Changeset 117006 in webkit
- Timestamp: May 14, 2012 2:53:58 PM (12 years ago)
- Location: trunk
- Files: 9 added, 2 deleted, 47 edited
trunk/LayoutTests/ChangeLog
r116997 r117006 1 2012-05-14 Mike West <mike@mikewest.org> 2 3 Content Security Policy console errors include violated directive. 4 https://bugs.webkit.org/show_bug.cgi?id=86323 5 6 Sharded http/tests/security/contentSecurityPolicy/source-list-parsing.html 7 into four tests, and reworked it to have a well-defined order. 8 9 Reviewed by Adam Barth. 10 11 * http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning-expected.txt: 12 * http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt: 13 * http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt: 14 * http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt: 15 * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt: 16 * http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt: 17 * http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt: 18 * http/tests/security/contentSecurityPolicy/directive-parsing-02-expected.txt: 19 * http/tests/security/contentSecurityPolicy/directive-parsing-03-expected.txt: 20 * http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked-expected.txt: 21 * http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked-expected.txt: 22 * http/tests/security/contentSecurityPolicy/frame-src-blocked-expected.txt: 23 * http/tests/security/contentSecurityPolicy/image-blocked-expected.txt: 24 * http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt: 25 * http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt: 26 * http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt: 27 * http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt: 28 * http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt: 29 * 
http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt: 30 * http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt: 31 * http/tests/security/contentSecurityPolicy/object-src-none-blocked-expected.txt: 32 * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt: 33 * http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt: 34 * http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt: 35 * http/tests/security/contentSecurityPolicy/report-only-expected.txt: 36 * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt: 37 * http/tests/security/contentSecurityPolicy/report-uri-expected.txt: 38 * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt: 39 * http/tests/security/contentSecurityPolicy/script-src-none-expected.txt: 40 * http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt: 41 * http/tests/security/contentSecurityPolicy/script-src-redirect-expected.txt: 42 * http/tests/security/contentSecurityPolicy/script-src-self-blocked-01-expected.txt: 43 * http/tests/security/contentSecurityPolicy/script-src-self-blocked-02-expected.txt: 44 * http/tests/security/contentSecurityPolicy/script-src-self-blocked-03-expected.txt: 45 * http/tests/security/contentSecurityPolicy/source-list-parsing-expected.txt: Removed 46 * http/tests/security/contentSecurityPolicy/source-list-parsing.html: Removed 47 * http/tests/security/contentSecurityPolicy/source-list-parsing-01-expected.txt: Added 48 * http/tests/security/contentSecurityPolicy/source-list-parsing-01.html: Added 49 * http/tests/security/contentSecurityPolicy/source-list-parsing-02-expected.txt: Added 50 * http/tests/security/contentSecurityPolicy/source-list-parsing-02.html: Added 51 * http/tests/security/contentSecurityPolicy/source-list-parsing-03-expected.txt: Added 52 * 
http/tests/security/contentSecurityPolicy/source-list-parsing-03.html: Added 53 * http/tests/security/contentSecurityPolicy/source-list-parsing-04-expected.txt: Added 54 * http/tests/security/contentSecurityPolicy/source-list-parsing-04.html: Added 55 * http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt: 56 * http/tests/security/contentSecurityPolicy/style-blocked-expected.txt: 57 * http/tests/security/contentSecurityPolicy/worker-connect-src-blocked-expected.txt: 58 * http/tests/security/contentSecurityPolicy/worker-script-src-expected.txt: 59 * http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt: 60 * http/tests/security/contentSecurityPolicy/xsl-img-blocked-expected.txt: 61 * http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1-expected.txt: 62 * media/csp-blocks-video-expected.txt: 63 * platform/chromium/http/tests/security/contentSecurityPolicy/media-src-blocked-expected.txt: 64 1 65 2012-05-14 Stephen Chenney <schenney@chromium.org> 2 66 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8080/security/contentSecurityPolicy/resources/alert-fail.js' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8080/security/contentSecurityPolicy/resources/alert-fail.js' because it violates the following Content Security Policy directive: "default-src 'self'". 2 2 3 3 This page should neither alert "FAIL" nor generate any mixed content warnings in the console. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt
r116254 r117006 1 CONSOLE MESSAGE: Refused to execute inline script because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". 2 2 3 CONSOLE MESSAGE: Refused to apply inline style because of Content-Security-Policy.3 CONSOLE MESSAGE: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'". 4 4 5 5 This test checks that we enforce all the supplied policies. This test passes if it doesn't alert fail and if the style doesn't apply. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load connect from 'http://127.0.0.1:8000/eventsource/resources/simple-event-stream.asis' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to connect to connect 'http://127.0.0.1:8000/eventsource/resources/simple-event-stream.asis' because it violates the following Content Security Policy directive: "connect-src http://localhost:8000". 2 2 3 3 Pass -
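Review bot: The rebaselined line commits the wording "Refused to connect to connect 'http://127.0.0.1:8000/eventsource/resources/simple-event-stream.asis'", which repeats "connect" because the new message in checkSourceAndReportViolation emits both the verb "connect to" and the resource type "connect". The same doubled phrase is being baked into the websocket, xmlhttprequest and worker-connect-src expectations in this changeset, so it is cheaper to fix the message wording before landing than to rebaseline all four files a second time.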
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load connect from 'ws://localhost:8880/websocket/tests/hybi/echo' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to connect to connect 'ws://localhost:8880/websocket/tests/hybi/echo' because it violates the following Content Security Policy directive: "connect-src ws://127.0.0.1:8880". 2 2 3 3 Pass -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load connect from 'http://localhost:8000/xmlhttprequest/resources/get.txt' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to connect to connect 'http://localhost:8000/xmlhttprequest/resources/get.txt' because it violates the following Content Security Policy directive: "connect-src http://127.0.0.1:8000". 2 2 3 3 Pass -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to execute inline script because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". 2 2 3 CONSOLE MESSAGE: Refused to execute inline script because of Content-Security-Policy.3 CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". 4 4 5 5 This test passes if it doesn't alert fail. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt
r104803 r117006 1 1 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'. 2 2 3 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.3 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'none'". 4 4 5 5 This script should not execute even though there are parse errors in the policy. -
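Review bot: After this rebaseline the two console lines in this file name the policy differently: the unchanged first line reads "Unrecognized Content-Security-Policy directive 'allow'." while the new third line reads "violates the following Content Security Policy directive". Settle on one form (the hyphenated header name or the prose name) for all CSP console output, so a developer or a log filter can match every CSP message on a single string.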
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02-expected.txt
r104803 r117006 1 1 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'aaa'. 2 2 3 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.3 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'none'". 4 4 5 5 This script should not execute even though there are parse errors in the policy. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-03-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'none'". 2 2 3 3 This script should not execute even though there are parse errors in the policy. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to evaluate script because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to evaluate script because it violates the following Content Security Policy directive: "script-src 'unsafe-inline'". 2 2 3 3 ALERT: PASS -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to evaluate script because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to evaluate script because it violates the following Content Security Policy directive: "script-src 'unsafe-inline'". 2 2 3 3 ALERT: PASS -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-blocked-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load frame from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to load the frame 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: "frame-src 'none'". 2 2 3 3 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-blocked-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load image from 'http://127.0.0.1:8000/security/resources/abe.png' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'". 2 2 3 3 This test passes if it doesn't alert fail. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to execute inline script because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*". 2 2 3 CONSOLE MESSAGE: Refused to execute inline script because of Content-Security-Policy.3 CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*". 4 4 5 5 This test passes if it doesn't alert fail. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt
r104803 r117006 1 1 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'options'. 2 2 3 CONSOLE MESSAGE: Refused to execute inline script because of Content-Security-Policy.3 CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*". 4 4 5 CONSOLE MESSAGE: Refused to execute inline event handler because of Content-Security-Policy.5 CONSOLE MESSAGE: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*". 6 6 7 7 This test passes if it doesn't alert fail. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt
r116066 r117006 5 5 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'options'. 6 6 7 CONSOLE MESSAGE: Refused to execute JavaScript URL because of Content-Security-Policy.7 CONSOLE MESSAGE: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*". 8 8 9 9 This test passes if it doesn't alert fail. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to apply inline style because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'". 2 2 3 3 PASS -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to apply inline style because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'". 2 2 3 3 PASS -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt
r116066 r117006 5 5 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'. 6 6 7 CONSOLE MESSAGE: Refused to execute JavaScript URL because of Content-Security-Policy.7 CONSOLE MESSAGE: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src 'none'". 8 8 9 9 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load object from '' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to load the object '' because it violates the following Content Security Policy directive: "object-src 'none'". 2 2 3 3 This test passes if there is a console message saying the plugin was blocked. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-blocked-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load object from 'data:application/x-webkit-test-netscape,alertwhenloaded' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to load the object 'data:application/x-webkit-test-netscape,alertwhenloaded' because it violates the following Content Security Policy directive: "object-src 'none'". 2 2 3 3 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt
r116274 r117006 1 CONSOLE MESSAGE: [Report Only] Refused to execute inline script because of Content-Security-Policy.1 CONSOLE MESSAGE: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". 2 2 3 3 ALERT: PASS 4 CONSOLE MESSAGE: Refused to load image from 'http://127.0.0.1:8000/security/resources/abe.png' because of Content-Security-Policy.4 CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'". 5 5 6 6 CSP report received: -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt
r116274 r117006 1 CONSOLE MESSAGE: [Report Only] Refused to load image from 'http://localhost:8080/security/resources/abe.png' because of Content-Security-Policy.1 CONSOLE MESSAGE: [Report Only] Refused to load the image 'http://localhost:8080/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'". 2 2 3 3 CSP report received: -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt
r116274 r117006 1 CONSOLE MESSAGE: [Report Only] Refused to load image from 'http://127.0.0.1:8000/security/resources/abe.png' because of Content-Security-Policy.1 CONSOLE MESSAGE: [Report Only] Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'". 2 2 3 3 CSP report received: -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt
r116274 r117006 1 CONSOLE MESSAGE: [Report Only] Refused to execute inline script because of Content-Security-Policy.1 CONSOLE MESSAGE: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". 2 2 3 3 ALERT: PASS -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt
r116274 r117006 1 CONSOLE MESSAGE: [Report Only] Refused to execute inline script because of Content-Security-Policy.1 CONSOLE MESSAGE: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". 2 2 3 3 ALERT: PASS -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt
r116274 r117006 1 CONSOLE MESSAGE: Refused to execute inline script because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". 2 2 3 3 CSP report received: -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt
r116274 r117006 1 CONSOLE MESSAGE: Refused to execute inline script because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". 2 2 3 3 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt
r104803 r117006 1 1 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'. 2 2 3 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.3 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'none'". 4 4 5 5 Loads an iframe which in turns tries to load an external script. The iframe has a content security policy disabling external scripts. So the script should not get executed. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to execute inline event handler because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'none'". 2 2 3 3 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-redirect-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src localhost". 2 2 3 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.3 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1". 4 4 5 5 Loads an iframe which in turns tries to load an external script. The request for the script is redirected to 'localhost'. The iframe has a content security policy disabling external scripts from hosts other than 'localhost'. So the script should be allowed to run. -
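Review bot: Not introduced by this change, but now that the expected output spells out the violated directives ("script-src localhost" and "script-src 127.0.0.1"), the unchanged description on this file, which ends "So the script should be allowed to run", visibly contradicts the two refusals recorded above it. Worth a follow-up to bring the test's prose in line with what it actually asserts, since the richer messages make the mismatch obvious to anyone reading the baseline.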
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-01-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load script from 'http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'self'". 2 2 3 3 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-02-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8080/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8080/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'self'". 2 2 3 3 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-03-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load script from 'https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to load the script 'https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'self'". 2 2 3 3 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt
r116335 r117006 1 CONSOLE MESSAGE: Refused to execute inline script because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". 2 2 3 3 This test passes if it doesn't alert fail. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/style-blocked-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load style from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/blue.css' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to load the style 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/blue.css' because it violates the following Content Security Policy directive: "style-src 'none'". 2 2 3 3 PASS -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-connect-src-blocked-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load connect from 'http://127.0.0.1:8000/xmlhttprequest/resources/get.txt' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to connect to connect 'http://127.0.0.1:8000/xmlhttprequest/resources/get.txt' because it violates the following Content Security Policy directive: "connect-src 'none'". 2 2 3 3 ALERT: xhr blocked -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-script-src-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.js' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline'". 2 2 3 3 ALERT: Error: SECURITY_ERR: DOM Exception 18 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/style.xsl' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/style.xsl' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline'". 2 2 3 3 layer at (0,0) size 800x600 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-img-blocked-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load image from 'http://127.0.0.1:8000/security/resources/abe.png' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'". 2 2 3 3 Here is an image: -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/style.xsl' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/style.xsl' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline'". 2 2 3 3 layer at (0,0) size 800x600 -
trunk/LayoutTests/media/csp-blocks-video-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load media from 'test.mp4' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to load the media 'test.mp4' because it violates the following Content Security Policy directive: "media-src 'none'". 2 2 3 3 END OF TEST -
trunk/LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/media-src-blocked-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load media from 'http://127.0.0.1:8000/media/video-load-and-stall.cgi?name=../../../media/content/test.ogv&mimeType=video/ogg&stallAt=100000' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to load the media 'http://127.0.0.1:8000/media/video-load-and-stall.cgi?name=../../../media/content/test.ogv&mimeType=video/ogg&stallAt=100000' because it violates the following Content Security Policy directive: "media-src 'none'". 2 2 3 3 END OF TEST -
trunk/LayoutTests/platform/chromium/media/csp-blocks-video-expected.txt
r104803 r117006 1 CONSOLE MESSAGE: Refused to load media from 'test.ogv' because of Content-Security-Policy.1 CONSOLE MESSAGE: Refused to load the media 'test.ogv' because it violates the following Content Security Policy directive: "media-src 'none'". 2 2 3 3 END OF TEST -
trunk/Source/WebCore/ChangeLog
r117005 r117006 1 2012-05-14 Mike West <mike@mikewest.org> 2 3 Content Security Policy console errors include violated directive. 4 https://bugs.webkit.org/show_bug.cgi?id=86323 5 6 Reviewed by Adam Barth. 7 8 Console errors generated when resources, inline script/style, or eval 9 are blocked by Content Security Policy directives should include the 10 text of the directive that's been violated. This gives developers more 11 of the information they need to resolve the issue. 12 13 Test: http/tests/security/contentSecurityPolicy/* 14 15 * page/ContentSecurityPolicy.cpp: 16 (WebCore::CSPDirectiveList::checkEvalAndReportViolation): 17 (WebCore::CSPDirectiveList::checkInlineAndReportViolation): 18 (WebCore::CSPDirectiveList::checkSourceAndReportViolation): 19 (WebCore::CSPDirectiveList::allowJavaScriptURLs): 20 (WebCore::CSPDirectiveList::allowInlineEventHandlers): 21 (WebCore::CSPDirectiveList::allowInlineScript): 22 (WebCore::CSPDirectiveList::allowInlineStyle): 23 (WebCore::CSPDirectiveList::allowEval): 24 1 25 2012-05-14 Julien Chaffraix <jchaffraix@webkit.org> 2 26 -
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r116842 r117006 643 643 if (!directive || directive->allowInline()) 644 644 return true; 645 reportViolation(directive->text(), consoleMessage );645 reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n"); 646 646 return denyIfEnforcingPolicy(); 647 647 } … … 651 651 if (checkEval(directive)) 652 652 return true; 653 reportViolation(directive->text(), consoleMessage );653 reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n"); 654 654 return denyIfEnforcingPolicy(); 655 655 } … … 659 659 if (!directive || directive->allows(url)) 660 660 return true; 661 reportViolation(directive->text(), "Refused to load " + type + " from '" + url.string() + "' because of Content-Security-Policy.\n", url); 661 String verb = type == "connect" ? "connect to" : "load the"; 662 reportViolation(directive->text(), "Refused to " + verb + " " + type + " '" + url.string() + "' because it violates the following Content Security Policy directive: \"" + directive->text() + "\".\n", url); 662 663 return denyIfEnforcingPolicy(); 663 664 } … … 665 666 bool CSPDirectiveList::allowJavaScriptURLs() const 666 667 { 667 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute JavaScript URL because of Content-Security-Policy.\n"));668 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute JavaScript URL because it violates the following Content Security Policy directive: ")); 668 669 return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage); 669 670 } … … 671 672 bool CSPDirectiveList::allowInlineEventHandlers() const 672 673 { 673 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline event handler because of Content-Security-Policy.\n"));674 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline event handler because it violates the following Content Security Policy directive: ")); 674 675 return 
checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage); 675 676 } … … 677 678 bool CSPDirectiveList::allowInlineScript() const 678 679 { 679 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline script because of Content-Security-Policy.\n"));680 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline script because it violates the following Content Security Policy directive: ")); 680 681 return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage); 681 682 } … … 683 684 bool CSPDirectiveList::allowInlineStyle() const 684 685 { 685 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to apply inline style because of Content-Security-Policy.\n"));686 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to apply inline style because it violates the following Content Security Policy directive: ")); 686 687 return checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), consoleMessage); 687 688 } … … 689 690 bool CSPDirectiveList::allowEval() const 690 691 { 691 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to evaluate script because of Content-Security-Policy.\n"));692 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to evaluate script because it violates the following Content Security Policy directive: ")); 692 693 return checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage); 693 694 }
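Review bot: In the checkSourceAndReportViolation hunk, `String verb = type == "connect" ? "connect to" : "load the";` followed by `"Refused to " + verb + " " + type + " '"` yields "Refused to connect to connect '...'" for the connect case, as the rebaselined connect-src expectations in this changeset show. Build the whole object phrase per type instead, for example "connect to" with no type noun when type is "connect" and "load the " + type otherwise, so the message reads naturally for every resource type.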
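Review bot: The suffix construction `consoleMessage + "\"" + directive->text() + "\".\n"` is duplicated verbatim in the checkInlineAndReportViolation and checkEvalAndReportViolation hunks, and it creates an implicit contract with the five callers whose DEFINE_STATIC_LOCAL strings now end in ": " and no longer carry their own "\n". Factoring the quoting and newline into one small helper would keep the two sites from drifting and make the contract explicit. Also note that directive->text() is spliced between the quotes verbatim; that is fine for a human-readable message, but a one-line comment that the quoted segment is not a reliable delimiter for anything parsing console output would save a future reader from relying on it.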