mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-28 15:23:51 +00:00
Bug 1247687 - Copy over csp related web-platform test files and metadata; r=asuth
Depends on D156102 Differential Revision: https://phabricator.services.mozilla.com/D162741
This commit is contained in:
Yulia Startsev
parent
4916e53611
commit
71d36004e1
@ -0,0 +1,24 @@
|
||||
[worker-import.http.html]
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and keep-origin redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and no-redirect redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and swap-origin redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
@ -0,0 +1,24 @@
|
||||
[worker-import.https.html]
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and keep-origin redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and no-redirect redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and swap-origin redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and keep-origin redirection from https context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and no-redirect redirection from https context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and swap-origin redirection from https context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context.]
|
||||
expected: FAIL
|
||||
@ -0,0 +1,24 @@
|
||||
[worker-import.http.html]
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and keep-origin redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and no-redirect redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and swap-origin redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
@ -0,0 +1,24 @@
|
||||
[worker-import.https.html]
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and keep-origin redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and no-redirect redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and swap-origin redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and keep-origin redirection from https context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and no-redirect redirection from https context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and swap-origin redirection from https context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context.]
|
||||
expected: FAIL
|
||||
@ -0,0 +1,26 @@
|
||||
[worker-import.http.html]
|
||||
expected:
|
||||
if (os == "android") and fission: [OK, TIMEOUT]
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and keep-origin redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and no-redirect redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and swap-origin redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
@ -0,0 +1,26 @@
|
||||
[worker-import.https.html]
|
||||
expected:
|
||||
if (os == "android") and fission: [OK, TIMEOUT]
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and keep-origin redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and no-redirect redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and swap-origin redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and keep-origin redirection from https context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and no-redirect redirection from https context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and swap-origin redirection from https context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context.]
|
||||
expected: FAIL
|
||||
@ -0,0 +1,26 @@
|
||||
[worker-import.http.html]
|
||||
expected:
|
||||
if (os == "android") and fission: [OK, TIMEOUT]
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and keep-origin redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and no-redirect redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and swap-origin redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-http origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
@ -0,0 +1,26 @@
|
||||
[worker-import.https.html]
|
||||
expected:
|
||||
if (os == "android") and fission: [OK, TIMEOUT]
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and keep-origin redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and no-redirect redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and swap-origin redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and keep-origin redirection from https context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and no-redirect redirection from https context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to cross-https origin and swap-origin redirection from https context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context.]
|
||||
expected: FAIL
|
||||
@ -0,0 +1,15 @@
|
||||
[dedicated-worker-import-csp.html]
|
||||
[script-src * directive should allow cross origin dynamic import.]
|
||||
expected: FAIL
|
||||
|
||||
[worker-src 'self' directive should not take effect on dynamic import.]
|
||||
expected: FAIL
|
||||
|
||||
[worker-src 'self' directive should disallow cross origin static import.]
|
||||
expected: FAIL
|
||||
|
||||
[script-src 'self' directive should disallow cross origin static import.]
|
||||
expected: FAIL
|
||||
|
||||
[worker-src 'self' directive should override script-src * directive and disallow cross origin static import.]
|
||||
expected: FAIL
|
||||
@ -0,0 +1,82 @@
|
||||
<!DOCTYPE html>
|
||||
<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta name="timeout" content="long">
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="/common/security-features/resources/common.sub.js"></script>
|
||||
<script src="../../../generic/test-case.sub.js"></script>
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
TestCase(
|
||||
[
|
||||
{
|
||||
"expectation": "allowed",
|
||||
"origin": "same-http",
|
||||
"redirection": "keep-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and keep-origin redirection from http context."
|
||||
},
|
||||
{
|
||||
"expectation": "allowed",
|
||||
"origin": "same-http",
|
||||
"redirection": "no-redirect",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and no-redirect redirection from http context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-http",
|
||||
"redirection": "keep-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and keep-origin redirection from http context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-http",
|
||||
"redirection": "no-redirect",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and no-redirect redirection from http context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-http",
|
||||
"redirection": "swap-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and swap-origin redirection from http context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "same-http",
|
||||
"redirection": "swap-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context."
|
||||
}
|
||||
],
|
||||
new SanityChecker()
|
||||
).start();
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
</html>
|
||||
@ -0,0 +1,82 @@
|
||||
<!DOCTYPE html>
|
||||
<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta name="timeout" content="long">
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="/common/security-features/resources/common.sub.js"></script>
|
||||
<script src="../../../generic/test-case.sub.js"></script>
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
TestCase(
|
||||
[
|
||||
{
|
||||
"expectation": "allowed",
|
||||
"origin": "same-https",
|
||||
"redirection": "keep-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and keep-origin redirection from https context."
|
||||
},
|
||||
{
|
||||
"expectation": "allowed",
|
||||
"origin": "same-https",
|
||||
"redirection": "no-redirect",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and no-redirect redirection from https context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-https",
|
||||
"redirection": "keep-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and keep-origin redirection from https context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-https",
|
||||
"redirection": "no-redirect",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and no-redirect redirection from https context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-https",
|
||||
"redirection": "swap-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and swap-origin redirection from https context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "same-https",
|
||||
"redirection": "swap-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context."
|
||||
}
|
||||
],
|
||||
new SanityChecker()
|
||||
).start();
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
</html>
|
||||
@ -0,0 +1,82 @@
|
||||
<!DOCTYPE html>
|
||||
<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta name="timeout" content="long">
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="/common/security-features/resources/common.sub.js"></script>
|
||||
<script src="../../../generic/test-case.sub.js"></script>
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
TestCase(
|
||||
[
|
||||
{
|
||||
"expectation": "allowed",
|
||||
"origin": "same-http",
|
||||
"redirection": "keep-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and keep-origin redirection from http context."
|
||||
},
|
||||
{
|
||||
"expectation": "allowed",
|
||||
"origin": "same-http",
|
||||
"redirection": "no-redirect",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and no-redirect redirection from http context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-http",
|
||||
"redirection": "keep-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and keep-origin redirection from http context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-http",
|
||||
"redirection": "no-redirect",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and no-redirect redirection from http context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-http",
|
||||
"redirection": "swap-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and swap-origin redirection from http context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "same-http",
|
||||
"redirection": "swap-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context."
|
||||
}
|
||||
],
|
||||
new SanityChecker()
|
||||
).start();
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
</html>
|
||||
@ -0,0 +1,82 @@
|
||||
<!DOCTYPE html>
|
||||
<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta name="timeout" content="long">
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="/common/security-features/resources/common.sub.js"></script>
|
||||
<script src="../../../generic/test-case.sub.js"></script>
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
TestCase(
|
||||
[
|
||||
{
|
||||
"expectation": "allowed",
|
||||
"origin": "same-https",
|
||||
"redirection": "keep-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and keep-origin redirection from https context."
|
||||
},
|
||||
{
|
||||
"expectation": "allowed",
|
||||
"origin": "same-https",
|
||||
"redirection": "no-redirect",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and no-redirect redirection from https context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-https",
|
||||
"redirection": "keep-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and keep-origin redirection from https context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-https",
|
||||
"redirection": "no-redirect",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and no-redirect redirection from https context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-https",
|
||||
"redirection": "swap-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and swap-origin redirection from https context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "same-https",
|
||||
"redirection": "swap-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context."
|
||||
}
|
||||
],
|
||||
new SanityChecker()
|
||||
).start();
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
</html>
|
||||
@ -0,0 +1,83 @@
|
||||
<!DOCTYPE html>
|
||||
<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta name="timeout" content="long">
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="/common/security-features/resources/common.sub.js"></script>
|
||||
<script src="../../../generic/test-case.sub.js"></script>
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
TestCase(
|
||||
[
|
||||
{
|
||||
"expectation": "allowed",
|
||||
"origin": "same-http",
|
||||
"redirection": "keep-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and keep-origin redirection from http context."
|
||||
},
|
||||
{
|
||||
"expectation": "allowed",
|
||||
"origin": "same-http",
|
||||
"redirection": "no-redirect",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and no-redirect redirection from http context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-http",
|
||||
"redirection": "keep-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and keep-origin redirection from http context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-http",
|
||||
"redirection": "no-redirect",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and no-redirect redirection from http context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-http",
|
||||
"redirection": "swap-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and swap-origin redirection from http context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "same-http",
|
||||
"redirection": "swap-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context."
|
||||
}
|
||||
],
|
||||
new SanityChecker()
|
||||
).start();
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
</html>
|
||||
@ -0,0 +1,83 @@
|
||||
<!DOCTYPE html>
|
||||
<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta name="timeout" content="long">
|
||||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="/common/security-features/resources/common.sub.js"></script>
|
||||
<script src="../../../generic/test-case.sub.js"></script>
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
TestCase(
|
||||
[
|
||||
{
|
||||
"expectation": "allowed",
|
||||
"origin": "same-https",
|
||||
"redirection": "keep-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and keep-origin redirection from https context."
|
||||
},
|
||||
{
|
||||
"expectation": "allowed",
|
||||
"origin": "same-https",
|
||||
"redirection": "no-redirect",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and no-redirect redirection from https context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-https",
|
||||
"redirection": "keep-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and keep-origin redirection from https context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-https",
|
||||
"redirection": "no-redirect",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and no-redirect redirection from https context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-https",
|
||||
"redirection": "swap-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and swap-origin redirection from https context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "same-https",
|
||||
"redirection": "swap-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context."
|
||||
}
|
||||
],
|
||||
new SanityChecker()
|
||||
).start();
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
</html>
|
||||
@ -0,0 +1,83 @@
|
||||
<!DOCTYPE html>
|
||||
<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta name="timeout" content="long">
|
||||
<meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="/common/security-features/resources/common.sub.js"></script>
|
||||
<script src="../../../generic/test-case.sub.js"></script>
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
TestCase(
|
||||
[
|
||||
{
|
||||
"expectation": "allowed",
|
||||
"origin": "same-http",
|
||||
"redirection": "keep-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and keep-origin redirection from http context."
|
||||
},
|
||||
{
|
||||
"expectation": "allowed",
|
||||
"origin": "same-http",
|
||||
"redirection": "no-redirect",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects allowed for worker-import to same-http origin and no-redirect redirection from http context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-http",
|
||||
"redirection": "keep-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and keep-origin redirection from http context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-http",
|
||||
"redirection": "no-redirect",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and no-redirect redirection from http context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-http",
|
||||
"redirection": "swap-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-http origin and swap-origin redirection from http context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "same-http",
|
||||
"redirection": "swap-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "http",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context."
|
||||
}
|
||||
],
|
||||
new SanityChecker()
|
||||
).start();
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
</html>
|
||||
@ -0,0 +1,83 @@
|
||||
<!DOCTYPE html>
|
||||
<!-- DO NOT EDIT! Generated by `common/security-features/tools/generate.py --spec content-security-policy/` -->
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta name="timeout" content="long">
|
||||
<meta http-equiv="Content-Security-Policy" content="worker-src 'self'">
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script src="/common/security-features/resources/common.sub.js"></script>
|
||||
<script src="../../../generic/test-case.sub.js"></script>
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
TestCase(
|
||||
[
|
||||
{
|
||||
"expectation": "allowed",
|
||||
"origin": "same-https",
|
||||
"redirection": "keep-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and keep-origin redirection from https context."
|
||||
},
|
||||
{
|
||||
"expectation": "allowed",
|
||||
"origin": "same-https",
|
||||
"redirection": "no-redirect",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects allowed for worker-import to same-https origin and no-redirect redirection from https context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-https",
|
||||
"redirection": "keep-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and keep-origin redirection from https context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-https",
|
||||
"redirection": "no-redirect",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and no-redirect redirection from https context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "cross-https",
|
||||
"redirection": "swap-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to cross-https origin and swap-origin redirection from https context."
|
||||
},
|
||||
{
|
||||
"expectation": "blocked",
|
||||
"origin": "same-https",
|
||||
"redirection": "swap-origin",
|
||||
"source_context_list": [],
|
||||
"source_scheme": "https",
|
||||
"subresource": "worker-import",
|
||||
"subresource_policy_deliveries": [],
|
||||
"test_description": "Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context."
|
||||
}
|
||||
],
|
||||
new SanityChecker()
|
||||
).start();
|
||||
</script>
|
||||
<div id="log"></div>
|
||||
</body>
|
||||
</html>
|
||||
@ -0,0 +1,120 @@
|
||||
<!DOCTYPE html>
|
||||
<title>DedicatedWorker: CSP for ES Modules</title>
|
||||
<script src="/resources/testharness.js"></script>
|
||||
<script src="/resources/testharnessreport.js"></script>
|
||||
<script>
|
||||
|
||||
async function openWindow(url) {
|
||||
const win = window.open(url, '_blank');
|
||||
add_result_callback(() => win.close());
|
||||
const msg_event = await new Promise(resolve => window.onmessage = resolve);
|
||||
assert_equals(msg_event.data, 'LOADED');
|
||||
return win;
|
||||
}
|
||||
|
||||
function import_csp_test(
|
||||
cspHeader, importType, expectedImportedModules, description) {
|
||||
// Append CSP header to windowURL for static import tests since static import
|
||||
// scripts should obey Window's CSP.
|
||||
const windowURL = `resources/new-worker-window.html` +
|
||||
`${importType === 'static'
|
||||
? '?pipe=header(Content-Security-Policy, ' + cspHeader + ')'
|
||||
: ''}`;
|
||||
// Append CSP header to scriptURL for dynamic import tests since dynamic
|
||||
// import scripts should obey Worker script's response's CSP.
|
||||
const scriptURL = `${importType}-import-remote-origin-script-worker.sub.js` +
|
||||
`${importType === 'dynamic'
|
||||
? '?pipe=header(Content-Security-Policy, ' + cspHeader + ')'
|
||||
: ''}`;
|
||||
promise_test(async () => {
|
||||
const win = await openWindow(windowURL);
|
||||
// Ask the window to start a dedicated worker.
|
||||
win.postMessage(scriptURL, '*');
|
||||
const msg_event = await new Promise(resolve => window.onmessage = resolve);
|
||||
assert_array_equals(msg_event.data, expectedImportedModules);
|
||||
}, description);
|
||||
}
|
||||
|
||||
// Tests for static import.
|
||||
//
|
||||
// Static import should obey the worker-src directive and the script-src
|
||||
// directive. If the both directives are specified, the worker-src directive
|
||||
// should be prioritized.
|
||||
//
|
||||
// Step 1: "If the result of executing 6.6.1.11 Get the effective directive for
|
||||
// request on request is "worker-src", and policy contains a directive whose
|
||||
// name is "worker-src", return "Allowed"."
|
||||
// "Note: If worker-src is present, we’ll defer to it when handling worker
|
||||
// requests."
|
||||
// https://w3c.github.io/webappsec-csp/#script-src-pre-request
|
||||
|
||||
import_csp_test(
|
||||
"worker-src 'self' 'unsafe-inline'",
|
||||
"static",
|
||||
['ERROR'],
|
||||
"worker-src 'self' directive should disallow cross origin static import.");
|
||||
|
||||
import_csp_test(
|
||||
"worker-src * 'unsafe-inline'",
|
||||
"static",
|
||||
["export-on-load-script.js"],
|
||||
"worker-src * directive should allow cross origin static import.")
|
||||
|
||||
import_csp_test(
|
||||
"script-src 'self' 'unsafe-inline'",
|
||||
"static",
|
||||
['ERROR'],
|
||||
"script-src 'self' directive should disallow cross origin static import.");
|
||||
|
||||
import_csp_test(
|
||||
"script-src * 'unsafe-inline'",
|
||||
"static",
|
||||
["export-on-load-script.js"],
|
||||
"script-src * directive should allow cross origin static import.")
|
||||
|
||||
import_csp_test(
|
||||
"worker-src *; script-src 'self' 'unsafe-inline'",
|
||||
"static",
|
||||
["export-on-load-script.js"],
|
||||
"worker-src * directive should override script-src 'self' directive and " +
|
||||
"allow cross origin static import.");
|
||||
|
||||
import_csp_test(
|
||||
"worker-src 'self'; script-src * 'unsafe-inline'",
|
||||
"static",
|
||||
['ERROR'],
|
||||
"worker-src 'self' directive should override script-src * directive and " +
|
||||
"disallow cross origin static import.");
|
||||
|
||||
// Tests for dynamic import.
|
||||
//
|
||||
// Dynamic import should obey the script-src directive instead of the worker-src
|
||||
// directive according to the specs:
|
||||
//
|
||||
// Dynamic import has the "script" destination.
|
||||
// Step 2.4: "Fetch a module script graph given url, ..., "script", ..."
|
||||
// https://html.spec.whatwg.org/multipage/webappapis.html#hostimportmoduledynamically(referencingscriptormodule,-specifier,-promisecapability)
|
||||
//
|
||||
// The "script" destination should obey the script-src CSP directive.
|
||||
// Step 2: "If request's destination is script-like:"
|
||||
// https://w3c.github.io/webappsec-csp/#script-src-pre-request
|
||||
|
||||
import_csp_test(
|
||||
"script-src 'self' 'unsafe-inline'",
|
||||
"dynamic",
|
||||
['ERROR'],
|
||||
"script-src 'self' directive should disallow cross origin dynamic import.");
|
||||
|
||||
import_csp_test(
|
||||
"script-src * 'unsafe-inline'",
|
||||
"dynamic",
|
||||
["export-on-load-script.js"],
|
||||
"script-src * directive should allow cross origin dynamic import.")
|
||||
|
||||
import_csp_test(
|
||||
"worker-src 'self' 'unsafe-inline'",
|
||||
"dynamic",
|
||||
["export-on-load-script.js"],
|
||||
"worker-src 'self' directive should not take effect on dynamic import.");
|
||||
|
||||
</script>
|
||||
Loading…
Reference in New Issue
Block a user