| 1 <!DOCTYPE html> |
| 2 <html> |
| 3 <head> |
| 4 <title>Embedded Enforcement: Subsumption Algorithm - 'unsafe-inline' keyword.</t
itle> |
| 5 <script src="/resources/testharness.js"></script> |
| 6 <script src="/resources/testharnessreport.js"></script> |
| 7 <script src="support/testharness-helper.sub.js"></script> |
| 8 </head> |
| 9 <body> |
| 10 <script> |
| 11 var tests = [ |
| 12 { "name": "'strict-dynamic' is ineffective for `style-src`.", |
| 13 "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inlin
e' 'strict-dynamic'", |
| 14 "returned_csp_1": "style-src 'unsafe-inline' http://example1.com/foo/bar
.html", |
| 15 "returned_csp_2": null, |
| 16 "expected": IframeLoad.EXPECT_LOAD }, |
| 17 { "name": "'unsafe-inline' is properly subsumed in `style-src`.", |
| 18 "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inlin
e'", |
| 19 "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline'", |
| 20 "returned_csp_2": null, |
| 21 "expected": IframeLoad.EXPECT_LOAD }, |
| 22 { "name": "'unsafe-inline' is only ineffective if the effective returned c
sp has nonces in `style-src`.", |
| 23 "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inlin
e'", |
| 24 "returned_csp_1": "style-src 'unsafe-inline' 'nonce-yay'", |
| 25 "returned_csp_2": "style-src 'unsafe-inline'", |
| 26 "expected": IframeLoad.EXPECT_LOAD }, |
| 27 { "name": "'unsafe-inline' is only ineffective if the effective returned c
sp has hashes in `style-src`.", |
| 28 "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inlin
e'", |
| 29 "returned_csp_1": "style-src 'unsafe-inline' 'sha256-abc123'", |
| 30 "returned_csp_2": "style-src 'unsafe-inline'", |
| 31 "expected": IframeLoad.EXPECT_LOAD }, |
| 32 { "name": "Returned csp does not have to allow 'unsafe-inline' in `style-s
rc` to be subsumed.", |
| 33 "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inlin
e'", |
| 34 "returned_csp_1": "style-src 'self'", |
| 35 "returned_csp_2": null, |
| 36 "expected": IframeLoad.EXPECT_LOAD }, |
| 37 { "name": "'unsafe-inline' does not matter if returned csp is effectively
`none`.", |
| 38 "required_csp": "style-src 'unsafe-inline'", |
| 39 "returned_csp_1": "style-src ", |
| 40 "returned_csp_2": null, |
| 41 "expected": IframeLoad.EXPECT_LOAD }, |
| 42 { "name": "'unsafe-inline' is properly subsumed in `script-src`.", |
| 43 "required_csp": "script-src http://example1.com/foo/ 'self' 'unsafe-inli
ne'", |
| 44 "returned_csp_1": "script-src http://example1.com/foo/ 'unsafe-inline'", |
| 45 "returned_csp_2": null, |
| 46 "expected": IframeLoad.EXPECT_LOAD }, |
| 47 { "name": "Returned csp only loads 'unsafe-inline' scripts with 'nonce-abc
'.", |
| 48 "required_csp": "script-src http://example1.com/foo/ 'self' 'unsafe-inli
ne'", |
| 49 "returned_csp_1": "script-src 'nonce-abc'", |
| 50 "returned_csp_2": "script-src 'unsafe-inline'", |
| 51 "expected": IframeLoad.EXPECT_LOAD }, |
| 52 { "name": "'unsafe-inline' is ineffective when nonces are present.", |
| 53 "required_csp": "script-src http://example1.com/foo/ 'self' 'unsafe-inli
ne'", |
| 54 "returned_csp_1": "script-src 'unsafe-inline' 'nonce-abc'", |
| 55 "returned_csp_2": "script-src 'unsafe-inline'", |
| 56 "expected": IframeLoad.EXPECT_LOAD }, |
| 57 { "name": "'unsafe-inline' is only ineffective if the effective returned c
sp has hashes in `script-src`.", |
| 58 "required_csp": "script-src http://example1.com/foo/ 'self' 'unsafe-inli
ne'", |
| 59 "returned_csp_1": "script-src 'unsafe-inline' 'sha256-abc123' 'nonce-abc
'", |
| 60 "returned_csp_2": "script-src 'unsafe-inline'", |
| 61 "expected": IframeLoad.EXPECT_LOAD }, |
| 62 { "name": "Required csp allows `strict-dynamic`, but retuned csp does.", |
| 63 "required_csp": "script-src http://example1.com/foo/ 'unsafe-inline' 'st
rict-dynamic'", |
| 64 "returned_csp_1": "script-src 'unsafe-inline' http://example1.com/foo/ba
r.html", |
| 65 "returned_csp_2": null, |
| 66 "expected": IframeLoad.EXPECT_BLOCK }, |
| 67 { "name": "Required csp does not allow `unsafe-inline`, but retuned csp do
es.", |
| 68 "required_csp": "style-src http://example1.com/foo/ 'self'", |
| 69 "returned_csp_1": "style-src 'unsafe-inline'", |
| 70 "returned_csp_2": null, |
| 71 "expected": IframeLoad.EXPECT_BLOCK }, |
| 72 { "name": "Returned csp whitelists a nonce.", |
| 73 "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inlin
e'", |
| 74 "returned_csp_1": "style-src 'unsafe-inline' 'nonce-abc'", |
| 75 "returned_csp_2": "style-src 'nonce-abc'", |
| 76 "expected": IframeLoad.EXPECT_BLOCK }, |
| 77 { "name": "Returned csp whitelists a hash.", |
| 78 "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inlin
e'", |
| 79 "returned_csp_1": "style-src 'unsafe-inline' 'sha256-abc123'", |
| 80 "returned_csp_2": "style-src 'sha256-abc123'", |
| 81 "expected": IframeLoad.EXPECT_BLOCK }, |
| 82 { "name": "Effective returned csp allows 'unsafe-inline'", |
| 83 "required_csp": "style-src http://example1.com/foo/ 'self'", |
| 84 "returned_csp_1": "style-src 'unsafe-inline' https://example.test/", |
| 85 "returned_csp_2": "style-src 'unsafe-inline'", |
| 86 "expected": IframeLoad.EXPECT_BLOCK }, |
| 87 { "name": "Effective returned csp does not allow 'sha512-321cba' hash.", |
| 88 "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inlin
e' 'sha512-321cba'", |
| 89 "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline' 'n
once-yay'", |
| 90 "returned_csp_2": "style-src http://example1.com/foo/ 'unsafe-inline' 's
ha512-321cba'", |
| 91 "expected": IframeLoad.EXPECT_LOAD }, |
| 92 ]; |
| 93 tests.forEach(test => { |
| 94 async_test(t => { |
| 95 var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1
); |
| 96 if (test.returned_csp_2) |
| 97 url.searchParams.append("policy2", test.returned_csp_2); |
| 98 assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.na
me, null); |
| 99 }, test.name); |
| 100 }); |
| 101 </script> |
| 102 </body> |
| 103 </html> |
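Review bot: The test name on line 62 of the new file, `"Required csp allows `strict-dynamic`, but retuned csp does."`, states the opposite of what the case checks: because `'strict-dynamic'` is present in the required `script-src`, its `'unsafe-inline'` and host sources are ignored, so the required policy does not allow the inline/host-sourced scripts that the returned policy does, hence EXPECT_BLOCK. Since WPT reports and expectation files key on these names, a misleading name slows down triage of a subsumption regression; suggest `"name": "Required csp does not allow 'unsafe-inline' (ignored because of 'strict-dynamic'), but returned csp does."`. The same typo "retuned" also appears in the name on line 67 (`"Required csp does not allow `unsafe-inline`, but retuned csp does."`) and should read "returned". The hash values `'sha256-abc123'` and `'sha512-321cba'` are grammatically valid base64-value tokens but are not real digests; that is fine for exercising subsumption as long as the harness does not attempt to actually match inline styles against them, which this file does not appear to do.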