LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-inline-style-expected.txt - Issue 1318153009: CSP: Loosen restrictions on inline style and event attributes.

Unified Diff: LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-inline-style-expected.txt

Issue 1318153009: CSP: Loosen restrictions on inline style and event attributes. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master

Patch Set: Created 5 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« no previous file with comments | « LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-inline-script-expected.txt ('k') | LayoutTests/http/tests/security/isolatedWorld/resources/bypass-main-world-csp-for-inline-script.js » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-inline-style-expected.txt

diff --git a/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-inline-style-expected.txt b/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-inline-style-expected.txt

index ae396c522c55a442ae70a56714c9de5c61f086c1..bf364f617d4fc20b7399195d1c37f4f30859572a 100644

--- a/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-inline-style-expected.txt

+++ b/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-inline-style-expected.txt

@@ -1,15 +1,19 @@

-CONSOLE MESSAGE: line 38: Injecting in main world: this should fail.

-CONSOLE ERROR: Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-e60BLfvCKfiss30l0/CjqQlJEpX7WtoC8LEKMl+iG90='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

+CONSOLE MESSAGE: line 58: Injecting in main world: this should fail.

+CONSOLE ERROR: Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-VW0vOGrZCqH0TKtw5B5uFtLP1DqNIIUce/tDyu/378c='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

CONSOLE MESSAGE: line 31: PASS: Style assignment in test 4 was not blocked by CSP.

-CONSOLE MESSAGE: line 42: Injecting into isolated world without bypass: this should fail.

-CONSOLE ERROR: Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-kVbFCEN3tujpGR/7YZ0u911bqia3698BE0FCDj/PtPI='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

+CONSOLE MESSAGE: line 62: Injecting into isolated world without bypass: this should fail.

+CONSOLE ERROR: Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-mqk0x+ZowQUO8stz3Tm8e/4c044WSEbqlTVrz4jf9ko='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

CONSOLE MESSAGE: line 19: PASS: Style assignment in test 3 was not blocked by CSP.

-CONSOLE MESSAGE: line 46: Starting to bypass main world's CSP: this should pass!

+CONSOLE ERROR: Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-ZBTj5RHLnrF+IxdRZM2RuLfjTJQXNSi7fLQHr09onfY='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

+CONSOLE MESSAGE: line 17: PASS: Style attribute assignment in test 3 was not blocked by CSP.

+CONSOLE MESSAGE: line 67: Starting to bypass main world's CSP: this should pass!

CONSOLE MESSAGE: line 12: PASS: Style assignment in test 2 was blocked by CSP.

-CONSOLE MESSAGE: line 51: Injecting into main world again: this should fail.

-CONSOLE ERROR: Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-VDsBNA+Zvvkmllh2FMR8cCCzjPNSS0Q/2b0ra+R4nt8='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

+CONSOLE MESSAGE: line 10: PASS: Style attribute assignment in test 2 was blocked by CSP.

+CONSOLE MESSAGE: line 73: Injecting into main world again: this should fail.

+CONSOLE ERROR: Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-bUBNmssmL79UBWplbQJyN9Hi2tRE9H345W5DVyjdUq4='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

CONSOLE MESSAGE: line 31: PASS: Style assignment in test 1 was not blocked by CSP.

This test ensures that style applied in isolated worlds marked with their own Content Security Policy aren't affected by the page's content security policy. Extensions, for example, should be able to inject inline CSS (even though it's probably a bad idea to do so).