Disallow CSP source * matching of data:, blob:, and filesystem: URLs

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html

Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html
new file mode 100644
index 0000000000000000000000000000000000000000..fe27b33314e8ab21d0c30d58aaf907095c372647
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<html>
+    <head>
+    <title>script-src disallowed wildcard use</title>
+    <script src="../../../resources/testharness.js"></script>
+    <script src="../../../resources/testharnessreport.js"></script>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-nonce' *">
+    </head>
+    <body>
+    <script nonce="nonce">
+        var t1 = async_test('data: URIs should not match *');
+        t1.step(function() {
+            var script = document.createElement("script");
+            script.src = 'data:application/javascript,';
+            script.addEventListener('load', t1.step_func(function() {
+                assert_unreached('Should not successfully load data URI.');
+            }));
+            script.addEventListener('error', t1.step_func(function() {
+                t1.done();
+            }));
+            document.head.appendChild(script);
+        });
+
+        var t2 = async_test('blob: URIs should not match *');
+        t2.step(function() {
+            var b = new Blob([''], { type: 'application/javascript' });
+            var script = document.createElement('script');
+            script.addEventListener('load', t2.step_func(function() {
+                assert_unreached('Should not successfully load blob URI.');
+            }));
+            script.addEventListener('error', t2.step_func(function() {
+                t2.done();
+            }));
+
+            script.src = URL.createObjectURL(b);
+            document.head.appendChild(script);
+        });
+
+        var t3 = async_test('filesystem URIs should not match *');
+        window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs) {

[Mike West, 2015/09/25 13:53:41]

Nit: Wrap this in an `if (window.webkitRequestFileSystem)`, please. That will
make it easier to upstream to w3c/web-platform-test.

[jww, 2015/09/25 15:32:15]

Done.

+            fs.root.getFile('fail.js', {create: true}, function(fileEntry) {
+                fileEntry.createWriter(function(fileWriter) {
+                    var script = document.createElement('script');
+
+                    script.addEventListener('load', t3.step_func(function() {
+                        assert_unreached('Should not successfully load filesystem URI.');
+                    }));
+                    script.addEventListener('error', t3.step_func(function() {
+                        t3.done();
+                    }));
+
+                    script.src = fileEntry.toURL('application/javascript');
+                    document.body.appendChild(script);
+                });
+            });
+        });
+    </script>
+    </body>
+</html>