Changeset 263605 in webkit
- Timestamp:
- Jun 26, 2020 4:58:27 PM (4 years ago)
- Location:
- trunk/LayoutTests
- Files:
-
- 24 added
- 60 edited
- 1 copied
- 16 moved
trunk/LayoutTests/ChangeLog
r263601 r263605 1 2020-06-26 Chris Dumez <cdumez@apple.com> 2 3 Update web-platform-tests/content-security-policy from upstream 4 https://bugs.webkit.org/show_bug.cgi?id=213664 5 6 Reviewed by Darin Adler. 7 8 Update web-platform-tests/content-security-policy from upstream b076c305a256e7fb7. 9 10 * tests-options.json: 11 1 12 2020-06-26 Jer Noble <jer.noble@apple.com> 2 13 -
trunk/LayoutTests/TestExpectations
r263594 r263605 750 750 imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_eval.html 751 751 imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_new_function.html 752 imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html753 752 imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html 754 imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html755 753 imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html 756 754 imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_eval.html … … 781 779 imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-script-fallback.sub.html 782 780 imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-self-fallback.sub.html 781 782 # Sometimes logs a line about trying to connect to an external URL. 783 imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.sub.html [ Pass Failure ] 783 784 784 785 # Web platform test infrastructure unable to support insecure connection -
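Review bot: The new `[ Pass Failure ]` line for `frame-src/frame-src-same-document.sub.html` carries no bug link, and it accepts every failure of that test, not only the stray log line described in the comment above it. Because the test covers CSP `frame-src` enforcement, a real regression there would be reported as expected flakiness. I would file a bug and put the reference on the line, e.g. `webkit.org/b/<bug-id> imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.sub.html [ Pass Failure ]`. The same changeset adds an explicit port to that test's cross-origin URL, which may change the logging, so the expectation is worth re-checking after it lands.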
trunk/LayoutTests/imported/w3c/ChangeLog
r263598 r263605 1 2020-06-26 Chris Dumez <cdumez@apple.com> 2 3 Update web-platform-tests/content-security-policy from upstream 4 https://bugs.webkit.org/show_bug.cgi?id=213664 5 6 Reviewed by Darin Adler. 7 8 Update web-platform-tests/content-security-policy from upstream b076c305a256e7fb7. 9 10 * resources/resource-files.json: 11 * web-platform-tests/content-security-policy/*: Updated. 12 1 13 2020-06-26 Chris Dumez <cdumez@apple.com> 2 14 -
trunk/LayoutTests/imported/w3c/resources/resource-files.json
r262539 r263605 61 61 "web-platform-tests/beacon/navigate.iFrame.sub.html", 62 62 "web-platform-tests/content-security-policy/README.html", 63 "web-platform-tests/content-security-policy/embedded-enforcement/support/executor.html", 63 64 "web-platform-tests/content-security-policy/form-action/support/post-message-to-opener.sub.html", 64 65 "web-platform-tests/content-security-policy/form-action/support/post-message-to-parent.sub.html", … … 72 73 "web-platform-tests/content-security-policy/generic/support/log-pass.html", 73 74 "web-platform-tests/content-security-policy/generic/support/sandboxed-eval.sub.html", 75 "web-platform-tests/content-security-policy/inheritance/support/empty.html", 74 76 "web-platform-tests/content-security-policy/inheritance/support/navigate-self-to-blob.html", 75 77 "web-platform-tests/content-security-policy/inheritance/support/srcdoc-child-frame.html", -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/allow_csp_from-header.html
r246330 r263605 46 46 "expected": IframeLoad.EXPECT_BLOCK, 47 47 "blockedURI": null}, 48 { "name": " iframe from cross origin does not load without Allow-CSP-From header.",48 { "name": "Cross origin iframe with correct Allow-CSP-From header is allowed.", 49 49 "origin": Host.CROSS_ORIGIN, 50 50 "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'", … … 58 58 "expected": IframeLoad.EXPECT_BLOCK, 59 59 "blockedURI": null}, 60 { "name": "Allow-CSP-From header with a star value can be returned.",60 { "name": "Allow-CSP-From header with a star value allows cross origin frame.", 61 61 "origin": Host.CROSS_ORIGIN, 62 62 "csp": "script-src 'unsafe-inline'", -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/required_csp-header.html
r246330 r263605 2 2 <html> 3 3 <head> 4 <title>Embedded Enforcement: Sec-Required-CSP header.</title> 4 <title>Embedded Enforcement: Sec-Required-CSP header.</title> 5 <!-- 6 This test is creating and navigating >=70 iframes. This can exceed the 7 "short" timeout". See https://crbug.com/818324 8 --> 9 <meta name="timeout" content="long"> 10 5 11 <script src="/resources/testharness.js"></script> 6 12 <script src="/resources/testharnessreport.js"></script> -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html
r246330 r263605 9 9 <body> 10 10 <script> 11 // Note that the returned csp should always allow execution of an 12 // inline script with nonce "abc" (as returned by 13 // support/echo-policy-multiple.py), otherwise the test might 14 // return false negatives. 11 15 var tests = [ 12 16 { "name": "If there is no required csp, iframe should load.", … … 28 32 { "name": "Iframe with less restricting CSP should be blocked.", 29 33 "required_csp": "style-src 'none'; script-src 'none'", 30 "returned_csp": "style-src 'none'; script-src 'self' ",34 "returned_csp": "style-src 'none'; script-src 'self' 'nonce-abc'", 31 35 "expected": IframeLoad.EXPECT_BLOCK }, 32 36 { "name": "Iframe with a different CSP should be blocked.", -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html
r246330 r263605 11 11 var tests = [ 12 12 { "name": "Exact nonce subsumes.", 13 "required_csp": "s cript-src 'nonce-abc'",14 "returned_csp_1": "s cript-src 'nonce-abc'",13 "required_csp": "style-src 'nonce-abc'", 14 "returned_csp_1": "style-src 'nonce-abc'", 15 15 "expected": IframeLoad.EXPECT_LOAD }, 16 16 { "name": "Any nonce subsumes.", … … 19 19 "expected": IframeLoad.EXPECT_LOAD }, 20 20 { "name": "A nonce has to be returned if required by the embedder.", 21 "required_csp": "s cript-src 'nonce-abc'",22 "returned_csp_1": "s cript-src http://example1.com/foo",21 "required_csp": "style-src 'nonce-abc'", 22 "returned_csp_1": "style-src http://example1.com/foo", 23 23 "expected": IframeLoad.EXPECT_BLOCK }, 24 24 { "name": "Multiples nonces returned subsume.", … … 28 28 // nonce intersection 29 29 { "name": "Nonce intersection is still done on exact match - non-matching nonces.", 30 "required_csp": "s cript-src 'nonce-abc'",31 "returned_csp_1": "s cript-src 'nonce-def'",32 "returned_csp_2": "s cript-src 'nonce-xyz'",33 "expected": IframeLoad.EXPECT_ BLOCK},30 "required_csp": "style-src 'none'", 31 "returned_csp_1": "style-src 'nonce-def'", 32 "returned_csp_2": "style-src 'nonce-xyz'", 33 "expected": IframeLoad.EXPECT_LOAD }, 34 34 { "name": "Nonce intersection is still done on exact match - matching nonces.", 35 "required_csp": "style-src 'non ce-abc'",35 "required_csp": "style-src 'none'", 36 36 "returned_csp_1": "style-src 'nonce-def'", 37 37 "returned_csp_2": "style-src 'nonce-def' 'nonce-xyz'", 38 "expected": IframeLoad.EXPECT_ LOAD},38 "expected": IframeLoad.EXPECT_BLOCK }, 39 39 // other expressions still have to work 40 40 { "name": "Other expressions still have to be subsumed - positive test.", … … 43 43 "expected": IframeLoad.EXPECT_LOAD }, 44 44 { "name": "Other expressions still have to be subsumed - negative test", 45 "required_csp": "s cript-src http://example1.com/foo/ 'nonce-abc'",46 "returned_csp_1": "s cript-src http://not-example1.com/foo/ 
'nonce-xyz'",45 "required_csp": "style-src http://example1.com/foo/ 'nonce-abc'", 46 "returned_csp_1": "style-src http://not-example1.com/foo/ 'nonce-xyz'", 47 47 "expected": IframeLoad.EXPECT_BLOCK }, 48 48 ]; -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html
r246330 r263605 10 10 <script> 11 11 var tests = [ 12 // Note that the returned csp should always allow execution of an 13 // inline script with nonce "abc" (as returned by 14 // support/echo-policy-multiple.py), otherwise the test might 15 // return false negatives. 12 16 { "name": "'strict-dynamic' is ineffective for `style-src`.", 13 17 "required_csp": "style-src http://example1.com/foo/ 'self'", … … 28 32 { "name": "'strict-dynamic' is effective only for `script-src`.", 29 33 "required_csp": "script-src http://example1.com/foo/ 'self'", 30 "returned_csp_1": "script-src 'strict-dynamic' http://example1.com/foo/bar.html ",34 "returned_csp_1": "script-src 'strict-dynamic' http://example1.com/foo/bar.html 'nonce-abc'", 31 35 "expected": IframeLoad.EXPECT_BLOCK }, 32 { "name": "'strict-dynamic' is proper handled for finding effective policy.",36 { "name": "'strict-dynamic' is properly handled for finding effective policy.", 33 37 "required_csp": "script-src http://example1.com/foo/ 'self'", 34 "returned_csp_1": "script-src 'strict-dynamic' http://example1.com/foo/bar.html ",38 "returned_csp_1": "script-src 'strict-dynamic' http://example1.com/foo/bar.html 'nonce-abc'", 35 39 "returned_csp_2": "script-src 'strict-dynamic' 'nonce-abc'", 36 40 "expected": IframeLoad.EXPECT_BLOCK }, -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html
r246330 r263605 70 70 "returned_csp_2": null, 71 71 "expected": IframeLoad.EXPECT_BLOCK }, 72 { "name": "Returned csp whitelists a nonce.",72 { "name": "Returned csp allows a nonce.", 73 73 "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'", 74 74 "returned_csp_1": "style-src 'unsafe-inline' 'nonce-abc'", 75 75 "returned_csp_2": "style-src 'nonce-abc'", 76 76 "expected": IframeLoad.EXPECT_BLOCK }, 77 { "name": "Returned csp whitelists a hash.",77 { "name": "Returned csp allows a hash.", 78 78 "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'", 79 79 "returned_csp_1": "style-src 'unsafe-inline' 'sha256-abc123'", -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/testharness-helper.sub.js
r246330 r263605 130 130 assert_equals(loaded[urlId], undefined); 131 131 }), 500); 132 assert_throws ("SecurityError", () => {132 assert_throws_dom("SecurityError", () => { 133 133 var x = i.contentWindow.location.href; 134 134 }); -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/w3c-import.log
r246330 r263605 18 18 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/echo-policy-multiple.py 19 19 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/echo-required-csp.py 20 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/executor.html 20 21 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/testharness-helper.sub.js -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/w3c-import.log
r246330 r263605 16 16 List of files: 17 17 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/allow_csp_from-header.html 18 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html 18 19 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/idlharness.window.js 19 20 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/iframe-csp-attribute.html -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https.html
r254133 r263605 18 18 // Load iframe. 19 19 var iframe = document.createElement("iframe"); 20 function iframeLoaded(ev) { 20 let timer; 21 function pollForLoadCompletion() { 22 timer = t.step_timeout(() => iframeMayBeLoaded({isPoll: true}), 10); 23 } 24 function iframeMayBeLoaded({isPoll}) { 21 25 var failed = false; 26 clearTimeout(timer); 22 27 try { 23 ev.target.contentWindow.location.href; 28 let href = iframe.contentWindow.location.href; 29 if (isPoll && (href === "about:blank" || iframe.contentDocument.readyState !== "complete")) { 30 pollForLoadCompletion(); 31 return; 32 } 24 33 failed = true; 25 34 } catch (ex) {} 26 35 t.step_func_done(() => assert_false(failed, "The IFrame should have been blocked. It wasn't."))(); 27 36 }; 28 iframe.addEventListener("load", iframeLoaded);29 iframe.addEventListener("error", iframeLoaded);37 iframe.addEventListener("load", () => iframeMayBeLoaded({isPoll: false})); 38 iframe.addEventListener("error", () => iframeMayBeLoaded({isPoll: false})); 30 39 iframe.src = "/content-security-policy/frame-ancestors/support/service-worker/frame-ancestors-none.html"; 31 40 document.body.appendChild(iframe); 41 pollForLoadCompletion(); 32 42 }); 33 43 </script> -
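Review bot: The empty `catch (ex) {}` in `iframeMayBeLoaded` counts any exception as proof that the frame was blocked, and the new polling path now runs that `try` block repeatedly before the load event fires. An exception unrelated to `frame-ancestors` (in principle, a TypeError from the added `iframe.contentDocument.readyState` read) would therefore let the test pass for the wrong reason. Recording only the cross-origin error would tighten it: `} catch (ex) { failed = ex.name !== "SecurityError"; }`. The file is imported from web-platform-tests, so the change would need to go upstream.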
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-overrides-xfo.html
r246330 r263605 19 19 var i = document.createElement('iframe'); 20 20 i.src = "support/frame-ancestors-and-x-frame-options.sub.html?policy=other-origin.com&xfo=SAMEORIGIN"; 21 i.onload = t.step_func_done(function () { 21 checkDone = t.step_func(function() { 22 clearTimeout(timer); 23 try { 24 if (i.contentWindow.location.href === "about:blank" || 25 (i.contentDocument && i.contentDocument.readyState !== "complete")) { 26 timer = t.step_timeout(checkDone, 10); 27 return; 28 } 29 } catch(e) {} 22 30 assert_equals(i.contentDocument, null); 31 t.done(); 23 32 }); 33 i.onload = checkDone; 34 let timer = t.step_timeout(checkDone, 10); 24 35 document.body.appendChild(i); 25 36 }, "A 'frame-ancestors' CSP directive overrides an 'x-frame-options' header which would allow the page."); -
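Review bot: `checkDone` is assigned without a declaration (`checkDone = t.step_func(function() {`), so it becomes an implicit global in a sloppy-mode script and would be a ReferenceError under strict mode. `const checkDone = t.step_func(function() {` keeps it local to the test. The `catch(e) {}` a few lines below looks intentional, since a blocked frame is expected to throw on `location.href`, but it reads like a swallowed error. A comment such as `// Cross-origin access throws once the frame is blocked; fall through to the assertion.` would make that clear. The enclosing `async_test` callback starts outside the hunk.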
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-test.sub.js
r254133 r263605 48 48 } 49 49 50 let timer; 51 function pollForLoadCompletion({iframe, expectBlock}) { 52 let fn = iframeLoaded({expectBlock, isPoll: true}); 53 timer = test.step_timeout(() => fn({target: iframe}), 10); 54 } 55 50 56 function injectIFrame(policy, sameOrigin, expectBlock) { 51 57 var iframe = document.createElement("iframe"); 52 iframe.addEventListener("load", iframeLoaded( expectBlock));53 iframe.addEventListener("error", iframeLoaded( expectBlock));58 iframe.addEventListener("load", iframeLoaded({expectBlock, isPoll: false})); 59 iframe.addEventListener("error", iframeLoaded({expectBlock, isPoll: false})); 54 60 55 61 var url = "/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html?policy=" + policy; … … 61 67 iframe.src = url; 62 68 document.body.appendChild(iframe); 69 pollForLoadCompletion({iframe, expectBlock}); 63 70 } 64 71 65 function iframeLoaded( expectBlock) {72 function iframeLoaded({isPoll, expectBlock}) { 66 73 return function(ev) { 74 clearTimeout(timer); 67 75 var failed = true; 68 76 var message = ""; 69 77 try { 70 ev.target.contentWindow.location.href; 78 let url = ev.target.contentWindow.location.href; 79 if (isPoll && (url === "about:blank" || ev.target.contentDocument.readyState !== "complete")) { 80 pollForLoadCompletion({iframe: ev.target, expectBlock}); 81 return; 82 } 71 83 if (expectBlock) { 72 84 message = "The IFrame should have been blocked (or cross-origin). It wasn't."; -
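Review bot: `timer` is a single file-level variable shared by every iframe this helper creates. If `injectIFrame` is ever called more than once on a page, the `clearTimeout(timer)` in one frame's `iframeLoaded` handler can cancel another frame's pending poll, and the overwritten handle of the first poll is lost. Callers are not visible here, so this may not happen today. Keeping the handle per frame would remove the coupling, for instance by storing it on a small state object created in `injectIFrame` that both `pollForLoadCompletion` and the handler receive. The body of `iframeLoaded` continues past the end of the last hunk.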
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta.sub.html
r263601 r263605 10 10 iframe.name = "theiframe"; 11 11 iframe.src = 12 "http://www1.{{host}} /content-security-policy/support/frame.html#0";13 let iframeLoaded = new Promise(resolve => { iframe.onload = resolve ;});12 "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/frame-src/support/frame.html?0"; 13 let iframeLoaded = new Promise(resolve => { iframe.onload = resolve }); 14 14 document.body.appendChild(iframe); 15 15 await iframeLoaded; … … 27 27 { 28 28 let violation = new Promise(resolve => { 29 window.addEventListener('securitypolicyviolation', resolve);29 window.addEventListener('securitypolicyviolation', () => resolve()); 30 30 }); 31 31 iframe.src = 32 "http://www1.{{host}} /content-security-policy/support/frame.html#1";32 "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/frame-src/support/frame.html?1"; 33 33 await violation; 34 34 } … … 40 40 }); 41 41 window.open( 42 "http://www1.{{host}} /content-security-policy/support/frame.html#2",42 "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/frame-src/support/frame.html?2", 43 43 "theiframe"); 44 44 await violation; -
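Review bot: The listener added in the second hunk, `window.addEventListener('securitypolicyviolation', () => resolve());`, discards the event, so the awaited promise resolves on any policy violation in the window rather than on the `frame-src` block this step is about. Resolving with the event and checking it would make the step specific, e.g. `window.addEventListener('securitypolicyviolation', resolve, { once: true });` followed by `assert_equals((await violation).violatedDirective, 'frame-src');`. `{ once: true }` also stops the listener from lingering into the later `window.open` step. The surrounding test function is only partly visible, so later assertions may already cover this.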
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.sub.html
r263601 r263605 5 5 <script> 6 6 let crossOriginUrl = 7 "http://www1.{{host}} /content-security-policy/support/frame.html";7 "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/frame.html"; 8 8 9 9 async_test(async test => { -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/w3c-import.log
r254133 r263605 22 22 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-redirect.html 23 23 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-redirect.html.headers 24 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta.html 25 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.html 24 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta.sub.html 26 25 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.html.headers 26 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.sub.html 27 27 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-self-unique-origin.html -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/eval-typecheck-callout-order.tentative.html
r246330 r263605 11 11 <script nonce='abc'> 12 12 test(function() { 13 assert_throws (newEvalError, function() {13 assert_throws_js(EvalError, function() { 14 14 eval("0"); 15 15 }, "eval of a string should reach host callout"); -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes.sub-expected.txt
r246330 r263605 4 4 PASS <iframe src='blob:...'>'s inherits policy. 5 5 PASS <iframe src='data:...'>'s inherits policy. 6 PASS <iframe src='javascript:...'>'s inherits policy. 6 PASS <iframe src='javascript:...'>'s inherits policy (static <img> is blocked) 7 PASS <iframe src='javascript:...'>'s inherits policy (dynamically inserted <img> is blocked) 7 8 PASS <iframe sandbox src='blob:...'>'s inherits policy. (opaque origin sandbox) 8 9 -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes.sub.html
r246330 r263605 81 81 82 82 document.body.appendChild(i); 83 }, "<iframe src='javascript:...'>'s inherits policy."); 83 }, "<iframe src='javascript:...'>'s inherits policy (static <img> is blocked)"); 84 85 // Same as the previous javascript-URL test, but instead of loading the <img> 86 // from the new document, this one is created from the initial empty document, 87 // while evaluating the javascript-url. 88 // See https://crbug.com/1064676 89 async_test(t => { 90 let url = `javascript: 91 let img = document.createElement('img'); 92 img.onload = () => window.top.postMessage('load', '*'); 93 img.onerror = () => window.top.postMessage('error', '*'); 94 img.src = '{{location[server]}}/images/red-16x16.png'; 95 document.body.appendChild(img); 96 `; 97 var i = document.createElement('iframe'); 98 i.src = encodeURI(url.replace(/\n/g, "")); 99 wait_for_error_from_frame(i, t); 100 101 document.body.appendChild(i); 102 }, "<iframe src='javascript:...'>'s inherits policy (dynamically inserted <img> is blocked)"); 84 103 85 104 async_test(t => { -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/w3c-import.log
r246330 r263605 15 15 ------------------------------------------------------------------------ 16 16 List of files: 17 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/empty.html 17 18 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/navigate-self-to-blob.html 18 19 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/support/navigate-self-to-blob.html.sub.headers -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/w3c-import.log
r246330 r263605 18 18 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/blob-url-in-main-window-self-navigate-inherits.sub.html 19 19 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/document-write-iframe.html 20 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/frame-src-javascript-url.html 20 21 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes-inherit-self.sub.html 21 22 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/iframe-all-local-schemes.sub.html -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/window.html
r246330 r263605 24 24 img.onerror = t.step_func_done(_ => w.close()); 25 25 img.onload = t.unreached_func(); 26 img.src = "/images/red-16x16.png"; 26 27 w.document.body.appendChild(img); 27 img.src = "/images/red-16x16.png";28 28 }, "window.open() inherits policy."); 29 29 -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/connect-src-self.sub.js
r254133 r263605 55 55 56 56 // TODO(mkwst): A 'securitypolicyviolation' event should fire. 57 return promise_rejects (t, newTypeError, fetch(url));57 return promise_rejects_js(t, TypeError, fetch(url)); 58 58 }, "Same-origin => cross-origin 'fetch()' in " + self.location.protocol + self.location.search); 59 59 -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/script-src-self.sub.js
r254133 r263605 4 4 test(t => { 5 5 self.a = false; 6 assert_throws ("NetworkError",7 _ => importScripts("http://{{hosts[alt][]}}:{{ports[http][1]}}/content-security-policy/support/var-a.js"),8 "importScripts should throw `NetworkError`");6 assert_throws_dom("NetworkError", 7 _ => importScripts("http://{{hosts[alt][]}}:{{ports[http][1]}}/content-security-policy/support/var-a.js"), 8 "importScripts should throw `NetworkError`"); 9 9 assert_false(self.a); 10 10 }, "Cross-origin `importScripts()` blocked in " + self.location.protocol + self.location.search); 11 11 12 12 test(t => { 13 assert_throws (EvalError(),14 _ => eval("1 + 1"),15 "`eval()` should throw 'EvalError'.");13 assert_throws_js(EvalError, 14 _ => eval("1 + 1"), 15 "`eval()` should throw 'EvalError'."); 16 16 17 assert_throws (EvalError(),18 _ => new Function("1 + 1"),19 "`new Function()` should throw 'EvalError'.");17 assert_throws_js(EvalError, 18 _ => new Function("1 + 1"), 19 "`new Function()` should throw 'EvalError'."); 20 20 }, "`eval()` blocked in " + self.location.protocol + self.location.search); 21 21 -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-expected.txt
r263601 r263605 1 async_test(t => { requestAnimationFrame(t.step_func_done(_ => { var script = document.querySelector('#cssTest'); var style = getComputedStyle(script); assert_equals(style['display'], 'block'); assert_equals(style['background-image'], 'none'); })); }, "Nonces don't leak via CSS side-channels.");2 1 3 2 FAIL Reading 'nonce' content attribute and IDL attribute. assert_equals: expected Element node <script nonce="abc" id="testScript" executed="yay"> … … 12 11 FAIL setAttribute('nonce') overwrites '.nonce' upon insertion. assert_equals: expected "" but got "abc" 13 12 FAIL createElement.setAttribute. assert_equals: Post-insertion content expected "" but got "abc" 14 FAIL Custom elements expose the correct events. assert_ equals: expected 3 but got 213 FAIL Custom elements expose the correct events. assert_object_equals: AttributeChanged 2 value is undefined, expected object 15 14 FAIL Nonces don't leak via CSS side-channels. assert_equals: expected "none" but got "url(\"http://localhost:8800/security/resources/abe.png\")" 16 15 -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.sub-expected.txt
r263601 r263605 1 async_test(t => { requestAnimationFrame(t.step_func_done(_ => { var script = document.querySelector('#cssTest'); var style = getComputedStyle(script); assert_equals(style['display'], 'block'); assert_equals(style['background-image'], "url(\"http://localhost:8800/security/resources/abe.png\")"); })); }, "Nonces leak via CSS side-channels.");2 1 3 2 PASS Reading 'nonce' content attribute and IDL attribute. -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.sub.html
r263601 r263605 73 73 s.innerText = script.innerText; 74 74 s.nonce = 'abc'; 75 assert_equals(s.nonce, 'abc'); 76 assert_equals(s.getAttribute('nonce'), null); 75 77 document.head.appendChild(s); 76 78 assert_equals(s.nonce, 'abc'); … … 120 122 </style> 121 123 <script nonce="abc" id="cssTest"> 122 async_test(t => { 123 requestAnimationFrame(t.step_func_done(_ => { 124 var script = document.querySelector('#cssTest'); 125 var style = getComputedStyle(script); 126 assert_equals(style['display'], 'block'); 127 assert_equals(style['background-image'], "url(\"http://{{domains[]}}:{{ports[http][0]}}/security/resources/abe.png\")"); 128 })); 124 test(t => { 125 const script = document.querySelector('#cssTest'); 126 t.add_cleanup(() => script.remove()); 127 var style = getComputedStyle(script); 128 assert_equals(style['display'], 'block'); 129 assert_equals(style['background-image'], "url(\"http://{{domains[]}}:{{ports[http][0]}}/security/resources/abe.png\")"); 129 130 }, "Nonces leak via CSS side-channels."); 130 131 </script> -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.html
r263601 r263605 74 74 s.innerText = script.innerText; 75 75 s.nonce = 'abc'; 76 assert_equals(s.nonce, 'abc'); 77 assert_equals(s.getAttribute('nonce'), null); 76 78 document.head.appendChild(s); 77 79 assert_equals(s.nonce, 'abc'); … … 148 150 <script nonce="abc"> 149 151 test(t => { 152 assert_object_equals(eventList[0], { type: "AttributeChanged", name: "nonce", oldValue: null, newValue: "abc" }, "AttributeChanged 1"); 153 assert_object_equals(eventList[1], { type: "Connected" }, "Connected"); 154 assert_object_equals(eventList[2], { type: "AttributeChanged", name: "nonce", oldValue: "abc", newValue: "" }, "AttributeChanged 2"); 150 155 assert_equals(eventList.length, 3); 151 assert_object_equals(eventList[0], { type: "AttributeChanged", name: "nonce", oldValue: null, newValue: "abc" });152 assert_object_equals(eventList[1], { type: "Connected" });153 assert_object_equals(eventList[2], { type: "AttributeChanged", name: "nonce", oldValue: "abc", newValue: "" });154 156 }, "Custom elements expose the correct events."); 155 157 </script> … … 161 163 </style> 162 164 <script nonce="abc" id="cssTest"> 163 async_test(t => { 164 requestAnimationFrame(t.step_func_done(_ => { 165 var script = document.querySelector('#cssTest'); 166 var style = getComputedStyle(script); 167 assert_equals(style['display'], 'block'); 168 assert_equals(style['background-image'], 'none'); 169 })); 165 test(t => { 166 const script = document.querySelector('#cssTest'); 167 t.add_cleanup(() => script.remove()); 168 var style = getComputedStyle(script); 169 assert_equals(style['display'], 'block'); 170 assert_equals(style['background-image'], 'none'); 170 171 }, "Nonces don't leak via CSS side-channels."); 171 172 </script> -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-expected.txt
r263601 r263605 5 5 FAIL Cloned node retains nonce. assert_equals: IDL attribute expected (string) "abc" but got (undefined) undefined 6 6 FAIL Cloned node retains nonce when inserted. assert_equals: expected (string) "abc" but got (undefined) undefined 7 FAIL Writing 'nonce' content attribute. assert_equals: expected (string) " abc" but got (undefined) undefined7 FAIL Writing 'nonce' content attribute. assert_equals: expected (string) "foo" but got (undefined) undefined 8 8 PASS Writing 'nonce' IDL attribute. 9 9 PASS Document-written script executes. … … 11 11 FAIL createElement.nonce. assert_equals: expected (object) null but got (string) "abc" 12 12 FAIL createElement.setAttribute. assert_equals: Post-insertion content expected "" but got "abc" 13 FAIL Nonces don't leak via CSS side-channels. assert_equals: expected "none" but got "url(\"http://localhost:8800/security/resources/abe.png\")"14 13 -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.sub-expected.txt
r263601 r263605 4 4 FAIL Cloned node retains nonce. assert_equals: IDL attribute expected (string) "abc" but got (undefined) undefined 5 5 FAIL Cloned node retains nonce when inserted. assert_equals: expected (string) "abc" but got (undefined) undefined 6 FAIL Writing 'nonce' content attribute. assert_equals: expected (string) " abc" but got (undefined) undefined6 FAIL Writing 'nonce' content attribute. assert_equals: expected (string) "foo" but got (undefined) undefined 7 7 PASS Writing 'nonce' IDL attribute. 8 8 PASS Document-written script executes. … … 10 10 PASS createElement.nonce. 11 11 PASS createElement.setAttribute. 12 PASS Nonces don't leak via CSS side-channels.13 12 -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.sub.html
r263601 r263605 50 50 script.setAttribute('nonce', 'foo'); 51 51 assert_equals(script.getAttribute('nonce'), 'foo'); 52 assert_equals(script.nonce, ' abc');52 assert_equals(script.nonce, 'foo'); 53 53 }, "Writing 'nonce' content attribute."); 54 54 … … 78 78 innerScript.nonce = 'abc'; 79 79 s.appendChild(innerScript); 80 assert_equals(innerScript.nonce, 'abc'); 81 assert_equals(innerScript.getAttribute('nonce'), null, 'innerScript.getAttribute nonce'); 80 82 document.body.appendChild(s); 81 83 assert_equals(innerScript.nonce, 'abc'); … … 97 99 }, "createElement.setAttribute."); 98 100 </script> 99 100 <!-- CSS Leakage -->101 <style>102 #cssTest { display: block; }103 #cssTest[nonce=abc] { background: url(/security/resources/abe.png); }104 </style>105 <svg xmlns="http://www.w3.org/2000/svg">106 <script nonce="abc" id="cssTest">107 async_test(t => {108 requestAnimationFrame(t.step_func_done(_ => {109 var script = document.querySelector('#cssTest');110 var style = getComputedStyle(script);111 assert_equals(style['display'], 'block');112 assert_equals(style['background-image'], "url(\"http://{{domains[]}}:{{ports[http][0]}}/security/resources/abe.png\")");113 }));114 }, "Nonces don't leak via CSS side-channels.");115 </script>116 </svg> -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.html
r263601 r263605 50 50 script.setAttribute('nonce', 'foo'); 51 51 assert_equals(script.getAttribute('nonce'), 'foo'); 52 assert_equals(script.nonce, ' abc');52 assert_equals(script.nonce, 'foo'); 53 53 }, "Writing 'nonce' content attribute."); 54 54 … … 97 97 }, "createElement.setAttribute."); 98 98 </script> 99 100 <!-- CSS Leakage -->101 <style>102 #cssTest { display: block; }103 #cssTest[nonce=abc] { background: url(/security/resources/abe.png); }104 </style>105 <svg xmlns="http://www.w3.org/2000/svg">106 <script nonce="abc" id="cssTest">107 async_test(t => {108 requestAnimationFrame(t.step_func_done(_ => {109 var script = document.querySelector('#cssTest');110 var style = getComputedStyle(script);111 assert_equals(style['display'], 'block');112 assert_equals(style['background-image'], 'none');113 }));114 }, "Nonces don't leak via CSS side-channels.");115 </script>116 </svg> -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/w3c-import.log
r246330 r263605 15 15 ------------------------------------------------------------------------ 16 16 List of files: 17 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.tentative.sub.html 18 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html 19 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html.headers 20 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.tentative.sub.html 21 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative.html 22 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative.html.headers 17 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonces.html 18 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonces.html.headers 19 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden-meta.sub.html 20 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.html 21 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/script-nonces-hidden.html.headers 22 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.sub.html 23 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.html 24 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.html.headers -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-allowed.html
r246330 r263605 5 5 <script src="/resources/testharness.js"></script> 6 6 <script src="/resources/testharnessreport.js"></script> 7 <!-- Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} --> 7 <!-- 8 Content-Security-Policy: 9 object-src 'self'; 10 script-src 'self' 'unsafe-inline'; 11 report-uri ../support/report.py?op=put&reportID={{$id}} 12 --> 8 13 </head> 9 14 10 15 <body> 11 16 <object type="image/png" data="/content-security-policy/support/pass.png"></object> 12 13 <!-- we rely on the report because we can't rely on the onload event for 14 "allowed" tests as it is not fired for object and embed --> 15 <script async defer src='../support/checkReport.sub.js?reportExists=false'></script> 17 <!-- 18 We rely on the report because we can't rely on the onload event for 19 "allowed" tests as it is not fired for object and embed 20 --> 21 <script src='../support/checkReport.sub.js?reportExists=false'></script> 16 22 </body> 17 23 -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-url-embed-allowed.html
r246330 r263605 5 5 <script src="/resources/testharness.js"></script> 6 6 <script src="/resources/testharnessreport.js"></script> 7 <!-- Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} --> 7 <!-- 8 Content-Security-Policy: 9 object-src 'self'; 10 script-src 'self' 'unsafe-inline'; 11 report-uri ../support/report.py?op=put&reportID={{$id}} 12 --> 8 13 </head> 9 14 … … 11 16 <embed height="40" width="40" type="image/png" 12 17 src="/content-security-policy/support/pass.png"></embed> 13 14 <!-- we rely on the report because we can't rely on the onload event for 15 "allowed" tests as it is not fired for object and embed --> 16 <script async defer src='../support/checkReport.sub.js?reportExists=false'></script> 18 <!-- 19 We rely on the report because we can't rely on the onload event for 20 "allowed" tests as it is not fired for object and embed 21 --> 22 <script src='../support/checkReport.sub.js?reportExists=false'></script> 17 23 </body> 18 24 -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html
r263601 r263605 2 2 <html> 3 3 <head> 4 <title>Test that report-to overrides report-uri. This tests report-uri before report-to in the policy</title>4 <title>Test that report-to ignores tokens after the first one</title> 5 5 <script src='/resources/testharness.js'></script> 6 6 <script src='/resources/testharnessreport.js'></script> … … 20 20 onload='t1.unreached_func("The image should not have loaded");' 21 21 onerror='t1.done();'> 22 <!-- report-to overrides the report-uri so the report goes to a different endpoint and we should not have any reports sent to this endpoint-->23 <script async defer src='../support/checkReport.sub.js?reportExists=false ></script>22 <!-- The second token of the report-to directive should be ignored, since the directive only supports one token. So we should not have any reports sent to this endpoint. --> 23 <script async defer src='../support/checkReport.sub.js?reportExists=false'></script> 24 24 </body> 25 25 </html> -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html
r246330 r263605 21 21 onerror='t1.done();'> 22 22 <!-- report-to overrides the report-uri so the report goes to a different endpoint and we should not have any reports sent to this endpoint --> 23 <script async defer src='../support/checkReport.sub.js?reportExists=false ></script>23 <script async defer src='../support/checkReport.sub.js?reportExists=false'></script> 24 24 </body> 25 25 </html> -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html
r246330 r263605 21 21 onerror='t1.done();'> 22 22 <!-- report-to overrides the report-uri so the report goes to a different endpoint and we should not have any reports sent to this endpoint --> 23 <script async defer src='../support/checkReport.sub.js?reportExists=false ></script>23 <script async defer src='../support/checkReport.sub.js?reportExists=false'></script> 24 24 </body> 25 25 </html> -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html
r246330 r263605 28 28 assert_equals(reports[0].url, document_url); 29 29 assert_equals(reports[0].body.documentURL, document_url); 30 assert_equals(reports[0].body.referrer, null);30 assert_equals(reports[0].body.referrer, ""); 31 31 assert_equals(reports[0].body.blockedURL, 32 32 base_url + "support/fail.png"); … … 35 35 "script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group"); 36 36 assert_equals(reports[0].body.sourceFile, document_url); 37 assert_equals(reports[0].body.sample, null);37 assert_equals(reports[0].body.sample, ""); 38 38 assert_equals(reports[0].body.disposition, "enforce"); 39 39 assert_equals(reports[0].body.statusCode, 0); -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/w3c-import.log
r246330 r263605 19 19 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html 20 20 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.sub.headers 21 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html 22 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html.sub.headers 21 23 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html 22 24 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html.sub.headers -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url.sub.html
r246330 r263605 35 35 var i = document.createElement('img'); 36 36 var url = "{{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/common/redirect.py?location=" + encodeURIComponent("{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png?t=3"); 37 createListener( "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png?t=3", t);37 createListener(url, t); 38 38 i.src = url; 39 39 }, "Block after redirect, same-origin = original URL in report"); … … 42 42 var i = document.createElement('img'); 43 43 var url = "{{location[scheme]}}://{{domains[www1]}}:{{ports[http][0]}}/common/redirect.py?location=" + encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/fail.png?t=4"); 44 createListener( "{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}", t);44 createListener(url, t); 45 45 i.src = url; 46 46 }, "Block after redirect, cross-origin = original URL in report"); -
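Review bot: Both `createListener(url, t)` calls now expect the pre-redirect request URL in the report, but nothing next to them says why. The cross-origin case previously expected only the redirect target's origin, so the change is easy to mistake for a regression. I would add a comment above each call, for example `// The report must carry the original request URL; reporting the post-redirect URL would disclose the redirect target to the embedding page.` `createListener` is defined outside the hunk, so this assumes it compares its first argument with the report's blocked URL.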
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/w3c-import.log
r246330 r263605 17 17 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/generate-csp-report.html 18 18 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/generate-csp-report.html.sub.headers 19 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/redirect-throw-function.sub.py 19 20 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/set-cookie.py 21 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/support/throw-function.js -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/w3c-import.log
r254133 r263605 17 17 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/multiple-report-policies.html 18 18 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/multiple-report-policies.html.sub.headers 19 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/post-redirect-stacktrace.https.html 20 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/post-redirect-stacktrace.https.html.headers 19 21 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-and-enforce.html 20 22 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-and-enforce.html.sub.headers … … 25 27 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri.html 26 28 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-blocked-uri.html.sub.headers 29 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-clips-sample.https.html 27 30 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html 28 31 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html.sub.headers … … 35 38 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-unsafe-eval.html 36 39 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-unsafe-eval.html.sub.headers 40 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url-on-mixed-content-frame.https.sub.html 41 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url-on-mixed-content-frame.https.sub.html.sub.headers 37 42 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url.sub.html 38 43 
/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url.sub.html.sub.headers -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4.html
r246330 r263605 20 20 var evalRan = false; 21 21 22 test(function() {assert_throws (new EvalError(), function() { eval('evalRan = true;') })}, "eval() should throw without 'unsafe-eval' keyword source in script-src directive.");22 test(function() {assert_throws_js(EvalError, function() { eval('evalRan = true;') })}, "eval() should throw without 'unsafe-eval' keyword source in script-src directive."); 23 23 24 24 test(function() {assert_false(evalRan);}) -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_2.html
r246330 r263605 20 20 21 21 test(function() { 22 assert_throws (23 new EvalError(),22 assert_throws_js( 23 EvalError, 24 24 function() { 25 25 var funq = new Function(''); -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub-expected.txt
r254133 r263605 10 10 PASS multiple mismatched integrity 11 11 PASS partially matching integrity 12 FAIL crossorigin no integrity but whitelisted host assert_unreached: Script should load! http://127.0.0.1:8800/content-security-policy/script-src/crossoriginScript.js Reached unreachable code13 FAIL crossorigin mismatched integrity but whitelisted host assert_unreached: Script should load! http://127.0.0.1:8800/content-security-policy/script-src/crossoriginScript.js Reached unreachable code12 FAIL crossorigin no integrity but allowed host assert_unreached: Script should load! http://127.0.0.1:8800/content-security-policy/script-src/crossoriginScript.js Reached unreachable code 13 FAIL crossorigin mismatched integrity but allowed host assert_unreached: Script should load! http://127.0.0.1:8800/content-security-policy/script-src/crossoriginScript.js Reached unreachable code 14 14 FAIL External script in a script tag with matching SRI hash should run. assert_true: External script ran. expected true got false 15 15 -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub.html
r254133 r263605 50 50 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha256-xyz', 51 51 false ], 52 [ 'crossorigin no integrity but whitelisted host',52 [ 'crossorigin no integrity but allowed host', 53 53 crossorigin_base + '/content-security-policy/script-src/crossoriginScript.js', 54 54 '', 55 55 true ], 56 [ 'crossorigin mismatched integrity but whitelisted host',56 [ 'crossorigin mismatched integrity but allowed host', 57 57 crossorigin_base + '/content-security-policy/script-src/crossoriginScript.js', 58 58 'sha256-kKJ5c48yxzaaSBupJSCmY50hkD8xbVgZgLHLtmnkeAo=', -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html
r263601 r263605 3 3 4 4 <head> 5 <title> Whitelists are discarded with `strict-dynamic` in the script-src directive.</title>5 <title>Source expressions are discarded with `strict-dynamic` in the script-src directive.</title> 6 6 <script src='/resources/testharness.js' nonce='dummy'></script> 7 7 <script src='/resources/testharnessreport.js' nonce='dummy'></script> … … 11 11 12 12 <body> 13 <h1> Whitelists are discarded with `strict-dynamic` in the script-src directive.</h1>13 <h1>Source expressions are discarded with `strict-dynamic` in the script-src directive.</h1> 14 14 <div id='log'></div> 15 15 … … 17 17 async_test(function(t) { 18 18 window.addEventListener('message', t.step_func(function(e) { 19 if (e.data === ' whitelistedScript') {20 assert_unreached(' Whitelisted script without a correct nonce is not allowed with `strict-dynamic`.');19 if (e.data === 'allowedScript') { 20 assert_unreached('Allowed scripts without a correct nonce are not permitted with `strict-dynamic`.'); 21 21 } 22 22 })); … … 24 24 assert_equals(e.effectiveDirective, 'script-src-elem'); 25 25 })); 26 }, ' Whitelisted script without a correct nonce is not allowed with `strict-dynamic`.');26 }, 'Allowed scripts without a correct nonce are not permitted with `strict-dynamic`.'); 27 27 </script> 28 <script id=' whitelistedScript' src='simpleSourcedScript.js'></script>28 <script id='allowedScript' src='simpleSourcedScript.js'></script> 29 29 30 30 </body> -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.html
r263601 r263605 3 3 4 4 <head> 5 <title> Whitelists in a separate policy are honored with `strict-dynamic` in the script-src directive.</title>5 <title>Source expressions in a separate policy are honored with `strict-dynamic` in the script-src directive.</title> 6 6 <script src='/resources/testharness.js' nonce='dummy'></script> 7 7 <script src='/resources/testharnessreport.js' nonce='dummy'></script> … … 14 14 15 15 <body> 16 <h1> Whitelists in a separate policy are honored with `strict-dynamic` in the script-src directive.</h1>16 <h1>Source expressions in a separate policy are honored with `strict-dynamic` in the script-src directive.</h1> 17 17 <div id='log'></div> 18 18 … … 20 20 async_test(function(t) { 21 21 window.addEventListener('message', t.step_func(function(e) { 22 if (e.data === ' whitelisted-appendChild') {22 if (e.data === 'allowed-appendChild') { 23 23 t.done(); 24 24 } 25 25 })); 26 26 window.addEventListener('securitypolicyviolation', t.step_func(function(violation) { 27 if (violation.blockedURI.split('?')[1] !== ' whitelisted-appendChild') {27 if (violation.blockedURI.split('?')[1] !== 'allowed-appendChild') { 28 28 return; 29 29 } 30 assert_unreached('Script injected via `appendChild` is allowed with `strict-dynamic` + a nonce+whitelistdouble policy.');30 assert_unreached('Script injected via `appendChild` is permitted with `strict-dynamic` + a nonce+allowed double policy.'); 31 31 })); 32 32 33 33 var e = document.createElement('script'); 34 e.id = ' whitelisted-appendChild';34 e.id = 'allowed-appendChild'; 35 35 e.src = 'simpleSourcedScript.js?' 
+ e.id; 36 36 e.onerror = t.unreached_func('Error should not be triggered.'); 37 37 document.body.appendChild(e); 38 }, 'Script injected via `appendChild` is allowed with `strict-dynamic` + a nonce+whitelistdouble policy.');38 }, 'Script injected via `appendChild` is permitted with `strict-dynamic` + a nonce+allowed double policy.'); 39 39 </script> 40 40 … … 42 42 async_test(function(t) { 43 43 window.addEventListener('securitypolicyviolation', t.step_func(function(violation) { 44 if (violation.blockedURI.split('?')[1] !== 'non Whitelisted-appendChild') {44 if (violation.blockedURI.split('?')[1] !== 'nonAllowed-appendChild') { 45 45 return; 46 46 } … … 51 51 52 52 var e = document.createElement('script'); 53 e.id = 'non Whitelisted-appendChild';53 e.id = 'nonAllowed-appendChild'; 54 54 e.src = '{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/nonexisting.js?' + e.id; 55 55 e.onload = t.unreached_func('OnLoad should not be triggered.'); 56 56 document.body.appendChild(e); 57 }, 'Non- whitelisted script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce+whitelistdouble policy.');57 }, 'Non-allowed script injected via `appendChild` is not permitted with `strict-dynamic` + a nonce+allowed double policy.'); 58 58 </script> 59 59 </body> -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_eval.html
r246330 r263605 23 23 })); 24 24 25 assert_throws (new Error(),25 assert_throws_js(Error, 26 26 function() { 27 27 try { -
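Review bot: `assert_throws_js(Error, …)` passes only when the thrown object's constructor is exactly `Error`, so an `EvalError` raised by the CSP check itself would not satisfy it. The `try {` body continues outside the hunk and presumably catches the CSP exception and rethrows a plain `Error`. If it does not, the expected type should be `EvalError`, as in script-src-1_4.html. The same applies to the identical change in script-src-strict_dynamic_new_function.html. A comment above the call would make the choice explicit: `// the catch block below rethrows a plain Error, hence Error rather than EvalError`.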
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html
r246330 r263605 3 3 4 4 <head> 5 <title>`strict-dynamic` does not drop whitelists in `img-src`.</title>5 <title>`strict-dynamic` does not drop allowed source expressions in `img-src`.</title> 6 6 <script src='/resources/testharness.js' nonce='dummy'></script> 7 7 <script src='/resources/testharnessreport.js' nonce='dummy'></script> … … 11 11 12 12 <body> 13 <h1>`strict-dynamic` does not drop whitelists in `img-src`.</h1>13 <h1>`strict-dynamic` does not drop allowed source expressions in `img-src`.</h1> 14 14 <div id='log'></div> 15 15 … … 21 21 async_test(function(t) { 22 22 var e = document.createElement('img'); 23 e.id = ' whitelistedImage';23 e.id = 'allowedImage'; 24 24 e.src = '/content-security-policy/support/pass.png'; 25 25 e.onerror = t.unreached_func('Error should not be triggered.'); 26 26 e.onload = t.step_func_done(); 27 27 document.body.appendChild(e); 28 }, '`strict-dynamic` does not drop whitelists in `img-src`.');28 }, '`strict-dynamic` does not drop allowed source expressions in `img-src`.'); 29 29 </script> 30 30 </body> -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_new_function.html
r246330 r263605 23 23 })); 24 24 25 assert_throws (new Error(),25 assert_throws_js(Error, 26 26 function() { 27 27 try { -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/w3c-import.log
r254133 r263605 57 57 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_new_function.html 58 58 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_and_unsafe_eval_new_function.html.headers 59 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_ whitelist.html60 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_ whitelist.html.headers59 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html 60 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html.headers 61 61 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html 62 62 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.headers 63 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_ whitelist.sub.html64 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_ whitelist.sub.html.headers63 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.html 64 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.html.headers 65 65 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html 66 66 
/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html.headers -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/constructor-required-fields-expected.txt
r246330 r263605 2 2 PASS SecurityPolicyViolationEvent constructor should throw with no parameters 3 3 PASS SecurityPolicyViolationEvent constructor works with an init dict 4 FAIL SecurityPolicyViolationEvent constructor requires documentURI assert_throws : function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", {4 FAIL SecurityPolicyViolationEvent constructor requires documentURI assert_throws_js: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", { 5 5 // documentURI: "http://example.com", 6 6 referrer: "http://example.com", … … 16 16 columnNumber: 1, 17 17 })}" did not throw 18 FAIL SecurityPolicyViolationEvent constructor requires violatedDirective assert_throws : function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", {18 FAIL SecurityPolicyViolationEvent constructor requires violatedDirective assert_throws_js: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", { 19 19 documentURI: "http://example.com", 20 20 referrer: "http://example.com", … … 30 30 columnNumber: 1, 31 31 })}" did not throw 32 FAIL SecurityPolicyViolationEvent constructor requires effectiveDirective assert_throws : function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", {32 FAIL SecurityPolicyViolationEvent constructor requires effectiveDirective assert_throws_js: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", { 33 33 documentURI: "http://example.com", 34 34 referrer: "http://example.com", … … 44 44 columnNumber: 1, 45 45 })}" did not throw 46 FAIL SecurityPolicyViolationEvent constructor requires originalPolicy assert_throws : function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", {46 FAIL SecurityPolicyViolationEvent constructor requires originalPolicy assert_throws_js: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", { 47 47 documentURI: 
"http://example.com", 48 48 referrer: "http://example.com", … … 58 58 columnNumber: 1, 59 59 })}" did not throw 60 FAIL SecurityPolicyViolationEvent constructor requires disposition assert_throws : function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", {60 FAIL SecurityPolicyViolationEvent constructor requires disposition assert_throws_js: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", { 61 61 documentURI: "http://example.com", 62 62 referrer: "http://example.com", … … 72 72 columnNumber: 1, 73 73 })}" did not throw 74 FAIL SecurityPolicyViolationEvent constructor requires statusCode assert_throws : function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", {74 FAIL SecurityPolicyViolationEvent constructor requires statusCode assert_throws_js: function "function () { new SecurityPolicyViolationEvent("securitypolicyviolation", { 75 75 documentURI: "http://example.com", 76 76 referrer: "http://example.com", -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/constructor-required-fields.html
r246330 r263605 5 5 // basic tests. 6 6 test(function() { 7 assert_throws (TypeError(),8 function() { new SecurityPolicyViolationEvent(); });7 assert_throws_js(TypeError, 8 function() { new SecurityPolicyViolationEvent(); }); 9 9 }, "SecurityPolicyViolationEvent constructor should throw with no parameters"); 10 10 … … 28 28 // missing required members 29 29 test(function() { 30 assert_throws (TypeError(),30 assert_throws_js(TypeError, 31 31 function() { new SecurityPolicyViolationEvent("securitypolicyviolation", { 32 32 // documentURI: "http://example.com", … … 46 46 47 47 test(function() { 48 assert_throws (TypeError(),48 assert_throws_js(TypeError, 49 49 function() { new SecurityPolicyViolationEvent("securitypolicyviolation", { 50 50 documentURI: "http://example.com", … … 64 64 65 65 test(function() { 66 assert_throws (TypeError(),66 assert_throws_js(TypeError, 67 67 function() { new SecurityPolicyViolationEvent("securitypolicyviolation", { 68 68 documentURI: "http://example.com", … … 82 82 83 83 test(function() { 84 assert_throws (TypeError(),84 assert_throws_js(TypeError, 85 85 function() { new SecurityPolicyViolationEvent("securitypolicyviolation", { 86 86 documentURI: "http://example.com", … … 100 100 101 101 test(function() { 102 assert_throws (TypeError(),102 assert_throws_js(TypeError, 103 103 function() { new SecurityPolicyViolationEvent("securitypolicyviolation", { 104 104 documentURI: "http://example.com", … … 118 118 119 119 test(function() { 120 assert_throws (TypeError(),120 assert_throws_js(TypeError, 121 121 function() { new SecurityPolicyViolationEvent("securitypolicyviolation", { 122 122 documentURI: "http://example.com", -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https-expected.txt
r246330 r263605 1 1 2 FAIL Upgraded image is reported Can't find variable: generateURL3 FAIL Upgraded iframe is reported Can't find variable: generateURL4 FAIL Navigated iframe is upgraded and reported Can't find variable: generateURL5 2 3 Harness Error (TIMEOUT), message = null 4 5 TIMEOUT Upgraded image is reported Test timed out 6 TIMEOUT Upgraded iframe is reported Test timed out 7 TIMEOUT Navigated iframe is upgraded and reported Test timed out 8 -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html
r246330 r263605 2 2 <script src="/resources/testharness.js"></script> 3 3 <script src="/resources/testharnessreport.js"></script> 4 <script src="/ upgrade-insecure-requests/support/testharness-helper.sub.js"></script>4 <script src="/common/security-features/resources/common.sub.js"></script> 5 5 <body></body> 6 6 <script> … … 15 15 16 16 async_test(t => { 17 var url = generateURL(Host.SAME_ORIGIN, Protocol.INSECURE, ResourceType.IMAGE).url; 17 var url = getRequestURLs("img-tag", 18 "same-http-downgrade", 19 "no-redirect").testUrl; 18 20 var i = document.createElement('img'); 19 21 var loaded = false; … … 36 38 37 39 async_test(t => { 38 var url = generateURL(Host.SAME_ORIGIN, Protocol.INSECURE, ResourceType.FRAME).url; 40 var url = getRequestURLs("iframe-tag", 41 "same-http-downgrade", 42 "no-redirect").testUrl; 39 43 var i = document.createElement('iframe'); 40 44 var loaded = false; … … 60 64 async_test(t => { 61 65 // Load an HTTPS iframe, then navigate it to an HTTP URL and check that the HTTP URL is both upgraded and reported. 62 var url = generateURL(Host.SAME_ORIGIN, Protocol.SECURE, ResourceType.FRAME).url; 63 var navigate_to = generateURL(Host.CROSS_ORIGIN, Protocol.INSECURE, ResourceType.FRAME).url; 66 var url = getRequestURLs("iframe-tag", 67 "same-https", 68 "no-redirect").testUrl; 69 var navigate_to = getRequestURLs("iframe-tag", 70 "cross-http-downgrade", 71 "no-redirect").testUrl; 64 72 var upgraded = new URL(navigate_to); 65 73 upgraded.protocol = "https"; -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylenonce-allowed.sub.html
r246330 r263605 52 52 53 53 </script> 54 <p>Style correctly whitelisted via a 'nonce-*' expression in 'style-src' should be applied to the page.</p>54 <p>Style correctly allowed via a 'nonce-*' expression in 'style-src' should be applied to the page.</p> 55 55 <div id="log"></div> 56 56 </body> -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/checkReport.sub.js
r246330 r263605 48 48 // received to conclude that no report has been generated. These timeouts must 49 49 // not exceed the test timeouts set by vendors otherwise the test would fail. 50 var timeout = document.querySelector("meta[name=timeout][content=long]") ? 2 5 : 5;50 var timeout = document.querySelector("meta[name=timeout][content=long]") ? 20 : 3; 51 51 var reportLocation = location.protocol + "//" + location.host + "/content-security-policy/support/report.py?op=retrieve_report&timeout=" + timeout + "&reportID=" + reportID; 52 52 -
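Review bot: The shortened wait on new line 50 (`? 20 : 3`) is also the window after which these tests conclude that no report was generated, so a report arriving later than that lets a "no report expected" CSP test pass without the policy having held. The existing comment only warns about exceeding vendor test timeouts; it should also state the lower-bound trade-off and the unit, for example `// Presumably seconds (sent as timeout= to report.py); too short a value lets a late report go unnoticed in negative tests.` Naming the two values as constants would make later tuning easier to review. The enclosing function starts and ends outside the lines shown.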
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/testharness-helper.js
r246330 r263605 11 11 } 12 12 13 function waitUntilCSPEventForURL (test, url) {13 function waitUntilCSPEventForURLOrLine(test, url, line) { 14 14 return new Promise((resolve, reject) => { 15 15 self.addEventListener("securitypolicyviolation", test.step_func(e => { 16 if (e.blockedURI == url )16 if (e.blockedURI == url && (!line || line == e.lineNumber)) 17 17 resolve(e); 18 18 })); … … 20 20 } 21 21 22 function waitUntilCSPEventForURL(test, url) { 23 return waitUntilCSPEventForURLOrLine(test, url); 24 } 25 22 26 function waitUntilCSPEventForEval(test, line) { 23 return new Promise((resolve, reject) => { 24 self.addEventListener("securitypolicyviolation", test.step_func(e => { 25 if (e.blockedURI == "eval" && e.lineNumber == line) 26 resolve(e); 27 })); 28 }); 27 return waitUntilCSPEventForURLOrLine(test, "eval", line); 28 } 29 30 function waitUntilCSPEventForTrustedTypes(test) { 31 return waitUntilCSPEventForURLOrLine(test, "trusted-types-sink"); 29 32 } 30 33 … … 97 100 // TODO(mkwst): We shouldn't be throwing here. We should be firing an 98 101 // `error` event on the Worker. https://crbug.com/663298 99 assert_throws ("SecurityError", function () {102 assert_throws_dom("SecurityError", function () { 100 103 var w = new Worker(url); 101 104 }); … … 116 119 // TODO(mkwst): We shouldn't be throwing here. We should be firing an 117 120 // `error` event on the SharedWorker. https://crbug.com/663298 118 assert_throws ("SecurityError", function () {121 assert_throws_dom("SecurityError", function () { 119 122 var w = new SharedWorker(url); 120 123 }); … … 134 137 assert_equals(e.effectiveDirective, "worker-src"); 135 138 })), 136 promise_rejects (t, "SecurityError", navigator.serviceWorker.register(url, { scope: url }))139 promise_rejects_dom(t, "SecurityError", navigator.serviceWorker.register(url, { scope: url })) 137 140 ]); 138 141 }, description); -
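Review bot: In `waitUntilCSPEventForURLOrLine` the `!line` test on new line 16 treats a missing or zero `line` as "match any line", so `waitUntilCSPEventForEval(test, line)` called with an undefined or 0 line now resolves on any eval violation, where the removed code required `e.lineNumber == line`. For a CSP test that silently weakens the assertion; making the wildcard explicit keeps it intentional: `if (e.blockedURI == url && (line === undefined || line == e.lineNumber))`. The listener is never removed once the promise resolves and `reject` is unused, so a run with no matching event ends only at the harness timeout; a one-line comment on the helper saying so would help. Part of the function body is elided between lines 18 and 20 of the section.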
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-none.sub-expected.txt
r246330 r263605 1 1 2 FAIL Same-origin dedicated worker blocked by host-source expression. assert_throws : function "function () {2 FAIL Same-origin dedicated worker blocked by host-source expression. assert_throws_dom: function "function () { 3 3 var w = new Worker(url); 4 4 }" did not throw 5 FAIL blob: dedicated worker blocked by 'blob:'. assert_throws : function "function () {5 FAIL blob: dedicated worker blocked by 'blob:'. assert_throws_dom: function "function () { 6 6 var w = new Worker(url); 7 7 }" did not throw -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-child-fallback.sub.html
r246330 r263605 5 5 <script src=/resources/testharnessreport.js></script> 6 6 <script src="../support/testharness-helper.js"></script> 7 <!-- Ideally we would use "script-src 'none'" alone but we have to whitelistthe actual script that spawns the workers, hence the nonce.-->7 <!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.--> 8 8 <meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'none' 'nonce-foo'; default-src 'none'; "> 9 9 <script src="../support/dedicated-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin dedicated worker allowed by child-src 'self'."></script> -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/dedicated-worker-src-self-fallback.sub.html
r246330 r263605 5 5 <script src=/resources/testharnessreport.js></script> 6 6 <script src="../support/testharness-helper.js"></script> 7 <!-- Ideally we would use "script-src 'none'" alone but we have to whitelistthe actual script that spawns the workers, hence the nonce.-->7 <!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.--> 8 8 <meta http-equiv="Content-Security-Policy" content="worker-src 'self'; child-src 'none'; script-src 'none' 'nonce-foo'; default-src 'none'; "> 9 9 <script src="../support/dedicated-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin dedicated worker allowed by worker-src 'self'."></script> -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-child-fallback.https.sub.html
r246330 r263605 5 5 <script src=/resources/testharnessreport.js></script> 6 6 <script src="../support/testharness-helper.js"></script> 7 <!-- Ideally we would use "script-src 'none'" alone but we have to whitelistthe actual script that spawns the workers, hence the nonce.-->7 <!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.--> 8 8 <meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'none' 'nonce-foo'; default-src 'none'; "> 9 9 <script src="../support/service-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin service worker allowed by child-src 'self'."></script> -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/service-worker-src-self-fallback.https.sub.html
r246330 r263605 5 5 <script src=/resources/testharnessreport.js></script> 6 6 <script src="../support/testharness-helper.js"></script> 7 <!-- Ideally we would use "script-src 'none'" alone but we have to whitelistthe actual script that spawns the workers, hence the nonce.-->7 <!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.--> 8 8 <meta http-equiv="Content-Security-Policy" content="worker-src 'self'; child-src 'none'; script-src 'none' 'nonce-foo'; default-src 'none'; "> 9 9 <script src="../support/service-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin service worker allowed by worker-src 'self'."></script> -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-child-fallback.sub.html
r246330 r263605 5 5 <script src=/resources/testharnessreport.js></script> 6 6 <script src="../support/testharness-helper.js"></script> 7 <!-- Ideally we would use "script-src 'none'" alone but we have to whitelistthe actual script that spawns the workers, hence the nonce.-->7 <!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.--> 8 8 <meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'none' 'nonce-foo'; default-src 'none'; "> 9 9 <script src="../support/shared-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin shared worker allowed by child-src 'self'."></script> -
trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/worker-src/shared-worker-src-self-fallback.sub.html
r246330 r263605 5 5 <script src=/resources/testharnessreport.js></script> 6 6 <script src="../support/testharness-helper.js"></script> 7 <!-- Ideally we would use "script-src 'none'" alone but we have to whitelistthe actual script that spawns the workers, hence the nonce.-->7 <!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.--> 8 8 <meta http-equiv="Content-Security-Policy" content="worker-src 'self'; child-src 'none'; script-src 'none' 'nonce-foo'; default-src 'none'; "> 9 9 <script src="../support/shared-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin shared worker allowed by worker-src 'self'."></script> -
trunk/LayoutTests/platform/gtk/TestExpectations
r263465 r263605 1172 1172 1173 1173 webkit.org/b/206586 imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https.html [ Failure ] 1174 webkit.org/b/206586 imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta.html [ Failure ]1175 1174 1176 1175 webkit.org/b/206588 fast/history/page-cache-media-recorder.html [ Failure ] -
trunk/LayoutTests/platform/wpe/TestExpectations
r263451 r263605 503 503 504 504 webkit.org/b/206586 imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https.html [ Failure ] 505 webkit.org/b/206586 imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta.html [ Failure ]506 505 507 506 webkit.org/b/197473 imported/w3c/web-platform-tests/resource-timing/resource-timing-level1.sub.html [ Failure ] -
trunk/LayoutTests/tests-options.json
r263059 r263605 561 561 "slow" 562 562 ], 563 "imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/required_csp-header.html": [ 564 "slow" 565 ], 563 566 "imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/report-blocked-frame.sub.html": [ 564 567 "slow"