Backed out 2 changesets (bug 1529337) for awaiting decision on implementing other CSP 3 features
Backed out changeset 12cd014c46e8 (bug 1529337) Backed out changeset f1489d7cf1a1 (bug 1529337)
This commit is contained in:
parent
a5bbfdd85a
commit
bd8c576702
@ -1043,7 +1043,7 @@ nsresult EventListenerManager::SetEventHandler(nsAtom* aName,
|
||||
if (csp) {
|
||||
bool allowsInlineScript = true;
|
||||
rv = csp->GetAllowsInline(
|
||||
nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE,
|
||||
nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE,
|
||||
u""_ns, // aNonce
|
||||
true, // aParserCreated (true because attribute event handler)
|
||||
aElement,
|
||||
|
@ -62,8 +62,6 @@ interface nsIContentSecurityPolicy : nsISerializable
|
||||
SANDBOX_DIRECTIVE = 19,
|
||||
WORKER_SRC_DIRECTIVE = 20,
|
||||
NAVIGATE_TO_DIRECTIVE = 21,
|
||||
SCRIPT_SRC_ELEM_DIRECTIVE = 22,
|
||||
SCRIPT_SRC_ATTR_DIRECTIVE = 23,
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -137,11 +137,9 @@ static bool AllowedByCSP(nsIContentSecurityPolicy* aCSP,
|
||||
return true;
|
||||
}
|
||||
|
||||
// javascript: is a "navigation" type, so script-src-elem applies.
|
||||
// https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check
|
||||
bool allowsInlineScript = true;
|
||||
nsresult rv =
|
||||
aCSP->GetAllowsInline(nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE,
|
||||
aCSP->GetAllowsInline(nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE,
|
||||
u""_ns, // aNonce
|
||||
true, // aParserCreated
|
||||
nullptr, // aElement,
|
||||
|
@ -35,22 +35,17 @@ ignoringDuplicateSrc = Ignoring duplicate source %1$S
|
||||
# LOCALIZATION NOTE (ignoringSrcFromMetaCSP):
|
||||
# %1$S defines the ignored src
|
||||
ignoringSrcFromMetaCSP = Ignoring source ‘%1$S’ (Not supported when delivered via meta element).
|
||||
# LOCALIZATION NOTE (ignoringSrcWithinNonceOrHashDirective):
|
||||
# %1$S is the ignored src (e.g. "unsafe-inline")
|
||||
# %2$S is the directive (e.g. "script-src-elem")
|
||||
ignoringSrcWithinNonceOrHashDirective = Ignoring “%1$S” within %2$S: nonce-source or hash-source specified
|
||||
# LOCALIZATION NOTE (ignoringScriptSrcForStrictDynamic):
|
||||
# LOCALIZATION NOTE (ignoringSrcWithinScriptStyleSrc):
|
||||
# %1$S is the ignored src
|
||||
# %1$S is the directive src (e.g. "script-src-elem")
|
||||
# 'strict-dynamic' should not be localized
|
||||
ignoringScriptSrcForStrictDynamic = Ignoring “%1$S” within %2$S: ‘strict-dynamic’ specified
|
||||
# script-src and style-src are directive names and should not be localized
|
||||
ignoringSrcWithinScriptStyleSrc = Ignoring “%1$S” within script-src or style-src: nonce-source or hash-source specified
|
||||
# LOCALIZATION NOTE (ignoringSrcForStrictDynamic):
|
||||
# %1$S is the ignored src
|
||||
# script-src, as well as 'strict-dynamic' should not be localized
|
||||
ignoringSrcForStrictDynamic = Ignoring “%1$S” within script-src: ‘strict-dynamic’ specified
|
||||
# LOCALIZATION NOTE (ignoringStrictDynamic):
|
||||
# %1$S is the ignored src
|
||||
ignoringStrictDynamic = Ignoring source “%1$S” (Only supported within script-src).
|
||||
# LOCALIZATION NOTE (ignoringUnsafeEval):
|
||||
# %1$S is the csp directive (e.g. script-src-elem)
|
||||
# 'unsafe-eval' and 'wasm-unsafe-eval' should not be localized
|
||||
ignoringUnsafeEval = Ignoring ‘unsafe-eval’ or ‘wasm-unsafe-eval’ inside “%1$S”.
|
||||
# LOCALIZATION NOTE (strictDynamicButNoHashOrNonce):
|
||||
# %1$S is the csp directive that contains 'strict-dynamic'
|
||||
# 'strict-dynamic' should not be localized
|
||||
|
@ -788,6 +788,8 @@ bool ScriptLoader::PreloadURIComparator::Equals(const PreloadInfo& aPi,
|
||||
static bool CSPAllowsInlineScript(nsIScriptElement* aElement,
|
||||
Document* aDocument) {
|
||||
nsCOMPtr<nsIContentSecurityPolicy> csp = aDocument->GetCsp();
|
||||
nsresult rv = NS_OK;
|
||||
|
||||
if (!csp) {
|
||||
// no CSP --> allow
|
||||
return true;
|
||||
@ -808,8 +810,8 @@ static bool CSPAllowsInlineScript(nsIScriptElement* aElement,
|
||||
aElement->GetParserCreated() != mozilla::dom::NOT_FROM_PARSER;
|
||||
|
||||
bool allowInlineScript = false;
|
||||
nsresult rv = csp->GetAllowsInline(
|
||||
nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE, nonce, parserCreated,
|
||||
rv = csp->GetAllowsInline(
|
||||
nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE, nonce, parserCreated,
|
||||
scriptContent, nullptr /* nsICSPEventListener */, u""_ns,
|
||||
aElement->GetScriptLineNumber(), aElement->GetScriptColumnNumber(),
|
||||
&allowInlineScript);
|
||||
|
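Review bot: `rv` is declared as `nsresult rv = NS_OK;` at the top of CSPAllowsInlineScript in the previous hunk but first assigned here, after an early return and the nonce/parser-created setup, which is the kind of hoisted local the rest of this diff avoids (AllowedByCSP declares `nsresult rv = aCSP->GetAllowsInline(` at the call). Declaring it at the point of use, `nsresult rv = csp->GetAllowsInline(`, keeps the variable's scope equal to its use and makes a missing `NS_FAILED(rv)` check easier to spot in review. The result handling after the call lies outside the hunk.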
@ -201,13 +201,6 @@ bool nsCSPContext::permitsInternal(
|
||||
permits = false;
|
||||
}
|
||||
|
||||
// See the comment in nsCSPContext::GetAllowsInline.
|
||||
nsAutoString effectiveDirective(violatedDirective);
|
||||
if (aDir == SCRIPT_SRC_ELEM_DIRECTIVE ||
|
||||
aDir == SCRIPT_SRC_ATTR_DIRECTIVE) {
|
||||
effectiveDirective.AssignASCII(CSP_CSPDirectiveToString(aDir));
|
||||
}
|
||||
|
||||
// Callers should set |aSendViolationReports| to false if this is a
|
||||
// preload - the decision may be wrong due to the inability to get the
|
||||
// nonce, and will incorrectly fail the unit tests.
|
||||
@ -228,12 +221,12 @@ bool nsCSPContext::permitsInternal(
|
||||
BlockedContentSource::eUnknown, /* a BlockedContentSource */
|
||||
aOriginalURIIfRedirect, /* in case of redirect originalURI is not
|
||||
null */
|
||||
violatedDirective, effectiveDirective, p, /* policy index */
|
||||
u""_ns, /* no observer subject */
|
||||
spec, /* source file */
|
||||
u""_ns, /* no script sample */
|
||||
lineNumber, /* line number */
|
||||
columnNumber); /* column number */
|
||||
violatedDirective, p, /* policy index */
|
||||
u""_ns, /* no observer subject */
|
||||
spec, /* source file */
|
||||
u""_ns, /* no script sample */
|
||||
lineNumber, /* line number */
|
||||
columnNumber); /* column number */
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -518,7 +511,6 @@ void nsCSPContext::reportInlineViolation(
|
||||
CSPDirective aDirective, Element* aTriggeringElement,
|
||||
nsICSPEventListener* aCSPEventListener, const nsAString& aNonce,
|
||||
const nsAString& aContent, const nsAString& aViolatedDirective,
|
||||
const nsAString& aEffectiveDirective,
|
||||
uint32_t aViolatedPolicyIndex, // TODO, use report only flag for that
|
||||
uint32_t aLineNumber, uint32_t aColumnNumber) {
|
||||
nsString observerSubject;
|
||||
@ -526,15 +518,13 @@ void nsCSPContext::reportInlineViolation(
|
||||
// let's report the hash error; no need to report the unsafe-inline error
|
||||
// anymore.
|
||||
if (!aNonce.IsEmpty()) {
|
||||
observerSubject = (aDirective == SCRIPT_SRC_ELEM_DIRECTIVE ||
|
||||
aDirective == SCRIPT_SRC_ATTR_DIRECTIVE)
|
||||
observerSubject = (aDirective == SCRIPT_SRC_DIRECTIVE)
|
||||
? NS_LITERAL_STRING_FROM_CSTRING(
|
||||
SCRIPT_NONCE_VIOLATION_OBSERVER_TOPIC)
|
||||
: NS_LITERAL_STRING_FROM_CSTRING(
|
||||
STYLE_NONCE_VIOLATION_OBSERVER_TOPIC);
|
||||
} else {
|
||||
observerSubject = (aDirective == SCRIPT_SRC_ELEM_DIRECTIVE ||
|
||||
aDirective == SCRIPT_SRC_ATTR_DIRECTIVE)
|
||||
observerSubject = (aDirective == SCRIPT_SRC_DIRECTIVE)
|
||||
? NS_LITERAL_STRING_FROM_CSTRING(
|
||||
SCRIPT_HASH_VIOLATION_OBSERVER_TOPIC)
|
||||
: NS_LITERAL_STRING_FROM_CSTRING(
|
||||
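Review bot: Both ternaries on the new side map every directive other than `SCRIPT_SRC_DIRECTIVE` to the style observer topic, so the notification is only right because GetAllowsInline asserts that nothing but script-src and style-src reaches it; that assert is debug-only and lives in a different method, so a future caller of reportInlineViolation would get a style-violation topic for any other directive. A local check where the assumption is relied upon documents it and fails loudly in debug builds: `MOZ_ASSERT(aDirective == SCRIPT_SRC_DIRECTIVE || aDirective == STYLE_SRC_DIRECTIVE, "inline violations are only reported for script-src or style-src");` at the top of the function. The function starts in the previous hunk and continues past this one.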
@ -563,7 +553,6 @@ void nsCSPContext::reportInlineViolation(
|
||||
BlockedContentSource::eInline, // aBlockedSource
|
||||
mSelfURI, // aOriginalURI
|
||||
aViolatedDirective, // aViolatedDirective
|
||||
aEffectiveDirective, // aEffectiveDirective
|
||||
aViolatedPolicyIndex, // aViolatedPolicyIndex
|
||||
observerSubject, // aObserverSubject
|
||||
sourceFile, // aSourceFile
|
||||
@ -581,11 +570,8 @@ nsCSPContext::GetAllowsInline(CSPDirective aDirective, const nsAString& aNonce,
|
||||
bool* outAllowsInline) {
|
||||
*outAllowsInline = true;
|
||||
|
||||
if (aDirective != SCRIPT_SRC_ELEM_DIRECTIVE &&
|
||||
aDirective != SCRIPT_SRC_ATTR_DIRECTIVE &&
|
||||
aDirective != STYLE_SRC_DIRECTIVE) {
|
||||
MOZ_ASSERT(false,
|
||||
"can only allow inline for script-src-(attr/elem) or style");
|
||||
if (aDirective != SCRIPT_SRC_DIRECTIVE && aDirective != STYLE_SRC_DIRECTIVE) {
|
||||
MOZ_ASSERT(false, "can only allow inline for script or style");
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
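Review bot: The restored guard `if (aDirective != SCRIPT_SRC_DIRECTIVE && aDirective != STYLE_SRC_DIRECTIVE)` fails open: `*outAllowsInline` is set to true three lines earlier and the early `return NS_OK` leaves it that way, while `MOZ_ASSERT(false, ...)` is compiled out of release builds, so a caller passing an unsupported directive is told the inline content is allowed. A policy check should deny on a contract violation rather than permit, e.g. `*outAllowsInline = false; return NS_ERROR_INVALID_ARG;` in place of the bare `return NS_OK;`, so the caller cannot mistake the error for a grant. No caller visible in this diff passes anything else, so this is defence in depth rather than a reachable bypass. GetAllowsInline's body continues past the hunk.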
@ -633,20 +619,9 @@ nsCSPContext::GetAllowsInline(CSPDirective aDirective, const nsAString& aNonce,
|
||||
bool reportSample = false;
|
||||
mPolicies[i]->getDirectiveStringAndReportSampleForContentType(
|
||||
aDirective, violatedDirective, &reportSample);
|
||||
// In CSP 3.0 the effective directive doesn't become the actually used
|
||||
// directive in case of a fallback from e.g. script-src-elem to
|
||||
// script-src or default-src.
|
||||
// TODO(bug 1779369): Fix this for all directive types.
|
||||
nsAutoString effectiveDirective(violatedDirective);
|
||||
if (aDirective == SCRIPT_SRC_ELEM_DIRECTIVE ||
|
||||
aDirective == SCRIPT_SRC_ATTR_DIRECTIVE) {
|
||||
effectiveDirective.AssignASCII(CSP_CSPDirectiveToString(aDirective));
|
||||
}
|
||||
|
||||
reportInlineViolation(aDirective, aTriggeringElement, aCSPEventListener,
|
||||
aNonce, reportSample ? content : EmptyString(),
|
||||
violatedDirective, effectiveDirective, i,
|
||||
aLineNumber, aColumnNumber);
|
||||
violatedDirective, i, aLineNumber, aColumnNumber);
|
||||
}
|
||||
}
|
||||
return NS_OK;
|
||||
@ -723,7 +698,6 @@ nsCSPContext::GetAllowsNavigateTo(nsIURI* aURI, bool aIsFormSubmission,
|
||||
nsCSPContext::BlockedContentSource::eSelf, // aBlockedSource
|
||||
nullptr, // aOriginalURI
|
||||
u"navigate-to"_ns, // aViolatedDirective
|
||||
u"navigate-to"_ns, // aEffectiveDirective
|
||||
i, // aViolatedPolicyIndex
|
||||
u""_ns, // aObserverSubject
|
||||
NS_ConvertUTF8toUTF16(spec), // aSourceFile
|
||||
@ -780,16 +754,14 @@ nsCSPContext::GetAllowsNavigateTo(nsIURI* aURI, bool aIsFormSubmission,
|
||||
bool reportSample = false; \
|
||||
mPolicies[p]->getDirectiveStringAndReportSampleForContentType( \
|
||||
directive##_SRC_DIRECTIVE, violatedDirective, &reportSample); \
|
||||
nsAutoString effectiveDirective(violatedDirective); \
|
||||
if (aViolationType == nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL || \
|
||||
aViolationType == \
|
||||
nsIContentSecurityPolicy::VIOLATION_TYPE_WASM_EVAL) { \
|
||||
effectiveDirective = u"script-src"_ns; \
|
||||
violatedDirective = u"script-src"_ns; \
|
||||
} \
|
||||
AsyncReportViolation(aTriggeringElement, aCSPEventListener, nullptr, \
|
||||
blockedContentSource, nullptr, violatedDirective, \
|
||||
effectiveDirective, p, \
|
||||
NS_LITERAL_STRING_FROM_CSTRING(observerTopic), \
|
||||
p, NS_LITERAL_STRING_FROM_CSTRING(observerTopic), \
|
||||
aSourceFile, reportSample ? aScriptSample : u""_ns, \
|
||||
aLineNum, aColumnNum); \
|
||||
} \
|
||||
@ -1057,14 +1029,14 @@ void StripURIForReporting(nsIURI* aURI, nsACString& outStrippedURI) {
|
||||
|
||||
nsresult nsCSPContext::GatherSecurityPolicyViolationEventData(
|
||||
nsIURI* aBlockedURI, const nsACString& aBlockedString, nsIURI* aOriginalURI,
|
||||
nsAString& aEffectiveDirective, uint32_t aViolatedPolicyIndex,
|
||||
nsAString& aViolatedDirective, uint32_t aViolatedPolicyIndex,
|
||||
nsAString& aSourceFile, nsAString& aScriptSample, uint32_t aLineNum,
|
||||
uint32_t aColumnNum,
|
||||
mozilla::dom::SecurityPolicyViolationEventInit& aViolationEventInit) {
|
||||
EnsureIPCPoliciesRead();
|
||||
NS_ENSURE_ARG_MAX(aViolatedPolicyIndex, mPolicies.Length() - 1);
|
||||
|
||||
MOZ_ASSERT(ValidateDirectiveName(aEffectiveDirective),
|
||||
MOZ_ASSERT(ValidateDirectiveName(aViolatedDirective),
|
||||
"Invalid directive name");
|
||||
|
||||
nsresult rv;
|
||||
@ -1089,12 +1061,12 @@ nsresult nsCSPContext::GatherSecurityPolicyViolationEventData(
|
||||
|
||||
// effective-directive
|
||||
// The name of the policy directive that was violated.
|
||||
aViolationEventInit.mEffectiveDirective = aEffectiveDirective;
|
||||
aViolationEventInit.mEffectiveDirective = aViolatedDirective;
|
||||
|
||||
// violated-directive
|
||||
// In CSP2, the policy directive that was violated, as it appears in the
|
||||
// policy. In CSP3, the same as effective-directive.
|
||||
aViolationEventInit.mViolatedDirective = aEffectiveDirective;
|
||||
aViolationEventInit.mViolatedDirective = aViolatedDirective;
|
||||
|
||||
// original-policy
|
||||
nsAutoString originalPolicy;
|
||||
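Review bot: The comment kept above `mViolatedDirective` ("In CSP3, the same as effective-directive") no longer describes what the new side emits: both `mEffectiveDirective` and `mViolatedDirective` are filled from `aViolatedDirective`, the directive name as written in the policy (so `default-src` when script checks fell back to it), whereas CSP3's effective-directive is the specific directive that governed the check. The web-platform-test expectation files added further down (`violated-directive=script-src-elem` marked FAIL) record exactly that divergence, so the comment should state it instead of claiming equivalence, e.g. `// NOTE: until script-src-elem/-attr are supported, both fields carry the directive as it appears in the policy (possibly a fallback such as default-src), not the CSP3 effective directive.` Readers of report-uri payloads and securitypolicyviolation events will otherwise be misled by the stale wording.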
@ -1415,10 +1387,9 @@ class CSPReportSenderRunnable final : public Runnable {
|
||||
nsIURI* aBlockedURI,
|
||||
nsCSPContext::BlockedContentSource aBlockedContentSource,
|
||||
nsIURI* aOriginalURI, uint32_t aViolatedPolicyIndex, bool aReportOnlyFlag,
|
||||
const nsAString& aViolatedDirective, const nsAString& aEffectiveDirective,
|
||||
const nsAString& aObserverSubject, const nsAString& aSourceFile,
|
||||
const nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum,
|
||||
nsCSPContext* aCSPContext)
|
||||
const nsAString& aViolatedDirective, const nsAString& aObserverSubject,
|
||||
const nsAString& aSourceFile, const nsAString& aScriptSample,
|
||||
uint32_t aLineNum, uint32_t aColumnNum, nsCSPContext* aCSPContext)
|
||||
: mozilla::Runnable("CSPReportSenderRunnable"),
|
||||
mTriggeringElement(aTriggeringElement),
|
||||
mCSPEventListener(aCSPEventListener),
|
||||
@ -1428,7 +1399,6 @@ class CSPReportSenderRunnable final : public Runnable {
|
||||
mViolatedPolicyIndex(aViolatedPolicyIndex),
|
||||
mReportOnlyFlag(aReportOnlyFlag),
|
||||
mViolatedDirective(aViolatedDirective),
|
||||
mEffectiveDirective(aEffectiveDirective),
|
||||
mSourceFile(aSourceFile),
|
||||
mScriptSample(aScriptSample),
|
||||
mLineNum(aLineNum),
|
||||
@ -1471,7 +1441,7 @@ class CSPReportSenderRunnable final : public Runnable {
|
||||
BlockedContentSourceToString(mBlockedContentSource, blockedContentSource);
|
||||
|
||||
rv = mCSPContext->GatherSecurityPolicyViolationEventData(
|
||||
mBlockedURI, blockedContentSource, mOriginalURI, mEffectiveDirective,
|
||||
mBlockedURI, blockedContentSource, mOriginalURI, mViolatedDirective,
|
||||
mViolatedPolicyIndex, mSourceFile, mScriptSample, mLineNum, mColumnNum,
|
||||
init);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
@ -1536,7 +1506,6 @@ class CSPReportSenderRunnable final : public Runnable {
|
||||
uint32_t mViolatedPolicyIndex;
|
||||
bool mReportOnlyFlag;
|
||||
nsString mViolatedDirective;
|
||||
nsString mEffectiveDirective;
|
||||
nsCOMPtr<nsISupports> mObserverSubject;
|
||||
nsString mSourceFile;
|
||||
nsString mScriptSample;
|
||||
@ -1578,9 +1547,9 @@ nsresult nsCSPContext::AsyncReportViolation(
|
||||
Element* aTriggeringElement, nsICSPEventListener* aCSPEventListener,
|
||||
nsIURI* aBlockedURI, BlockedContentSource aBlockedContentSource,
|
||||
nsIURI* aOriginalURI, const nsAString& aViolatedDirective,
|
||||
const nsAString& aEffectiveDirective, uint32_t aViolatedPolicyIndex,
|
||||
const nsAString& aObserverSubject, const nsAString& aSourceFile,
|
||||
const nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum) {
|
||||
uint32_t aViolatedPolicyIndex, const nsAString& aObserverSubject,
|
||||
const nsAString& aSourceFile, const nsAString& aScriptSample,
|
||||
uint32_t aLineNum, uint32_t aColumnNum) {
|
||||
EnsureIPCPoliciesRead();
|
||||
NS_ENSURE_ARG_MAX(aViolatedPolicyIndex, mPolicies.Length() - 1);
|
||||
|
||||
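Review bot: `NS_ENSURE_ARG_MAX(aViolatedPolicyIndex, mPolicies.Length() - 1)` gives no protection when `mPolicies` is empty: `Length()` is unsigned, so the bound wraps to the maximum value, every index passes, and the `mPolicies[aViolatedPolicyIndex]->getReportOnlyFlag()` dereference in the next hunk would read past the array. The callers visible in this diff report from loops over `mPolicies`, so this is probably unreachable today, but a direct comparison is both clearer and correct for the zero-policy case: `NS_ENSURE_TRUE(aViolatedPolicyIndex < mPolicies.Length(), NS_ERROR_INVALID_ARG);`. The same pattern appears in GatherSecurityPolicyViolationEventData above; AsyncReportViolation's body continues past the hunk.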
@ -1588,8 +1557,7 @@ nsresult nsCSPContext::AsyncReportViolation(
|
||||
aTriggeringElement, aCSPEventListener, aBlockedURI, aBlockedContentSource,
|
||||
aOriginalURI, aViolatedPolicyIndex,
|
||||
mPolicies[aViolatedPolicyIndex]->getReportOnlyFlag(), aViolatedDirective,
|
||||
aEffectiveDirective, aObserverSubject, aSourceFile, aScriptSample,
|
||||
aLineNum, aColumnNum, this);
|
||||
aObserverSubject, aSourceFile, aScriptSample, aLineNum, aColumnNum, this);
|
||||
|
||||
if (XRE_IsContentProcess()) {
|
||||
if (mEventTarget) {
|
||||
|
@ -122,10 +122,9 @@ class nsCSPContext : public nsIContentSecurityPolicy {
|
||||
mozilla::dom::Element* aTriggeringElement,
|
||||
nsICSPEventListener* aCSPEventListener, nsIURI* aBlockedURI,
|
||||
BlockedContentSource aBlockedContentSource, nsIURI* aOriginalURI,
|
||||
const nsAString& aViolatedDirective, const nsAString& aEffectiveDirective,
|
||||
uint32_t aViolatedPolicyIndex, const nsAString& aObserverSubject,
|
||||
const nsAString& aSourceFile, const nsAString& aScriptSample,
|
||||
uint32_t aLineNum, uint32_t aColumnNum);
|
||||
const nsAString& aViolatedDirective, uint32_t aViolatedPolicyIndex,
|
||||
const nsAString& aObserverSubject, const nsAString& aSourceFile,
|
||||
const nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum);
|
||||
|
||||
// Hands off! Don't call this method unless you know what you
|
||||
// are doing. It's only supposed to be called from within
|
||||
@ -162,7 +161,6 @@ class nsCSPContext : public nsIContentSecurityPolicy {
|
||||
nsICSPEventListener* aCSPEventListener,
|
||||
const nsAString& aNonce, const nsAString& aContent,
|
||||
const nsAString& aViolatedDirective,
|
||||
const nsAString& aEffectiveDirective,
|
||||
uint32_t aViolatedPolicyIndex,
|
||||
uint32_t aLineNumber, uint32_t aColumnNumber);
|
||||
|
||||
|
@ -43,7 +43,6 @@ nsCSPParser::nsCSPParser(policyTokens& aTokens, nsIURI* aSelfURI,
|
||||
: mCurChar(nullptr),
|
||||
mEndChar(nullptr),
|
||||
mHasHashOrNonce(false),
|
||||
mHasAnyUnsafeEval(false),
|
||||
mStrictDynamic(false),
|
||||
mUnsafeInlineKeywordSrc(nullptr),
|
||||
mChildSrc(nullptr),
|
||||
@ -401,11 +400,7 @@ nsCSPBaseSrc* nsCSPParser::keywordSource() {
|
||||
|
||||
if (CSP_IsKeyword(mCurToken, CSP_STRICT_DYNAMIC)) {
|
||||
if (!CSP_IsDirective(mCurDir[0],
|
||||
nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE) &&
|
||||
!CSP_IsDirective(mCurDir[0],
|
||||
nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE) &&
|
||||
!CSP_IsDirective(mCurDir[0],
|
||||
nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE)) {
|
||||
nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE)) {
|
||||
// Todo: Enforce 'strict-dynamic' within default-src; see Bug 1313937
|
||||
AutoTArray<nsString, 1> params = {u"strict-dynamic"_ns};
|
||||
logWarningErrorToConsole(nsIScriptError::warningFlag,
|
||||
@ -443,13 +438,11 @@ nsCSPBaseSrc* nsCSPParser::keywordSource() {
|
||||
if (doc) {
|
||||
doc->SetHasUnsafeEvalCSP(true);
|
||||
}
|
||||
mHasAnyUnsafeEval = true;
|
||||
return new nsCSPKeywordSrc(CSP_UTF16KeywordToEnum(mCurToken));
|
||||
}
|
||||
|
||||
if (StaticPrefs::security_csp_wasm_unsafe_eval_enabled() &&
|
||||
CSP_IsKeyword(mCurToken, CSP_WASM_UNSAFE_EVAL)) {
|
||||
mHasAnyUnsafeEval = true;
|
||||
return new nsCSPKeywordSrc(CSP_UTF16KeywordToEnum(mCurToken));
|
||||
}
|
||||
|
||||
@ -924,8 +917,7 @@ nsCSPDirective* nsCSPParser::directiveName() {
|
||||
}
|
||||
|
||||
// if we have a script-src, cache it as a fallback for worker-src
|
||||
// in case child-src is not present. It is also used as a fallback for
|
||||
// script-src-elem and script-src-attr.
|
||||
// in case child-src is not present
|
||||
if (directive == nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE) {
|
||||
mScriptSrc = new nsCSPScriptSrcDirective(directive);
|
||||
return mScriptSrc;
|
||||
@ -1011,7 +1003,6 @@ void nsCSPParser::directive() {
|
||||
// make sure to reset cache variables when trying to invalidate unsafe-inline;
|
||||
// unsafe-inline might not only appear in script-src, but also in default-src
|
||||
mHasHashOrNonce = false;
|
||||
mHasAnyUnsafeEval = false;
|
||||
mStrictDynamic = false;
|
||||
mUnsafeInlineKeywordSrc = nullptr;
|
||||
|
||||
@ -1031,12 +1022,8 @@ void nsCSPParser::directive() {
|
||||
|
||||
// If policy contains 'strict-dynamic' invalidate all srcs within script-src.
|
||||
if (mStrictDynamic) {
|
||||
MOZ_ASSERT(
|
||||
cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE) ||
|
||||
cspDir->equals(
|
||||
nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE) ||
|
||||
cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE),
|
||||
"strict-dynamic only allowed within script-src(-elem|attr)");
|
||||
MOZ_ASSERT(cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE),
|
||||
"strict-dynamic only allowed within script-src");
|
||||
for (uint32_t i = 0; i < srcs.Length(); i++) {
|
||||
// Please note that nsCSPNonceSrc as well as nsCSPHashSrc overwrite
|
||||
// invalidate(), so it's fine to just call invalidate() on all srcs.
|
||||
@ -1055,9 +1042,9 @@ void nsCSPParser::directive() {
|
||||
!StringBeginsWith(
|
||||
srcStr, nsDependentString(CSP_EnumToUTF16Keyword(CSP_NONCE))) &&
|
||||
!StringBeginsWith(srcStr, u"'sha"_ns)) {
|
||||
AutoTArray<nsString, 2> params = {srcStr, mCurDir[0]};
|
||||
AutoTArray<nsString, 1> params = {srcStr};
|
||||
logWarningErrorToConsole(nsIScriptError::warningFlag,
|
||||
"ignoringScriptSrcForStrictDynamic", params);
|
||||
"ignoringSrcForStrictDynamic", params);
|
||||
}
|
||||
}
|
||||
// Log a warning that all scripts might be blocked because the policy
|
||||
@ -1069,26 +1056,12 @@ void nsCSPParser::directive() {
|
||||
}
|
||||
} else if (mHasHashOrNonce && mUnsafeInlineKeywordSrc &&
|
||||
(cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE) ||
|
||||
cspDir->equals(
|
||||
nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE) ||
|
||||
cspDir->equals(
|
||||
nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE) ||
|
||||
cspDir->equals(nsIContentSecurityPolicy::STYLE_SRC_DIRECTIVE))) {
|
||||
mUnsafeInlineKeywordSrc->invalidate();
|
||||
|
||||
// Log to the console that unsafe-inline will be ignored.
|
||||
AutoTArray<nsString, 2> params = {u"'unsafe-inline'"_ns, mCurDir[0]};
|
||||
// log to the console that unsafe-inline will be ignored
|
||||
AutoTArray<nsString, 1> params = {u"'unsafe-inline'"_ns};
|
||||
logWarningErrorToConsole(nsIScriptError::warningFlag,
|
||||
"ignoringSrcWithinNonceOrHashDirective", params);
|
||||
}
|
||||
|
||||
if (mHasAnyUnsafeEval &&
|
||||
(cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE) ||
|
||||
cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE))) {
|
||||
// Log to the console that (wasm-)unsafe-eval will be ignored.
|
||||
AutoTArray<nsString, 1> params = {mCurDir[0]};
|
||||
logWarningErrorToConsole(nsIScriptError::warningFlag, "ignoringUnsafeEval",
|
||||
params);
|
||||
"ignoringSrcWithinScriptStyleSrc", params);
|
||||
}
|
||||
|
||||
// Add the newly created srcs to the directive and add the directive to the
|
||||
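Review bot: The 'unsafe-inline' invalidation on the new side only fires when the current directive is script-src or style-src, while the comment in the preceding hunk ("unsafe-inline might not only appear in script-src, but also in default-src") says the default-src case is in scope, and this diff does not show where a policy such as `default-src 'nonce-…' 'unsafe-inline'` is handled. If the nonce-wins rule is enforced at evaluation time for the default-src fallback, a comment here pointing at that code would resolve the apparent gap; if it is not, the condition needs to include the default-src directive, since otherwise the nonce would not disable 'unsafe-inline' for inline script governed by the fallback. I cannot tell from this page which it is, so this is a request to confirm rather than a reported bypass. directive()'s body continues outside the hunk.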
@ -1124,27 +1097,12 @@ nsCSPPolicy* nsCSPParser::policy() {
|
||||
mChildSrc->setRestrictWorkers();
|
||||
}
|
||||
}
|
||||
|
||||
// if script-src is specified, but not worker-src and also no child-src, then
|
||||
// script-src has to govern workers.
|
||||
if (mScriptSrc && !mWorkerSrc && !mChildSrc) {
|
||||
mScriptSrc->setRestrictWorkers();
|
||||
}
|
||||
|
||||
// If script-src is specified and script-src-elem is not specified, then
|
||||
// script-src has to govern script requests and script blocks.
|
||||
if (mScriptSrc && !mPolicy->hasDirective(
|
||||
nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE)) {
|
||||
mScriptSrc->setRestrictScriptElem();
|
||||
}
|
||||
|
||||
// If script-src is specified and script-src-attr is not specified, then
|
||||
// script-src has to govern script attr (event handlers).
|
||||
if (mScriptSrc && !mPolicy->hasDirective(
|
||||
nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE)) {
|
||||
mScriptSrc->setRestrictScriptAttr();
|
||||
}
|
||||
|
||||
return mPolicy;
|
||||
}
|
||||
|
||||
|
@ -182,9 +182,8 @@ class nsCSPParser {
|
||||
|
||||
// helpers to allow invalidation of srcs within script-src and style-src
|
||||
// if either 'strict-dynamic' or at least a hash or nonce is present.
|
||||
bool mHasHashOrNonce; // false, if no hash or nonce is defined
|
||||
bool mHasAnyUnsafeEval; // false, if no (wasm-)unsafe-eval keyword is used.
|
||||
bool mStrictDynamic; // false, if 'strict-dynamic' is not defined
|
||||
bool mHasHashOrNonce; // false, if no hash or nonce is defined
|
||||
bool mStrictDynamic; // false, if 'strict-dynamic' is not defined
|
||||
nsCSPKeywordSrc* mUnsafeInlineKeywordSrc; // null, otherwise invlidate()
|
||||
|
||||
// cache variables for child-src, frame-src and worker-src handling;
|
||||
|
@ -255,11 +255,9 @@ void CSP_LogLocalizedStr(const char* aName, const nsTArray<nsString>& aParams,
|
||||
}
|
||||
|
||||
/* ===== Helpers ============================ */
|
||||
// This implements
|
||||
// https://w3c.github.io/webappsec-csp/#effective-directive-for-a-request.
|
||||
// However the spec doesn't currently cover all request destinations, which
|
||||
// we roughly represent using nsContentPolicyType.
|
||||
CSPDirective CSP_ContentTypeToDirective(nsContentPolicyType aType) {
|
||||
// We need to know if this is a worker so child-src can handle that case
|
||||
// correctly.
|
||||
switch (aType) {
|
||||
case nsIContentPolicy::TYPE_IMAGE:
|
||||
case nsIContentPolicy::TYPE_IMAGESET:
|
||||
@ -280,11 +278,7 @@ CSPDirective CSP_ContentTypeToDirective(nsContentPolicyType aType) {
|
||||
case nsIContentPolicy::TYPE_INTERNAL_PAINTWORKLET:
|
||||
case nsIContentPolicy::TYPE_INTERNAL_CHROMEUTILS_COMPILED_SCRIPT:
|
||||
case nsIContentPolicy::TYPE_INTERNAL_FRAME_MESSAGEMANAGER_SCRIPT:
|
||||
// (https://github.com/w3c/webappsec-csp/issues/554)
|
||||
// Some of these types are not explicitly defined in the spec.
|
||||
//
|
||||
// Chrome seems to use script-src-elem for worklet!
|
||||
return nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE;
|
||||
return nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE;
|
||||
|
||||
case nsIContentPolicy::TYPE_STYLESHEET:
|
||||
case nsIContentPolicy::TYPE_INTERNAL_STYLESHEET:
|
||||
@ -1216,16 +1210,6 @@ void nsCSPDirective::toDomCSPStruct(mozilla::dom::CSP& outCSP) const {
|
||||
outCSP.mWorker_src.Value() = std::move(srcs);
|
||||
return;
|
||||
|
||||
case nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE:
|
||||
outCSP.mScript_src_elem.Construct();
|
||||
outCSP.mScript_src_elem.Value() = std::move(srcs);
|
||||
return;
|
||||
|
||||
case nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE:
|
||||
outCSP.mScript_src_attr.Construct();
|
||||
outCSP.mScript_src_attr.Value() = std::move(srcs);
|
||||
return;
|
||||
|
||||
default:
|
||||
NS_ASSERTION(false, "cannot find directive to convert CSP to JSON");
|
||||
}
|
||||
@ -1293,10 +1277,7 @@ bool nsCSPChildSrcDirective::equals(CSPDirective aDirective) const {
|
||||
/* =============== nsCSPScriptSrcDirective ============= */
|
||||
|
||||
nsCSPScriptSrcDirective::nsCSPScriptSrcDirective(CSPDirective aDirective)
|
||||
: nsCSPDirective(aDirective),
|
||||
mRestrictWorkers(false),
|
||||
mRestrictScriptElem(false),
|
||||
mRestrictScriptAttr(false) {}
|
||||
: nsCSPDirective(aDirective), mRestrictWorkers(false) {}
|
||||
|
||||
nsCSPScriptSrcDirective::~nsCSPScriptSrcDirective() = default;
|
||||
|
||||
@ -1304,12 +1285,6 @@ bool nsCSPScriptSrcDirective::equals(CSPDirective aDirective) const {
|
||||
if (aDirective == nsIContentSecurityPolicy::WORKER_SRC_DIRECTIVE) {
|
||||
return mRestrictWorkers;
|
||||
}
|
||||
if (aDirective == nsIContentSecurityPolicy::SCRIPT_SRC_ELEM_DIRECTIVE) {
|
||||
return mRestrictScriptElem;
|
||||
}
|
||||
if (aDirective == nsIContentSecurityPolicy::SCRIPT_SRC_ATTR_DIRECTIVE) {
|
||||
return mRestrictScriptAttr;
|
||||
}
|
||||
return (mDirective == aDirective);
|
||||
}
|
||||
|
||||
|
@ -88,9 +88,7 @@ static const char* CSPStrDirectives[] = {
|
||||
"block-all-mixed-content", // BLOCK_ALL_MIXED_CONTENT
|
||||
"sandbox", // SANDBOX_DIRECTIVE
|
||||
"worker-src", // WORKER_SRC_DIRECTIVE
|
||||
"navigate-to", // NAVIGATE_TO_DIRECTIVE
|
||||
"script-src-elem", // SCRIPT_SRC_ELEM_DIRECTIVE
|
||||
"script-src-attr", // SCRIPT_SRC_ATTR_DIRECTIVE
|
||||
"navigate-to" // NAVIGATE_TO_DIRECTIVE
|
||||
};
|
||||
|
||||
inline const char* CSP_CSPDirectiveToString(CSPDirective aDir) {
|
||||
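Review bot: `CSPStrDirectives` is a positional table that `CSP_CSPDirectiveToString` (whose body starts at the end of this hunk and continues outside it) indexes by `CSPDirective`, and this commit drops two entries here in step with the two enum values removed in nsIContentSecurityPolicy.idl, yet nothing ties the two files together, so the next change to one without the other yields a wrong or out-of-bounds directive name in violation reports. A compile-time check beside the table closes that off, e.g. `static_assert(std::size(CSPStrDirectives) == nsIContentSecurityPolicy::NAVIGATE_TO_DIRECTIVE + 1, "CSPStrDirectives must match the CSPDirective enum");`, assuming `navigate-to` remains the last enum value as the idl hunk shows and `<iterator>` or the project's ArrayLength helper is available in this header.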
@ -512,15 +510,11 @@ class nsCSPScriptSrcDirective : public nsCSPDirective {
|
||||
virtual ~nsCSPScriptSrcDirective();
|
||||
|
||||
void setRestrictWorkers() { mRestrictWorkers = true; }
|
||||
void setRestrictScriptElem() { mRestrictScriptElem = true; }
|
||||
void setRestrictScriptAttr() { mRestrictScriptAttr = true; }
|
||||
|
||||
virtual bool equals(CSPDirective aDirective) const override;
|
||||
|
||||
private:
|
||||
bool mRestrictWorkers;
|
||||
bool mRestrictScriptElem;
|
||||
bool mRestrictScriptAttr;
|
||||
};
|
||||
|
||||
/* =============== nsBlockAllMixedContentDirective === */
|
||||
|
@ -22,7 +22,7 @@ SimpleTest.waitForExplicitFinish();
|
||||
function receiveMessage(event) {
|
||||
window.removeEventListener("message", receiveMessage);
|
||||
is(event.data.blockedURI, "inline", "blockedURI");
|
||||
is(event.data.violatedDirective, "script-src-elem", "violatedDirective")
|
||||
is(event.data.violatedDirective, "script-src", "violatedDirective")
|
||||
is(event.data.originalPolicy, "script-src 'nonce-bug1550414'", "originalPolicy");
|
||||
SimpleTest.finish();
|
||||
}
|
||||
|
@ -50,7 +50,7 @@ window.checkResults = function(reportObj) {
|
||||
|
||||
is(cspReport["blocked-uri"], "inline", "Incorrect blocked-uri");
|
||||
|
||||
is(cspReport["violated-directive"], "script-src-elem", "Incorrect violated-directive");
|
||||
is(cspReport["violated-directive"], "default-src", "Incorrect violated-directive");
|
||||
|
||||
is(cspReport["original-policy"], "default-src 'none' 'report-sample'; report-uri http://mochi.test:8888/foo.sjs",
|
||||
"Incorrect original-policy");
|
||||
|
@ -121,7 +121,7 @@ function run_test() {
|
||||
makeTest(0, { "blocked-uri": "inline" }, false, function(csp) {
|
||||
let inlineOK = true;
|
||||
inlineOK = csp.getAllowsInline(
|
||||
Ci.nsIContentSecurityPolicy.SCRIPT_SRC_ELEM_DIRECTIVE,
|
||||
Ci.nsIContentSecurityPolicy.SCRIPT_SRC_DIRECTIVE,
|
||||
"", // aNonce
|
||||
false, // aParserCreated
|
||||
null, // aTriggeringElement
|
||||
@ -193,7 +193,7 @@ function run_test() {
|
||||
makeTest(3, { "blocked-uri": "inline" }, true, function(csp) {
|
||||
let inlineOK = true;
|
||||
inlineOK = csp.getAllowsInline(
|
||||
Ci.nsIContentSecurityPolicy.SCRIPT_SRC_ELEM_DIRECTIVE,
|
||||
Ci.nsIContentSecurityPolicy.SCRIPT_SRC_DIRECTIVE,
|
||||
"", // aNonce
|
||||
false, // aParserCreated
|
||||
null, // aTriggeringElement
|
||||
|
@ -30,8 +30,6 @@ dictionary CSP {
|
||||
sequence<DOMString> block-all-mixed-content;
|
||||
sequence<DOMString> sandbox;
|
||||
sequence<DOMString> worker-src;
|
||||
sequence<DOMString> script-src-elem;
|
||||
sequence<DOMString> script-src-attr;
|
||||
};
|
||||
|
||||
[GenerateToJSON]
|
||||
|
@ -0,0 +1,5 @@
|
||||
implementation-status: backlog
|
||||
[blob-urls-do-not-match-self.sub.html]
|
||||
[Expecting logs: ["violated-directive=script-src-elem"\]]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,5 @@
|
||||
implementation-status: backlog
|
||||
[default-src-inline-blocked.sub.html]
|
||||
[Expecting logs: ["violated-directive=script-src-elem","violated-directive=script-src-elem"\]]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,4 @@
|
||||
[generic-0_1-script-src.html]
|
||||
[Should fire violation events for every failed violation]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,4 @@
|
||||
[generic-0_10_1.sub.html]
|
||||
[Should fire violation events for every failed violation]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,4 @@
|
||||
[generic-0_2_2.sub.html]
|
||||
[Should fire violation events for every failed violation]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,4 @@
|
||||
[generic-0_2_3.html]
|
||||
[Should fire violation events for every failed violation]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,4 @@
|
||||
[report-uri-effective-directive.html]
|
||||
[Violation report status OK.]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1 @@
|
||||
implementation-status: backlog
|
@ -0,0 +1,4 @@
|
||||
[script-src-attr-allowed-src-blocked.html]
|
||||
[Should not fire a security policy violation event]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,5 @@
|
||||
[script-src-attr-blocked-src-allowed.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire a security policy violation event]
|
||||
expected: NOTRUN
|
||||
|
@ -0,0 +1,5 @@
|
||||
[script-src-elem-allowed-attr-blocked.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire a security policy violation for the attribute]
|
||||
expected: NOTRUN
|
||||
|
@ -0,0 +1,4 @@
|
||||
[script-src-elem-allowed-src-blocked.html]
|
||||
[Should not fire a security policy violation event]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,5 @@
|
||||
[script-src-elem-blocked-attr-allowed.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire a security policy violation for the attribute]
|
||||
expected: NOTRUN
|
||||
|
@ -0,0 +1,5 @@
|
||||
[script-src-elem-blocked-src-allowed.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire a spv event]
|
||||
expected: NOTRUN
|
||||
|
@ -0,0 +1,4 @@
|
||||
[strict-dynamic-elem-allowed-src-blocked.html]
|
||||
[Should not fire a security policy violation event]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,4 @@
|
||||
[strict-dynamic-elem-blocked-src-allowed.sub.html]
|
||||
[Should fire a security policy violation event]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,5 @@
|
||||
implementation-status: backlog
|
||||
[injected-inline-script-blocked.sub.html]
|
||||
[Expecting logs: ["violated-directive=script-src-elem","blocked-uri=inline"\]]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,5 @@
|
||||
implementation-status: backlog
|
||||
[javascript-window-open-blocked.html]
|
||||
[Check that a securitypolicyviolation event is fired]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,4 @@
|
||||
[script-src-1_1.html]
|
||||
[Should fire policy violation events]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,4 @@
|
||||
[script-src-1_10.html]
|
||||
[Test that securitypolicyviolation event is fired]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,6 @@
|
||||
[script-src-1_2.html]
|
||||
disabled:
|
||||
if (os == "win"): bug 1172411
|
||||
[Should fire policy violation events]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,6 @@
|
||||
[script-src-1_2_1.html]
|
||||
disabled:
|
||||
if (os == "win"): bug 1094323
|
||||
[Test that securitypolicyviolation event is fired]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,5 @@
|
||||
implementation-status: backlog
|
||||
[script-src-report-only-policy-works-with-hash-policy.html]
|
||||
[Test that the securitypolicyviolation event is fired]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,5 @@
|
||||
implementation-status: backlog
|
||||
[script-src-strict_dynamic_discard_source_expressions.html]
|
||||
[Allowed scripts without a correct nonce are not permitted with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,4 @@
|
||||
[script-src-strict_dynamic_double_policy_different_nonce.html]
|
||||
[Unnonced script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce-only double policy.]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,4 @@
|
||||
[script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html]
|
||||
[Non-allowed script injected via `appendChild` is not permitted with `strict-dynamic` + a nonce+allowed double policy.]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,5 @@
|
||||
implementation-status: backlog
|
||||
[script-src-strict_dynamic_double_policy_report_only.html]
|
||||
[Script injected via `appendChild` is allowed with `strict-dynamic` + Report-Only `script-src 'none'` policy.]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,5 @@
|
||||
implementation-status: backlog
|
||||
[script-src-strict_dynamic_javascript_uri.html]
|
||||
[Script injected via `javascript:` URIs are not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,5 @@
|
||||
implementation-status: backlog
|
||||
[script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html]
|
||||
[All the expected CSP violation reports have been fired.]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,32 @@
|
||||
implementation-status: backlog
|
||||
[script-src-strict_dynamic_parser_inserted.html]
|
||||
[Parser-inserted deferred script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
||||
[Parser-inserted deferred async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
||||
[Parser-inserted script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
||||
[Parser-inserted script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
||||
[Parser-inserted deferred script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
||||
[Parser-inserted async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
||||
[Parser-inserted async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
||||
[Parser-inserted deferred async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
||||
[Script injected via `innerHTML` is not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
||||
[Script injected via `insertAdjacentHTML` is not allowed with `strict-dynamic`.]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,5 @@
|
||||
implementation-status: backlog
|
||||
[scripthash-unicode-normalization.sub.html]
|
||||
[Should fire securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,5 @@
|
||||
implementation-status: backlog
|
||||
[scriptnonce-and-scripthash.sub.html]
|
||||
[Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"\]]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,5 @@
|
||||
implementation-status: backlog
|
||||
[scriptnonce-ignore-unsafeinline.sub.html]
|
||||
[Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src-elem"\]]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,5 @@
|
||||
implementation-status: backlog
|
||||
[srcdoc-doesnt-bypass-script-src.sub.html]
|
||||
[Expecting logs: ["violated-directive=script-src-elem"\]]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,5 @@
|
||||
implementation-status: backlog
|
||||
[svg-inline.sub.html]
|
||||
[Should fire violation event]
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
[javascript_src_allowed-href_blank-script-src-elem.html]
|
||||
[javascript: navigation using <a href target=_blank> should be allowed]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,4 @@
|
||||
implementation-status: backlog
|
||||
[javascript_src_denied_missing_unsafe_hashes-href.html]
|
||||
[javascript: navigation using <a href> should be refused due to missing unsafe-hashes]
|
||||
expected: FAIL
|
@ -0,0 +1,3 @@
|
||||
[javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-elem.html]
|
||||
[javascript: navigation using <a href target=_blank> should be refused due to missing unsafe-hashes]
|
||||
expected: FAIL
|
@ -0,0 +1,4 @@
|
||||
implementation-status: backlog
|
||||
[javascript_src_denied_missing_unsafe_hashes-href_blank.html]
|
||||
[javascript: navigation using <a href target=_blank> should be refused due to missing unsafe-hashes]
|
||||
expected: FAIL
|
@ -0,0 +1,5 @@
|
||||
implementation-status: backlog
|
||||
[javascript_src_denied_missing_unsafe_hashes-window_open.html]
|
||||
[Test that the javascript: src is not allowed to run]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,4 @@
|
||||
implementation-status: backlog
|
||||
[javascript_src_denied_wrong_hash-href.html]
|
||||
[javascript: navigation using <a href> should be refused due to wrong hash]
|
||||
expected: FAIL
|
@ -0,0 +1,3 @@
|
||||
[javascript_src_denied_wrong_hash-href_blank-script-src-elem.html]
|
||||
[javascript: navigation using <a href target=_blank> should be refused due to wrong hash]
|
||||
expected: FAIL
|
@ -0,0 +1,4 @@
|
||||
implementation-status: backlog
|
||||
[javascript_src_denied_wrong_hash-href_blank.html]
|
||||
[javascript: navigation using <a href target=_blank> should be refused due to wrong hash]
|
||||
expected: FAIL
|
@ -0,0 +1,5 @@
|
||||
implementation-status: backlog
|
||||
[javascript_src_denied_wrong_hash-window_open.html]
|
||||
[Test that the javascript: src is not allowed to run]
|
||||
expected: FAIL
|
||||
|
@ -0,0 +1,4 @@
|
||||
[script_event_handlers_denied_wrong_hash.html]
|
||||
[Test that the inline event handler is not allowed to run]
|
||||
expected: FAIL
|
||||
|