet-allowed.sub.html 
>@@ -0,0 +1,35 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; style-src http://{{domains[www1]}}:{{ports[http][0]}};"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ >+ <script> >+ var t = async_test("Programatically injected stylesheet should load"); >+ document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation")); >+ </script> >+ >+ <script> >+ var head = document.getElementsByTagName('head')[0]; >+ var link = document.createElement('link'); >+ link.setAttribute('rel', 'stylesheet'); >+ link.setAttribute('type', 'text/css'); >+ link.setAttribute('href', 'http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/style-src/resources/style-src.css'); >+ >+ onload = t.step_func_done(function(e) { >+ var contentEl = document.getElementById("content"); >+ var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left'); >+ assert_true(marginLeftVal == "2px"); >+ }); >+ >+ head.appendChild(link); >+ </script> >+</head> >+<body> >+ <div id='log'></div> >+ >+ <div id="content">Lorem ipsum</div> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..eaf482727a9291b94bfdbb95a0f7f72a22dcf162 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub-expected.txt 
>@@ -0,0 +1,4 @@ >+ >+PASS Programatically injected stylesheet should not load >+FAIL Should fire a securitypolicyviolation event assert_equals: expected "style-src 'self'" but got "style-src-elem" >+Lorem ipsum >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..6191bb2d555dc130747c84d51993193d16eae2a9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html 
>@@ -0,0 +1,39 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; style-src 'self';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ >+ <script> >+ var t = async_test("Programatically injected stylesheet should not load"); >+ var t_spv = async_test("Should fire a securitypolicyviolation event"); >+ >+ document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals("style-src-elem", e.violatedDirective); >+ })); >+ </script> >+ >+ <script> >+ var head = document.getElementsByTagName('head')[0]; >+ var link = document.createElement('link'); >+ link.setAttribute('rel', 'stylesheet'); >+ link.setAttribute('type', 'text/css'); >+ link.setAttribute('href', 'http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/style-src/resources/style-src.css'); >+ >+ onload = t.step_func_done(function(e) { >+ var contentEl = document.getElementById("content"); >+ var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left'); >+ assert_false(marginLeftVal == "2px"); >+ }); >+ >+ head.appendChild(link); >+ </script> >+</head> >+<body> >+ <div id='log'></div> >+ >+ <div id="content">Lorem ipsum</div> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..0a9d84749b7077481f4ccbedf6d63f576dc72386 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-allowed-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Inline style should apply with 'unsafe-inline' >+Lorem ipsum 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..633fa0297bc24cb809e0eafcb202abd536ee3c2b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-allowed.html >@@ -0,0 +1,34 @@ >+<!doctype html> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ >+ <script> >+ var t = async_test("Inline style should apply with 'unsafe-inline'"); >+ document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation")); >+ </script> >+ >+ <style> >+ #content { >+ margin-left: 2px; >+ } >+ </style> >+</head> >+<body> >+ <div id='log'></div> >+ >+ <div id="content">Lorem ipsum</div> >+ >+ <script> >+ t.step(function() { >+ var contentEl = document.getElementById("content"); >+ var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left'); >+ assert_true(marginLeftVal == "2px"); >+ t.done(); >+ }, "Inline style should not be applied"); >+ </script> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-attribute-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-attribute-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..cb8429862144b65052e17a042947a62f22cfb154 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-attribute-allowed-expected.txt 
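Review bot: In style-src-inline-style-allowed.html the second argument to t.step, the string "Inline style should not be applied", is not a description: testharness defines Test.step(func, this_obj, ...) and uses that argument as the `this` value, so it is silently ignored. It also contradicts both the test name and the assert_true that the style did apply. Report it upstream so the argument is dropped; it does not change the recorded PASS, but the misleading text should not be carried in the import without a note.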
>@@ -0,0 +1,3 @@ >+ >+PASS Inline style attribute should apply with 'unsafe-inline' >+Lorem ipsum >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-attribute-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-attribute-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..3c767905f9308ddd61d3e1e0c83002d694b417e0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-attribute-allowed.html >@@ -0,0 +1,24 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ >+ <script> >+ var t = async_test("Inline style attribute should apply with 'unsafe-inline'"); >+ document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation")); >+ onload = t.step_func_done(function(e) { >+ var contentEl = document.getElementById("content"); >+ var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left'); >+ assert_true(marginLeftVal == "2px"); >+ }); >+ </script> >+</head> >+<body> >+ <div id='log'></div> >+ >+ <div id="content" style="margin-left: 2px">Lorem ipsum</div> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-attribute-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-attribute-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..b00ba88851d06edf36050b80172c212f81e0f8c1 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-attribute-blocked-expected.txt >@@ -0,0 +1,4 @@ >+ >+PASS Inline style attribute should not be applied without 'unsafe-inline' >+FAIL Should fire a securitypolicyviolation event assert_equals: expected "style-src 'self'" but got "style-src-attr" >+Lorem ipsum >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..5072a2c8e2b2db1709afa2b108c085724110c597 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html >@@ -0,0 +1,28 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; style-src 'self';"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+ >+ <script> >+ var t = async_test("Inline style attribute should not be applied without 'unsafe-inline'"); >+ var t_spv = async_test("Should fire a securitypolicyviolation event"); >+ >+ document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals("style-src-attr", e.violatedDirective); >+ })); >+ onload = t.step_func_done(function(e) { >+ var contentEl = document.getElementById("content"); >+ var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left'); >+ assert_false(marginLeftVal == "2px"); >+ }); >+ </script> >+</head> >+<body> >+ <div id='log'></div> >+ >+ <div id="content" style="margin-left: 2px">Lorem ipsum</div> >+ >+</body> >+</html> 
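Review bot: style-src-inline-style-attribute-blocked-expected.txt shows WebKit reporting `style-src 'self'` where the test expects `style-src-attr`, so style attributes and style elements are both reported under the parent directive today. When violatedDirective is changed to carry a directive name, this file will additionally need the CSP3 attr/elem split (style-src-attr for the style="" attribute, style-src-elem for `<style>` and `<link>`), not just `style-src`; the expectation or the ChangeLog should say so, so the two gaps are tracked together rather than the first fix leaving this baseline failing with a new message.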
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..c13f85ef0dbd34a67f9fd863bd74665da6f27123 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-blocked-expected.txt >@@ -0,0 +1,4 @@ >+ >+PASS Inline style element should not load without 'unsafe-inline' >+FAIL Should fire a securitypolicyviolation event assert_equals: expected "style-src 'self'" but got "style-src-elem" >+Lorem ipsum >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..1baff387ae8f0734b95e00a1dad41162dfdf70f8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-blocked.html 
>@@ -0,0 +1,38 @@ >+<!doctype html> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'self';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ >+ <script> >+ var t = async_test("Inline style element should not load without 'unsafe-inline'"); >+ var t_spv = async_test("Should fire a securitypolicyviolation event"); >+ >+ document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals("style-src-elem", e.violatedDirective); >+ })); >+ </script> >+ <style> >+ /* none of this should be applied */ >+ #content { >+ margin-left: 2px; >+ } >+ </style> >+</head> >+<body> >+ <div id='log'></div> >+ >+ <div id="content">Lorem ipsum</div> >+ >+ <script> >+ t.step(function() { >+ var contentEl = document.getElementById("content"); >+ var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left'); >+ assert_false(marginLeftVal == "2px"); >+ t.done(); >+ }); >+ </script> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..1c4264a2d6ecfca8e7c76524edd57a73ef089247 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-allowed-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Style with correct nonce should load >+Lorem ipsum 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..cf4282fcf73e9f3b39118a21c56a75d7c941d276 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-allowed.html >@@ -0,0 +1,34 @@ >+<!doctype html> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'nonce-nonceynonce';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ >+ <script> >+ var t = async_test("Style with correct nonce should load"); >+ document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation")); >+ </script> >+ >+ <style nonce="nonceynonce"> >+ #content { >+ margin-left: 2px; >+ } >+ </style> >+</head> >+<body> >+ <div id='log'></div> >+ >+ <div id="content">Lorem ipsum</div> >+ >+ <script> >+ t.step(function() { >+ var contentEl = document.getElementById("content"); >+ var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left'); >+ assert_true(marginLeftVal == "2px"); >+ t.done(); >+ }); >+ </script> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..57a5e9277412b5fa139cd236ce8c834fb2767882 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event-expected.txt 
>@@ -0,0 +1,7 @@ >+CONSOLE MESSAGE: line 16: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+FAIL Should fire a securitypolicyviolation event assert_equals: expected "style-src 'nonce-nonceynonce'" but got "style-src-elem" >+NOTRUN Test that paragraph remains unmodified and error events received. >+Lorem ipsum >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html >new file mode 100644 >index 0000000000000000000000000000000000000000..83eaabaa9b15a4295b0b19220586806fbd65ca1b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html 
>@@ -0,0 +1,71 @@ >+<!doctype html> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'nonce-nonceynonce';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ >+ <script> >+ var t_spv = async_test("Should fire a securitypolicyviolation event"); >+ >+ document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals("style-src-elem", e.violatedDirective); >+ })); >+ </script> >+ <style id="style1" nonce="not-nonceynonce" >+ onerror="styleError();"> >+ #content { >+ margin-left: 2px; >+ } >+ </style> >+</head> >+<body> >+ <div id='log'></div> >+ >+ <div id="content">Lorem ipsum</div> >+ >+ <script> >+ function verifyStep1() { >+ var marginLeft = getComputedStyle(document.querySelector("#content")).getPropertyValue('margin-left'); >+ assert_false(marginLeft == '2px', "Content still does not have a 2px margin-left after initial style."); >+ } >+ >+ function setupStep2() { >+ var sty = document.createElement("style"); >+ sty.nonce = "not-nonceynonce"; >+ sty.innerHTML = "#content { margin-left: 2px; }"; >+ sty.onerror = styleError; >+ document.body.appendChild(sty); >+ } >+ function verifyStep2() { >+ var marginLeft = getComputedStyle(document.querySelector("#content")).getPropertyValue('margin-left'); >+ assert_false(marginLeft == '2px', "Content still does not have a 2px margin-left after inserted style."); >+ } >+ >+ function setupStep3() { >+ var e = document.getElementById('style1'); >+ e.innerHTML = "#content { margin-left: 2px; }"; >+ } >+ function verifyStep3() { >+ var marginLeft = getComputedStyle(document.querySelector("#content")).getPropertyValue('margin-left'); >+ assert_false(marginLeft == '2px', "Content still does not have a 2px margin-left after changing style."); >+ test.done(); >+ } >+ >+ var verifySteps = [ verifyStep1, verifyStep2, verifyStep3 ]; >+ var setupSteps = [ setupStep2, setupStep3 ]; >+ >+ var test = 
async_test("Test that paragraph remains unmodified and error events received."); >+ >+ function styleError() { >+ test.step(function() { >+ verifySteps.shift()(); >+ var nextSetup = setupSteps.shift(); >+ if (nextSetup) >+ nextSetup(); >+ }); >+ } >+ </script> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..569bb53a535c2e06431bcb04010fcd84baa4eb69 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-expected.txt >@@ -0,0 +1,4 @@ >+ >+PASS Should not load inline style element with invalid nonce >+FAIL Should fire a securitypolicyviolation event assert_equals: expected "style-src 'self' 'nonce-nonceynonce'" but got "style-src-elem" >+Lorem ipsum >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..016b4ebdc4939562e819fd2d3d70e1e6c7208501 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html 
>@@ -0,0 +1,37 @@ >+<!doctype html> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'self' 'nonce-nonceynonce'"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ >+ <script> >+ var t = async_test("Should not load inline style element with invalid nonce"); >+ var t_spv = async_test("Should fire a securitypolicyviolation event"); >+ >+ document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals("style-src-elem", e.violatedDirective); >+ })); >+ </script> >+ <style nonce="not-nonceynonce"> >+ #content { >+ margin-left: 2px; >+ } >+ </style> >+</head> >+<body> >+ <div id='log'></div> >+ >+ <div id="content">Lorem ipsum</div> >+ >+ <script> >+ t.step(function() { >+ var contentEl = document.getElementById("content"); >+ var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left'); >+ assert_false(marginLeftVal == "2px"); >+ t.done(); >+ }); >+ </script> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html >new file mode 100644 >index 0000000000000000000000000000000000000000..027c61d8c632f2387408b8fb6869dee69bb8913d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html 
>@@ -0,0 +1,20 @@ >+<!DOCTYPE HTML> >+<html> >+<head> >+ <title>Multiple policies with different hashing algorithms still work.</title> >+ <meta name="timeout" content="long"> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+<body> >+ <script> >+ var t = async_test("Test that style loads if allowed by proper hash values"); >+ document.addEventListener("securitypolicyviolation", t.unreached_func("Should not have triggered a security event")); >+ </script> >+ >+ <!-- test will time out if this style is not allowed to load --> >+ <style onload="t.done();" onerror="t.unreached_func('Should have loaded the style');">p {color:blue;}</style> >+ >+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..8d83a34751363362e0fc9104f65caa5a42768418 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers 
>@@ -0,0 +1,7 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: style-src-multiple-policies-multiple-hashing-algorithms={{$id:uuid()}}; Path=/content-security-policy/style-src/ >+Content-Security-Policy: style-src 'sha256-rB6kiow2O3eFUeTNyyLeK3wV0+l7vNB90J1aqllKvjg='; script-src 'unsafe-inline' 'self'; report-uri ../support/report.py?op=put&reportID={{$id}} >+Content-Security-Policy: style-src 'sha384-DAShdG5sejEaOdWfT+TQMRP5mHssKiUNjFggNnElIvIoj048XQlacVRs+za2AM1a'; script-src 'unsafe-inline' 'self'; report-uri ../support/report.py?op=put&reportID={{$id}} >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-none-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-none-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..095bfaf7043bc0cf11ccb2456f19962b81d9c7c2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-none-blocked-expected.txt >@@ -0,0 +1,4 @@ >+ >+PASS Should not stylesheet when style-src is 'none' >+FAIL Should fire a securitypolicyviolation event assert_equals: expected "style-src 'none'" but got "style-src-elem" >+Lorem ipsum >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-none-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-none-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..2a80b827c8c32e594ce0b5cf3f8f02f0b3b0813e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-none-blocked.html 
>@@ -0,0 +1,33 @@ >+<!doctype html> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'none';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ >+ <script> >+ var t = async_test("Should not stylesheet when style-src is 'none'"); >+ var t_spv = async_test("Should fire a securitypolicyviolation event"); >+ >+ document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals("style-src-elem", e.violatedDirective); >+ })); >+ </script> >+ <link href="/content-security-policy/style-src/resources/style-src.css" rel=stylesheet type=text/css> >+</head> >+<body> >+ <div id='log'></div> >+ >+ <div id="content">Lorem ipsum</div> >+ >+ <script> >+ t.step(function() { >+ var contentEl = document.getElementById("content"); >+ var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left'); >+ assert_false(marginLeftVal == "2px"); >+ t.done(); >+ }); >+ </script> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-star-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-star-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..c72f5829ab8ffec70d54e148ada8704c0117847c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-star-allowed-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS * should allow any style >+Lorem ipsum >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-star-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-star-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..b13c70f35192911b5cc9b97aec168ecdd104a593 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-star-allowed.html >@@ -0,0 +1,29 @@ >+<!doctype html> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="style-src *;"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ >+ <script> >+ var t = async_test("* should allow any style"); >+ document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation")); >+ </script> >+ >+ <link href="/content-security-policy/style-src/resources/style-src.css" rel=stylesheet type=text/css> >+</head> >+<body> >+ <div id='log'></div> >+ >+ <div id="content">Lorem ipsum</div> >+ >+ <script> >+ t.step(function() { >+ var contentEl = document.getElementById("content"); >+ var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left'); >+ assert_true(marginLeftVal == "2px"); >+ t.done(); >+ }); >+ </script> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..fc2cc550d7bd2a87c2b8cc02ceb1546b7d648fa8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-allowed-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Stylesheet link should load with correct nonce >+Lorem ipsum >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..16df5100b59a80178cab59ff703c250042d628b1 
>--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-allowed.html >@@ -0,0 +1,30 @@ >+<!doctype html> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'nonce-nonceynonce';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ >+ <script> >+ var t = async_test("Stylesheet link should load with correct nonce"); >+ document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation")); >+ </script> >+ >+ <link nonce="nonceynonce" href="/content-security-policy/style-src/resources/style-src.css?pipe=sub" rel=stylesheet type=text/css> >+</head> >+<body> >+ <div id='log'></div> >+ >+ <div id="content">Lorem ipsum</div> >+ >+ <script> >+ t.step(function() { >+ var contentEl = document.getElementById("content"); >+ var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left'); >+ assert_true(marginLeftVal == "2px"); >+ t.done(); >+ }); >+ </script> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-blocked-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..2b0f4fa1c8f866956fa7ce9f1fb21123b45570ec >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-blocked-expected.txt >@@ -0,0 +1,4 @@ >+ >+PASS Should not load stylesheet without correct nonce >+FAIL Should fire a securitypolicyviolation event assert_equals: expected "style-src 'nonce-nonceynonce'" but got "style-src-elem" >+Lorem ipsum 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a076eafd559c80bb510aa3c43669be563646adb8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html >@@ -0,0 +1,33 @@ >+<!doctype html> >+<html> >+<head> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'nonce-nonceynonce';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ >+ <script> >+ var t = async_test("Should not load stylesheet without correct nonce"); >+ var t_spv = async_test("Should fire a securitypolicyviolation event"); >+ >+ document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals("style-src-elem", e.violatedDirective); >+ })); >+ </script> >+ <link nonce="not-nonceynonce" href="/content-security-policy/style-src/resources/style-src.css?pipe=sub" rel=stylesheet type=text/css> >+</head> >+<body> >+ <div id='log'></div> >+ >+ <div id="content">Lorem ipsum</div> >+ >+ <script> >+ t.step(function() { >+ var contentEl = document.getElementById("content"); >+ var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left'); >+ assert_false(marginLeftVal == "2px"); >+ t.done(); >+ }); >+ </script> >+ >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..0e799c9ec50b2058073596f8cbaa104cb1fae5b6 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-allowed.sub-expected.txt >@@ -0,0 +1,11 @@ >+This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p1 is fired. >+ >+This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p2 is fired. >+ >+This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p3 is fired. >+ >+This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p4 is fired. >+ >+ >+PASS Expecting alerts: ["PASS (1/4): The '#p1' element's text is green, which means the style was correctly applied.","PASS (2/4): The '#p2' element's text is green, which means the style was correctly applied.","PASS (3/4): The '#p3' element's text is green, which means the style was correctly applied.","PASS (4/4): The '#p4' element's text is green, which means the style was correctly applied."] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..90b647aa7618cd2022049e66c59479672160dfb9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-allowed.sub.html 
>@@ -0,0 +1,81 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'self' 'sha256-pAKi9r4/WB7fHydbE3F3t8i8602ij2JN8zHJpL2T5BM=' 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw=' 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcSt' 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9KqwvCSapSz5CVoUGHQcxv43UQg=='; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>stylehash-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="../support/logTest.sub.js?logs=[]"></script> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ alert_assert("Fail"); >+ }); >+ >+ var t_alert = async_test('Expecting alerts: ["PASS (1/4): The \'#p1\' element\'s text is green, which means the style was correctly applied.","PASS (2/4): The \'#p2\' element\'s text is green, which means the style was correctly applied.","PASS (3/4): The \'#p3\' element\'s text is green, which means the style was correctly applied.","PASS (4/4): The \'#p4\' element\'s text is green, which means the style was correctly applied."]'); >+ var expected_alerts = ["PASS (1/4): The '#p1' element's text is green, which means the style was correctly applied.", "PASS (2/4): The '#p2' element's text is green, which means the style was correctly applied.", "PASS (3/4): The '#p3' element's text is green, which means the style was correctly applied.", "PASS (4/4): The '#p4' element's text is green, which means the style was correctly applied."]; >+ >+ function alert_assert(msg) { >+ t_alert.step(function() { >+ if (msg.match(/^FAIL/i)) { >+ assert_unreached(msg); >+ t_alert.done(); >+ } >+ for (var i = 0; i < expected_alerts.length; i++) { >+ if (expected_alerts[i] == msg) { >+ 
assert_true(expected_alerts[i] == msg); >+ expected_alerts.splice(i, 1); >+ if (expected_alerts.length == 0) { >+ t_alert.done(); >+ } >+ return; >+ } >+ } >+ assert_unreached('unexpected alert: ' + msg); >+ t_log.done(); >+ }); >+ } >+ >+ </script> >+ <!-- enforcing policy: >+style-src 'sha256-pAKi9r4/WB7fHydbE3F3t8i8602ij2JN8zHJpL2T5BM=' 'sha256-hndjYvzUzy2Ykuad81Cwsl1FOXX/qYs/aDVyUyNZwBw=' 'sha384-bSVm1i3sjPBRM4TwZtYTDjk9JxZMExYHWbFmP1SxDhJH4ue0Wu9OPOkY5hcqRcSt' 'sha512-440MmBLtj9Kp5Bqloogn9BqGDylY8vFsv5/zXL1zH2fJVssCoskRig4gyM+9KqwvCSapSz5CVoUGHQcxv43UQg=='; script-src 'self' 'unsafe-inline'; connect-src 'self'; >+--> >+</head> >+ >+<body> >+ <p id="p1">This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p1 is fired.</p> >+ <p id="p2">This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p2 is fired.</p> >+ <p id="p3">This tests the result of a valid style hash. It passes if this text is green, and a "PASS" alert for p3 is fired.</p> >+ <p id="p4">This tests the result of a valid style hash. 
It passes if this text is green, and a "PASS" alert for p4 is fired.</p> >+ <style>p#p1 { color: green; }</style> >+ <style>p#p2 { color: green; }</style> >+ <style>p#p3 { color: green; }</style> >+ <style>p#p4 { color: green; }</style> >+ <script> >+ var color = window.getComputedStyle(document.querySelector('#p1')).color; >+ if (color === "rgb(0, 128, 0)") >+ alert_assert("PASS (1/4): The '#p1' element's text is green, which means the style was correctly applied."); >+ else >+ alert_assert("FAIL (1/4): The '#p1' element's text is " + color + ", which means the style was incorrectly applied."); >+ var color = window.getComputedStyle(document.querySelector('#p2')).color; >+ if (color === "rgb(0, 128, 0)") >+ alert_assert("PASS (2/4): The '#p2' element's text is green, which means the style was correctly applied."); >+ else >+ alert_assert("FAIL (2/4): The '#p2' element's text is " + color + ", which means the style was incorrectly applied."); >+ var color = window.getComputedStyle(document.querySelector('#p3')).color; >+ if (color === "rgb(0, 128, 0)") >+ alert_assert("PASS (3/4): The '#p3' element's text is green, which means the style was correctly applied."); >+ else >+ alert_assert("FAIL (3/4): The '#p3' element's text is " + color + ", which means the style was incorrectly applied."); >+ var color = window.getComputedStyle(document.querySelector('#p4')).color; >+ if (color === "rgb(0, 128, 0)") >+ alert_assert("PASS (4/4): The '#p4' element's text is green, which means the style was correctly applied."); >+ else >+ alert_assert("FAIL (4/4): The '#p4' element's text is " + color + ", which means the style was incorrectly applied."); >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-basic-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-basic-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..9abb6733d03db3071a8223f385a85498fad50d40 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-basic-blocked.sub-expected.txt >@@ -0,0 +1,10 @@ >+CONSOLE MESSAGE: line 42: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 43: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. >+CONSOLE MESSAGE: line 44: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. >+This tests the effect of a valid style-hash value, with one valid style and several invalid ones. It passes if the valid style is applied and a CSP violation is generated. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT Expecting alerts: ["PASS: The 'p' element's text is green, which means the style was correctly applied.", "violated-directive=style-src-elem"] Test timed out >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-basic-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-basic-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..6bfd5019e1bd92f48ac55ece5f6353caf00b8bcd >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-basic-blocked.sub.html 
>@@ -0,0 +1,62 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'self' 'sha256-FSRZotz4y83Ib8ZaoVj9eXKaeWXVUawM8zAPfYeYySs='; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>stylehash-basic-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="../support/logTest.sub.js?logs=[]"></script> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ alert_assert("violated-directive=" + e.violatedDirective); >+ }); >+ >+ var t_alert = async_test('Expecting alerts: ["PASS: The \'p\' element\'s text is green, which means the style was correctly applied.", "violated-directive=style-src-elem"]'); >+ var expected_alerts = ["PASS: The 'p' element's text is green, which means the style was correctly applied.", "violated-directive=style-src-elem"]; >+ >+ function alert_assert(msg) { >+ t_alert.step(function() { >+ if (msg.match(/^FAIL/i)) { >+ assert_unreached(msg); >+ t_alert.done(); >+ } >+ for (var i = 0; i < expected_alerts.length; i++) { >+ if (expected_alerts[i] == msg) { >+ assert_true(expected_alerts[i] == msg); >+ expected_alerts.splice(i, 1); >+ if (expected_alerts.length == 0) { >+ t_alert.done(); >+ } >+ return; >+ } >+ } >+ assert_unreached('unexpected alert: ' + msg); >+ t_log.done(); >+ }); >+ } >+ >+ </script> >+ <style>p { color: green; }</style> >+ <style>p { color: red; }</style> >+ <style>p { color: purple; }</style> >+ <style>p { color: blue; }</style> >+</head> >+ >+<body> >+ <p> >+ This tests the effect of a valid style-hash value, with one valid style and several invalid ones. It passes if the valid style is applied and a CSP violation is generated. 
>+ </p> >+ <script> >+ var color = window.getComputedStyle(document.querySelector('p')).color; >+ if (color === "rgb(0, 128, 0)") >+ alert_assert("PASS: The 'p' element's text is green, which means the style was correctly applied."); >+ else >+ alert_assert("FAIL: The 'p' element's text is " + color + ", which means the style was incorrectly applied."); >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-default-src.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-default-src.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..2bbe87c3c320c4d8b7b80a0eb574b753e4bccd80 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-default-src.sub-expected.txt >@@ -0,0 +1,5 @@ >+Test >+ >+ >+PASS stylehash allowed from default-src >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-default-src.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-default-src.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c7604b297230757a9511ce42849d7e6a5f478f68 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-default-src.sub.html 
>@@ -0,0 +1,26 @@ >+<!DOCTYPE html> >+<html> >+ <head> >+ <title>stylehash allowed from default-src</title> >+ <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'sha256-SXMrww9+PS7ymkxYbv91id+HfXeO7p1uCY0xhNb4MIw='; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ test(function() { assert_unreached("securitypolicyviolat was fired")}); >+ }); >+ </script> >+ </head> >+ >+ <body> >+ <p id="p">Test</p> >+ <style>p#p { color: green; }</style> >+ <script> >+ var color = window.getComputedStyle(document.querySelector('#p')).color; >+ assert_equals(color, "rgb(0, 128, 0)"); >+ done(); >+ </script> >+ >+ <div id="log"></div> >+ </body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylenonce-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylenonce-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..b3c88adabbcc4e8a4a5657f9232f8bb5aecb1e77 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylenonce-allowed.sub-expected.txt >@@ -0,0 +1,14 @@ >+CONSOLE MESSAGE: line 26: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. >+This text should be green. >+ >+This text should also be green. >+ >+Style correctly whitelisted via a 'nonce-*' expression in 'style-src' should be applied to the page. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should fire securitypolicyviolation >+PASS stylenonce-allowed >+PASS stylenonce-allowed 1 >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylenonce-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylenonce-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..e190b84e8579caad5b9fa61b60ee241e65cbe7f1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylenonce-allowed.sub.html 
>@@ -0,0 +1,58 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'self' 'nonce-noncynonce' 'nonce-noncy+/nonce='; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>stylenonce-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="../support/logTest.sub.js?logs=[]"></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <script> >+ var t_spv = async_test("Should fire securitypolicyviolation"); >+ window.addEventListener('securitypolicyviolation', t_spv.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "style-src-elem"); >+ })); >+ >+ </script> >+ >+ <style nonce="noncynonce"> >+ #test1 { >+ color: green; >+ } >+ >+ </style> >+ <style> >+ #test1 { >+ color: red; >+ } >+ >+ </style> >+ <style nonce="noncynonce"> >+ #test2 { >+ color: green; >+ } >+ >+ </style> >+</head> >+ >+<body> >+ <p id="test1">This text should be green.</p> >+ <p id="test2">This text should also be green.</p> >+ <script> >+ var el = document.querySelector('#test1'); >+ test(function() { >+ assert_equals(window.getComputedStyle(el).color, "rgb(0, 128, 0)") >+ }); >+ var el = document.querySelector('#test2'); >+ test(function() { >+ assert_equals(window.getComputedStyle(el).color, "rgb(0, 128, 0)") >+ }); >+ >+ </script> >+ <p>Style correctly whitelisted via a 'nonce-*' expression in 'style-src' should be applied to the page.</p> >+ <div id="log"></div> >+</body> >+ >+</html> 
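Review bot: the two colour checks in stylenonce-allowed.sub.html are anonymous `test(function() {...})` calls, so testharness names them from the page title ("stylenonce-allowed" and "stylenonce-allowed 1", as the baseline shows), which makes a failure hard to attribute; give them names such as "nonced style for #test1 applied" and "nonced style for #test2 applied". The same script declares `var el` twice; reuse one declaration or use two names. The policy's second source `'nonce-noncy+/nonce='` is never referenced by any `<style nonce>` in the page, so either add a comment that it is there to exercise base64 `+`, `/` and `=` in nonce parsing or drop it. This is an imported WPT file (the w3c-import.log in this patch says not to edit these in WebKit), so the change belongs upstream.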
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylenonce-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylenonce-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..2a2764559364e7d0e2b70df48c82a00510ce3fb5 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylenonce-blocked.sub-expected.txt >@@ -0,0 +1,11 @@ >+CONSOLE MESSAGE: line 19: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. >+This text should be green. >+ >+Style that does not match a 'nonce-*' expression in 'style-src' should not be applied to the page. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should fire securitypolicyviolation >+PASS stylenonce-blocked >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylenonce-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylenonce-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..4b2381fc33d5a80c8d1affd6bec6dae14896a6f4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylenonce-blocked.sub.html 
>@@ -0,0 +1,40 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="style-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>stylenonce-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <link rel="stylesheet" type="text/css" href="../style-src/resources/allowed.css"> >+ <script src="../support/logTest.sub.js?logs=[]"></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <script> >+ var t_spv = async_test("Should fire securitypolicyviolation"); >+ window.addEventListener('securitypolicyviolation', t_spv.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "style-src-elem"); >+ })); >+ </script> >+ <style nonce="noncynonce"> >+ #test { >+ color: red; >+ } >+ >+ </style> >+</head> >+ >+<body> >+ <p id="test">This text should be green.</p> >+ <script> >+ var el = document.querySelector('#test'); >+ test(function() { >+ assert_equals(window.getComputedStyle(el).color, "rgb(0, 128, 0)") >+ }); >+ >+ </script> >+ <p>Style that does not match a 'nonce-*' expression in 'style-src' should not be applied to the page.</p> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/support/inject-style.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/support/inject-style.js >new file mode 100644 >index 0000000000000000000000000000000000000000..532645a455f3be449c21089e8ac2d507fc9c6e9e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/support/inject-style.js 
>@@ -0,0 +1,5 @@ >+document.write("<style>#test1 { display: none; }</style>"); >+ >+var s = document.createElement('style'); >+s.textContent = "#test2 { display: none; }"; >+document.body.appendChild(s); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/support/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/support/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..72e644d30dac64acdd6965ac0cf9745f3891cc04 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/support/w3c-import.log >@@ -0,0 +1,17 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/support/inject-style.js >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..7275a57c4aaba012643f1a83d7df9d4846cb80fb >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/w3c-import.log 
>@@ -0,0 +1,54 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/injected-inline-style-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/injected-inline-style-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-on-html.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-error-event-fires.html 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-blocked.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-default-src-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-imported-style-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-imported-style-blocked.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-inline-style-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-inline-style-blocked.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-stylesheet-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-attribute-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-blocked.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-none-blocked.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-star-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-basic-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-default-src.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylenonce-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylenonce-blocked.sub.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/alert-pass.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/alert-pass.js >new file mode 100644 >index 0000000000000000000000000000000000000000..d3f811ec1b0894d439a9536d468293a1c3b3f6bc >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/alert-pass.js >@@ -0,0 +1 @@ >+alert_assert("PASS"); >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/alertAssert.sub.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/alertAssert.sub.js >new file mode 100644 >index 0000000000000000000000000000000000000000..ee9e54ea79fa1e56e62b3d2198910ae085c437be >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/alertAssert.sub.js >@@ -0,0 +1,43 @@ >+// note, this template substitution is XSS, but no way to avoid it in this framework >+var expected_alerts = {{GET[alerts]}}; >+var timeout= "{{GET[timeout]}}"; >+if (timeout == "") { >+ timeout = 2; >+} >+ >+if(expected_alerts.length == 0) { >+ function alert_assert(msg) { >+ test(function () { assert_unreached(msg) }); >+ } >+} else { >+ var t_alert = async_test('Expecting alerts: {{GET[alerts]}}'); >+ step_timeout(function() { >+ if(t_alert.phase != t_alert.phases.COMPLETE) { >+ t_alert.step(function() { assert_unreached('Alert timeout, expected alerts ' + expected_alerts + ' not fired.') }); >+ t_alert.done(); >+ } >+ }, timeout * 1000); >+ var alert_assert = function (msg) { >+ t_alert.step(function () { >+ if(msg && msg instanceof Error) { >+ msg = msg.message; >+ } >+ if (msg && msg.match(/^FAIL/i)) { >+ assert_unreached(msg); >+ t_alert.done(); >+ } >+ for (var i = 0; i < expected_alerts.length; i++) { >+ if (expected_alerts[i] == msg) { >+ assert_true(expected_alerts[i] == msg); >+ expected_alerts.splice(i, 1); >+ if (expected_alerts.length == 0) { >+ t_alert.done(); >+ } >+ return; >+ } >+ } >+ assert_unreached('unexpected alert: ' + msg); >+ t_log.done(); >+ }); >+ }.bind(this); >+} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/checkReport.sub.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/checkReport.sub.js >new file mode 100644 >index 0000000000000000000000000000000000000000..1ecfa5f52c481cf3ba98236bc21104b33fcdac84 
>--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/checkReport.sub.js 
>@@ -0,0 +1,130 @@ >+(function () { >+ >+ // Get values from the substitution engine. >+ // We can't just pull these from the document context >+ // because this script is intended to be transcluded into >+ // another document, and we want the GET values used to request it, >+ // not the values for the including document >+ >+ // XXX these are unencoded, so there's an unavoidable >+ // injection vulnerability in constructing this file... >+ // need to upgrade the template engine. >+ var reportField = "{{GET[reportField]}}"; >+ var reportValue = "{{GET[reportValue]}}"; >+ var reportExists = "{{GET[reportExists]}}"; >+ var noCookies = "{{GET[noCookies]}}"; >+ var reportCookieName = "{{GET[reportCookieName]}}" >+ var testName = "{{GET[testName]}}" >+ var cookiePresent = "{{GET[cookiePresent]}}" >+ var reportCount = "{{GET[reportCount]}}" >+ >+ var location = window.location; >+ if (reportCookieName == "") { >+ // fallback on test file name if cookie name not specified >+ reportCookieName = location.pathname.split('/')[location.pathname.split('/').length - 1].split('.')[0]; >+ } >+ >+ var reportID = "{{GET[reportID]}}"; >+ >+ if (reportID == "") { >+ var cookies = document.cookie.split(';'); >+ for (var i = 0; i < cookies.length; i++) { >+ var cookieName = cookies[i].split('=')[0].trim(); >+ var cookieValue = cookies[i].split('=')[1].trim(); >+ >+ if (cookieName == reportCookieName) { >+ reportID = cookieValue; >+ var cookieToDelete = cookieName + "=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=" + document.location.pathname.substring(0, document.location.pathname.lastIndexOf('/') + 1); >+ document.cookie = cookieToDelete; >+ break; >+ } >+ } >+ } >+ >+ // There is no real way to test (in this particular layer) that a CSP report >+ // has *not* been sent, at least not without some major reworks and >+ // involvement from all the platform participants. 
So the current "solution" >+ // is to wait for some reasonable amount of time and if no report has been >+ // received to conclude that no report has been generated. These timeouts must >+ // not exceed the test timeouts set by vendors otherwise the test would fail. >+ var timeout = document.querySelector("meta[name=timeout][content=long]") ? 25 : 5; >+ var reportLocation = location.protocol + "//" + location.host + "/content-security-policy/support/report.py?op=retrieve_report&timeout=" + timeout + "&reportID=" + reportID; >+ >+ if (testName == "") testName = "Violation report status OK."; >+ var reportTest = async_test(testName); >+ >+ function assert_field_value(field, value, field_name) { >+ assert_true(field.indexOf(value.split(" ")[0]) != -1, >+ field_name + " value of \"" + field + "\" did not match " + >+ value.split(" ")[0] + "."); >+ } >+ >+ reportTest.step(function () { >+ >+ var report = new XMLHttpRequest(); >+ report.onload = reportTest.step_func(function () { >+ >+ var data = JSON.parse(report.responseText); >+ >+ if (data.error) { >+ assert_equals("false", reportExists, data.error); >+ } else { >+ if(reportExists != "" && reportExists == "false" && data["csp-report"]) { >+ assert_unreached("CSP report sent, but not expecting one: " + JSON.stringify(data["csp-report"])); >+ } >+ // Firefox expands 'self' or origins in a policy to the actual origin value >+ // so "www.example.com" becomes "http://www.example.com:80". >+ // Accomodate this by just testing that the correct directive name >+ // is reported, not the details... 
>+ >+ if(data["csp-report"] != undefined && data["csp-report"][reportField] != undefined) { >+ assert_field_value(data["csp-report"][reportField], reportValue, reportField); >+ } else if (data[0] != undefined && data[0]["body"] != undefined && data[0]["body"][reportField] != undefined) { >+ assert_field_value(data[0]["body"][reportField], reportValue, reportField); >+ } else { >+ assert_equals("", reportField, "Expected report field could not be found in report"); >+ } >+ } >+ >+ reportTest.done(); >+ }); >+ >+ report.open("GET", reportLocation, true); >+ report.send(); >+ }); >+ >+ if (noCookies || cookiePresent) { >+ var cookieTest = async_test("Test report cookies."); >+ var cookieReport = new XMLHttpRequest(); >+ cookieReport.onload = cookieTest.step_func(function () { >+ var data = JSON.parse(cookieReport.responseText); >+ if (noCookies) { >+ assert_equals(data.reportCookies, "None", "Report should not contain any cookies"); >+ } >+ >+ if (cookiePresent) { >+ assert_true(data.reportCookies.hasOwnProperty(cookiePresent), "Report should contain cookie: " + cookiePresent); >+ } >+ cookieTest.done(); >+ }); >+ var cReportLocation = location.protocol + "//" + location.host + "/content-security-policy/support/report.py?op=retrieve_cookies&timeout=" + timeout + "&reportID=" + reportID; >+ cookieReport.open("GET", cReportLocation, true); >+ cookieReport.send(); >+ } >+ >+ if (reportCount != "") { >+ var reportCountTest = async_test("Test number of sent reports."); >+ var reportCountReport = new XMLHttpRequest(); >+ reportCountReport.onload = reportCountTest.step_func(function () { >+ var data = JSON.parse(reportCountReport.responseText); >+ >+ assert_equals(data.report_count, reportCount, "Report count was not what was expected."); >+ >+ reportCountTest.done(); >+ }); >+ var cReportLocation = location.protocol + "//" + location.host + "/content-security-policy/support/report.py?op=retrieve_count&timeout=" + timeout + "&reportID=" + reportID; >+ 
reportCountReport.open("GET", cReportLocation, true); >+ reportCountReport.send(); >+ } >+ >+})(); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/dedicated-worker-helper.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/dedicated-worker-helper.js >new file mode 100644 >index 0000000000000000000000000000000000000000..8441ab0de72286a37b1443c8de82ce88fafa77de >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/dedicated-worker-helper.js >@@ -0,0 +1,5 @@ >+var url = new URL("../support/ping.js", document.baseURI).toString(); >+if (document.getElementById("foo").hasAttribute("blocked-worker")) >+ assert_worker_is_blocked(url, document.getElementById("foo").getAttribute("data-desc-fallback")); >+else >+ assert_worker_is_loaded(url, document.getElementById("foo").getAttribute("data-desc-fallback")); >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/document-write-alert-fail.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/document-write-alert-fail.js >new file mode 100644 >index 0000000000000000000000000000000000000000..5e78ca0dac312eb56556d123d9ecfedaef026e69 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/document-write-alert-fail.js >@@ -0,0 +1 @@ >+document.write("<script>test(function () { assert_unreached('FAIL inline script from document.write ran') });</script>"); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/echo-policy.py b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/echo-policy.py >new file mode 100644 >index 0000000000000000000000000000000000000000..ebde3dc5a4bf75c268d591c33a31cb2d38dfc5f4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/echo-policy.py 
>@@ -0,0 +1,3 @@ >+def main(request, response): >+ policy = request.GET.first("policy"); >+ return [("Content-Type", "text/html"), ("Content-Security-Policy", policy)], "<!DOCTYPE html><title>Echo.</title>" >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/fail.asis b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/fail.asis >new file mode 100644 >index 0000000000000000000000000000000000000000..96196615bd4cbb540506d36cdf1b5b3d7667e24b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/fail.asis >@@ -0,0 +1,5 @@ >+HTTP/1.1 200 OK >+Content-Type: text/plain >+Access-Control-Allow-Origin: * >+ >+FAIL >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/fail.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/fail.html >new file mode 100644 >index 0000000000000000000000000000000000000000..fedcc31bd3da124cd298e7255467c4854778f04b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/fail.html >@@ -0,0 +1,3 @@ >+<script> >+ test(function() { assert_unreached("FAIL")}); >+</script> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/fail.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/fail.js >new file mode 100644 >index 0000000000000000000000000000000000000000..9632567a6e71cb2ee359f468c492c572e0ab8144 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/fail.js >@@ -0,0 +1 @@ >+test(function() { assert_unreached("FAIL")}); >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/fail.png b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/fail.png >new file mode 100644 >index 0000000000000000000000000000000000000000..b5933803338f770bdb1e6a7d433aeb640be85b08 >GIT binary patch >literal 759 >zcmeAS@N?(olHy`uVBq!ia0vp^D}dO6gAGXb#n?mxDb50q$YKTtZeb8+WSBKa0w~B{ >z;_2(kewB-dL*MksU){?<A=whwh!W@g+}zZ>5(ej@)Wnk16ovB4k_?5Aj8p}8Pv3y| >zDXMu43{1J6E{-7;x8BaS%@zq1aX7D`vWR1%iBiXn6*D4KmuwVRZ6Y@7kiW;G{|+bk >zH+(2R(xCX?L14><2`o)qT*vrDTwFI^a1&6Pwe^JVJZH0W=iZ!aso>+;WB&Wzxp#Lr >ze=qv3obAXxQTG&|vjUgaq6Lc<D8VTZ1IUB(p|T);=_RegoMT__+?v_dzw*?q|1CMu >z|1;N}F+Od!^Q~lo(#-V?&Z2U`VTrwxA^(z0)YT6ZCY-sTkrAHddT_C9_~egKvp+9d >z(0hSD#_O5+q>ru%(-ng*s9CbV>HaAFK<$IsGv)&=AQ8{gKVnP_i>FoY{*hPqF?ILD >z<^#JcwAVAXH}p%-vFF*dz1zI`+Sw4HrPYe+2iPCf2_4mRUb-N3bLLF`m&+%A%z3x% >z=AB(W3w1uGde<z>c=Bv{1H0irHW`Mn;=6yJFKM)zyJq{5*^b${ePTsLLZ4Y@s~Tqr >z`(C<tqOUs1j>+a`!d;FJ8prG#{vIedULm>V`W*i!HMiXS8ji22cjw<Ay(8hpnFXaO >z7upY;6uKVs=eV8mil(r-h5ZccwPL<&e28+?{a9+^?)yfZHTSe%g3-+ROK+@Sa89LK >z?Qxxp<L+}7ujiLD)iAyjxl?Ywt1jvPj)fr?;--JEd=P%Hc7NmTX_d2=#F=?EA5dSQ >z|LpLA&wT63c`5`S&!6bIKP+dGRh{eE1-GYbcg{I2dy4aeP()Xue8J5LS{dt4{a!oi >z`^0y<(>!!PCb5YI1_-i>vH~eE14@DTScEzMF$fuUDMZWzCR`x!boFyt=akR{0Mx!f >AX#fBK > >literal 0 >HcmV?d00001 > >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/file-prefetch-allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/file-prefetch-allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..bd60d262ad8a9741404c8f48bcf71bf2f072eabc >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/file-prefetch-allowed.html 
>@@ -0,0 +1,9 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <!-- CSP directive 'prefetch-src' is not supported via meta tag though --> >+ <meta http-equiv="Content-Security-Policy" content="prefetch-src 'self'"> >+</head> >+<body> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/fonts.css b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/fonts.css >new file mode 100644 >index 0000000000000000000000000000000000000000..848961c8dce0476e577fc736c5402acc2c562caf >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/fonts.css >@@ -0,0 +1,8 @@ >+@font-face { >+ font-family: 'Ahem'; >+ src: url('/fonts/Ahem.ttf'); >+} >+ >+body { >+ font-family: 'Ahem', Fallback, sans-serif; >+} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/import-scripts.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/import-scripts.js >new file mode 100644 >index 0000000000000000000000000000000000000000..8325ebb3fba3b7dd74d266ce29de77f89f665f52 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/import-scripts.js >@@ -0,0 +1,3 @@ >+self.a = false; >+importScripts('/content-security-policy/support/var-a.js'); >+postMessage({ 'executed': self.a }); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/inject-image.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/inject-image.js >new file mode 100644 >index 0000000000000000000000000000000000000000..a10d50a9839507cc926cd1f2061ea56bb4c7b9d7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/inject-image.js 
>@@ -0,0 +1,4 @@ >+// This script block will trigger a violation report. >+var i = document.createElement('img'); >+i.src = '/content-security-policy/support/fail.png'; >+document.body.appendChild(i); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/inject-image.sub.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/inject-image.sub.js >new file mode 100644 >index 0000000000000000000000000000000000000000..acf04f325f7d3fd5c959cd46d8b18cae0c6d8948 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/inject-image.sub.js >@@ -0,0 +1,3 @@ >+var i = document.createElement('img'); >+i.src = "http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/fail.png"; >+document.body.appendChild(i); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/logTest.sub.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/logTest.sub.js >new file mode 100644 >index 0000000000000000000000000000000000000000..f712252cef531182cc4780210529301bb5475e16 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/logTest.sub.js 
>@@ -0,0 +1,41 @@ >+// note, this template substitution is XSS, but no way to avoid it in this framework >+var expected_logs = {{GET[logs]}}; >+var timeout = "{{GET[timeout]}}"; >+if (timeout == "") { >+ timeout = 2; >+} >+ >+if (expected_logs.length == 0) { >+ function log_assert(msg) { >+ test(function () { assert_unreached(msg) }); >+ } >+} else { >+ var t_log = async_test('Expecting logs: {{GET[logs]}}'); >+ step_timeout(function() { >+ if(t_log.phase != t_log.phases.COMPLETE){ >+ t_log.step(function () { assert_unreached('Logging timeout, expected logs ' + expected_logs + ' not sent.') }); >+ t_log.done(); >+ } >+ }, timeout * 1000); >+ function log(msg) { >+ //cons/**/ole.log(msg); >+ t_log.step(function () { >+ if (msg.match(/^FAIL/i)) { >+ assert_unreached(msg); >+ t_log.done(); >+ } >+ for (var i = 0; i < expected_logs.length; i++) { >+ if (expected_logs[i] == msg) { >+ assert_true(expected_logs[i] == msg); >+ expected_logs.splice(i, 1); >+ if (expected_logs.length == 0) { >+ t_log.done(); >+ } >+ return; >+ } >+ } >+ assert_unreached('unexpected log: ' + msg); >+ t_log.done(); >+ }); >+ } >+} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/manifest.json b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/manifest.json >new file mode 100644 >index 0000000000000000000000000000000000000000..97da19c5ca2c7e4b767eae7d2e178dcbfc627afa >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/manifest.json >@@ -0,0 +1,5 @@ >+{ >+ "name": "Dummy manifest", >+ "start_url": "/start.html" >+} >+ >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/media/flash.swf b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/media/flash.swf >new file mode 100644 >index 0000000000000000000000000000000000000000..80bf47e207c00e5c532591630ba0bcb1bc2aee75 >GIT binary patch >literal 638 >zcmV-^0)hQQS5pt01pokeoTZepZqq;jhA&9810WTlN?j0EIv^pO^Ig)|vC^oKok$%b >zP@92;;c8zRtG3U&vzt^5-O5YAjKsju4VG@OGVm0LcQ9u+PMS89QU*)D^Z$Rk`|ji+ >zc(MhSzXPyV0`|i-0KoC1mAe2mxjQg-?5;8n{7{&3v{@d;ab!X`8jUKWYK8HAh#HLs >z)G)+Yl?hcGg)tecp;#}sl$>Bw;czdCJr*k2nC!76-Yl0V*l`d|v7x9Cm+jGt!vZ)a >z5kwUYW*iwZElx?yc%L!9)y`5%*C%4AyyR>^g^+mSE7opZQI);K^IfH8peDTByuhNi >zd|FsTRaMhfw9!XZ6F1E2h8&ujcA<NoJg@d>Ok5I^`EtFFHcYK%qPg;1c2Z}qH#oXc >zd6ra~@RG@!xpkeX+9=_EeqOEvsZRqM#zN{vxn9>X2aE?KZjmVRJ%?mKI9A1wIR_(h >zNYz26x(R2&+b&7&tk=8#z=Hr5X%X+x!S!j;KZ+>ap@Jpcp)$TcxiGz+xgCm_gbv-d >zTXLe}d9K+t^e#erP1CVfHxM!~Zd-MugX?V@b+DbgpRX1)n>k75Z9;SZfp(!<&|YwF >z-;-B%0aZhWcA08p-LkA|t<%+UL0y2Du9b4{kh)#Yg8URB!UfGtZI%mFnWo&Y=`GNt >z|7~Mess+ux&4#X23mW?$O@Blv(}S6LT70G9<R{otfORKL)3eok@&{Q0yABPhf&e%J >zRz5MrkBtZ4UV+le=PxHe@4tEabs3}pJWEsXTD}~EH2nxb`XiMuavrR#etMU@J?*?d >Yef}%_aFBqLrKOVOfGzp)H+5piC-#&zDF6Tf > >literal 0 >HcmV?d00001 > >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/media/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/media/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..b7a941c3394204e514940116b8f980fc7bc2766f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/media/w3c-import.log 
>@@ -0,0 +1,17 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/media/flash.swf >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/nonce-should-be-blocked.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/nonce-should-be-blocked.js >new file mode 100644 >index 0000000000000000000000000000000000000000..501f7a92088ec4dfd5197c5378e207d9007abe2f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/nonce-should-be-blocked.js >@@ -0,0 +1 @@ >+t.unreached_func(document.currentScript.getAttribute('src') + " should not execute.")(); 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/pass.png b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/pass.png >new file mode 100644 >index 0000000000000000000000000000000000000000..2fa1e0ac0663a65deae6602621521cc2844b93de >GIT binary patch >literal 1689 >zcmZ{lX*3&n7smf;t))z9sgk5hM+alnTMSWZso0lN)UJe5)ig;FstDDQvBcI2qNSm= >zjeV*WYKe6;5{-sx^pH_gOD457Z_qdM{hbfbea`uvd+wKe?sI?faC1<QRhI<-C^#bQ >zyhQ#?Bx{*NqAGTwL0)8sZz25A0LUr-BQZd#P!mCEjH9c)G)q=q#_$y9dqJ}ZX=3dC >zFt+h=agjGM!1i`z7$!0TmT(;t4fBqUggH36dhjB2ZUP{s=xBG*J8^EE6zfvttCqIF >zl%qAvYS}b+!ye?!uhv_u+UN`-{HCC1Y$a8Ky3#f?a@1?eNsoUSRea#7?a^bW+)k6r >z$&r6l?Tklg9xti(D3Kj?Rch&6PpzPYQ9AacBY#Y;3W<O7GcUpIzue@$-B@RQ6%ard >zGofNR4j%A~#qU(|A16xCPU}K0@@4)7*&G{=!m1CZ4ze#c1;00C)~$KY)W;B@$4#km >zZMU+ToVy?dt4oWT$1L(V7BNdRWDR=flUSYJ!jEPB(?PWs#ueEewv{{!pZ)sbH^VP? >zUXo@=T?Z!FpAG`1E;LvLkdDRMq&LD=uasV@GqMn_WIOa5;~g7Uy!7F{Q}^@JN)6s{ >zpzT$Yp#lB^<H_`Hzt7K!XUE|siQ{W;wGOmuus~)@MrHD-KQ%NgJnRiqqhVQtOrUVa >z_xmy7U%K}wsm=+61flz`bXxJ0%5{84edoA#Y!KW0=!ydFdy?`ABDK_?t!o5B*$zn^ >zwOUOrHJtbj=gFE`Flp388nYo9icsGwCA!inceN$urPqP_+sn?>*@4kWRO}2ZGdWBA >zb+;A0Nr0VP@sE1hj(atiyDkNU^*fpmECINC`fg7kXLN+fzoQ=#)ceQ16JY*EcNyl? 
>z*nrc>a`^MQ*J()DE3NV&PmbrAcD>_`u$dCeaoav<%wKV0z_)94TvE><5Y1nsX|wO3 >zPx_#DxYda<^T|p162T#fxxSw$3SQ!BPZhk1Q0*>QveTi+{KC&+Yh(6&<-59S2aIpY >z?%R2rgwyW3UP)&`u}Se~1so{&>Lf8Ou@qF7{H$E!qA~s%xt|=U;;wKli<h`ygoB^g >zFTtRX(e;9<$&$cuf!edbX9CO^6<)TNn@S4?h6a9~UUq5RbAhSSE~gE0HS#QOe0ieG >z9AF|m_FC9x(Z5a)Frz~c&YSb{;o@q*dQ{ou8#`tDeM4Eb3qzkMH%R-Ov^GX-=HPtk >zq8+{H@vCB6hO8gHr3k~L>Xv>8@h&t&y18Jlo(Eg<yMLnvPz-c<N6<=XWi_#orXSiO >zoHyQeKMhr5oWSJ#NUQ9!ct{ScPw{jltLIJH^N~XV!`vV@lC}=5$NEak^OWh863Gd< >zbG?6nwCOL?&mRsOd?mJ@R&+Yzl%j)_!?!t<Vf9wWr}d7|?fEK0RVlY_qXo#NxXDNq >z>pe^3j5Ns18o*)qS7<immW@~DK#h4MNpo9$O5X29TPP`1F#l(Gx><(mcON0vbqojk >z#!KodVx8ztBrJ~X6Kn51?W6oox#APR^kA}Q&2T1`aOz6A7AQy<9dyggb$xixP?0Y$ >zmX_;ldYq*?n|M_9KB2(S<xzP7gt%cu69@94N~#1`oLu&&MPtrP)qggc`%bQF#$8i} >z1ZlW#BW~XKy^VYBiwVjTg<{csii!w9RGmZf;x{_nf+cgQPu92cwvd5zSgRk5+!3e} >ze|TbHe727~^>%yL3Lrj^JLcVGm-=EW-D>JGYYWW&vSI#N_i!Yj>?hMF`rY!t%jWXV >zL6>jTl;>PD=hr0dmid$Ba8+L7=8$k?vpWT>Brc$u1f;AI(_+)N_!#gJE#M#Ui|>>T >zR1~UKIV?)AE1oeB^{--uYc=iAZKy%x+Y^{5Zq%JiJZ=AX<-eV*^A7Oote?YSsnyPm >znT1-2hhmIWC(a;yjE~+d`s#GfzAW`-YDDXpbGl_Wo8{ipkdT0ir^iGw{DBe%zJhvp >zZDREk{n0`(LjtH*-mjYAK{jf)N{F*v^JLMvDo0>PW5R=Wt|D3H0G=e|9yAES>+1GG >ze9_r;3gi0ijb-g`h46IrT#+a@yebW^>$VzExM7amH3aa3_Ff1nb(fM%%FyLKlL@wa >z?C?0hK{0<~sqKY}Ioi)+5BYa)wX^4kt9N_(DMD)@TkfARkbbX!i`JU|m$+Q?vf+E( >W*}}$Mf`aIW07rW_yJnlvjQ;_C?lE%! > >literal 0 >HcmV?d00001 
> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/pass2.png b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/pass2.png >new file mode 100644 >index 0000000000000000000000000000000000000000..2fa1e0ac0663a65deae6602621521cc2844b93de >GIT binary patch >literal 1689 >zcmZ{lX*3&n7smf;t))z9sgk5hM+alnTMSWZso0lN)UJe5)ig;FstDDQvBcI2qNSm= >zjeV*WYKe6;5{-sx^pH_gOD457Z_qdM{hbfbea`uvd+wKe?sI?faC1<QRhI<-C^#bQ >zyhQ#?Bx{*NqAGTwL0)8sZz25A0LUr-BQZd#P!mCEjH9c)G)q=q#_$y9dqJ}ZX=3dC >zFt+h=agjGM!1i`z7$!0TmT(;t4fBqUggH36dhjB2ZUP{s=xBG*J8^EE6zfvttCqIF >zl%qAvYS}b+!ye?!uhv_u+UN`-{HCC1Y$a8Ky3#f?a@1?eNsoUSRea#7?a^bW+)k6r >z$&r6l?Tklg9xti(D3Kj?Rch&6PpzPYQ9AacBY#Y;3W<O7GcUpIzue@$-B@RQ6%ard >zGofNR4j%A~#qU(|A16xCPU}K0@@4)7*&G{=!m1CZ4ze#c1;00C)~$KY)W;B@$4#km >zZMU+ToVy?dt4oWT$1L(V7BNdRWDR=flUSYJ!jEPB(?PWs#ueEewv{{!pZ)sbH^VP? >zUXo@=T?Z!FpAG`1E;LvLkdDRMq&LD=uasV@GqMn_WIOa5;~g7Uy!7F{Q}^@JN)6s{ >zpzT$Yp#lB^<H_`Hzt7K!XUE|siQ{W;wGOmuus~)@MrHD-KQ%NgJnRiqqhVQtOrUVa >z_xmy7U%K}wsm=+61flz`bXxJ0%5{84edoA#Y!KW0=!ydFdy?`ABDK_?t!o5B*$zn^ >zwOUOrHJtbj=gFE`Flp388nYo9icsGwCA!inceN$urPqP_+sn?>*@4kWRO}2ZGdWBA >zb+;A0Nr0VP@sE1hj(atiyDkNU^*fpmECINC`fg7kXLN+fzoQ=#)ceQ16JY*EcNyl? 
>z*nrc>a`^MQ*J()DE3NV&PmbrAcD>_`u$dCeaoav<%wKV0z_)94TvE><5Y1nsX|wO3 >zPx_#DxYda<^T|p162T#fxxSw$3SQ!BPZhk1Q0*>QveTi+{KC&+Yh(6&<-59S2aIpY >z?%R2rgwyW3UP)&`u}Se~1so{&>Lf8Ou@qF7{H$E!qA~s%xt|=U;;wKli<h`ygoB^g >zFTtRX(e;9<$&$cuf!edbX9CO^6<)TNn@S4?h6a9~UUq5RbAhSSE~gE0HS#QOe0ieG >z9AF|m_FC9x(Z5a)Frz~c&YSb{;o@q*dQ{ou8#`tDeM4Eb3qzkMH%R-Ov^GX-=HPtk >zq8+{H@vCB6hO8gHr3k~L>Xv>8@h&t&y18Jlo(Eg<yMLnvPz-c<N6<=XWi_#orXSiO >zoHyQeKMhr5oWSJ#NUQ9!ct{ScPw{jltLIJH^N~XV!`vV@lC}=5$NEak^OWh863Gd< >zbG?6nwCOL?&mRsOd?mJ@R&+Yzl%j)_!?!t<Vf9wWr}d7|?fEK0RVlY_qXo#NxXDNq >z>pe^3j5Ns18o*)qS7<immW@~DK#h4MNpo9$O5X29TPP`1F#l(Gx><(mcON0vbqojk >z#!KodVx8ztBrJ~X6Kn51?W6oox#APR^kA}Q&2T1`aOz6A7AQy<9dyggb$xixP?0Y$ >zmX_;ldYq*?n|M_9KB2(S<xzP7gt%cu69@94N~#1`oLu&&MPtrP)qggc`%bQF#$8i} >z1ZlW#BW~XKy^VYBiwVjTg<{csii!w9RGmZf;x{_nf+cgQPu92cwvd5zSgRk5+!3e} >ze|TbHe727~^>%yL3Lrj^JLcVGm-=EW-D>JGYYWW&vSI#N_i!Yj>?hMF`rY!t%jWXV >zL6>jTl;>PD=hr0dmid$Ba8+L7=8$k?vpWT>Brc$u1f;AI(_+)N_!#gJE#M#Ui|>>T >zR1~UKIV?)AE1oeB^{--uYc=iAZKy%x+Y^{5Zq%JiJZ=AX<-eV*^A7Oote?YSsnyPm >znT1-2hhmIWC(a;yjE~+d`s#GfzAW`-YDDXpbGl_Wo8{ipkdT0ir^iGw{DBe%zJhvp >zZDREk{n0`(LjtH*-mjYAK{jf)N{F*v^JLMvDo0>PW5R=Wt|D3H0G=e|9yAES>+1GG >ze9_r;3gi0ijb-g`h46IrT#+a@yebW^>$VzExM7amH3aa3_Ff1nb(fM%%FyLKlL@wa >z?C?0hK{0<~sqKY}Ioi)+5BYa)wX^4kt9N_(DMD)@TkfARkbbX!i`JU|m$+Q?vf+E( >W*}}$Mf`aIW07rW_yJnlvjQ;_C?lE%! > >literal 0 >HcmV?d00001 > >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/ping.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/ping.js >new file mode 100644 >index 0000000000000000000000000000000000000000..750ae45f969491ea29eaa47c85f96f97d94b415f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/ping.js 
>@@ -0,0 +1,12 @@ >+if (typeof ServiceWorkerGlobalScope === "function") { >+ self.onmessage = function (e) { e.source.postMessage("ping"); }; >+} else if (typeof SharedWorkerGlobalScope === "function") { >+ onconnect = function (e) { >+ var port = e.ports[0]; >+ >+ port.onmessage = function () { port.postMessage("ping"); } >+ port.postMessage("ping"); >+ }; >+} else if (typeof DedicatedWorkerGlobalScope === "function") { >+ self.postMessage("ping"); >+} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/post-message.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/post-message.js >new file mode 100644 >index 0000000000000000000000000000000000000000..69daa31d2f1b645d394ca41dab119924209d4871 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/post-message.js >@@ -0,0 +1 @@ >+postMessage("importScripts allowed"); >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/postmessage-fail.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/postmessage-fail.html >new file mode 100644 >index 0000000000000000000000000000000000000000..a0308ad98b4c75f2e50861191c7778c421ede413 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/postmessage-fail.html >@@ -0,0 +1,4 @@ >+<script> >+ window.parent.postMessage('FAIL', '*'); >+ >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/postmessage-pass-to-opener.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/postmessage-pass-to-opener.html >new file mode 100644 >index 0000000000000000000000000000000000000000..e1bdf7102f2995fffcd567ae50190a55f0dde9b2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/postmessage-pass-to-opener.html 
>@@ -0,0 +1,3 @@ >+<script> >+ window.top.opener.postMessage('PASS', '*'); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/postmessage-pass.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/postmessage-pass.html >new file mode 100644 >index 0000000000000000000000000000000000000000..700167b5db84ae35e507afccad183680fd6d5064 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/postmessage-pass.html >@@ -0,0 +1,4 @@ >+<script> >+ window.parent.postMessage('PASS', '*'); >+ >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/prefetch-helper.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/prefetch-helper.js >new file mode 100644 >index 0000000000000000000000000000000000000000..db6d87593df17e93c3672a65141d46b0ec89bdb7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/prefetch-helper.js 
>@@ -0,0 +1,65 @@ >+test(t => { >+ assert_true(document.createElement('link').relList.supports('prefetch')); >+}, "Browser supports prefetch."); >+ >+test(t => { >+ assert_true(!!window.PerformanceResourceTiming); >+}, "Browser supports performance APIs."); >+ >+async function waitUntilResourceDownloaded(url) { >+ await new Promise((resolve, reject) => { >+ if (performance.getEntriesByName(url).length >= 1) >+ resolve(); >+ >+ let observer = new PerformanceObserver(list => { >+ list.getEntries().forEach(entry => { >+ if (entry.name == url) { >+ resolve(); >+ } >+ }); >+ }); >+ }); >+} >+ >+async function assert_resource_not_downloaded(test, url) { >+ if (performance.getEntriesByName(url).length >= 1) { >+ (test.unreached_func(`'${url}' should not have downloaded.`))(); >+ } >+} >+ >+function assert_link_prefetches(test, link) { >+ assert_no_csp_event_for_url(test, link.href); >+ >+ link.onerror = test.unreached_func('onerror should not fire.'); >+ >+ // Test is finished when either the `load` event fires, or we get a performance >+ // entry showing that the resource loaded successfully. >+ link.onload = test.step_func(test.step_func_done()); >+ waitUntilResourceDownloaded(link.href).then(test.step_func_done()); >+ >+ document.head.appendChild(link); >+} >+ >+function assert_link_does_not_prefetch(test, link) { >+ let cspEvent = false; >+ let errorEvent = false; >+ >+ waitUntilCSPEventForURL(test, link.href) >+ .then(test.step_func(e => { >+ cspEvent = true; >+ assert_equals(e.violatedDirective, "prefetch-src"); >+ assert_equals(e.effectiveDirective, "prefetch-src"); >+ >+ if (errorEvent) >+ test.done(); >+ })); >+ >+ link.onerror = test.step_func(e => { >+ errorEvent = true; >+ if (cspEvent) >+ test.done(); >+ }); >+ link.onload = test.unreached_func('onload should not fire.'); >+ >+ document.head.appendChild(link); >+} 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/prefetch-subresource.css b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/prefetch-subresource.css >new file mode 100644 >index 0000000000000000000000000000000000000000..4c4fa4644208b1433eaadf74576b480fe53cc14d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/prefetch-subresource.css >@@ -0,0 +1,3 @@ >+/* This CSS file sends some headers: >+ * Link: </content-security-policy/support/fail.png>;rel=prefetch >+ */ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/prefetch-subresource.css.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/prefetch-subresource.css.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..eaf7b1663850063a03f89d40b1f072d9e3a29749 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/prefetch-subresource.css.headers >@@ -0,0 +1 @@ >+Link: </content-security-policy/support/fail.png>;rel=prefetch >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/report.py b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/report.py >new file mode 100644 >index 0000000000000000000000000000000000000000..3b249f30b3e2ca86b2a6d3d43e547cd50bf58ec8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/report.py 
>@@ -0,0 +1,62 @@ >+import time >+import json >+import re >+ >+def retrieve_from_stash(request, key, timeout, default_value): >+ t0 = time.time() >+ while time.time() - t0 < timeout: >+ time.sleep(0.5) >+ value = request.server.stash.take(key=key) >+ if value is not None: >+ return value >+ >+ return default_value >+ >+def main(request, response): >+ op = request.GET.first("op"); >+ key = request.GET.first("reportID") >+ cookie_key = re.sub('^....', 'cccc', key) >+ count_key = re.sub('^....', 'dddd', key) >+ >+ try: >+ timeout = request.GET.first("timeout") >+ except: >+ timeout = 0.5 >+ timeout = float(timeout) >+ >+ if op == "retrieve_report": >+ return [("Content-Type", "application/json")], retrieve_from_stash(request, key, timeout, json.dumps({'error': 'No such report.' , 'guid' : key})) >+ >+ if op == "retrieve_cookies": >+ return [("Content-Type", "application/json")], "{ \"reportCookies\" : " + str(retrieve_from_stash(request, cookie_key, timeout, "\"None\"")) + "}" >+ >+ if op == "retrieve_count": >+ return [("Content-Type", "application/json")], json.dumps({'report_count': str(retrieve_from_stash(request, count_key, timeout, 0))}) >+ >+ # save cookies >+ if hasattr(request, 'cookies') and len(request.cookies.keys()) > 0: >+ # convert everything into strings and dump it into a dict so it can be jsoned >+ temp_cookies_dict = {} >+ for dict_key in request.cookies.keys(): >+ temp_cookies_dict[str(dict_key)] = str(request.cookies.get_list(dict_key)) >+ with request.server.stash.lock: >+ request.server.stash.take(key=cookie_key) >+ request.server.stash.put(key=cookie_key, value=json.dumps(temp_cookies_dict)) >+ >+ # save latest report >+ report = request.body >+ report.rstrip() >+ with request.server.stash.lock: >+ request.server.stash.take(key=key) >+ request.server.stash.put(key=key, value=report) >+ >+ with request.server.stash.lock: >+ # increment report count >+ count = request.server.stash.take(key=count_key) >+ if count is None: >+ count = 0 >+ count += 
1 >+ request.server.stash.put(key=count_key, value=count) >+ >+ # return acknowledgement report >+ return [("Content-Type", "text/plain")], "Recorded report " + report >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/resource.py b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/resource.py >new file mode 100644 >index 0000000000000000000000000000000000000000..1e3a0bf7b0e00283e9da45df737e27a892d917ae >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/resource.py >@@ -0,0 +1,5 @@ >+def main(request, response): >+ headers = [] >+ headers.append(("Access-Control-Allow-Origin", "*")) >+ >+ return headers, "{ \"result\": \"success\" }" >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/service-worker-helper.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/service-worker-helper.js >new file mode 100644 >index 0000000000000000000000000000000000000000..b5f65c96a0cc022906ab2e31b7a5b20ff7efbefa >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/service-worker-helper.js >@@ -0,0 +1,5 @@ >+var url = new URL("../support/ping.js", document.baseURI).toString(); >+if (document.getElementById("foo").hasAttribute("blocked-worker")) >+ assert_service_worker_is_blocked(url, document.getElementById("foo").getAttribute("data-desc-fallback")); >+else >+ assert_service_worker_is_loaded(url, document.getElementById("foo").getAttribute("data-desc-fallback")); >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/shared-worker-helper.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/shared-worker-helper.js >new file mode 100644 >index 0000000000000000000000000000000000000000..2a3873873f38b24297bc6e8f159ac30668aa40d0 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/shared-worker-helper.js >@@ -0,0 +1,5 @@ >+var url = new URL("../support/ping.js", document.baseURI).toString(); >+if (document.getElementById("foo").hasAttribute("blocked-worker")) >+ assert_shared_worker_is_blocked(url, document.getElementById("foo").getAttribute("data-desc-fallback")); >+else >+ assert_shared_worker_is_loaded(url, document.getElementById("foo").getAttribute("data-desc-fallback")); >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/siblingPath.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/siblingPath.js >new file mode 100644 >index 0000000000000000000000000000000000000000..f4012f04ddaf24bd0a2e888fe8ddbd502d1d1de3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/siblingPath.js >@@ -0,0 +1,5 @@ >+ buildSiblingPath = function(hostPrefix, relativePath, newPort) { >+ var port = newPort ? newPort : document.location.port; >+ var path = document.location.pathname.substring(0, document.location.pathname.lastIndexOf('/') + 1); >+ return (document.location.protocol + '//' + hostPrefix + "." + document.location.hostname + ':' + port + path + relativePath); >+}; >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/testharness-helper.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/testharness-helper.js >new file mode 100644 >index 0000000000000000000000000000000000000000..d475d05115a59d0d4630894227e7c0a1ae4304ce >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/testharness-helper.js 
>@@ -0,0 +1,139 @@ >+function assert_no_csp_event_for_url(test, url) { >+ self.addEventListener("securitypolicyviolation", test.step_func(e => { >+ if (e.blockedURI !== url) >+ return; >+ assert_unreached("SecurityPolicyViolation event fired for " + url); >+ })); >+} >+ >+function assert_no_event(test, obj, name) { >+ obj.addEventListener(name, test.unreached_func("The '" + name + "' event should not have fired.")); >+} >+ >+function waitUntilCSPEventForURL(test, url) { >+ return new Promise((resolve, reject) => { >+ self.addEventListener("securitypolicyviolation", test.step_func(e => { >+ if (e.blockedURI == url) >+ resolve(e); >+ })); >+ }); >+} >+ >+function waitUntilCSPEventForEval(test, line) { >+ return new Promise((resolve, reject) => { >+ self.addEventListener("securitypolicyviolation", test.step_func(e => { >+ if (e.blockedURI == "eval" && e.lineNumber == line) >+ resolve(e); >+ })); >+ }); >+} >+ >+function waitUntilEvent(obj, name) { >+ return new Promise((resolve, reject) => { >+ obj.addEventListener(name, resolve); >+ }); >+} >+ >+// Given the URL of a worker that pings its opener upon load, this >+// function builds a test that asserts that the ping is received, >+// and that no CSP event fires. 
>+function assert_worker_is_loaded(url, description) { >+ async_test(t => { >+ assert_no_csp_event_for_url(t, url); >+ var w = new Worker(url); >+ assert_no_event(t, w, "error"); >+ waitUntilEvent(w, "message") >+ .then(t.step_func_done(e => { >+ assert_equals(e.data, "ping"); >+ })); >+ }, description); >+} >+ >+function assert_shared_worker_is_loaded(url, description) { >+ async_test(t => { >+ assert_no_csp_event_for_url(t, url); >+ var w = new SharedWorker(url); >+ assert_no_event(t, w, "error"); >+ waitUntilEvent(w.port, "message") >+ .then(t.step_func_done(e => { >+ assert_equals(e.data, "ping"); >+ })); >+ w.port.start(); >+ }, description); >+} >+ >+function assert_service_worker_is_loaded(url, description) { >+ promise_test(t => { >+ assert_no_csp_event_for_url(t, url); >+ return Promise.all([ >+ waitUntilEvent(navigator.serviceWorker, "message") >+ .then(e => { >+ assert_equals(e.data, "ping"); >+ }), >+ navigator.serviceWorker.register(url, { scope: url }) >+ .then(r => { >+ var sw = r.active || r.installing || r.waiting; >+ t.add_cleanup(_ => r.unregister()); >+ sw.postMessage("pong?"); >+ }) >+ ]); >+ }, description); >+} >+ >+// Given the URL of a worker that pings its opener upon load, this >+// function builds a test that asserts that the constructor throws >+// a SecurityError, and that a CSP event fires. >+function assert_worker_is_blocked(url, description) { >+ async_test(t => { >+ // If |url| is a blob, it will be stripped down to "blob" for reporting. >+ var reportedURL = new URL(url).protocol == "blob:" ? "blob" : url; >+ waitUntilCSPEventForURL(t, reportedURL) >+ .then(t.step_func_done(e => { >+ assert_equals(e.blockedURI, reportedURL); >+ assert_equals(e.violatedDirective, "worker-src"); >+ assert_equals(e.effectiveDirective, "worker-src"); >+ })); >+ >+ // TODO(mkwst): We shouldn't be throwing here. We should be firing an >+ // `error` event on the Worker. 
https://crbug.com/663298 >+ assert_throws("SecurityError", function () { >+ var w = new Worker(url); >+ }); >+ }, description); >+} >+ >+function assert_shared_worker_is_blocked(url, description) { >+ async_test(t => { >+ // If |url| is a blob, it will be stripped down to "blob" for reporting. >+ var reportedURL = new URL(url).protocol == "blob:" ? "blob" : url; >+ waitUntilCSPEventForURL(t, reportedURL) >+ .then(t.step_func_done(e => { >+ assert_equals(e.blockedURI, reportedURL); >+ assert_equals(e.violatedDirective, "worker-src"); >+ assert_equals(e.effectiveDirective, "worker-src"); >+ })); >+ >+ // TODO(mkwst): We shouldn't be throwing here. We should be firing an >+ // `error` event on the SharedWorker. https://crbug.com/663298 >+ assert_throws("SecurityError", function () { >+ var w = new SharedWorker(url); >+ }); >+ }, description); >+} >+ >+function assert_service_worker_is_blocked(url, description) { >+ promise_test(t => { >+ assert_no_event(t, navigator.serviceWorker, "message"); >+ // If |url| is a blob, it will be stripped down to "blob" for reporting. >+ var reportedURL = new URL(url).protocol == "blob:" ? "blob" : url; >+ return Promise.all([ >+ waitUntilCSPEventForURL(t, reportedURL) >+ .then(t.step_func_done(e => { >+ assert_equals(e.blockedURI, reportedURL); >+ assert_equals(e.violatedDirective, "worker-src"); >+ assert_equals(e.effectiveDirective, "worker-src"); >+ })), >+ promise_rejects(t, "SecurityError", navigator.serviceWorker.register(url, { scope: url })) >+ ]); >+ }, description); >+} >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/var-a.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/var-a.js >new file mode 100644 >index 0000000000000000000000000000000000000000..5fc5fde2044032608949bac1ad4524bd188b4afb >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/var-a.js >@@ -0,0 +1 @@ >+self.a = true; 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..87ffc2fdafabf19e39da0665736ac4315536bca4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/w3c-import.log 
>@@ -0,0 +1,51 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/alert-pass.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/alertAssert.sub.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/checkReport.sub.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/dedicated-worker-helper.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/document-write-alert-fail.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/echo-policy.py >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/fail.asis >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/fail.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/fail.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/fail.png >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/file-prefetch-allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/fonts.css >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/import-scripts.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/inject-image.js 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/inject-image.sub.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/logTest.sub.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/manifest.json >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/nonce-should-be-blocked.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/pass.png >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/pass2.png >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/ping.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/post-message.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/postmessage-fail.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/postmessage-pass-to-opener.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/postmessage-pass.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/prefetch-helper.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/prefetch-subresource.css >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/prefetch-subresource.css.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/report.py >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/resource.py >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/service-worker-helper.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/shared-worker-helper.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/siblingPath.js >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/testharness-helper.js 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/var-a.js >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/including.sub.svg b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/including.sub.svg >new file mode 100644 >index 0000000000000000000000000000000000000000..51215d90440e4cb1aefed9b2c7aae7ee5e5a8b15 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/including.sub.svg >@@ -0,0 +1,19 @@ >+<?xml version="1.0" standalone="no"?> >+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" >+ "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> >+<svg width="6cm" height="5cm" viewBox="0 0 600 500" >+ xmlns="http://www.w3.org/2000/svg" version="1.1" >+ xmlns:xlink="http://www.w3.org/1999/xlink"> >+ <desc>using SVG as a resource doc should apply this doc's CSP</desc> >+ >+ <use xlink:href="scripted.svg#postmessagescript" /> >+ >+ <circle cx="300" cy="225" r="100" fill="lawngreen"/> >+ >+ <text x="300" y="250" >+ font-family="Verdana" >+ font-size="50" >+ text-anchor="middle"> >+ PASS >+ </text> >+</svg> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/including.sub.svg.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/including.sub.svg.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..0f3f281d9020b7235f22f8f0a73705117217631e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/including.sub.svg.sub.headers >@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: including={{$id:uuid()}}; Path=/content-security-policy/svg >+Content-Security-Policy: script-src 'none'; 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/object-in-svg-foreignobject.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/object-in-svg-foreignobject.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..5ea96e4996e9939e6a8afed31879a3466bc45be9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/object-in-svg-foreignobject.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+FAIL Should throw a securitypolicyviolation assert_equals: expected "object-src" but got "object-src 'none'" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/object-in-svg-foreignobject.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/object-in-svg-foreignobject.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..aa4f15695307e6de3050e482e9ed6ba3240899e3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/object-in-svg-foreignobject.sub.html 
>@@ -0,0 +1,27 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <title>Object inside SVG foreignobject respect csp</title> >+ <meta http-equiv="Content-Security-Policy" content="object-src 'none'"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script> >+ async_test(function(t) { >+ document.addEventListener("securitypolicyviolation", t.step_func(function(e) { >+ if (e.blockedURI != "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/media/flash.swf") >+ return; >+ >+ assert_equals(e.violatedDirective, "object-src"); >+ t.done(); >+ })); >+ }, "Should throw a securitypolicyviolation"); >+ </script> >+</head> >+<body> >+ <svg> >+ <foreignObject> >+ <embed type="application/x-shockwave-flash" src="/content-security-policy/support/media/flash.swf"> >+ </foreignObject> >+ </svg> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/scripted-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/scripted-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a9b0ec2bdec498e58518a0ce4dd606d5f4132782 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/scripted-expected.txt 
>@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: line 8: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+layer at (0,0) size 1280x960 >+ RenderView at (0,0) size 1280x960 >+layer at (0,0) size 227x189 >+ RenderSVGRoot {svg} at (75,47) size 77x76 >+ RenderSVGEllipse {circle} at (75,47) size 77x76 [fill={[type=SOLID] [color=#7CFC00]}] [cx=300.00] [cy=225.00] [r=100.00] >+ RenderSVGText {text} at (233,198) size 134x63 contains 1 chunk(s) >+ RenderSVGInlineText {#text} at (0,0) size 134x63 >+ chunk 1 (middle anchor) text run 1 at (233.29,250.00) startOffset 0 endOffset 4 width 133.41: "PASS" >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/scripted.svg b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/scripted.svg >new file mode 100644 >index 0000000000000000000000000000000000000000..5482831fa85969621a286e161ed7ecd035f75c2a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/scripted.svg >@@ -0,0 +1,20 @@ >+<?xml version="1.0" standalone="no"?> >+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" >+ "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> >+<svg width="6cm" height="5cm" viewBox="0 0 600 500" >+ xmlns="http://www.w3.org/2000/svg" version="1.1"> >+ <desc>Example script01 - redirect</desc> >+ >+ <script id="postmessagescript" type="application/ecmascript"> <![CDATA[ >+ location = "/content-security-policy/support/postmessage-fail.html"; >+ ]]> </script> >+ >+ <circle cx="300" cy="225" r="100" fill="lawngreen"/> >+ >+ <text x="300" y="250" >+ font-family="Verdana" >+ font-size="50" >+ text-anchor="middle"> >+ PASS >+ </text> >+</svg> 
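Review bot: the baseline in object-in-svg-foreignobject.sub-expected.txt records `FAIL Should throw a securitypolicyviolation assert_equals: expected "object-src" but got "object-src 'none'"`, i.e. the event is dispatched but `e.violatedDirective` carries the directive's full text rather than its name; that is an engine-side interop gap, not a test defect, so it should be tracked with a bug reference in TestExpectations rather than landed silently as a FAIL baseline that will turn into an unexpected result the day it is fixed. Minor upstream nit on the test itself: the title says "Object inside SVG foreignobject" but the markup under test is `<embed type="application/x-shockwave-flash" src="/content-security-policy/support/media/flash.swf">`.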
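Review bot: scripted-expected.txt is a render-tree dump with font metrics (`RenderSVGText {text} at (233,198) size 134x63`, `width 133.41: "PASS"`), which means scripted.svg is being run as a stand-alone test although it is a support document that svg-policy-resource-doc-includes.html and svg-policy-with-resource.html load through `<iframe>` and `<object>`; a metric baseline like this differs per platform and will need per-port expectations for no gain. Prefer listing scripted.svg as a resource file so it is not run on its own. The console line it captures, `Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive`, does at least confirm that the `script-src 'none'` header from scripted.svg.sub.headers is enforced on the SVG document, which is what the iframe tests depend on.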
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/scripted.svg.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/scripted.svg.sub.headers >new file mode 100644 >index 0000000000000000000000000000000000000000..0e90e147ad2b9ec692eab6e168b8eff3b8510bd0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/scripted.svg.sub.headers >@@ -0,0 +1,6 @@ >+Expires: Mon, 26 Jul 1997 05:00:00 GMT >+Cache-Control: no-store, no-cache, must-revalidate >+Cache-Control: post-check=0, pre-check=0, false >+Pragma: no-cache >+Set-Cookie: scripted={{$id:uuid()}}; Path=/content-security-policy/svg >+Content-Security-Policy: script-src 'none'; >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-from-guid-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-from-guid-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..15cbf5ea37f0c7f46e3c53125537fca47d122cc2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-from-guid-expected.txt >@@ -0,0 +1,6 @@ >+Tests that an SVG loaded in an iframe with a policy enforces it, not the policy enforced by this parent frame. The SVG should render and not redirect to a different resource. >+ >+ >+ >+PASS Expecting logs: ["TEST COMPLETE"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-from-guid.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-from-guid.html >new file mode 100644 >index 0000000000000000000000000000000000000000..962cd880363681b8ec4f98e2877724287c9f05d7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-from-guid.html 
>@@ -0,0 +1,51 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <title>svg-from-guid</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <script> >+ window.addEventListener("message", function(event) { >+ alert_assert(event.data); >+ }, false); >+ window.addEventListener('load', function() { >+ setTimeout(function() { >+ log("TEST COMPLETE"); >+ }, 1); >+ }); >+ </script> >+</head> >+ >+<body> >+ <p>Tests that an SVG loaded in an iframe with a policy enforces it, not >+ the policy enforced by this parent frame. The SVG should render and >+ not redirect to a different resource.</p> >+ <!-- >+<?xml version="1.0" standalone="no"?> >+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" >+ "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> >+<svg width="6cm" height="5cm" viewBox="0 0 600 500" >+ xmlns="http://www.w3.org/2000/svg" version="1.1"> >+ <desc>Example script01 - redirect</desc> >+ >+ <script id="postmessagescript" type="application/ecmascript"> <![CDATA[ >+ location = "/content-security-policy/support/postmessage-fail.html"; >+ ]]> </script> >+ >+ <circle cx="300" cy="225" r="100" fill="lawngreen"/> >+ >+ <text x="300" y="250" >+ font-family="Verdana" >+ font-size="50" >+ text-anchor="middle"> >+ PASS >+ </text> >+</svg> >+ --> >+ <iframe name="test_target" id="test_iframe" src="data:image/svg+xml;charset=utf-8;base64,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"></iframe> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-inline.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-inline.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..38202226e1d1c6485c8ea94b301d7901ffce6e5b 
>--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-inline.sub-expected.txt >@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: Refused to load http://www1.localhost:8800/content-security-policy/support/.js because it does not appear in the script-src directive of the Content Security Policy. >+Tests that an SVG loaded in an iframe with a policy enforces it, not the policy enforced by this parent frame. The SVG should render and not redirect to a different resource. >+ >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Should fire violation event >+PASS >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-inline.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-inline.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..16d03407fd9eb5831b6cb17fa718875450c498dd >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-inline.sub.html 
>@@ -0,0 +1,41 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <title>svg-policy-with-resource</title> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';"> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script> >+ var t_spv = async_test("Should fire violation event"); >+ window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, "script-src-elem"); >+ })); >+ </script> >+ >+</head> >+ >+<body> >+ <p>Tests that an SVG loaded in an iframe with a policy enforces it, not >+ the policy enforced by this parent frame. The SVG should render and >+ not redirect to a different resource.</p> >+ <div id="log"></div> >+ <?xml version="1.0" standalone="no"?> >+ >+ <svg width="6cm" height="5cm" viewBox="0 0 600 500" >+ xmlns="http://www.w3.org/2000/svg" version="1.1"> >+ >+ <script type="application/ecmascript" >+ xlink:href="http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/.js"> >+ </script> >+ >+ <circle cx="300" cy="225" r="100" fill="lawngreen"/> >+ >+ <text x="300" y="250" >+ font-family="Verdana" >+ font-size="50" >+ text-anchor="middle"> >+ PASS >+ </text> >+ </svg> >+</body> >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-policy-resource-doc-includes-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-policy-resource-doc-includes-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..15cbf5ea37f0c7f46e3c53125537fca47d122cc2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-policy-resource-doc-includes-expected.txt 
>@@ -0,0 +1,6 @@ >+Tests that an SVG loaded in an iframe with a policy enforces it, not the policy enforced by this parent frame. The SVG should render and not redirect to a different resource. >+ >+ >+ >+PASS Expecting logs: ["TEST COMPLETE"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-policy-resource-doc-includes.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-policy-resource-doc-includes.html >new file mode 100644 >index 0000000000000000000000000000000000000000..3ca62624058e63875114ce404da5ee8ede64796e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-policy-resource-doc-includes.html >@@ -0,0 +1,29 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <title>svg-policy-with-resource</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <script> >+ window.addEventListener("message", function(event) { >+ alert_assert(event.data); >+ }, false); >+ window.addEventListener('load', function() { >+ setTimeout(function() { >+ log("TEST COMPLETE"); >+ }, 0); >+ }); >+ </script> >+</head> >+ >+<body> >+ <p>Tests that an SVG loaded in an iframe with a policy enforces it, not >+ the policy enforced by this parent frame. The SVG should render and >+ not redirect to a different resource.</p> >+ <iframe name="test_target" id="test_iframe" src="scripted.svg"></iframe> >+ <div id="log"></div> >+</body> >+ >+</html> 
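Review bot: svg-from-guid.html does not actually exercise a Content Security Policy: the page has no CSP `<meta>`, w3c-import.log lists no headers file for it, and the SVG is loaded from a `data:image/svg+xml;charset=utf-8;base64,` `<iframe>`, which cannot carry response headers. The embedded script (shown in the HTML comment) does `location = "/content-security-policy/support/postmessage-fail.html";`, a relative reference that cannot be resolved against a `data:` base URL, so the navigation fails with or without a policy; that, plus `setTimeout(function() { log("TEST COMPLETE"); }, 1);` after `load`, is why the baseline shows PASS. The PASS should not be read as evidence that any policy blocked the script; worth an upstream issue.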
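Review bot: svg-inline.sub-expected.txt baselines `Harness Error (TIMEOUT)` with `NOTRUN Should fire violation event`, so every run of this file now waits out the full harness timeout. The console line above it, `Refused to load http://www1.localhost:8800/content-security-policy/support/.js because it does not appear in the script-src directive`, shows the cross-origin SVG `<script xlink:href>` is blocked, so the missing piece is the `securitypolicyviolation` event for that blocked SVG script; once it is dispatched the test will still report FAIL until `script-src-elem` is what `e.violatedDirective` reports. Mark this Timeout/Failure in TestExpectations with a bug reference instead of baselining the timeout.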
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-policy-with-resource-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-policy-with-resource-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..4a796f0df0067b1d9a61dfb3891af26b17b0bc49 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-policy-with-resource-expected.txt >@@ -0,0 +1,6 @@ >+Tests that an SVG loaded in an iframe with a policy enforces it, not the policy enforced by this parent frame. The SVG should render and not redirect to a different resource. >+ >+ >+ >+PASS Expecting logs: ["TEST COMPLETE"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-policy-with-resource.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-policy-with-resource.html >new file mode 100644 >index 0000000000000000000000000000000000000000..88ba0b3e65ce1b5099f23cf8b81448ee7a26fdc7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-policy-with-resource.html 
>@@ -0,0 +1,30 @@ >+<!DOCTYPE html> >+<html> >+<head> >+ <title>svg-policy-with-resource</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["TEST COMPLETE"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+ <script> >+ window.addEventListener("message", function(event) { >+ alert_assert(event.data); >+ }, false); >+ window.addEventListener('load', function() { >+ setTimeout(function() { >+ log("TEST COMPLETE"); >+ }, 0); >+ }); >+ </script> >+</head> >+ >+<body> >+ <p>Tests that an SVG loaded in an iframe with a policy enforces it, not >+ the policy enforced by this parent frame. The SVG should render and >+ not redirect to a different resource.</p> >+ <iframe name="test_target" id="test_iframe" src="scripted.svg"></iframe> >+ <object type="image/svg+xml" data="scripted.svg"></object> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..f217305c8ea071ac82f34d337e287a25f691755c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/w3c-import.log 
>@@ -0,0 +1,25 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/including.sub.svg >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/including.sub.svg.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/object-in-svg-foreignobject.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/scripted.svg >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/scripted.svg.sub.headers >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-from-guid.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-inline.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-policy-resource-doc-includes.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-policy-with-resource.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..7f46306c357b71e27d8969dad6bae218e1244073 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-allowed.sub-expected.txt 
>@@ -0,0 +1,3 @@ >+ >+PASS Expecting alerts: ["PASS (1 of 2)","PASS (2 of 2)"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..186996311b707e1fc646885c847e082797847a9b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-allowed.sub.html >@@ -0,0 +1,27 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';"> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <title>eval-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src="../support/logTest.sub.js?logs=[]"></script> >+ <script src='../support/alertAssert.sub.js?alerts=["PASS (1 of 2)","PASS (2 of 2)"]'></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("Fail"); >+ }); >+ >+ eval("alert_assert('PASS (1 of 2)')"); >+ >+ window.eval("alert_assert('PASS (2 of 2)')"); >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..e4559e1f5989c9663a6e897f5a6684b37c705b30 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub-expected.txt 
>@@ -0,0 +1,3 @@ >+ >+FAIL Expecting logs: ["PASS: eval() blocked.","violated-directive=script-src"] assert_unreached: Logging timeout, expected logs violated-directive=script-src not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..998a616652a26c780b1f106eec80456b668775e2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html >@@ -0,0 +1,30 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>eval-blocked-and-sends-report</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS: eval() blocked.","violated-directive=script-src"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ try { >+ eval("alert_assert('FAIL')"); >+ } catch (e) { >+ log('PASS: eval() blocked.'); >+ } >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> 
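Review bot: the baseline for eval-blocked-and-sends-report.sub-expected.txt says only `violated-directive=script-src` was not sent, so `eval()` did throw (the `PASS: eval() blocked.` log arrived) but no `securitypolicyviolation` event was dispatched for the blocked string compilation; the same gap explains the FAIL baselines of eval-blocked, eval-scripts-setInterval-blocked, eval-scripts-setTimeout-blocked and function-constructor-blocked below, and deserves one bug reference in TestExpectations rather than five FAIL baselines. On the test itself: `catch (e) { log('PASS: eval() blocked.'); }` accepts any exception, for example a ReferenceError if `alert_assert` were undefined, and should check `e instanceof EvalError`; and despite the file name the `<meta>` policy has no `report-uri`, so no report is ever sent and only the event is observed. Both are upstream points.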
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..94e2db8cdea1e27dc1fae731f2b3782d6c6b1637 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.sub-expected.txt >@@ -0,0 +1,6 @@ >+Eval should be blocked in the iframe, but inline script should be allowed. >+ >+ >+ >+FAIL Expecting logs: ["violated-directive=script-src","PASS"] assert_unreached: Logging timeout, expected logs violated-directive=script-src,PASS not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..95b3d566ced45aecd150bc48243db766ab3952bf >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.sub.html 
>@@ -0,0 +1,34 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>eval-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["violated-directive=script-src","PASS"]'></script> >+ <script src='../support/alertAssert.sub.js?alerts=[]'></script> >+</head> >+ >+<body> >+ >+<p>Eval should be blocked in the iframe, but inline script should be allowed.</p> >+<script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ window.onmessage = function(e) { >+ log(e.data); >+ } >+ window.onload = function() { >+ frames[0].document.write("<script>eval('window.parent.postMessage(\"FAIL\", \"*\");'); window.parent.postMessage(\"PASS\", \"*\");</sc" + "ript>"); >+ frames[0].document.close(); >+ } >+ >+</script> >+<iframe src="about:blank"></iframe> >+ >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..11f13e272decf8cd88f78ea5e048b46fab73a1c8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Expecting logs: ["PASS EvalError","PASS EvalError", "violated-directive=script-src"] assert_unreached: Logging timeout, expected logs violated-directive=script-src not sent. Reached unreachable code >+ 
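Review bot: eval-blocked-in-about-blank-iframe.sub.html cannot pass as written even once the violation event is dispatched: the script written into the frame is `eval('window.parent.postMessage(\"FAIL\", \"*\");'); window.parent.postMessage(\"PASS\", \"*\");` with no try/catch, so when the inherited policy blocks `eval()` the EvalError aborts that inline script before the `PASS` message is posted, which is exactly what the baseline reports (`expected logs violated-directive=script-src,PASS not sent`). The `securitypolicyviolation` listener is also on the parent `window`, while the violation happens in the child's document, so the parent would not observe it. This should go back upstream as a test bug (wrap the eval in try/catch and listen in the frame or relay via postMessage) and be tracked as Failure here; as landed, the baseline says nothing about whether the about:blank frame inherits the parent's policy.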
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..7546082ee4126ea67d1e57532256ddafd859b4ef >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked.sub.html >@@ -0,0 +1,36 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>eval-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS EvalError","PASS EvalError", "violated-directive=script-src"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ try { >+ eval("alert_assert('FAIL (1 of 2)')"); >+ } catch (e) { >+ log("PASS EvalError"); >+ } >+ >+ try { >+ window.eval("alert_assert('FAIL (1 of 2)')"); >+ } catch (e) { >+ log("PASS EvalError"); >+ } >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ab9e76137dde2497bbee604ac647d27f54cc2f07 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+ >+PASS Expecting logs: ["PASS 1 of 2","PASS 2 of 2"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..ee888eaa4957d9e0df7443cc59ff7039489f2853 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub.html >@@ -0,0 +1,33 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';"> >+ <title>eval-scripts-setInterval-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS 1 of 2","PASS 2 of 2"]'></script> >+ <script src='../support/alertAssert.sub.js?alerts=[]'></script> >+</head> >+<pre> >+<script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("Fail"); >+ }); >+ >+ var id_string = setInterval("clearInterval(id_string); log('PASS 1 of 2')", 0); >+ if (id_string == 0) >+ log('FAIL: Return value for string (should not be 0): ' + id_string); >+ >+ var id_function = setInterval(function() { >+ clearInterval(id_function); >+ log('PASS 2 of 2'); >+ }, 0); >+ >+ if (id_function == 0) >+ log('FAIL'); >+</script> >+</pre> >+ >+</html> 
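Review bot: in eval-blocked.sub.html the second call logs the wrong label on failure, `window.eval("alert_assert('FAIL (1 of 2)')")` should read `FAIL (2 of 2)`, and both catch blocks log `PASS EvalError` without ever looking at `e`, so any exception type counts as a pass; an `assert_true(e instanceof EvalError)` in each catch would make the log line honest. Upstream nits, but worth filing since the expected-logs list `["PASS EvalError","PASS EvalError", "violated-directive=script-src"]` is what the baseline is compared against.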
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..fade5a1043cfcad691add2a3abd06ab1adc2e07e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Expecting logs: ["PASS","violated-directive=script-src"] assert_unreached: Logging timeout, expected logs violated-directive=script-src not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..0d65e294f751899a6dc249be23c38c029c58f37e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html 
>@@ -0,0 +1,31 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>eval-scripts-setInterval-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS","violated-directive=script-src"]'></script> >+ <script src='../support/alertAssert.sub.js?alerts=[]'></script> >+</head> >+<script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ var id = setInterval("alert_assert('FAIL')", 0); >+ if (id != 0) >+ log('FAIL: Return value for string (should be 0): ' + id); >+ >+ var id = setInterval(function() { >+ clearInterval(id); >+ log('PASS'); >+ }, 0); >+ >+ if (id == 0) >+ log('FAIL'); >+</script> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ca4298c87278863ce5ad4aaf2e4fbbc46d97d681 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Expecting logs: ["PASS 1 of 2","PASS 2 of 2"] >+ 
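Review bot: eval-scripts-setInterval-blocked.sub.html asserts that a blocked string handler makes `setInterval` return 0 (`if (id != 0) log('FAIL: Return value for string (should be 0): ' + id);`); that matches the WebKit reftest it was converted from, but HTML's timer initialization steps perform the CSP string-compilation check inside the timer task when it fires, not at call time, so a conforming engine returns an ordinary timer id and this test logs FAIL on it. Nothing to change in WebKit for the import, but raise it upstream; the setTimeout variant below has the same `if (id != 0)` check. Also note that on such an engine the string interval is never cleared, so it would fire and be blocked every tick, and `var id` is redeclared, so the first id is lost.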
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..ff85a867489b3648b30f89d9a73029b18b30334e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub.html >@@ -0,0 +1,28 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';"> >+ <title>eval-scripts-setTimeout-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS 1 of 2","PASS 2 of 2"]'></script> >+ <script src='../support/alertAssert.sub.js?alerts=[]'></script> >+</head> >+<script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("Fail"); >+ }); >+ >+ var id = setTimeout("log('PASS 1 of 2')", 0); >+ if (id == 0) >+ log('FAIL'); >+ var id = setTimeout(function() { >+ log('PASS 2 of 2'); >+ }, 0); >+ if (id == 0) >+ log('FAIL'); >+</script> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..fade5a1043cfcad691add2a3abd06ab1adc2e07e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub-expected.txt 
>@@ -0,0 +1,3 @@ >+ >+FAIL Expecting logs: ["PASS","violated-directive=script-src"] assert_unreached: Logging timeout, expected logs violated-directive=script-src not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..21737ce8cb226dafbfc55501e2d4b3108a13368f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html >@@ -0,0 +1,30 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>eval-scripts-setTimeout-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS","violated-directive=script-src"]'></script> >+ <script src='../support/alertAssert.sub.js?alerts=[]'></script> >+</head> >+<script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ var id = setTimeout("alert_assert('FAIL')", 0); >+ if (id != 0) >+ log('FAIL'); >+ >+ var id = setTimeout(function() { >+ log('PASS'); >+ }, 0); >+ >+ if (id == 0) >+ log('FAIL'); >+</script> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/function-constructor-allowed.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/function-constructor-allowed.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..70bc2cda491939c14428e19cbaff031dfe3d822a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/function-constructor-allowed.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Expecting logs: ["PASS"] >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/function-constructor-allowed.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/function-constructor-allowed.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..8e6661b21c60c70cfe64ceecb1bfd83ef5329b59 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/function-constructor-allowed.sub.html >@@ -0,0 +1,26 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';"> >+ <title>function-constructor-allowed</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script> >+ <script src='../support/alertAssert.sub.js?alerts=[]'></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("Fail"); >+ }); >+ >+ (new Function("log('PASS')"))(); >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..047462cec58d375e97cd21081d3551b6db328dc6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Expecting logs: ["PASS EvalError","violated-directive=script-src"] assert_unreached: Logging timeout, expected logs violated-directive=script-src not sent. Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..eb610ff542f870a3edf699e77c2fe6193312d8c4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub.html 
>@@ -0,0 +1,30 @@ >+<!DOCTYPE html> >+<html> >+ >+<head> >+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';"> >+ <title>function-constructor-blocked</title> >+ <script src="/resources/testharness.js"></script> >+ <script src="/resources/testharnessreport.js"></script> >+ <script src='../support/logTest.sub.js?logs=["PASS EvalError","violated-directive=script-src"]'></script> >+ <script src="../support/alertAssert.sub.js?alerts=[]"></script> >+</head> >+ >+<body> >+ <script> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ log("violated-directive=" + e.violatedDirective); >+ }); >+ >+ try { >+ (new Function("log('FAIL')"))(); >+ } catch (e) { >+ log("PASS EvalError"); >+ } >+ >+ </script> >+ <div id="log"></div> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..7fefa5caf0c02e7ca05ef3caf9e963dcf910b057 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/w3c-import.log 
>@@ -0,0 +1,26 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/function-constructor-allowed.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub.html 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..b90c5688886edc62a02385a8e53b99b5c1cace25 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href-expected.txt >@@ -0,0 +1,7 @@ >+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''unsafe-hashes''. It will be ignored. >+CONSOLE MESSAGE: line 23: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the javascript: src is allowed to run >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html >new file mode 100644 >index 0000000000000000000000000000000000000000..76e9576e8b11856695b12bd2516fa8507940c57e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html 
>@@ -0,0 +1,26 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' >+ 'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=';"> >+ <!-- >+ 'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=' ==> 'javascript:t1.done();' >+ --> >+ <script src='/resources/testharness.js' nonce='abc'></script> >+ <script src='/resources/testharnessreport.js' nonce='abc'></script> >+</head> >+ >+<body> >+ <div id='log'></div> >+ <a href='javascript:t1.done();' id='test'> >+ <script nonce='abc'> >+ var t1 = async_test("Test that the javascript: src is allowed to run"); >+ >+ window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event")); >+ >+ document.getElementById('test').click(); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..b90c5688886edc62a02385a8e53b99b5c1cace25 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-expected.txt >@@ -0,0 +1,7 @@ >+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''unsafe-hashes''. It will be ignored. >+CONSOLE MESSAGE: line 23: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the javascript: src is allowed to run >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html >new file mode 100644 >index 0000000000000000000000000000000000000000..d1c2b38f247a0a11ecff8ead40eff2152545f461 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html >@@ -0,0 +1,26 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' >+ 'sha256-WZYVPzLjoxd1Cbc8gcx07ChlPmT3WP+KxkOiY0s4h8g=';"> >+ <!-- >+ 'sha256-WZYVPzLjoxd1Cbc8gcx07ChlPmT3WP+KxkOiY0s4h8g=' ==> 'javascript:opener.t1.done();' >+ --> >+ <script src='/resources/testharness.js' nonce='abc'></script> >+ <script src='/resources/testharnessreport.js' nonce='abc'></script> >+</head> >+ >+<body> >+ <div id='log'></div> >+ <a target="_blank" href='javascript:opener.t1.done();' id='test'> >+ <script nonce='abc'> >+ var t1 = async_test("Test that the javascript: src is allowed to run"); >+ >+ window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event")); >+ >+ document.getElementById('test').click(); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..895bb0368b194e4c1386a9466eb86cce4b2591a2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location-expected.txt 
>@@ -0,0 +1,7 @@ >+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''unsafe-hashes''. It will be ignored. >+CONSOLE MESSAGE: line 15: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the javascript: src is allowed to run >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html >new file mode 100644 >index 0000000000000000000000000000000000000000..7dfb7b572f975e3116c8003770089c986b8c073f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html >@@ -0,0 +1,27 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <!-- >+ 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')' >+ --> >+ <script src='/resources/testharness.js' nonce='abc'></script> >+ <script src='/resources/testharnessreport.js' nonce='abc'></script> >+</head> >+ >+<body> >+ <div id='log'></div> >+ <script nonce='abc'> >+ var t1 = async_test("Test that the javascript: src is allowed to run"); >+ >+ window.onmessage = t1.step_func_done(function(e) { >+ assert_equals(e.data, "pass"); >+ }); >+ >+ window.open('support/child_window_location_navigate.sub.html' + >+ '?csp=' + encodeURI("script-src 'unsafe-hashes' 'nonce-abc' 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y='") + >+ '&url=' + encodeURI("javascript:opener.postMessage('pass', '*')")); >+ </script> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..6d1ca5c1b3daaefe32e885d92fbdf31174c69592 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open-expected.txt >@@ -0,0 +1,7 @@ >+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''unsafe-hashes''. It will be ignored. >+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the javascript: src is allowed to run >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html >new file mode 100644 >index 0000000000000000000000000000000000000000..970290e3f6f8e8135e9f9c4a53d1e24f03890491 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html 
>@@ -0,0 +1,29 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' >+ 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=';"> >+ <!-- >+ 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')' >+ --> >+ <script src='/resources/testharness.js' nonce='abc'></script> >+ <script src='/resources/testharnessreport.js' nonce='abc'></script> >+</head> >+ >+<body> >+ <div id='log'></div> >+ <script nonce='abc'> >+ var t1 = async_test("Test that the javascript: src is allowed to run"); >+ >+ window.onmessage = t1.step_func_done(function(e) { >+ assert_equals(e.data, "pass"); >+ }); >+ >+ window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event")); >+ >+ window.open("javascript:opener.postMessage('pass', '*')"); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..6c9eb72ef82a9a1cbdb7bf2c97f4f857400af176 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href-expected.txt >@@ -0,0 +1,6 @@ >+CONSOLE MESSAGE: line 26: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the javascript: src is not allowed to run >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html >new file mode 100644 >index 0000000000000000000000000000000000000000..991200ac0daaa047a7637753b31d38ca7d99320b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html >@@ -0,0 +1,29 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' >+ 'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=';"> >+ <!-- >+ 'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=' ==> javascript:t1.unreached_func("Should not have run javascript: URL"); >+ --> >+ <script src='/resources/testharness.js' nonce='abc'></script> >+ <script src='/resources/testharnessreport.js' nonce='abc'></script> >+</head> >+ >+<body> >+ <div id='log'></div> >+ <a href='javascript:t1.unreached_func("Should not have run javascript: URL");' id='test'> >+ <script nonce='abc'> >+ var t1 = async_test("Test that the javascript: src is not allowed to run"); >+ >+ window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, 'script-src-elem'); >+ assert_equals(e.blockedURI, 'inline'); >+ })); >+ >+ document.getElementById('test').click(); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..be42f2dc266c9dda4482d7cece57968cd285c0a9 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-expected.txt >@@ -0,0 +1,7 @@ >+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''unsafe-hashes''. It will be ignored. >+CONSOLE MESSAGE: line 26: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the javascript: src is not allowed to run >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html >new file mode 100644 >index 0000000000000000000000000000000000000000..66ec9e1678c6ac5dc34f962bee2830d67853d763 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html 
>@@ -0,0 +1,29 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' >+ 'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=';"> >+ <!-- >+ 'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=' ==> javascript:t1.unreached_func("Should not have run javascript: URL"); >+ --> >+ <script src='/resources/testharness.js' nonce='abc'></script> >+ <script src='/resources/testharnessreport.js' nonce='abc'></script> >+</head> >+ >+<body> >+ <div id='log'></div> >+ <a href='javascript:t1.unreached_func("Should not have run javascript: URL");' id='test'> >+ <script nonce='abc'> >+ var t1 = async_test("Test that the javascript: src is not allowed to run"); >+ >+ window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, 'script-src-elem'); >+ assert_equals(e.blockedURI, 'inline'); >+ })); >+ >+ document.getElementById('test').click(); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..024674aea6bed5396f1a9476087fa2e67bd132b6 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location-expected.txt >@@ -0,0 +1,6 @@ >+CONSOLE MESSAGE: line 15: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the javascript: src is not allowed to run >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c014bd1554a8d8ded3c700da07d542c0842adfb1 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html >@@ -0,0 +1,27 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <!-- >+ 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')' >+ --> >+ <script src='/resources/testharness.js' nonce='abc'></script> >+ <script src='/resources/testharnessreport.js' nonce='abc'></script> >+</head> >+ >+<body> >+ <div id='log'></div> >+ <script nonce='abc'> >+ var t1 = async_test("Test that the javascript: src is not allowed to run"); >+ >+ window.onmessage = t1.step_func_done(function(e) { >+ assert_equals(e.data, "fail"); >+ }); >+ >+ window.open('support/child_window_location_navigate.sub.html' + >+ '?csp=' + encodeURI("script-src 'nonce-abc' 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y='") + >+ '&url=' + encodeURI("javascript:opener.postMessage('pass', '*')")); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..af1d50a4bea233dfbbb3ecf12c416f9f947fb64a >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open-expected.txt >@@ -0,0 +1,6 @@ >+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the javascript: src is not allowed to run >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html >new file mode 100644 >index 0000000000000000000000000000000000000000..12c9b099857294e85cbe2efe2d4a3b7d60836cda >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html 
>@@ -0,0 +1,30 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' >+ 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=';"> >+ <!-- >+ 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')' >+ --> >+ <script src='/resources/testharness.js' nonce='abc'></script> >+ <script src='/resources/testharnessreport.js' nonce='abc'></script> >+</head> >+ >+<body> >+ <div id='log'></div> >+ <script nonce='abc'> >+ var t1 = async_test("Test that the javascript: src is not allowed to run"); >+ >+ window.onmessage = t1.unreached_func("Should have not received any message"); >+ >+ window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, 'script-src-elem'); >+ assert_equals(e.blockedURI, 'inline'); >+ })); >+ >+ window.open("javascript:opener.postMessage('pass', '*')"); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..be42f2dc266c9dda4482d7cece57968cd285c0a9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href-expected.txt >@@ -0,0 +1,7 @@ >+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''unsafe-hashes''. It will be ignored. >+CONSOLE MESSAGE: line 26: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the javascript: src is not allowed to run >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html >new file mode 100644 >index 0000000000000000000000000000000000000000..944b72774c8b15870f403941a38c705075046c16 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html >@@ -0,0 +1,29 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' >+ 'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=';"> >+ <!-- >+ 'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=' ==> javascript:t1.unreached_func("Should not have run javascript: URL"); >+ --> >+ <script src='/resources/testharness.js' nonce='abc'></script> >+ <script src='/resources/testharnessreport.js' nonce='abc'></script> >+</head> >+ >+<body> >+ <div id='log'></div> >+ <a href='javascript:t1.unreached_func("Should not have run javascript: URL");' id='test'> >+ <script nonce='abc'> >+ var t1 = async_test("Test that the javascript: src is not allowed to run"); >+ >+ window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, 'script-src-elem'); >+ assert_equals(e.blockedURI, 'inline'); >+ })); >+ >+ document.getElementById('test').click(); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..6c9eb72ef82a9a1cbdb7bf2c97f4f857400af176 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-expected.txt >@@ -0,0 +1,6 @@ >+CONSOLE MESSAGE: line 26: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the javascript: src is not allowed to run >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html >new file mode 100644 >index 0000000000000000000000000000000000000000..84491f83fbb1f3f5908fce22afad6a6370379ac5 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html 
>@@ -0,0 +1,29 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' >+ 'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=';"> >+ <!-- >+ 'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=' ==> javascript:t1.unreached_func("Should not have run javascript: URL"); >+ --> >+ <script src='/resources/testharness.js' nonce='abc'></script> >+ <script src='/resources/testharnessreport.js' nonce='abc'></script> >+</head> >+ >+<body> >+ <div id='log'></div> >+ <a target="_blank" href='javascript:t1.unreached_func("Should not have run javascript: URL");' id='test'> >+ <script nonce='abc'> >+ var t1 = async_test("Test that the javascript: src is not allowed to run"); >+ >+ window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, 'script-src-elem'); >+ assert_equals(e.blockedURI, 'inline'); >+ })); >+ >+ document.getElementById('test').click(); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..846bd03515ced79c04d23a00440f2a2ef16d25f3 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location-expected.txt 
>@@ -0,0 +1,7 @@ >+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''unsafe-hashes''. It will be ignored. >+CONSOLE MESSAGE: line 15: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the javascript: src is not allowed to run >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html >new file mode 100644 >index 0000000000000000000000000000000000000000..cfb8d6b958e077a27d49acb64b1b60f2d97c0f49 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html >@@ -0,0 +1,27 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <!-- >+ 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')' >+ --> >+ <script src='/resources/testharness.js' nonce='abc'></script> >+ <script src='/resources/testharnessreport.js' nonce='abc'></script> >+</head> >+ >+<body> >+ <div id='log'></div> >+ <script nonce='abc'> >+ var t1 = async_test("Test that the javascript: src is not allowed to run"); >+ >+ window.onmessage = t1.step_func_done(function(e) { >+ assert_equals(e.data, "fail"); >+ }); >+ >+ window.open('support/child_window_location_navigate.sub.html' + >+ '?csp=' + encodeURI("script-src 'unsafe-hashes' 'nonce-abc' 'sha256-VjH6k67F4kobUnNDOBE85QiJ9cuZMiYT6desKXvezVg='") + >+ '&url=' + encodeURI("javascript:opener.postMessage('pass', '*')")); >+ </script> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..0134cbbff5ab90078a7ca580a60afaea4873096f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open-expected.txt >@@ -0,0 +1,7 @@ >+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''unsafe-hashes''. It will be ignored. >+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the javascript: src is not allowed to run >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c653d4f617e3c3519e73de560f27c555db649730 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html 
>@@ -0,0 +1,30 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' >+ 'sha256-VjH6k67F4kobUnNDOBE85QiJ9cuZMiYT6desKXvezVg=';"> >+ <!-- >+ 'sha256-IIiAJ8UuliU8o1qAv6CV4P3R8DeTf/v3MrsCwXW171Y=' ==> 'javascript:opener.postMessage('pass', '*')' >+ --> >+ <script src='/resources/testharness.js' nonce='abc'></script> >+ <script src='/resources/testharnessreport.js' nonce='abc'></script> >+</head> >+ >+<body> >+ <div id='log'></div> >+ <script nonce='abc'> >+ var t1 = async_test("Test that the javascript: src is not allowed to run"); >+ >+ window.onmessage = t1.unreached_func("Should have not received any message"); >+ >+ window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, 'script-src-elem'); >+ assert_equals(e.blockedURI, 'inline'); >+ })); >+ >+ window.open("javascript:opener.postMessage('pass', '*')"); >+ </script> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..c65288afb35e5b7c4383d8f80fefbdeaf00e4257 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed-expected.txt >@@ -0,0 +1,7 @@ >+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''unsafe-hashes''. It will be ignored. >+CONSOLE MESSAGE: line 19: Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the inline event handler is allowed to run >+ 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..cd7855998faab1074fe2fd135298ec672f152e91 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed.html >@@ -0,0 +1,22 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' 'sha256-wmuLCpoj8EMqfQlPnt5NIMgKkCK62CxAkAiewI0zZps='; img-src *;"> >+ <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title> >+ <script src='/resources/testharness.js' nonce='abc'></script> >+ <script src='/resources/testharnessreport.js' nonce='abc'></script> >+</head> >+ >+<body> >+ <div id='log'></div> >+ <script nonce='abc'> >+ var t1 = async_test("Test that the inline event handler is allowed to run"); >+ >+ window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event")); >+ </script> >+ <img src='../support/pass.png' >+ onload='t1.done();'> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..2789dd72f424d21f15b51e4d98761dbf8891e1da >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes-expected.txt 
>@@ -0,0 +1,6 @@ >+CONSOLE MESSAGE: line 23: Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the inline event handler is not allowed to run >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html >new file mode 100644 >index 0000000000000000000000000000000000000000..7ba9d30bcfd8d1d35426ca8abc3ab42018bb9c3c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html >@@ -0,0 +1,26 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' 'sha256-Cb9N8BP42Neca22vQ9VaXlPU8oPF8HPxZHxRVcnLZJ4='; img-src *;"> >+ <title>Event handlers should not be allowed if a matching hash is present without 'unsafe-hashes'</title> >+ <script src='/resources/testharness.js' nonce='abc'></script> >+ <script src='/resources/testharnessreport.js' nonce='abc'></script> >+ >+</head> >+ >+<body> >+ <div id='log'></div> >+ <script nonce='abc'> >+ var t1 = async_test("Test that the inline event handler is not allowed to run"); >+ >+ window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, 'script-src-attr'); >+ assert_equals(e.blockedURI, 'inline'); >+ })); >+ </script> >+ <img src='../support/pass.png' >+ onload='t1.unreached_func("Should not have executed handler");'> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..8a72807972b6cde5b00f3b1ae3d30e0536345551 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash-expected.txt >@@ -0,0 +1,7 @@ >+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''unsafe-hashes''. It will be ignored. >+CONSOLE MESSAGE: line 22: Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the inline event handler is not allowed to run >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html >new file mode 100644 >index 0000000000000000000000000000000000000000..2de6a48eb219df9230e4ba5e6523bbd549d53676 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html 
>@@ -0,0 +1,25 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' 'sha256-thisdoesnotmatch'; img-src *;"> >+ <title>Event handlers should be not allowed if a matching hash is not present</title> >+ <script src='/resources/testharness.js' nonce='abc'></script> >+ <script src='/resources/testharnessreport.js' nonce='abc'></script> >+</head> >+ >+<body> >+ <div id='log'></div> >+ <script nonce='abc'> >+ var t1 = async_test("Test that the inline event handler is not allowed to run"); >+ >+ window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, 'script-src-attr'); >+ assert_equals(e.blockedURI, 'inline'); >+ })); >+ </script> >+ <img src='../support/pass.png' >+ onload='t1.unreached_func("Should not have executed handler");'> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_allowed-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_allowed-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..600a57d9b8db6145f780f65e489465779005a6ea >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_allowed-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Test that the inline style attribute is loaded assert_equals: expected "" but got "green" >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_allowed.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_allowed.html >new file mode 100644 >index 0000000000000000000000000000000000000000..568c469b063c0faaed83cf9551b56a3bf7d2b3d9 >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_allowed.html >@@ -0,0 +1,30 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="img-src *; >+ style-src 'unsafe-hashes' 'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=';"> >+ <!-- >+ 'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=' ==> 'background: green' >+ --> >+ <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+ >+<body> >+ <div id='log'></div> >+ <script> >+ var t1 = async_test("Test that the inline style attribute is loaded"); >+ >+ self.check_for_style = t1.step_func_done(function() { >+ assert_equals("green", document.getElementById('test').style.background); >+ }); >+ >+ window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event")); >+ </script> >+ <img src='../support/pass.png' id='test' style='background: green' >+ onload='check_for_style()'> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..06ee7c1a0cd2980013deaa9503768cc249ae528b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes-expected.txt 
>@@ -0,0 +1,6 @@ >+CONSOLE MESSAGE: line 26: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the inline style attribute is blocked >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html >new file mode 100644 >index 0000000000000000000000000000000000000000..e8070acba90bfff548d971375f3061a62bd1432c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html >@@ -0,0 +1,29 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="img-src *; >+ style-src 'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=';"> >+ <!-- >+ 'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=' ==> 'background: green' >+ --> >+ <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+ >+<body> >+ <div id='log'></div> >+ <script> >+ var t1 = async_test("Test that the inline style attribute is blocked"); >+ >+ window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, 'style-src-attr'); >+ assert_equals(e.blockedURI, 'inline'); >+ })); >+ >+ </script> >+ <img src='../support/pass.png' id='test' style='background: green'> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..cb492c4aa30126eb801c2c675947fb67e3110b8f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash-expected.txt >@@ -0,0 +1,7 @@ >+CONSOLE MESSAGE: The source list for Content Security Policy directive 'style-src' contains an invalid source: ''unsafe-hashes''. It will be ignored. >+CONSOLE MESSAGE: line 26: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+NOTRUN Test that the inline style attribute is blocked >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html >new file mode 100644 >index 0000000000000000000000000000000000000000..be27637224249d99c28c214c2af9e65a07f27dfd >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html 
>@@ -0,0 +1,29 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="img-src *; >+ style-src 'unsafe-hashes' 'sha256-UI8QfroYhb0WX073XBuM+RTPntpjZfkyFLsMw5vQfd0=';"> >+ <!-- >+ 'sha256-S0VSqEOmzmyOifPfat2sJ7ELOgkldAEbaXlvi5iMqjc=' ==> 'background: green' >+ --> >+ <title>Event handlers should be allowed if a matching hash and 'unsafe-hashes' are present</title> >+ <script src='/resources/testharness.js'></script> >+ <script src='/resources/testharnessreport.js'></script> >+</head> >+ >+<body> >+ <div id='log'></div> >+ <script> >+ var t1 = async_test("Test that the inline style attribute is blocked"); >+ >+ window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) { >+ assert_equals(e.violatedDirective, 'style-src-attr'); >+ assert_equals(e.blockedURI, 'inline'); >+ })); >+ >+ </script> >+ <img src='../support/pass.png' id='test' style='background: green'> >+</body> >+ >+</html> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..b6e60467b648336fc1fd72bc220b17c14e447536 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html >@@ -0,0 +1,18 @@ >+<!DOCTYPE HTML> >+<html> >+ >+<head> >+ <meta http-equiv="Content-Security-Policy" content="{{GET[csp]}}"> >+</head> >+ >+<body> >+ <script nonce='abc'> >+ window.addEventListener('securitypolicyviolation', function(e) { >+ opener.postMessage('fail', '*'); >+ }); >+ >+ window.location.href = "{{GET[url]}}"; >+ </script> >+</body> >+ >+</html> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/support/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/support/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..db069d12774b4367dbb3e5e5107119caf6dec158 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/support/w3c-import.log >@@ -0,0 +1,17 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..db203d4eed58bd93b10c398b7925d03d0a7ae87e >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/w3c-import.log 
>@@ -0,0 +1,34 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_allowed.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..abe6fded33cba84e0bd6ba846893cbe2a76a74df >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/w3c-import.log 
>@@ -0,0 +1,19 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/META.yml >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/README.css >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/README.html >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-child.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-child.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..e9fe3987222498c328b31d1493093915816bd922 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-child.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+PASS Same-origin dedicated worker allowed by host-source expression. >+PASS blob: dedicated worker allowed by 'blob:'. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-child.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-child.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..cff8f953af1baca07011b1fe1c58251c12d7a5ad >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-child.sub.html 
>@@ -0,0 +1,13 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="../support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="child-src http://{{host}}:{{ports[http][0]}} blob:"> >+<script> >+ var url = new URL("../support/ping.js", document.baseURI).toString(); >+ assert_worker_is_loaded(url, "Same-origin dedicated worker allowed by host-source expression."); >+ >+ var b = new Blob(["postMessage('ping');"], {type: "text/javascript"}); >+ var url = URL.createObjectURL(b); >+ assert_worker_is_loaded(url, "blob: dedicated worker allowed by 'blob:'."); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-fallback.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-fallback.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..2b89c11ecac6211f0a95263d4c428cb95e813c30 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-fallback.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+FAIL Same-origin dedicated worker allowed by host-source expression. The operation is insecure. >+FAIL blob: dedicated worker allowed by 'blob:'. The operation is insecure. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-fallback.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-fallback.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..25602573fbd47db50af11d114b19a7b6e21c4cbf >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-fallback.sub.html 
>@@ -0,0 +1,13 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="../support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="worker-src http://{{host}}:{{ports[http][0]}} blob:; child-src 'none'"> >+<script> >+ var url = new URL("../support/ping.js", document.baseURI).toString(); >+ assert_worker_is_loaded(url, "Same-origin dedicated worker allowed by host-source expression."); >+ >+ var b = new Blob(["postMessage('ping');"], {type: "text/javascript"}); >+ var url = URL.createObjectURL(b); >+ assert_worker_is_loaded(url, "blob: dedicated worker allowed by 'blob:'."); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-list.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-list.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..e9fe3987222498c328b31d1493093915816bd922 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-list.sub-expected.txt >@@ -0,0 +1,4 @@ >+ >+PASS Same-origin dedicated worker allowed by host-source expression. >+PASS blob: dedicated worker allowed by 'blob:'. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-list.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-list.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..fc4f91232472c7fdc5dd6f2f38bbf537b9e7ec05 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-list.sub.html 
>@@ -0,0 +1,13 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="../support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="worker-src http://{{host}}:{{ports[http][0]}} blob:"> >+<script> >+ var url = new URL("../support/ping.js", document.baseURI).toString(); >+ assert_worker_is_loaded(url, "Same-origin dedicated worker allowed by host-source expression."); >+ >+ var b = new Blob(["postMessage('ping');"], {type: "text/javascript"}); >+ var url = URL.createObjectURL(b); >+ assert_worker_is_loaded(url, "blob: dedicated worker allowed by 'blob:'."); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-none.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-none.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..8160aa2ee41ef9bd35002df7e607281694ba2ba2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-none.sub-expected.txt >@@ -0,0 +1,8 @@ >+ >+FAIL Same-origin dedicated worker blocked by host-source expression. assert_throws: function "function () { >+ var w = new Worker(url); >+ }" did not throw >+FAIL blob: dedicated worker blocked by 'blob:'. assert_throws: function "function () { >+ var w = new Worker(url); >+ }" did not throw >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-none.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-none.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..62c550788a2b7cecb056b65dca2d3648846a5c15 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-none.sub.html 
>@@ -0,0 +1,13 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="../support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="worker-src 'none'"> >+<script> >+ var url = new URL("../support/ping.js", document.baseURI).toString(); >+ assert_worker_is_blocked(url, "Same-origin dedicated worker blocked by host-source expression."); >+ >+ var b = new Blob(["postMessage('ping');"], {type: "text/javascript"}); >+ var url = URL.createObjectURL(b); >+ assert_worker_is_blocked(url, "blob: dedicated worker blocked by 'blob:'."); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-self.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-self.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..f86ff809be3490ce56aff172be97a9b61cf9483b >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-self.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Same-origin dedicated worker allowed by 'self'. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-self.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-self.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..ba0cd1bb43b652d51f0ef9837dec9ed9d22e32d4 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-self.sub.html 
>@@ -0,0 +1,9 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="../support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="worker-src 'self'"> >+<script> >+ var url = new URL("../support/ping.js", document.baseURI).toString(); >+ assert_worker_is_loaded(url, "Same-origin dedicated worker allowed by 'self'."); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..a11ee6be02610c58c47d5a20f98255188e2cd562 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub-expected.txt >@@ -0,0 +1,6 @@ >+CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/support/ping.js because it does not appear in the child-src directive of the Content Security Policy. >+ >+Harness Error (TIMEOUT), message = null >+ >+TIMEOUT Same-origin dedicated worker allowed by worker-src 'self'. Test timed out >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..f9f68fe74985c7f48f494f76581f3e327e83e038 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub.html 
>@@ -0,0 +1,9 @@ >+<!doctype html> >+<meta charset=utf-8> >+<title>Web platform test for dedicated worker allowed by worker-src self</title> >+<script src=/resources/testharness.js></script> >+<script src=/resources/testharnessreport.js></script> >+<script src="../support/testharness-helper.js"></script> >+ >+<meta http-equiv="Content-Security-Policy" content="child-src 'none'; script-src 'self'; default-src 'none'; "> >+<script src="../support/dedicated-worker-helper.js" blocked-worker id="foo" data-desc-fallback="Same-origin dedicated worker allowed by worker-src 'self'."></script> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..82a089ab5a18cd6b9a24d66db07c082f10cb1fdc >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Same-origin dedicated worker allowed by child-src 'self'. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..9c37dfb6301406e462780ae30245f25fe44408ef >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback.sub.html 
>@@ -0,0 +1,9 @@ >+<!doctype html> >+<meta charset=utf-8> >+<title>Web platform test for dedicated worker allowed by child-src self</title> >+<script src=/resources/testharness.js></script> >+<script src=/resources/testharnessreport.js></script> >+<script src="../support/testharness-helper.js"></script> >+<!-- Ideally we would use "script-src 'none'" alone but we have to whitelist the actual script that spawns the workers, hence the nonce.--> >+<meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'none' 'nonce-foo'; default-src 'none'; "> >+<script src="../support/dedicated-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin dedicated worker allowed by child-src 'self'."></script> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-default-fallback.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-default-fallback.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..deab9e54a056114fa359d561a04f4c4ceec8c8bf >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-default-fallback.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Same-origin dedicated worker allowed by default-src 'self'. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-default-fallback.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-default-fallback.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..5bded3f59a05f28bdfc676bb08284aeb5ed28e00 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-default-fallback.sub.html 
>@@ -0,0 +1,8 @@ >+<!doctype html> >+<meta charset=utf-8> >+<title>Web platform test for dedicated worker allowed by default-src self</title> >+<script src=/resources/testharness.js></script> >+<script src=/resources/testharnessreport.js></script> >+<script src="../support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="default-src 'self'"> >+<script src="../support/dedicated-worker-helper.js" id="foo" data-desc-fallback="Same-origin dedicated worker allowed by default-src 'self'."></script> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-script-fallback.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-script-fallback.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..6f6328d6d839cc5dafaaa0bb35986e5dedec3da9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-script-fallback.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Same-origin dedicated worker allowed by script-src 'self'. The operation is insecure. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-script-fallback.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-script-fallback.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..ca922076762c1deaa17e9ece03a0f0b030c95a5c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-script-fallback.sub.html 
>@@ -0,0 +1,8 @@ >+<!doctype html> >+<meta charset=utf-8> >+<title>Web platform test for dedicated worker allowed by script-src self</title> >+<script src=/resources/testharness.js></script> >+<script src=/resources/testharnessreport.js></script> >+<script src="../support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="script-src 'self'; default-src 'none'; "> >+<script src="../support/dedicated-worker-helper.js" id="foo" data-desc-fallback="Same-origin dedicated worker allowed by script-src 'self'."></script> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-self-fallback.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-self-fallback.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..8559618436d944d123e73cc5611eb004924ff053 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-self-fallback.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Same-origin dedicated worker allowed by worker-src 'self'. The operation is insecure. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-self-fallback.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-self-fallback.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..06e79db006286c0ed4f436b3fc57b9cf257a5a48 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-self-fallback.sub.html 
>@@ -0,0 +1,9 @@ >+<!doctype html> >+<meta charset=utf-8> >+<title>Web platform test for dedicated worker allowed by worker-src self</title> >+<script src=/resources/testharness.js></script> >+<script src=/resources/testharnessreport.js></script> >+<script src="../support/testharness-helper.js"></script> >+<!-- Ideally we would use "script-src 'none'" alone but we have to whitelist the actual script that spawns the workers, hence the nonce.--> >+<meta http-equiv="Content-Security-Policy" content="worker-src 'self'; child-src 'none'; script-src 'none' 'nonce-foo'; default-src 'none'; "> >+<script src="../support/dedicated-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin dedicated worker allowed by worker-src 'self'."></script> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-child.https.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-child.https.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..bf0a275209d7b9cfb5d88ea20b3f39e38debf62d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-child.https.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Same-origin service worker allowed by host-source expression. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-child.https.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-child.https.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..3315a554b317633cfb1649c31ed5400654c5d17c >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-child.https.sub.html 
>@@ -0,0 +1,10 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="../support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="child-src https://{{host}}:{{ports[https][0]}}"> >+<script> >+ var url = new URL("../support/ping.js", document.baseURI).toString(); >+ assert_service_worker_is_loaded(url, "Same-origin service worker allowed by host-source expression."); >+</script> >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-fallback.https.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-fallback.https.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..bf0a275209d7b9cfb5d88ea20b3f39e38debf62d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-fallback.https.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Same-origin service worker allowed by host-source expression. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-fallback.https.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-fallback.https.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..314d8831d8aa5e664d4811bae99fcf729824dfbc >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-fallback.https.sub.html 
>@@ -0,0 +1,9 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="../support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="worker-src https://{{host}}:{{ports[https][0]}}; child-src 'none'"> >+<script> >+ var url = new URL("../support/ping.js", document.baseURI).toString(); >+ assert_service_worker_is_loaded(url, "Same-origin service worker allowed by host-source expression."); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-list.https.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-list.https.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..bf0a275209d7b9cfb5d88ea20b3f39e38debf62d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-list.https.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Same-origin service worker allowed by host-source expression. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-list.https.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-list.https.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..9e2cd903f235d26165249dc1db7f22c3c39a1d67 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-list.https.sub.html 
>@@ -0,0 +1,9 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="../support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="worker-src https://{{host}}:{{ports[https][0]}}"> >+<script> >+ var url = new URL("../support/ping.js", document.baseURI).toString(); >+ assert_service_worker_is_loaded(url, "Same-origin service worker allowed by host-source expression."); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-none.https.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-none.https.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..df70f92cfe478e28ee5c61f715c8ce1be577568f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-none.https.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Same-origin service worker blocked by 'none'. assert_unreached: Should have rejected: undefined Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-none.https.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-none.https.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..467a8ce2cf4f1c26de4400a7eed88f7dc027007a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-none.https.sub.html 
>@@ -0,0 +1,9 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="../support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="worker-src 'none'"> >+<script> >+ var url = new URL("../support/ping.js", document.baseURI).toString(); >+ assert_service_worker_is_blocked(url, "Same-origin service worker blocked by 'none'."); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-self.https.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-self.https.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..3dd770da254fc62c5a12f9e287015a819983b7ec >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-self.https.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Same-origin service worker allowed by 'self'. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-self.https.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-self.https.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..d725e730129188de379c672730b87489916b7fc8 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-self.https.sub.html >@@ -0,0 +1,9 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="../support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="worker-src 'self'"> >+<script> >+ var url = new URL("../support/ping.js", document.baseURI).toString(); >+ assert_service_worker_is_loaded(url, "Same-origin service worker allowed by 'self'."); >+</script> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-child-fallback-blocked.https.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-child-fallback-blocked.https.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..aea7c1e7a9d4531b3c674d50cc8e6667ff253e94 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-child-fallback-blocked.https.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+FAIL Same-origin service worker allowed by child-src 'self'. assert_unreached: Should have rejected: undefined Reached unreachable code >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-child-fallback-blocked.https.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-child-fallback-blocked.https.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..979abd580dcbac6209d9329b9ec5586f0c94c315 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-child-fallback-blocked.https.sub.html >@@ -0,0 +1,9 @@ >+<!doctype html> >+<meta charset=utf-8> >+<title>Web platform test for service worker allowed by child-src self</title> >+<script src=/resources/testharness.js></script> >+<script src=/resources/testharnessreport.js></script> >+<script src="../support/testharness-helper.js"></script> >+ >+<meta http-equiv="Content-Security-Policy" content="child-src 'none'; script-src 'self'; default-src 'none'; "> >+<script src="../support/service-worker-helper.js" blocked-worker id="foo" data-desc-fallback="Same-origin service worker allowed by child-src 'self'."></script> >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-child-fallback.https.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-child-fallback.https.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..abf5dd6797adcda228b4d29ffadf602dbb5ee5ce >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-child-fallback.https.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Same-origin service worker allowed by child-src 'self'. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-child-fallback.https.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-child-fallback.https.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..0053b1098aa06246161ba788bd312fa7de06aee7 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-child-fallback.https.sub.html >@@ -0,0 +1,9 @@ >+<!doctype html> >+<meta charset=utf-8> >+<title>Web platform test for service worker allowed by child-src self</title> >+<script src=/resources/testharness.js></script> >+<script src=/resources/testharnessreport.js></script> >+<script src="../support/testharness-helper.js"></script> >+<!-- Ideally we would use "script-src 'none'" alone but we have to whitelist the actual script that spawns the workers, hence the nonce.--> >+<meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'none' 'nonce-foo'; default-src 'none'; "> >+<script src="../support/service-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin service worker allowed by child-src 'self'."></script> >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-default-fallback.https.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-default-fallback.https.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..01978e922a77a7b745999bb6f6df716b0785438a >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-default-fallback.https.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Same-origin service worker allowed by default-src 'self'. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-default-fallback.https.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-default-fallback.https.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..f9df743909f380c90e17fe22e6848afc12e47a14 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-default-fallback.https.sub.html >@@ -0,0 +1,8 @@ >+<!doctype html> >+<meta charset=utf-8> >+<title>Web platform test for service worker allowed by default-src self</title> >+<script src=/resources/testharness.js></script> >+<script src=/resources/testharnessreport.js></script> >+<script src="../support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="default-src 'self'"> >+<script src="../support/service-worker-helper.js" id="foo" data-desc-fallback="Same-origin service worker allowed by default-src 'self'."></script> >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-script-fallback.https.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-script-fallback.https.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..767afd5dd88b228e2ac7c720d06eb97c8d853238 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-script-fallback.https.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Same-origin service worker allowed by script-src 'self'. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-script-fallback.https.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-script-fallback.https.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..ce03f24f176b4d6c98b79ae59ab98c2f5ee851cf >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-script-fallback.https.sub.html >@@ -0,0 +1,8 @@ >+<!doctype html> >+<meta charset=utf-8> >+<title>Web platform test for service worker allowed by script-src self</title> >+<script src=/resources/testharness.js></script> >+<script src=/resources/testharnessreport.js></script> >+<script src="../support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="script-src 'self'; default-src 'none'; "> >+<script src="../support/service-worker-helper.js" id="foo" data-desc-fallback="Same-origin service worker allowed by script-src 'self'."></script> >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-self-fallback.https.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-self-fallback.https.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..68a82390be944df2bd27e0b9be45aa5b0f4a5637 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-self-fallback.https.sub-expected.txt >@@ -0,0 +1,3 @@ >+ >+PASS Same-origin service worker allowed by worker-src 'self'. >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-self-fallback.https.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-self-fallback.https.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..58bc8cdb7a7a92bf8798ee4c023c4a2d9bc02019 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-self-fallback.https.sub.html >@@ -0,0 +1,9 @@ >+<!doctype html> >+<meta charset=utf-8> >+<title>Web platform test for service worker allowed by worker-src self</title> >+<script src=/resources/testharness.js></script> >+<script src=/resources/testharnessreport.js></script> >+<script src="../support/testharness-helper.js"></script> >+<!-- Ideally we would use "script-src 'none'" alone but we have to whitelist the actual script that spawns the workers, hence the nonce.--> >+<meta http-equiv="Content-Security-Policy" content="worker-src 'self'; child-src 'none'; script-src 'none' 'nonce-foo'; default-src 'none'; "> >+<script src="../support/service-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin service worker allowed by worker-src 'self'."></script> >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-child.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-child.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..93dd38b6f8ed073605bbcfe26647165d379881d9 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-child.sub.html >@@ -0,0 +1,13 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="../support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="child-src http://{{host}}:{{ports[http][0]}} blob:"> >+<script> >+ var url = new URL("../support/ping.js", document.baseURI).toString(); >+ assert_shared_worker_is_loaded(url, "Same-origin dedicated worker allowed by 'self'."); >+ >+ var b = new Blob(["onconnect = e => { e.ports[0].postMessage('ping'); }"], {type: "text/javascript"}); >+ var url = URL.createObjectURL(b); >+ assert_shared_worker_is_loaded(url, "blob: dedicated worker allowed by 'blob:'."); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-fallback.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-fallback.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..cfe9190a43eafc0ca6f3c0b4ec03047978e6600d >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-fallback.sub.html 
>@@ -0,0 +1,13 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="../support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="worker-src http://{{host}}:{{ports[http][0]}} blob:; child-src 'none'"> >+<script> >+ var url = new URL("../support/ping.js", document.baseURI).toString(); >+ assert_shared_worker_is_loaded(url, "Same-origin dedicated worker allowed by 'self'."); >+ >+ var b = new Blob(["onconnect = e => { e.ports[0].postMessage('ping'); }"], {type: "text/javascript"}); >+ var url = URL.createObjectURL(b); >+ assert_shared_worker_is_loaded(url, "blob: dedicated worker allowed by 'blob:'."); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-list.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-list.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..6c985c76eb64b4f54aa90d133d44f77ebd547cfd >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-list.sub.html >@@ -0,0 +1,13 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="../support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="worker-src http://{{host}}:{{ports[http][0]}} blob:"> >+<script> >+ var url = new URL("../support/ping.js", document.baseURI).toString(); >+ assert_shared_worker_is_loaded(url, "Same-origin dedicated worker allowed by 'self'."); >+ >+ var b = new Blob(["onconnect = e => { e.ports[0].postMessage('ping'); }"], {type: "text/javascript"}); >+ var url = URL.createObjectURL(b); >+ assert_shared_worker_is_loaded(url, "blob: dedicated worker allowed by 'blob:'."); >+</script> 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-none.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-none.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..b443f321d3cc458fc9674b30c560ee82ba52ead2 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-none.sub.html >@@ -0,0 +1,13 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="../support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="worker-src 'none'"> >+<script> >+ var url = new URL("../support/ping.js", document.baseURI).toString(); >+ assert_shared_worker_is_blocked(url, "Same-origin shared worker blocked by 'none'."); >+ >+ var b = new Blob(["onconnect = e => { e.ports[0].postMessage('ping'); }"], {type: "text/javascript"}); >+ var url = URL.createObjectURL(b); >+ assert_shared_worker_is_blocked(url, "blob: shared worker blocked by 'none'."); >+</script> >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-self.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-self.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..e6b368aab1817cc5ea7be31b9a62d4798bcef57f >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-self.sub.html 
>@@ -0,0 +1,10 @@ >+<!DOCTYPE html> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="../support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="worker-src 'self'"> >+<script> >+ var url = new URL("../support/ping.js", document.baseURI).toString(); >+ assert_shared_worker_is_loaded(url, "Same-origin dedicated worker allowed by 'self'."); >+</script> >+ >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..00dbdb4fc2dc8875d953cdaa274db250fb86ee84 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html >@@ -0,0 +1,9 @@ >+<!doctype html> >+<meta charset=utf-8> >+<title>Web platform test for shared worker allowed by child-src self</title> >+<script src=/resources/testharness.js></script> >+<script src=/resources/testharnessreport.js></script> >+<script src="../support/testharness-helper.js"></script> >+ >+<meta http-equiv="Content-Security-Policy" content="child-src 'none'; script-src 'self'; default-src 'none'; "> >+<script src="../support/shared-worker-helper.js" blocked-worker id="foo" data-desc-fallback="Same-origin shared worker allowed by child-src 'self'."></script> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-child-fallback.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-child-fallback.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..53510852ef0d18b3d611d35f99f07249d64b6e1e >--- /dev/null 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-child-fallback.sub.html >@@ -0,0 +1,9 @@ >+<!doctype html> >+<meta charset=utf-8> >+<title>Web platform test for shared worker allowed by child-src self</title> >+<script src=/resources/testharness.js></script> >+<script src=/resources/testharnessreport.js></script> >+<script src="../support/testharness-helper.js"></script> >+<!-- Ideally we would use "script-src 'none'" alone but we have to whitelist the actual script that spawns the workers, hence the nonce.--> >+<meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'none' 'nonce-foo'; default-src 'none'; "> >+<script src="../support/shared-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin shared worker allowed by child-src 'self'."></script> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-default-fallback.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-default-fallback.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..4a07db76aaeb614504769a23aa978fe8a2878a00 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-default-fallback.sub.html >@@ -0,0 +1,8 @@ >+<!doctype html> >+<meta charset=utf-8> >+<title>Web platform test for shared worker allowed by default-src self</title> >+<script src=/resources/testharness.js></script> >+<script src=/resources/testharnessreport.js></script> >+<script src="../support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="default-src 'self'"> >+<script src="../support/shared-worker-helper.js" id="foo" data-desc-fallback="Same-origin shared worker allowed by default-src 'self'."></script> >\ No newline at end of file 
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-script-fallback.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-script-fallback.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..0a854da3ad2260f0d70297a20326fb6ae5ddbda0 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-script-fallback.sub.html >@@ -0,0 +1,8 @@ >+<!doctype html> >+<meta charset=utf-8> >+<title>Web platform test for shared worker allowed by script-src self</title> >+<script src=/resources/testharness.js></script> >+<script src=/resources/testharnessreport.js></script> >+<script src="../support/testharness-helper.js"></script> >+<meta http-equiv="Content-Security-Policy" content="script-src 'self'; default-src 'none'; "> >+<script src="../support/shared-worker-helper.js" id="foo" data-desc-fallback="Same-origin shared worker allowed by script-src 'self'."></script> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-self-fallback.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-self-fallback.sub.html >new file mode 100644 >index 0000000000000000000000000000000000000000..353a3a0d51b3532e6ef92c2341a863771b072b35 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-self-fallback.sub.html 
>@@ -0,0 +1,9 @@ >+<!doctype html> >+<meta charset=utf-8> >+<title>Web platform test for shared worker allowed by worker-src self</title> >+<script src=/resources/testharness.js></script> >+<script src=/resources/testharnessreport.js></script> >+<script src="../support/testharness-helper.js"></script> >+<!-- Ideally we would use "script-src 'none'" alone but we have to whitelist the actual script that spawns the workers, hence the nonce.--> >+<meta http-equiv="Content-Security-Policy" content="worker-src 'self'; child-src 'none'; script-src 'none' 'nonce-foo'; default-src 'none'; "> >+<script src="../support/shared-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin shared worker allowed by worker-src 'self'."></script> >\ No newline at end of file >diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/w3c-import.log b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/w3c-import.log >new file mode 100644 >index 0000000000000000000000000000000000000000..7c1d122660723d8841b933c7d6f70cd298e51112 >--- /dev/null >+++ b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/w3c-import.log 
>@@ -0,0 +1,46 @@ >+The tests in this directory were imported from the W3C repository. >+Do NOT modify these tests directly in WebKit. >+Instead, create a pull request on the WPT github: >+ https://github.com/web-platform-tests/wpt >+ >+Then run the Tools/Scripts/import-w3c-tests in WebKit to reimport >+ >+Do NOT modify or remove this file. >+ >+------------------------------------------------------------------------ >+Properties requiring vendor prefixes: >+None >+Property values requiring vendor prefixes: >+None >+------------------------------------------------------------------------ >+List of files: >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-child.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-fallback.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-list.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-none.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-self.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-default-fallback.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-script-fallback.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-self-fallback.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-child.https.sub.html 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-fallback.https.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-list.https.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-none.https.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-self.https.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-child-fallback-blocked.https.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-child-fallback.https.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-default-fallback.https.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-script-fallback.https.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-self-fallback.https.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-child.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-fallback.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-list.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-none.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-self.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-child-fallback.sub.html 
>+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-default-fallback.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-script-fallback.sub.html >+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-self-fallback.sub.html >diff --git a/LayoutTests/platform/mac-wk1/TestExpectations b/LayoutTests/platform/mac-wk1/TestExpectations >index 324e7ef73db4134b2640afd827f4d406e12ec714..65e9eedb5279ca368710c08155b4c722e19e0a73 100644 >--- a/LayoutTests/platform/mac-wk1/TestExpectations >+++ b/LayoutTests/platform/mac-wk1/TestExpectations >@@ -102,6 +102,9 @@ http/tests/inspector/network/beacon-type.html [ Skip ] > http/wpt/beacon/ [ Skip ] > imported/blink/fast/beacon/ [ Skip ] > imported/w3c/web-platform-tests/beacon/ [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-allowed.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-blocked.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-redirect-to-blocked.sub.html [ Skip ] > http/tests/security/contentSecurityPolicy/connect-src-beacon-allowed.html [ Skip ] > http/tests/security/contentSecurityPolicy/connect-src-beacon-blocked.html [ Skip ] > http/tests/security/contentSecurityPolicy/report-only-connect-src-beacon-redirect-blocked.php [ Skip ] 
>@@ -224,17 +227,23 @@ fast/events/ghostly-mousemoves-in-subframe.html [ Skip ] > http/wpt/loading/redirect-headers.html [ Skip ] > > # No service worker implementation for WK1 >-imported/w3c/web-platform-tests/service-workers [ Skip ] >-http/wpt/service-workers [ Skip ] >-http/wpt/cache-storage [ Skip ] >-http/tests/cache-storage [ Skip ] >-imported/w3c/web-platform-tests/streams/readable-byte-streams/detached-buffers.serviceworker.https.html [ Skip ] > http/tests/appcache/main-resource-redirect-with-sw.html [ Skip ] >+http/tests/cache-storage [ Skip ] > http/tests/cookies/same-site/fetch-in-cross-origin-service-worker.html [ Skip ] > http/tests/cookies/same-site/fetch-in-same-origin-service-worker.html [ Skip ] >-imported/w3c/web-platform-tests/server-timing/service_worker_idl.html [ Skip ] >+http/wpt/cache-storage [ Skip ] >+http/wpt/service-workers [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-service-worker.https.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-child-fallback-blocked.https.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-child-fallback.https.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-default-fallback.https.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-script-fallback.https.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-self-fallback.https.sub.html [ Skip ] > imported/w3c/web-platform-tests/fetch/api/request/destination [ Skip ] > imported/w3c/web-platform-tests/fetch/cross-origin-resource-policy [ Skip ] >+imported/w3c/web-platform-tests/server-timing/service_worker_idl.html [ Skip ] >+imported/w3c/web-platform-tests/service-workers [ Skip ] 
>+imported/w3c/web-platform-tests/streams/readable-byte-streams/detached-buffers.serviceworker.https.html [ Skip ] > > # Quota check missing in WK1 > http/tests/IndexedDB/storage-limit.https.html [ Skip ] >diff --git a/LayoutTests/platform/win/TestExpectations b/LayoutTests/platform/win/TestExpectations >index 69e52fb3d8e7c8e90aefd28dd465cf2718b530bc..74a0449caa5e74db9658a3ed5198c838dd578249 100644 >--- a/LayoutTests/platform/win/TestExpectations >+++ b/LayoutTests/platform/win/TestExpectations >@@ -3746,6 +3746,9 @@ http/tests/inspector/network/beacon-type.html [ Skip ] > http/wpt/beacon/ [ Skip ] > imported/blink/fast/beacon/ [ Skip ] > imported/w3c/web-platform-tests/beacon/ [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-allowed.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-blocked.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-redirect-to-blocked.sub.html [ Skip ] > http/tests/security/contentSecurityPolicy/connect-src-beacon-allowed.html [ Skip ] > http/tests/security/contentSecurityPolicy/connect-src-beacon-blocked.html [ Skip ] > http/tests/security/contentSecurityPolicy/report-only-connect-src-beacon-redirect-blocked.php [ Skip ] 
>@@ -3765,21 +3768,27 @@ webkit.org/b/174801 fast/text/line-height-minimumFontSize.html [ Failure ] > webkit.org/b/93589 svg/dom/SVGScriptElement/script-change-externalResourcesRequired-while-loading.svg [ Pass Timeout ] > > # No service worker implementation for WK1 >+http/tests/appcache/main-resource-redirect-with-sw.html [ Skip ] >+http/tests/cache-storage [ Skip ] >+http/tests/inspector/network/resource-response-service-worker.html [ Skip ] > http/tests/workers/service [ Skip ] >+http/wpt/cache-storage [ Skip ] > http/wpt/service-workers [ Skip ] >-http/tests/inspector/network/resource-response-service-worker.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-service-worker.https.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-child-fallback-blocked.https.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-child-fallback.https.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-default-fallback.https.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-script-fallback.https.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-self-fallback.https.sub.html [ Skip ] > imported/w3c/web-platform-tests/fetch/api/policies/referrer-no-referrer-service-worker.https.html [ Skip ] > imported/w3c/web-platform-tests/fetch/api/policies/referrer-origin-service-worker.https.html [ Skip ] > imported/w3c/web-platform-tests/fetch/api/policies/referrer-origin-when-cross-origin-service-worker.https.html [ Skip ] > imported/w3c/web-platform-tests/fetch/api/policies/referrer-unsafe-url-service-worker.https.html [ Skip ] >+imported/w3c/web-platform-tests/fetch/api/request/destination [ Skip ] >+imported/w3c/web-platform-tests/fetch/cross-origin-resource-policy [ Skip ] > 
imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/integration-with-the-javascript-agent-formalism/canblock-serviceworker.https.html [ Skip ] > imported/w3c/web-platform-tests/server-timing/service_worker_idl.html [ Skip ] > imported/w3c/web-platform-tests/service-workers [ Skip ] >-http/tests/cache-storage [ Skip ] >-http/wpt/cache-storage [ Skip ] >-http/tests/appcache/main-resource-redirect-with-sw.html [ Skip ] >-imported/w3c/web-platform-tests/fetch/api/request/destination [ Skip ] >-imported/w3c/web-platform-tests/fetch/cross-origin-resource-policy [ Skip ] > > # No header filtering for WK1 > http/wpt/loading/redirect-headers.html [ Skip ] >@@ -4103,10 +4112,13 @@ webkit.org/b/188169 http/tests/security/canvas-remote-read-remote-video-hls.html > > webkit.org/b/188600 editing/input/press-tab-during-ime-composition.html [ Failure ] > >-http/tests/websocket [ Skip ] > http/tests/security/mixedContent/websocket [ Skip ] >-imported/blink/http/tests/websocket [ Skip ] >+http/tests/websocket [ Skip ] > imported/blink/http/tests/security/mixedContent/websocket [ Skip ] >+imported/blink/http/tests/websocket [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-allowed.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-blocked.sub.html [ Skip ] >+imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-websocket-self.sub.html [ Skip ] > > # Feature flag only enabled for wk2 > css-custom-properties-api [ Skip ] >diff --git a/LayoutTests/tests-options.json b/LayoutTests/tests-options.json >index 63008c24dd8e77d3420039e925e4d99e86fc466a..4a2419a12233f068b916f1b3e246bfca4a686291 100644 >--- a/LayoutTests/tests-options.json >+++ b/LayoutTests/tests-options.json 
>@@ -413,6 +413,45 @@ > "imported/w3c/web-platform-tests/beacon/beacon-navigate.html": [ > "slow" > ], >+ "imported/w3c/web-platform-tests/content-security-policy/generic/no-default-src.sub.html": [ >+ "slow" >+ ], >+ "imported/w3c/web-platform-tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html": [ >+ "slow" >+ ], >+ "imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-allowed.html": [ >+ "slow" >+ ], >+ "imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-cross-origin-allowed.sub.html": [ >+ "slow" >+ ], >+ "imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-cross-origin-blocked.sub.html": [ >+ "slow" >+ ], >+ "imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-redirected-allowed.html": [ >+ "slow" >+ ], >+ "imported/w3c/web-platform-tests/content-security-policy/navigate-to/link-click-redirected-blocked.sub.html": [ >+ "slow" >+ ], >+ "imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-2_1.html": [ >+ "slow" >+ ], >+ "imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-2_2.html": [ >+ "slow" >+ ], >+ "imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html": [ >+ "slow" >+ ], >+ "imported/w3c/web-platform-tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html": [ >+ "slow" >+ ], >+ "imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub.html": [ >+ "slow" >+ ], >+ "imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html": [ >+ "slow" >+ ], > "imported/w3c/web-platform-tests/cors/status-async.htm": [ > "slow" > ],
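Review bot: in the first hunk (the `worker-src 'self'` shared-worker test) the assertion message reads "Same-origin dedicated worker allowed by 'self'." while the call is `assert_shared_worker_is_loaded`, so the description names the wrong worker type and will mislead anyone reading a failure. Since the files in this directory are imported verbatim (the w3c-import.log hunk says not to edit them in WebKit), the wording fix belongs in an upstream wpt pull request; it is worth filing now so the next reimport picks it up.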
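Review bot: in shared-worker-src-child-fallback-blocked.sub.html both the `<title>` and `data-desc-fallback` say "shared worker allowed by child-src 'self'", but the policy under test is `child-src 'none'; script-src 'self'; default-src 'none'` and the helper script is tagged `blocked-worker`, so the description states the opposite of the expected outcome. Same caveat as the previous note: this is imported content, so suggest the correction upstream ("blocked by child-src 'none'") rather than patching it here.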
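Review bot: in the mac-wk1 TestExpectations beacon hunk the three new `connect-src-beacon-*` Skip lines are inserted between `imported/w3c/web-platform-tests/beacon/` and `http/tests/security/contentSecurityPolicy/...`, which leaves that block unsorted, whereas the service-worker block in the same file is alphabetised in this patch. Pick one convention for the new entries; appending them in alphabetical order keeps future additions from producing merge conflicts in the middle of the block.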
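Review bot: the mac-wk1 service-worker hunk removes and re-adds six pre-existing lines (`imported/w3c/web-platform-tests/service-workers`, `http/wpt/service-workers`, `http/wpt/cache-storage`, ...) purely to re-sort the block, so the functional change (the six new CSP `[ Skip ]` entries) is hard to pick out and the blame history of the moved lines is lost. Either land the re-sort as a separate no-op patch or keep the existing order and add only the new lines.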
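Review bot: in the win TestExpectations WebSocket hunk, `http/tests/websocket [ Skip ]` and `imported/blink/http/tests/websocket [ Skip ]` are deleted and re-added one line lower with no change in effect, which is diff noise unrelated to the three new `connect-src-websocket-*` Skip entries. Drop the swap and append the three new lines after the existing ones.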
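Review bot: the tests-options.json hunk marks thirteen CSP tests "slow" without indicating whether they are slow by design or are running to the timeout because the behaviour they exercise is unsupported; a test that fails for lack of a feature belongs in TestExpectations as `[ Skip ]`, not in tests-options.json as slow, where a regression would only show up as a longer run. A one-line rationale per group (navigate-to, reporting, object-src, style-src) in the change description would make the classification reviewable.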