Bug 1529337 - Use script-src-elem/attr as effectiveDirective in CSP reports. r=freddyb,dveditz
Depends on D150965

Differential Revision: https://phabricator.services.mozilla.com/D151498
parent
0610723e31
commit
059ff10a60
@ -201,6 +201,14 @@ bool nsCSPContext::permitsInternal(
|
||||
permits = false;
|
||||
}
|
||||
|
||||
// See the comment in nsCSPContext::GetAllowsInline.
|
||||
nsAutoString effectiveDirective(violatedDirective);
|
||||
if ((StaticPrefs::security_csp_script_src_attr_elem_enabled() &&
|
||||
(aDir == SCRIPT_SRC_ELEM_DIRECTIVE ||
|
||||
aDir == SCRIPT_SRC_ATTR_DIRECTIVE))) {
|
||||
effectiveDirective.AssignASCII(CSP_CSPDirectiveToString(aDir));
|
||||
}
|
||||
|
||||
// Callers should set |aSendViolationReports| to false if this is a
|
||||
// preload - the decision may be wrong due to the inability to get the
|
||||
// nonce, and will incorrectly fail the unit tests.
|
||||
@ -221,12 +229,12 @@ bool nsCSPContext::permitsInternal(
|
||||
BlockedContentSource::eUnknown, /* a BlockedContentSource */
|
||||
aOriginalURIIfRedirect, /* in case of redirect originalURI is not
|
||||
null */
|
||||
violatedDirective, p, /* policy index */
|
||||
u""_ns, /* no observer subject */
|
||||
spec, /* source file */
|
||||
u""_ns, /* no script sample */
|
||||
lineNumber, /* line number */
|
||||
columnNumber); /* column number */
|
||||
violatedDirective, effectiveDirective, p, /* policy index */
|
||||
u""_ns, /* no observer subject */
|
||||
spec, /* source file */
|
||||
u""_ns, /* no script sample */
|
||||
lineNumber, /* line number */
|
||||
columnNumber); /* column number */
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -511,6 +519,7 @@ void nsCSPContext::reportInlineViolation(
|
||||
CSPDirective aDirective, Element* aTriggeringElement,
|
||||
nsICSPEventListener* aCSPEventListener, const nsAString& aNonce,
|
||||
const nsAString& aContent, const nsAString& aViolatedDirective,
|
||||
const nsAString& aEffectiveDirective,
|
||||
uint32_t aViolatedPolicyIndex, // TODO, use report only flag for that
|
||||
uint32_t aLineNumber, uint32_t aColumnNumber) {
|
||||
nsString observerSubject;
|
||||
@ -555,6 +564,7 @@ void nsCSPContext::reportInlineViolation(
|
||||
BlockedContentSource::eInline, // aBlockedSource
|
||||
mSelfURI, // aOriginalURI
|
||||
aViolatedDirective, // aViolatedDirective
|
||||
aEffectiveDirective, // aEffectiveDirective
|
||||
aViolatedPolicyIndex, // aViolatedPolicyIndex
|
||||
observerSubject, // aObserverSubject
|
||||
sourceFile, // aSourceFile
|
||||
@ -624,9 +634,21 @@ nsCSPContext::GetAllowsInline(CSPDirective aDirective, const nsAString& aNonce,
|
||||
bool reportSample = false;
|
||||
mPolicies[i]->getDirectiveStringAndReportSampleForContentType(
|
||||
aDirective, violatedDirective, &reportSample);
|
||||
// In CSP 3.0 the effective directive doesn't become the actually used
|
||||
// directive in case of a fallback from e.g. script-src-elem to
|
||||
// script-src or default-src.
|
||||
// TODO(bug 1779369): Fix this for all directive types.
|
||||
nsAutoString effectiveDirective(violatedDirective);
|
||||
if ((StaticPrefs::security_csp_script_src_attr_elem_enabled() &&
|
||||
(aDirective == SCRIPT_SRC_ELEM_DIRECTIVE ||
|
||||
aDirective == SCRIPT_SRC_ATTR_DIRECTIVE))) {
|
||||
effectiveDirective.AssignASCII(CSP_CSPDirectiveToString(aDirective));
|
||||
}
|
||||
|
||||
reportInlineViolation(aDirective, aTriggeringElement, aCSPEventListener,
|
||||
aNonce, reportSample ? content : EmptyString(),
|
||||
violatedDirective, i, aLineNumber, aColumnNumber);
|
||||
violatedDirective, effectiveDirective, i,
|
||||
aLineNumber, aColumnNumber);
|
||||
}
|
||||
}
|
||||
return NS_OK;
|
||||
@ -703,6 +725,7 @@ nsCSPContext::GetAllowsNavigateTo(nsIURI* aURI, bool aIsFormSubmission,
|
||||
nsCSPContext::BlockedContentSource::eSelf, // aBlockedSource
|
||||
nullptr, // aOriginalURI
|
||||
u"navigate-to"_ns, // aViolatedDirective
|
||||
u"navigate-to"_ns, // aEffectiveDirective
|
||||
i, // aViolatedPolicyIndex
|
||||
u""_ns, // aObserverSubject
|
||||
NS_ConvertUTF8toUTF16(spec), // aSourceFile
|
||||
@ -759,14 +782,16 @@ nsCSPContext::GetAllowsNavigateTo(nsIURI* aURI, bool aIsFormSubmission,
|
||||
bool reportSample = false; \
|
||||
mPolicies[p]->getDirectiveStringAndReportSampleForContentType( \
|
||||
directive##_SRC_DIRECTIVE, violatedDirective, &reportSample); \
|
||||
nsAutoString effectiveDirective(violatedDirective); \
|
||||
if (aViolationType == nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL || \
|
||||
aViolationType == \
|
||||
nsIContentSecurityPolicy::VIOLATION_TYPE_WASM_EVAL) { \
|
||||
violatedDirective = u"script-src"_ns; \
|
||||
effectiveDirective = u"script-src"_ns; \
|
||||
} \
|
||||
AsyncReportViolation(aTriggeringElement, aCSPEventListener, nullptr, \
|
||||
blockedContentSource, nullptr, violatedDirective, \
|
||||
p, NS_LITERAL_STRING_FROM_CSTRING(observerTopic), \
|
||||
effectiveDirective, p, \
|
||||
NS_LITERAL_STRING_FROM_CSTRING(observerTopic), \
|
||||
aSourceFile, reportSample ? aScriptSample : u""_ns, \
|
||||
aLineNum, aColumnNum); \
|
||||
} \
|
||||
@ -1034,14 +1059,14 @@ void StripURIForReporting(nsIURI* aURI, nsACString& outStrippedURI) {
|
||||
|
||||
nsresult nsCSPContext::GatherSecurityPolicyViolationEventData(
|
||||
nsIURI* aBlockedURI, const nsACString& aBlockedString, nsIURI* aOriginalURI,
|
||||
nsAString& aViolatedDirective, uint32_t aViolatedPolicyIndex,
|
||||
nsAString& aEffectiveDirective, uint32_t aViolatedPolicyIndex,
|
||||
nsAString& aSourceFile, nsAString& aScriptSample, uint32_t aLineNum,
|
||||
uint32_t aColumnNum,
|
||||
mozilla::dom::SecurityPolicyViolationEventInit& aViolationEventInit) {
|
||||
EnsureIPCPoliciesRead();
|
||||
NS_ENSURE_ARG_MAX(aViolatedPolicyIndex, mPolicies.Length() - 1);
|
||||
|
||||
MOZ_ASSERT(ValidateDirectiveName(aViolatedDirective),
|
||||
MOZ_ASSERT(ValidateDirectiveName(aEffectiveDirective),
|
||||
"Invalid directive name");
|
||||
|
||||
nsresult rv;
|
||||
@ -1066,12 +1091,12 @@ nsresult nsCSPContext::GatherSecurityPolicyViolationEventData(
|
||||
|
||||
// effective-directive
|
||||
// The name of the policy directive that was violated.
|
||||
aViolationEventInit.mEffectiveDirective = aViolatedDirective;
|
||||
aViolationEventInit.mEffectiveDirective = aEffectiveDirective;
|
||||
|
||||
// violated-directive
|
||||
// In CSP2, the policy directive that was violated, as it appears in the
|
||||
// policy. In CSP3, the same as effective-directive.
|
||||
aViolationEventInit.mViolatedDirective = aViolatedDirective;
|
||||
aViolationEventInit.mViolatedDirective = aEffectiveDirective;
|
||||
|
||||
// original-policy
|
||||
nsAutoString originalPolicy;
|
||||
@ -1392,9 +1417,10 @@ class CSPReportSenderRunnable final : public Runnable {
|
||||
nsIURI* aBlockedURI,
|
||||
nsCSPContext::BlockedContentSource aBlockedContentSource,
|
||||
nsIURI* aOriginalURI, uint32_t aViolatedPolicyIndex, bool aReportOnlyFlag,
|
||||
const nsAString& aViolatedDirective, const nsAString& aObserverSubject,
|
||||
const nsAString& aSourceFile, const nsAString& aScriptSample,
|
||||
uint32_t aLineNum, uint32_t aColumnNum, nsCSPContext* aCSPContext)
|
||||
const nsAString& aViolatedDirective, const nsAString& aEffectiveDirective,
|
||||
const nsAString& aObserverSubject, const nsAString& aSourceFile,
|
||||
const nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum,
|
||||
nsCSPContext* aCSPContext)
|
||||
: mozilla::Runnable("CSPReportSenderRunnable"),
|
||||
mTriggeringElement(aTriggeringElement),
|
||||
mCSPEventListener(aCSPEventListener),
|
||||
@ -1404,6 +1430,7 @@ class CSPReportSenderRunnable final : public Runnable {
|
||||
mViolatedPolicyIndex(aViolatedPolicyIndex),
|
||||
mReportOnlyFlag(aReportOnlyFlag),
|
||||
mViolatedDirective(aViolatedDirective),
|
||||
mEffectiveDirective(aEffectiveDirective),
|
||||
mSourceFile(aSourceFile),
|
||||
mScriptSample(aScriptSample),
|
||||
mLineNum(aLineNum),
|
||||
@ -1446,7 +1473,7 @@ class CSPReportSenderRunnable final : public Runnable {
|
||||
BlockedContentSourceToString(mBlockedContentSource, blockedContentSource);
|
||||
|
||||
rv = mCSPContext->GatherSecurityPolicyViolationEventData(
|
||||
mBlockedURI, blockedContentSource, mOriginalURI, mViolatedDirective,
|
||||
mBlockedURI, blockedContentSource, mOriginalURI, mEffectiveDirective,
|
||||
mViolatedPolicyIndex, mSourceFile, mScriptSample, mLineNum, mColumnNum,
|
||||
init);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
@ -1511,6 +1538,7 @@ class CSPReportSenderRunnable final : public Runnable {
|
||||
uint32_t mViolatedPolicyIndex;
|
||||
bool mReportOnlyFlag;
|
||||
nsString mViolatedDirective;
|
||||
nsString mEffectiveDirective;
|
||||
nsCOMPtr<nsISupports> mObserverSubject;
|
||||
nsString mSourceFile;
|
||||
nsString mScriptSample;
|
||||
@ -1552,9 +1580,9 @@ nsresult nsCSPContext::AsyncReportViolation(
|
||||
Element* aTriggeringElement, nsICSPEventListener* aCSPEventListener,
|
||||
nsIURI* aBlockedURI, BlockedContentSource aBlockedContentSource,
|
||||
nsIURI* aOriginalURI, const nsAString& aViolatedDirective,
|
||||
uint32_t aViolatedPolicyIndex, const nsAString& aObserverSubject,
|
||||
const nsAString& aSourceFile, const nsAString& aScriptSample,
|
||||
uint32_t aLineNum, uint32_t aColumnNum) {
|
||||
const nsAString& aEffectiveDirective, uint32_t aViolatedPolicyIndex,
|
||||
const nsAString& aObserverSubject, const nsAString& aSourceFile,
|
||||
const nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum) {
|
||||
EnsureIPCPoliciesRead();
|
||||
NS_ENSURE_ARG_MAX(aViolatedPolicyIndex, mPolicies.Length() - 1);
|
||||
|
||||
@ -1562,7 +1590,8 @@ nsresult nsCSPContext::AsyncReportViolation(
|
||||
aTriggeringElement, aCSPEventListener, aBlockedURI, aBlockedContentSource,
|
||||
aOriginalURI, aViolatedPolicyIndex,
|
||||
mPolicies[aViolatedPolicyIndex]->getReportOnlyFlag(), aViolatedDirective,
|
||||
aObserverSubject, aSourceFile, aScriptSample, aLineNum, aColumnNum, this);
|
||||
aEffectiveDirective, aObserverSubject, aSourceFile, aScriptSample,
|
||||
aLineNum, aColumnNum, this);
|
||||
|
||||
if (XRE_IsContentProcess()) {
|
||||
if (mEventTarget) {
|
||||
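Review bot: The pref-and-directive test that derives `effectiveDirective` is written out twice, once in `permitsInternal` and once in `GetAllowsInline`, tied together only by a "See the comment in …" pointer, so the follow-up tracked as bug 1779369 has to land in both copies or the load path and the inline path will report different directive names for the same policy. Anything consuming the reports that keys on that name would then see misattributed violations rather than a build or test failure. A file-local helper that takes the `CSPDirective` and the already-resolved `violatedDirective` keeps the rule in one place; a sketch follows. Both functions begin and end outside the hunks shown, so the call sites are indicated only by comment.

```cpp
// Name reported as effective-directive: the requested script-src-elem /
// script-src-attr directive when the pref is on, otherwise the directive
// the policy lookup resolved to. TODO(bug 1779369): all directive types.
static void EffectiveDirectiveForReport(CSPDirective aDir,
                                        const nsAString& aViolatedDirective,
                                        nsAString& aEffectiveDirective) {
  aEffectiveDirective = aViolatedDirective;
  if (StaticPrefs::security_csp_script_src_attr_elem_enabled() &&
      (aDir == SCRIPT_SRC_ELEM_DIRECTIVE ||
       aDir == SCRIPT_SRC_ATTR_DIRECTIVE)) {
    aEffectiveDirective.AssignASCII(CSP_CSPDirectiveToString(aDir));
  }
}

// … unchanged: permitsInternal up to the violatedDirective lookup …
nsAutoString effectiveDirective;
EffectiveDirectiveForReport(aDir, violatedDirective, effectiveDirective);
// … unchanged: AsyncReportViolation call …

// … unchanged: GetAllowsInline up to getDirectiveStringAndReportSampleForContentType …
nsAutoString effectiveDirective;
EffectiveDirectiveForReport(aDirective, violatedDirective, effectiveDirective);
```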
|
@ -122,9 +122,10 @@ class nsCSPContext : public nsIContentSecurityPolicy {
|
||||
mozilla::dom::Element* aTriggeringElement,
|
||||
nsICSPEventListener* aCSPEventListener, nsIURI* aBlockedURI,
|
||||
BlockedContentSource aBlockedContentSource, nsIURI* aOriginalURI,
|
||||
const nsAString& aViolatedDirective, uint32_t aViolatedPolicyIndex,
|
||||
const nsAString& aObserverSubject, const nsAString& aSourceFile,
|
||||
const nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum);
|
||||
const nsAString& aViolatedDirective, const nsAString& aEffectiveDirective,
|
||||
uint32_t aViolatedPolicyIndex, const nsAString& aObserverSubject,
|
||||
const nsAString& aSourceFile, const nsAString& aScriptSample,
|
||||
uint32_t aLineNum, uint32_t aColumnNum);
|
||||
|
||||
// Hands off! Don't call this method unless you know what you
|
||||
// are doing. It's only supposed to be called from within
|
||||
@ -161,6 +162,7 @@ class nsCSPContext : public nsIContentSecurityPolicy {
|
||||
nsICSPEventListener* aCSPEventListener,
|
||||
const nsAString& aNonce, const nsAString& aContent,
|
||||
const nsAString& aViolatedDirective,
|
||||
const nsAString& aEffectiveDirective,
|
||||
uint32_t aViolatedPolicyIndex,
|
||||
uint32_t aLineNumber, uint32_t aColumnNumber);
|
||||
|
||||
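Review bot: `AsyncReportViolation` and `reportInlineViolation` now take `aViolatedDirective` and `aEffectiveDirective` as adjacent `const nsAString&` parameters with no comment on either declaration, and swapping the two at a call site compiles cleanly. The .cpp side of this commit writes `aEffectiveDirective` into both the `mEffectiveDirective` and `mViolatedDirective` fields of the violation event, so a swap would silently change the directive name that report consumers receive. A short comment on each declaration would make the contract explicit, for example `// aViolatedDirective: directive string the policy lookup resolved to (may be a fallback such as default-src).` and `// aEffectiveDirective: name written to effective-directive and violated-directive in the event.` Both declarations start above their hunks, so the exact wording should be checked against the existing header comments.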
|
@ -248,6 +248,7 @@ support-files =
|
||||
file_independent_iframe_csp.html
|
||||
prefs =
|
||||
security.mixed_content.upgrade_display_content=false
|
||||
security.csp.script-src-attr-elem.enabled=true
|
||||
|
||||
[test_base-uri.html]
|
||||
[test_blob_data_schemes.html]
|
||||
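Review bot: Nothing visible in this commit covers the pref-off branch, because `security.csp.script-src-attr-elem.enabled=true` is set for every test under this `prefs =` key and the updated expectations therefore only exercise the path that reports `script-src-elem`/`script-src-attr`. With the pref off the effective directive stays equal to the resolved one. If the pref can still be turned off in shipped builds, one test pinning the previous report shape with `security.csp.script-src-attr-elem.enabled=false` would keep that branch from regressing unnoticed. Which manifest section the key belongs to starts above the hunk.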
|
@ -22,7 +22,7 @@ SimpleTest.waitForExplicitFinish();
|
||||
function receiveMessage(event) {
|
||||
window.removeEventListener("message", receiveMessage);
|
||||
is(event.data.blockedURI, "inline", "blockedURI");
|
||||
is(event.data.violatedDirective, "script-src", "violatedDirective")
|
||||
is(event.data.violatedDirective, "script-src-elem", "violatedDirective")
|
||||
is(event.data.originalPolicy, "script-src 'nonce-bug1550414'", "originalPolicy");
|
||||
SimpleTest.finish();
|
||||
}
|
||||
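Review bot: The rewritten assertion in `receiveMessage` still ends without a semicolon, unlike the `is(...)` calls on either side of it; since the line is being touched anyway, `is(event.data.violatedDirective, "script-src-elem", "violatedDirective");` would match the rest of the function. The commit is about the effective directive, yet only `violatedDirective` is asserted here, and the same holds for the `cspReport["violated-directive"]` check in the report test that follows. If the posted message and the JSON report carry the effective-directive field (not visible in these hunks), an assertion on it next to each existing check would pin the behaviour this change introduces.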
|
@ -50,7 +50,7 @@ window.checkResults = function(reportObj) {
|
||||
|
||||
is(cspReport["blocked-uri"], "inline", "Incorrect blocked-uri");
|
||||
|
||||
is(cspReport["violated-directive"], "default-src", "Incorrect violated-directive");
|
||||
is(cspReport["violated-directive"], "script-src-elem", "Incorrect violated-directive");
|
||||
|
||||
is(cspReport["original-policy"], "default-src 'none' 'report-sample'; report-uri http://mochi.test:8888/foo.sjs",
|
||||
"Incorrect original-policy");
|
||||
|
@ -1,5 +0,0 @@
|
||||
implementation-status: backlog
|
||||
[blob-urls-do-not-match-self.sub.html]
|
||||
[Expecting logs: ["violated-directive=script-src-elem"\]]
|
||||
expected: FAIL
|
||||
|
@ -1,5 +0,0 @@
|
||||
implementation-status: backlog
|
||||
[default-src-inline-blocked.sub.html]
|
||||
[Expecting logs: ["violated-directive=script-src-elem","violated-directive=script-src-elem"\]]
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
[generic-0_1-script-src.html]
|
||||
[Should fire violation events for every failed violation]
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
[generic-0_10_1.sub.html]
|
||||
[Should fire violation events for every failed violation]
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
[generic-0_2_2.sub.html]
|
||||
[Should fire violation events for every failed violation]
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
[generic-0_2_3.html]
|
||||
[Should fire violation events for every failed violation]
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
[report-uri-effective-directive.html]
|
||||
[Violation report status OK.]
|
||||
expected: FAIL
|
||||
|
@ -1,5 +0,0 @@
|
||||
implementation-status: backlog
|
||||
[injected-inline-script-blocked.sub.html]
|
||||
[Expecting logs: ["violated-directive=script-src-elem","blocked-uri=inline"\]]
|
||||
expected: FAIL
|
||||
|
@ -1,5 +0,0 @@
|
||||
implementation-status: backlog
|
||||
[javascript-window-open-blocked.html]
|
||||
[Check that a securitypolicyviolation event is fired]
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
[script-src-1_1.html]
|
||||
[Should fire policy violation events]
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
[script-src-1_10.html]
|
||||
[Test that securitypolicyviolation event is fired]
|
||||
expected: FAIL
|
||||
|
@ -1,6 +0,0 @@
|
||||
[script-src-1_2.html]
|
||||
disabled:
|
||||
if (os == "win"): bug 1172411
|
||||
[Should fire policy violation events]
|
||||
expected: FAIL
|
||||
|
@ -1,6 +0,0 @@
|
||||
[script-src-1_2_1.html]
|
||||
disabled:
|
||||
if (os == "win"): bug 1094323
|
||||
[Test that securitypolicyviolation event is fired]
|
||||
expected: FAIL
|
||||
|
@ -1,5 +0,0 @@
|
||||
implementation-status: backlog
|
||||
[script-src-report-only-policy-works-with-hash-policy.html]
|
||||
[Test that the securitypolicyviolation event is fired]
|
||||
expected: FAIL
|
||||
|
@ -1,5 +0,0 @@
|
||||
implementation-status: backlog
|
||||
[script-src-strict_dynamic_discard_source_expressions.html]
|
||||
[Allowed scripts without a correct nonce are not permitted with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
[script-src-strict_dynamic_double_policy_different_nonce.html]
|
||||
[Unnonced script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce-only double policy.]
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
[script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html]
|
||||
[Non-allowed script injected via `appendChild` is not permitted with `strict-dynamic` + a nonce+allowed double policy.]
|
||||
expected: FAIL
|
||||
|
@ -1,5 +0,0 @@
|
||||
implementation-status: backlog
|
||||
[script-src-strict_dynamic_double_policy_report_only.html]
|
||||
[Script injected via `appendChild` is allowed with `strict-dynamic` + Report-Only `script-src 'none'` policy.]
|
||||
expected: FAIL
|
||||
|
@ -1,5 +0,0 @@
|
||||
implementation-status: backlog
|
||||
[script-src-strict_dynamic_javascript_uri.html]
|
||||
[Script injected via `javascript:` URIs are not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
@ -1,5 +0,0 @@
|
||||
implementation-status: backlog
|
||||
[script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html]
|
||||
[All the expected CSP violation reports have been fired.]
|
||||
expected: FAIL
|
||||
|
@ -1,32 +0,0 @@
|
||||
implementation-status: backlog
|
||||
[script-src-strict_dynamic_parser_inserted.html]
|
||||
[Parser-inserted deferred script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
||||
[Parser-inserted deferred async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
||||
[Parser-inserted script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
||||
[Parser-inserted script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
||||
[Parser-inserted deferred script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
||||
[Parser-inserted async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
||||
[Parser-inserted async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
||||
[Parser-inserted deferred async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
||||
[Script injected via `innerHTML` is not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
||||
[Script injected via `insertAdjacentHTML` is not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
@ -1,5 +0,0 @@
|
||||
implementation-status: backlog
|
||||
[scripthash-unicode-normalization.sub.html]
|
||||
[Should fire securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
@ -1,5 +0,0 @@
|
||||
implementation-status: backlog
|
||||
[scriptnonce-and-scripthash.sub.html]
|
||||
[Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"\]]
|
||||
expected: FAIL
|
||||
|
@ -1,5 +0,0 @@
|
||||
implementation-status: backlog
|
||||
[scriptnonce-ignore-unsafeinline.sub.html]
|
||||
[Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src-elem"\]]
|
||||
expected: FAIL
|
||||
|
@ -1,5 +0,0 @@
|
||||
implementation-status: backlog
|
||||
[srcdoc-doesnt-bypass-script-src.sub.html]
|
||||
[Expecting logs: ["violated-directive=script-src-elem"\]]
|
||||
expected: FAIL
|
||||
|
@ -1,5 +0,0 @@
|
||||
implementation-status: backlog
|
||||
[svg-inline.sub.html]
|
||||
[Should fire violation event]
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
implementation-status: backlog
|
||||
[javascript_src_denied_missing_unsafe_hashes-href.html]
|
||||
[javascript: navigation using <a href> should be refused due to missing unsafe-hashes]
|
||||
expected: FAIL
|
@ -1,4 +0,0 @@
|
||||
implementation-status: backlog
|
||||
[javascript_src_denied_missing_unsafe_hashes-href_blank.html]
|
||||
[javascript: navigation using <a href target=_blank> should be refused due to missing unsafe-hashes]
|
||||
expected: FAIL
|
@ -1,5 +0,0 @@
|
||||
implementation-status: backlog
|
||||
[javascript_src_denied_missing_unsafe_hashes-window_open.html]
|
||||
[Test that the javascript: src is not allowed to run]
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
implementation-status: backlog
|
||||
[javascript_src_denied_wrong_hash-href.html]
|
||||
[javascript: navigation using <a href> should be refused due to wrong hash]
|
||||
expected: FAIL
|
@ -1,4 +0,0 @@
|
||||
implementation-status: backlog
|
||||
[javascript_src_denied_wrong_hash-href_blank.html]
|
||||
[javascript: navigation using <a href target=_blank> should be refused due to wrong hash]
|
||||
expected: FAIL
|
@ -1,5 +0,0 @@
|
||||
implementation-status: backlog
|
||||
[javascript_src_denied_wrong_hash-window_open.html]
|
||||
[Test that the javascript: src is not allowed to run]
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
[script_event_handlers_denied_wrong_hash.html]
|
||||
[Test that the inline event handler is not allowed to run]
|
||||
expected: FAIL
|
||||
|