Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(124)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html

Issue 1361763005: Disallow CSP source * matching of data:, blob:, and filesystem: URLs (Closed) Base URL: https://chromium.googlesource.com/chromium/src@master
Patch Set: Created 5 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp » ('j') | third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 <!DOCTYPE html>
2 <html>
3 <head>
4 <title>script-src disallowed wildcard use</title>
5 <script src="../../../resources/testharness.js"></script>
6 <script src="../../../resources/testharnessreport.js"></script>
7 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-nonce' *">
8 </head>
9 <body>
10 <script nonce="nonce">
11 var t1 = async_test('data: URIs should not match *');
12 t1.step(function() {
13 var script = document.createElement("script");
14 script.src = 'data:application/javascript,';
15 script.addEventListener('load', t1.step_func(function() {
16 assert_unreached('Should not successfully load data URI.');
17 }));
18 script.addEventListener('error', t1.step_func(function() {
19 t1.done();
20 }));
21 document.head.appendChild(script);
22 });
23
24 var t2 = async_test('blob: URIs should not match *');
25 t2.step(function() {
26 var b = new Blob([''], { type: 'application/javascript' });
27 var script = document.createElement('script');
28 script.addEventListener('load', t2.step_func(function() {
29 assert_unreached('Should not successfully load blob URI.');
30 }));
31 script.addEventListener('error', t2.step_func(function() {
32 t2.done();
33 }));
34
35 script.src = URL.createObjectURL(b);
36 document.head.appendChild(script);
37 });
38
39 var t3 = async_test('filesystem URIs should not match *');
40 window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs ) {
Mike West 2015/09/25 13:53:41 Nit: Wrap this in an `if (window.webkitRequestFile
jww 2015/09/25 15:32:15 Done.
41 fs.root.getFile('fail.js', {create: true}, function(fileEntry) {
42 fileEntry.createWriter(function(fileWriter) {
43 var script = document.createElement('script');
44
45 script.addEventListener('load', t3.step_func(function() {
46 assert_unreached('Should not successfully load filesyste m URI.');
47 }));
48 script.addEventListener('error', t3.step_func(function() {
49 t3.done();
50 }));
51
52 script.src = fileEntry.toURL('application/javascript');
53 document.body.appendChild(script);
54 });
55 });
56 });
57 </script>
58 </body>
59 </html>
OLDNEW
« no previous file with comments | « no previous file | third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp » ('j') | third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp » ('J')

Powered by Google App Engine
This is Rietveld 408576698