Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1881)

Unified Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html

Issue 1361763005: Disallow CSP source * matching of data:, blob:, and filesystem: URLs (Closed) Base URL: https://chromium.googlesource.com/chromium/src@master
Patch Set: Better extensions fix Created 5 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html
new file mode 100644
index 0000000000000000000000000000000000000000..6c0916c1fed2dbaf5abdca20cab530114b9cad3b
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>script-src disallowed wildcard use</title>
+ <script src="../../../resources/testharness.js"></script>
+ <script src="../../../resources/testharnessreport.js"></script>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-nonce' *">
+ </head>
+ <body>
+ <script nonce="nonce">
+ var t1 = async_test('data: URIs should not match *');
+ t1.step(function() {
+ var script = document.createElement("script");
+ script.src = 'data:application/javascript,';
+ script.addEventListener('load', t1.step_func(function() {
+ assert_unreached('Should not successfully load data URI.');
+ }));
+ script.addEventListener('error', t1.step_func(function() {
+ t1.done();
+ }));
+ document.head.appendChild(script);
+ });
+
+ var t2 = async_test('blob: URIs should not match *');
+ t2.step(function() {
+ var b = new Blob([''], { type: 'application/javascript' });
+ var script = document.createElement('script');
+ script.addEventListener('load', t2.step_func(function() {
+ assert_unreached('Should not successfully load blob URI.');
+ }));
+ script.addEventListener('error', t2.step_func(function() {
+ t2.done();
+ }));
+
+ script.src = URL.createObjectURL(b);
+ document.head.appendChild(script);
+ });
+
+ if (window.webkitRequestFileSystem) {
+ var t3 = async_test('filesystem URIs should not match *');
+ window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs) {
+ fs.root.getFile('fail.js', {create: true}, function(fileEntry) {
+ fileEntry.createWriter(function(fileWriter) {
+ var script = document.createElement('script');
+
+ script.addEventListener('load', t3.step_func(function() {
+ assert_unreached('Should not successfully load filesystem URI.');
+ }));
+ script.addEventListener('error', t3.step_func(function() {
+ t3.done();
+ }));
+
+ script.src = fileEntry.toURL('application/javascript');
+ document.body.appendChild(script);
+ });
+ });
+ });
+ }
+ </script>
+ </body>
+</html>
« no previous file with comments | « extensions/common/manifest_handlers/csp_info.cc ('k') | third_party/WebKit/Source/core/frame/csp/CSPSourceList.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698