Re-sync web-platform-tests/content-security-policy from upstream
author psaavedra@igalia.com <psaavedra@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 7 Jan 2020 17:23:59 +0000 (17:23 +0000)
committer psaavedra@igalia.com <psaavedra@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 7 Jan 2020 17:23:59 +0000 (17:23 +0000)
https://bugs.webkit.org/show_bug.cgi?id=205639

Reviewed by Carlos Alberto Lopez Perez.

LayoutTests/imported/w3c:

* resources/resource-files.json:
* web-platform-tests/content-security-policy/README.html:
* web-platform-tests/content-security-policy/connect-src/connect-src-beacon-allowed.sub.html:
* web-platform-tests/content-security-policy/connect-src/connect-src-beacon-blocked.sub.html:
* web-platform-tests/content-security-policy/connect-src/connect-src-beacon-redirect-to-blocked.sub.html:
* web-platform-tests/content-security-policy/embedded-enforcement/support/echo-required-csp.py:
(main):
* web-platform-tests/content-security-policy/font-src/font-none-blocked.sub.html:
* web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https-expected.txt: Added.
* web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https.html: Added.
* web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt:
* web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt:
* web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow-expected.txt:
* web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow-expected.txt:
* web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt:
* web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block.html:
* web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt:
* web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt:
* web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-none-block-expected.txt:
* web-platform-tests/content-security-policy/frame-ancestors/report-blocked-frame.sub-expected.txt: Added.
* web-platform-tests/content-security-policy/frame-ancestors/report-blocked-frame.sub.html: Added.
* web-platform-tests/content-security-policy/frame-ancestors/report-only-frame.sub-expected.txt: Added.
* web-platform-tests/content-security-policy/frame-ancestors/report-only-frame.sub.html: Added.
* web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html: Added.
* web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html.sub.headers: Added.
* web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html: Added.
* web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html.sub.headers: Added.
* web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-test.sub.js:
(iframeLoaded):
* web-platform-tests/content-security-policy/frame-ancestors/support/service-worker.js: Added.
(self.onfetch.e.e.respondWith):
* web-platform-tests/content-security-policy/frame-ancestors/support/w3c-import.log:
* web-platform-tests/content-security-policy/frame-ancestors/w3c-import.log:
* web-platform-tests/content-security-policy/frame-src/frame-src-same-document-expected.txt: Added.
* web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta-expected.txt: Added.
* web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta.html: Added.
* web-platform-tests/content-security-policy/frame-src/frame-src-same-document.html: Added.
* web-platform-tests/content-security-policy/frame-src/frame-src-same-document.html.headers: Added.
* web-platform-tests/content-security-policy/frame-src/w3c-import.log:
* web-platform-tests/content-security-policy/generic/generic-0_1-script-src.html:
* web-platform-tests/content-security-policy/generic/generic-0_10.sub-expected.txt: Copied from LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_9.sub-expected.txt.
* web-platform-tests/content-security-policy/generic/generic-0_10.sub.html: Renamed from LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10.html.
* web-platform-tests/content-security-policy/generic/generic-0_2-expected.txt:
* web-platform-tests/content-security-policy/generic/generic-0_2.html:
* web-platform-tests/content-security-policy/generic/generic-0_8.sub-expected.txt:
* web-platform-tests/content-security-policy/generic/generic-0_8.sub.html:
* web-platform-tests/content-security-policy/generic/generic-0_8_1.sub.html:
* web-platform-tests/content-security-policy/generic/generic-0_9.sub-expected.txt:
* web-platform-tests/content-security-policy/generic/generic-0_9.sub.html:
* web-platform-tests/content-security-policy/generic/no-default-src.sub-expected.txt:
* web-platform-tests/content-security-policy/generic/no-default-src.sub.html:
* web-platform-tests/content-security-policy/generic/positiveTest.js:
(onload): Deleted.
* web-platform-tests/content-security-policy/generic/w3c-import.log:
* web-platform-tests/content-security-policy/img-src/img-src-4_1.sub-expected.txt:
* web-platform-tests/content-security-policy/img-src/img-src-4_1.sub.html:
* web-platform-tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub-expected.txt:
* web-platform-tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub.html:
* web-platform-tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub-expected.txt:
* web-platform-tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub.html:
* web-platform-tests/content-security-policy/inside-worker/support/connect-src-allow.sub.js:
* web-platform-tests/content-security-policy/inside-worker/support/connect-src-self.sub.js:
(promise_test.t.return.new.Promise):
(async_test.t.Promise.all.new.Promise): Deleted.
* web-platform-tests/content-security-policy/inside-worker/support/script-src-allow.sub.js:
* web-platform-tests/content-security-policy/inside-worker/support/script-src-self.sub.js:
* web-platform-tests/content-security-policy/media-src/media-src-7_3.sub.html:
* web-platform-tests/content-security-policy/media-src/media-src-7_3_2.sub.html:
* web-platform-tests/content-security-policy/meta/sandbox-iframe-expected.txt: Added.
* web-platform-tests/content-security-policy/meta/sandbox-iframe.html: Added.
* web-platform-tests/content-security-policy/meta/w3c-import.log:
* web-platform-tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html:
* web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub.html:
* web-platform-tests/content-security-policy/reporting/report-only-unsafe-eval-expected.txt: Added.
* web-platform-tests/content-security-policy/reporting/report-only-unsafe-eval.html: Added.
* web-platform-tests/content-security-policy/reporting/report-only-unsafe-eval.html.sub.headers: Added.
* web-platform-tests/content-security-policy/reporting/report-uri-from-child-frame-expected.txt:
* web-platform-tests/content-security-policy/reporting/report-uri-from-child-frame.html:
* web-platform-tests/content-security-policy/reporting/w3c-import.log:
* web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub-expected.txt:
* web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub.html:
* web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked-error-event-expected.txt: Added.
* web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked-error-event.html: Added.
* web-platform-tests/content-security-policy/script-src/scripthash-changed-1-expected.txt: Added.
* web-platform-tests/content-security-policy/script-src/scripthash-changed-1.html: Added.
* web-platform-tests/content-security-policy/script-src/scripthash-changed-2-expected.txt: Added.
* web-platform-tests/content-security-policy/script-src/scripthash-changed-2.html: Added.
* web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html:
* web-platform-tests/content-security-policy/script-src/scriptnonce-changed-1-expected.txt: Added.
* web-platform-tests/content-security-policy/script-src/scriptnonce-changed-1.html: Added.
* web-platform-tests/content-security-policy/script-src/scriptnonce-changed-2-expected.txt: Added.
* web-platform-tests/content-security-policy/script-src/scriptnonce-changed-2.html: Added.
* web-platform-tests/content-security-policy/script-src/support/change-scripthash-before-execute.js: Added.
(document.getElementById):
* web-platform-tests/content-security-policy/script-src/support/change-scriptnonce-before-execute.js: Added.
(document.getElementById):
* web-platform-tests/content-security-policy/script-src/support/empty.css: Added.
* web-platform-tests/content-security-policy/script-src/support/inline-script-should-be-blocked.js: Added.
(async_test.t.s.onerror.t.step_func):
(async_test.t.s.onload.t.step_func):
* web-platform-tests/content-security-policy/script-src/support/w3c-import.log:
* web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js:
* web-platform-tests/content-security-policy/script-src/w3c-import.log:
* web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html:
* web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html:
* web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html:
* web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html:
* web-platform-tests/content-security-policy/securitypolicyviolation/support/inside-worker.sub.js:
* web-platform-tests/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html:
* web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-allowed.html:
* web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html:
* web-platform-tests/content-security-policy/support/inject-image.sub.js:
* web-platform-tests/content-security-policy/svg/object-in-svg-foreignobject.sub.html:

LayoutTests:

* platform/mac-wk2/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https-expected.txt: Added.
* platform/mac-wk2/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta-expected.txt: Added.
* platform/mac-wk2/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub-expected.txt: Added.
* tests-options.json:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@254133 268f45cc-cd09-0410-ab3c-d52691b4dbfc

109 files changed:
LayoutTests/ChangeLog
LayoutTests/imported/w3c/ChangeLog
LayoutTests/imported/w3c/resources/resource-files.json
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/README.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-allowed.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-blocked.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/connect-src/connect-src-beacon-redirect-to-blocked.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement/support/echo-required-csp.py
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/font-src/font-none-blocked.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https-expected.txt [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https.html [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow-expected.txt
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow-expected.txt
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-none-block-expected.txt
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/report-blocked-frame.sub-expected.txt [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/report-blocked-frame.sub.html [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/report-only-frame.sub-expected.txt [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/report-only-frame.sub.html [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html.sub.headers [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html.sub.headers [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-test.sub.js
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/service-worker.js [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/w3c-import.log
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/w3c-import.log
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-expected.txt [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta-expected.txt [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta.html [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.html [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.html.headers [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/w3c-import.log
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_1-script-src.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10.sub-expected.txt [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10.sub.html [moved from LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10.html with 85% similarity]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2-expected.txt
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_8.sub-expected.txt
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_8.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_8_1.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_9.sub-expected.txt
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_9.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/no-default-src.sub-expected.txt
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/no-default-src.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/positiveTest.js
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/w3c-import.log
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-4_1.sub-expected.txt
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-4_1.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub-expected.txt
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub-expected.txt
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/connect-src-allow.sub.js
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/connect-src-self.sub.js
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/script-src-allow.sub.js
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inside-worker/support/script-src-self.sub.js
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_3.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/media-src/media-src-7_3_2.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/sandbox-iframe-expected.txt [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/sandbox-iframe.html [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/w3c-import.log
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-unsafe-eval-expected.txt [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-unsafe-eval.html [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-unsafe-eval.html.sub.headers [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-child-frame-expected.txt
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-from-child-frame.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/w3c-import.log
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub-expected.txt
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked-error-event-expected.txt [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked-error-event.html [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-changed-1-expected.txt [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-changed-1.html [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-changed-2-expected.txt [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-changed-2.html [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-changed-1-expected.txt [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-changed-1.html [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-changed-2-expected.txt [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-changed-2.html [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/change-scripthash-before-execute.js [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/change-scriptnonce-before-execute.js [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/empty.css [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/inline-script-should-be-blocked.js [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/w3c-import.log
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/w3c-import.log
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/support/inside-worker.sub.js
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-allowed.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/inject-image.sub.js
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/object-in-svg-foreignobject.sub.html
LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https-expected.txt [new file with mode: 0644]
LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta-expected.txt [new file with mode: 0644]
LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub-expected.txt [new file with mode: 0644]
LayoutTests/tests-options.json

index aad1679..cbad5b1 100644 (file)
@@ -1,3 +1,15 @@
+2020-01-07  Pablo Saavedra  <psaavedra@igalia.com>
+
+        Re-sync web-platform-tests/content-security-policy from upstream
+        https://bugs.webkit.org/show_bug.cgi?id=205639
+
+        Reviewed by Carlos Alberto Lopez Perez.
+
+        * platform/mac-wk2/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https-expected.txt: Added.
+        * platform/mac-wk2/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta-expected.txt: Added.
+        * platform/mac-wk2/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub-expected.txt: Added.
+        * tests-options.json:
+
 2020-01-07  youenn fablet  <youenn@apple.com>
 
         Implement MediaRecorder backend in GPUProcess
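
Review bot: the three mac-wk2 "-expected.txt: Added." lines and the bare "* tests-options.json:" line in this new entry give no reason for the change. Please say why mac-wk2 needs its own baselines for frame-ancestors-from-serviceworker.https, frame-src-same-document-meta and report-only-in-meta.sub (expected failure, differing console output, or something else) and what was changed in tests-options.json. Otherwise a later re-sync cannot tell whether these platform expectations record a known CSP enforcement gap on that port or are just output noise.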
index cd1ec58..c3e594d 100644 (file)
@@ -1,3 +1,124 @@
+2020-01-07  Pablo Saavedra  <psaavedra@igalia.com>
+
+        Re-sync web-platform-tests/content-security-policy from upstream
+        https://bugs.webkit.org/show_bug.cgi?id=205639
+
+        Reviewed by Carlos Alberto Lopez Perez.
+
+        * resources/resource-files.json:
+        * web-platform-tests/content-security-policy/README.html:
+        * web-platform-tests/content-security-policy/connect-src/connect-src-beacon-allowed.sub.html:
+        * web-platform-tests/content-security-policy/connect-src/connect-src-beacon-blocked.sub.html:
+        * web-platform-tests/content-security-policy/connect-src/connect-src-beacon-redirect-to-blocked.sub.html:
+        * web-platform-tests/content-security-policy/embedded-enforcement/support/echo-required-csp.py:
+        (main):
+        * web-platform-tests/content-security-policy/font-src/font-none-blocked.sub.html:
+        * web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https-expected.txt: Added.
+        * web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https.html: Added.
+        * web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt:
+        * web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt:
+        * web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow-expected.txt:
+        * web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow-expected.txt:
+        * web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt:
+        * web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block.html:
+        * web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt:
+        * web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt:
+        * web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-none-block-expected.txt:
+        * web-platform-tests/content-security-policy/frame-ancestors/report-blocked-frame.sub-expected.txt: Added.
+        * web-platform-tests/content-security-policy/frame-ancestors/report-blocked-frame.sub.html: Added.
+        * web-platform-tests/content-security-policy/frame-ancestors/report-only-frame.sub-expected.txt: Added.
+        * web-platform-tests/content-security-policy/frame-ancestors/report-only-frame.sub.html: Added.
+        * web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html: Added.
+        * web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html.sub.headers: Added.
+        * web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html: Added.
+        * web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html.sub.headers: Added.
+        * web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-test.sub.js:
+        (iframeLoaded):
+        * web-platform-tests/content-security-policy/frame-ancestors/support/service-worker.js: Added.
+        (self.onfetch.e.e.respondWith):
+        * web-platform-tests/content-security-policy/frame-ancestors/support/w3c-import.log:
+        * web-platform-tests/content-security-policy/frame-ancestors/w3c-import.log:
+        * web-platform-tests/content-security-policy/frame-src/frame-src-same-document-expected.txt: Added.
+        * web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta-expected.txt: Added.
+        * web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta.html: Added.
+        * web-platform-tests/content-security-policy/frame-src/frame-src-same-document.html: Added.
+        * web-platform-tests/content-security-policy/frame-src/frame-src-same-document.html.headers: Added.
+        * web-platform-tests/content-security-policy/frame-src/w3c-import.log:
+        * web-platform-tests/content-security-policy/generic/generic-0_1-script-src.html:
+        * web-platform-tests/content-security-policy/generic/generic-0_10.sub-expected.txt: Copied from LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_9.sub-expected.txt.
+        * web-platform-tests/content-security-policy/generic/generic-0_10.sub.html: Renamed from LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10.html.
+        * web-platform-tests/content-security-policy/generic/generic-0_2-expected.txt:
+        * web-platform-tests/content-security-policy/generic/generic-0_2.html:
+        * web-platform-tests/content-security-policy/generic/generic-0_8.sub-expected.txt:
+        * web-platform-tests/content-security-policy/generic/generic-0_8.sub.html:
+        * web-platform-tests/content-security-policy/generic/generic-0_8_1.sub.html:
+        * web-platform-tests/content-security-policy/generic/generic-0_9.sub-expected.txt:
+        * web-platform-tests/content-security-policy/generic/generic-0_9.sub.html:
+        * web-platform-tests/content-security-policy/generic/no-default-src.sub-expected.txt:
+        * web-platform-tests/content-security-policy/generic/no-default-src.sub.html:
+        * web-platform-tests/content-security-policy/generic/positiveTest.js:
+        (onload): Deleted.
+        * web-platform-tests/content-security-policy/generic/w3c-import.log:
+        * web-platform-tests/content-security-policy/img-src/img-src-4_1.sub-expected.txt:
+        * web-platform-tests/content-security-policy/img-src/img-src-4_1.sub.html:
+        * web-platform-tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub-expected.txt:
+        * web-platform-tests/content-security-policy/img-src/img-src-host-partial-wildcard-allowed.sub.html:
+        * web-platform-tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub-expected.txt:
+        * web-platform-tests/content-security-policy/img-src/img-src-port-wildcard-allowed.sub.html:
+        * web-platform-tests/content-security-policy/inside-worker/support/connect-src-allow.sub.js:
+        * web-platform-tests/content-security-policy/inside-worker/support/connect-src-self.sub.js:
+        (promise_test.t.return.new.Promise):
+        (async_test.t.Promise.all.new.Promise): Deleted.
+        * web-platform-tests/content-security-policy/inside-worker/support/script-src-allow.sub.js:
+        * web-platform-tests/content-security-policy/inside-worker/support/script-src-self.sub.js:
+        * web-platform-tests/content-security-policy/media-src/media-src-7_3.sub.html:
+        * web-platform-tests/content-security-policy/media-src/media-src-7_3_2.sub.html:
+        * web-platform-tests/content-security-policy/meta/sandbox-iframe-expected.txt: Added.
+        * web-platform-tests/content-security-policy/meta/sandbox-iframe.html: Added.
+        * web-platform-tests/content-security-policy/meta/w3c-import.log:
+        * web-platform-tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html:
+        * web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub.html:
+        * web-platform-tests/content-security-policy/reporting/report-only-unsafe-eval-expected.txt: Added.
+        * web-platform-tests/content-security-policy/reporting/report-only-unsafe-eval.html: Added.
+        * web-platform-tests/content-security-policy/reporting/report-only-unsafe-eval.html.sub.headers: Added.
+        * web-platform-tests/content-security-policy/reporting/report-uri-from-child-frame-expected.txt:
+        * web-platform-tests/content-security-policy/reporting/report-uri-from-child-frame.html:
+        * web-platform-tests/content-security-policy/reporting/w3c-import.log:
+        * web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub-expected.txt:
+        * web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub.html:
+        * web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked-error-event-expected.txt: Added.
+        * web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked-error-event.html: Added.
+        * web-platform-tests/content-security-policy/script-src/scripthash-changed-1-expected.txt: Added.
+        * web-platform-tests/content-security-policy/script-src/scripthash-changed-1.html: Added.
+        * web-platform-tests/content-security-policy/script-src/scripthash-changed-2-expected.txt: Added.
+        * web-platform-tests/content-security-policy/script-src/scripthash-changed-2.html: Added.
+        * web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html:
+        * web-platform-tests/content-security-policy/script-src/scriptnonce-changed-1-expected.txt: Added.
+        * web-platform-tests/content-security-policy/script-src/scriptnonce-changed-1.html: Added.
+        * web-platform-tests/content-security-policy/script-src/scriptnonce-changed-2-expected.txt: Added.
+        * web-platform-tests/content-security-policy/script-src/scriptnonce-changed-2.html: Added.
+        * web-platform-tests/content-security-policy/script-src/support/change-scripthash-before-execute.js: Added.
+        (document.getElementById):
+        * web-platform-tests/content-security-policy/script-src/support/change-scriptnonce-before-execute.js: Added.
+        (document.getElementById):
+        * web-platform-tests/content-security-policy/script-src/support/empty.css: Added.
+        * web-platform-tests/content-security-policy/script-src/support/inline-script-should-be-blocked.js: Added.
+        (async_test.t.s.onerror.t.step_func):
+        (async_test.t.s.onload.t.step_func):
+        * web-platform-tests/content-security-policy/script-src/support/w3c-import.log:
+        * web-platform-tests/content-security-policy/script-src/support/worker-importscripts.js:
+        * web-platform-tests/content-security-policy/script-src/w3c-import.log:
+        * web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image-from-script.sub.html:
+        * web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html:
+        * web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html:
+        * web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html:
+        * web-platform-tests/content-security-policy/securitypolicyviolation/support/inside-worker.sub.js:
+        * web-platform-tests/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html:
+        * web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-allowed.html:
+        * web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html:
+        * web-platform-tests/content-security-policy/support/inject-image.sub.js:
+        * web-platform-tests/content-security-policy/svg/object-in-svg-foreignobject.sub.html:
+
 2020-01-07  Alexey Shvayka  <shvaikalesh@gmail.com>
 
         Re-sync web-platform-tests/css/cssom-view from upstream
index b690b18..0113fe4 100644 (file)
@@ -64,6 +64,8 @@
         "web-platform-tests/content-security-policy/README.html",
         "web-platform-tests/content-security-policy/form-action/support/post-message-to-opener.sub.html",
         "web-platform-tests/content-security-policy/form-action/support/post-message-to-parent.sub.html",
+        "web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html",
+        "web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html",
         "web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html",
         "web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html",
         "web-platform-tests/content-security-policy/frame-src/support/frame.html",
index 98fd5c4..28b011b 100644 (file)
@@ -46,7 +46,7 @@
 
     &lt;script&gt;
     test(function() {
-        asset_unreached(&#39;Unsafe inline script ran.&#39;)},
+        assert_unreached(&#39;Unsafe inline script ran.&#39;)},
         &#39;Inline script in a script tag should not run without an unsafe-inline directive&#39;
     );
     &lt;/script&gt;
@@ -71,7 +71,7 @@ Cache-Control: no-store, no-cache, must-revalidate
 Cache-Control: post-check=0, pre-check=0, false
 Pragma: no-cache
 Set-Cookie: <span class=highlight2>script-src-1_1</span>={{$id:uuid()}}; Path=<span class=highlight2>/content-security-policy/script-src/</span>
-Content-Security-Policy: <span class=highlight1>script-src 'self'</span>; report-uri  <span class=highlight2>..</span>/support/report.py?op=put&reportID={{$id}}
+Content-Security-Policy: <span class=highlight1>script-src 'self'</span>; report-uri  <span class=highlight2>..</span>/support/report.py?op=put&reportID;={{$id}}
         </code></pre>
     <p>This sets some headers to prevent caching (just so we are more likely to see our latest changes if we're actively developing this test) sets a cookie (more on that later) and sets the relevant <span class=code>Content-Security-Policy</span> header for our test case.</p>
 
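Review bot: the changed `report-uri` line now reads `report.py?op=put&reportID;={{$id}}`, with a stray `;` between `reportID` and `=`, so the sample header in this README no longer matches the `reportID={{$id}}` query that the removed line documented. This looks like an entity-repair artifact around `&reportID`; keep `&reportID={{$id}}`, or escape the ampersand as `&amp;` if the goal is valid HTML.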
index a32913d..de032a9 100644 (file)
@@ -19,19 +19,19 @@ connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe
         window.addEventListener('securitypolicyviolation', function(e) {
             log("FAIL");
         });
-    
-             if (typeof navigator.sendBeacon != 'function') {
+
+        if (typeof navigator.sendBeacon != 'function') {
             t_log.set_status(t_log.NOTRUN, "No navigator.sendBeacon, cannot run test.");
             t_log.phase = t_log.phases.HAS_RESULT;
             t_log.done();
         } else {
-                 try {
-                      var es = navigator.sendBeacon("http://{{host}}:{{ports[http][0]}}/cors/resources/status.py");
-                      log("Pass");
-                   } catch (e) {
-                      log("Fail");
-                   }
-             }
+            try {
+                var es = navigator.sendBeacon("http://{{host}}:{{ports[http][0]}}/cors/resources/status.py");
+                log("Pass");
+            } catch (e) {
+                log("Fail");
+            }
+        }
     </script>
     <div id="log"></div>
 </body>
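Review bot: in the `else` branch the result of `navigator.sendBeacon(...)` is stored in `es` and never checked, and `log("Pass")` runs as soon as the call returns without throwing. Since the re-indent touches these lines anyway, consider checking the boolean that `sendBeacon` returns before logging, and aligning the result strings: the violation listener logs `"FAIL"` while the `catch` logs `"Fail"`.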
index 95b4ce9..025a720 100644 (file)
@@ -3,7 +3,7 @@
 
 <head>
     <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
-    <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline';"> 
+    <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline';">
     <title>connect-src-beacon-blocked</title>
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
@@ -16,22 +16,22 @@ connect-src 'self' http://{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe
 
 <body>
     <script>
-       window.addEventListener('securitypolicyviolation', function(e) {
+        window.addEventListener('securitypolicyviolation', function(e) {
             log("violated-directive=" + e.violatedDirective);
-       });
-       
-       if (typeof navigator.sendBeacon != 'function') {
+        });
+
+        if (typeof navigator.sendBeacon != 'function') {
             t_log.set_status(t_log.NOTRUN, "No navigator.sendBeacon, cannot run test.");
             t_log.phase = t_log.phases.HAS_RESULT;
             t_log.done();
-       } else {
-                try {
-                    var es = navigator.sendBeacon("http://www1.{{host}}:{{ports[http][0]}}/security/contentSecurityPolicy/echo-report.php");
-                      log("Pass");
-           } catch (e) {
-               log("Fail");
-           }
-            }
+        } else {
+            try {
+                var es = navigator.sendBeacon("http://www1.{{host}}:{{ports[http][0]}}/security/contentSecurityPolicy/echo-report.php");
+                log("Pass");
+            } catch (e) {
+                log("Fail");
+            }
+        }
     </script>
     <div id="log"></div>
 </body>
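Review bot: the beacon target in the re-indented `try` block is still `/security/contentSecurityPolicy/echo-report.php`, a path that looks carried over from the WebKit reftest this file was converted from (see the comment in `<head>`) rather than a resource in the web-platform-tests tree. The test only needs a cross-origin URL that `connect-src 'self'` rejects, but pointing it at an existing WPT resource, as the allowed variant does with `/cors/resources/status.py`, would make the intent clearer.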
index 7328d7a..b0cbea5 100644 (file)
     <p>The beacon should not follow the redirect to http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png and send a CSP violation report.</p>
     <p>Verify that a CSP connect-src directive blocks redirects.</p>
     <script>
-       window.addEventListener('securitypolicyviolation', function(e) {
+        window.addEventListener('securitypolicyviolation', function(e) {
             log("violated-directive=" + e.violatedDirective);
-       });
-       
-            if (typeof navigator.sendBeacon != 'function') {
-                 t_log.set_status(t_log.NOTRUN, "No navigator.sendBeacon, cannot run test.");
+        });
+
+        if (typeof navigator.sendBeacon != 'function') {
+            t_log.set_status(t_log.NOTRUN, "No navigator.sendBeacon, cannot run test.");
             t_log.phase = t_log.phases.HAS_RESULT;
             t_log.done();
         } else {
index 6063cc0..03f7ca1 100644 (file)
@@ -10,7 +10,7 @@ def main(request, response):
 
     second_level_iframe_code = ""
     if "include_second_level_iframe" in request.GET:
-       if "second_level_iframe_csp" in request.GET and request.GET["second_level_iframe_csp"] <> "":
+       if "second_level_iframe_csp" in request.GET and request.GET["second_level_iframe_csp"] != "":
          second_level_iframe_code = '''<script>
             var i2 = document.createElement('iframe');
             i2.src = 'echo-required-csp.py';
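Review bot: the `<>` to `!=` change is needed for Python 3, but the changed line keeps its 7-space indent under a 4-space `if`, and the assignment below it sits at 9 spaces. Re-indenting both to multiples of four while this line is being touched would remove the mixed-indentation block.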
index eae1b49..966cecc 100644 (file)
@@ -13,7 +13,7 @@
       var link = document.createElement('link');
       link.rel="preload";
       link.as="font";
-      link.href="http://{{domains[www]}}:{{ports[http][0]}}/fonts/Ahem.ttf?font-none-blocked";
+      link.href="http://{{hosts[alt][]}}:{{ports[http][0]}}/fonts/Ahem.ttf?font-none-blocked";
       link.onload = t.unreached_func("Should not have loaded the font.");
       link.onerror = t.step_func_done();
       document.getElementsByTagName('head')[0].appendChild(link);
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https-expected.txt
new file mode 100644 (file)
index 0000000..2cbebf9
--- /dev/null
@@ -0,0 +1,5 @@
+
+Harness Error (FAIL), message = TypeError: undefined is not an object (evaluating 'navigator.serviceWorker.getRegistration')
+
+NOTRUN A 'frame-ancestors' CSP directive set from a serviceworker response with a value 'none' should block rendering. 
+
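Review bot: this new baseline records a harness error, `TypeError: undefined is not an object (evaluating 'navigator.serviceWorker.getRegistration')`, and a NOTRUN result, so on this port the test never reaches the `frame-ancestors` check. A baseline like this keeps matching even if the CSP behaviour regresses; it would be clearer to mark the test as skipped where service workers are unavailable, or to reference a tracking bug in the ChangeLog entry.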
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https.html
new file mode 100644 (file)
index 0000000..bf0e9d5
--- /dev/null
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/service-workers/service-worker/resources/test-helpers.sub.js"></script>
+</head>
+<body>
+  <script>
+    var t = async_test("A 'frame-ancestors' CSP directive set from a serviceworker response with a value 'none' should block rendering.");
+
+    // Register service worker.
+    var worker = 'support/service-worker.js';
+    var scope = 'support/service-worker/';
+    service_worker_unregister_and_register(t, worker, scope)
+      .then(registration => wait_for_state(t, registration.installing, 'activated'))
+      .then(() => {
+        // Load iframe.
+        var iframe = document.createElement("iframe");
+        function iframeLoaded(ev) {
+          var failed = false;
+          try {
+            ev.target.contentWindow.location.href;
+            failed = true;
+          } catch (ex) {}
+          t.step_func_done(() => assert_false(failed, "The IFrame should have been blocked. It wasn't."))();
+        };
+        iframe.addEventListener("load", iframeLoaded);
+        iframe.addEventListener("error", iframeLoaded);
+        iframe.src = "/content-security-policy/frame-ancestors/support/service-worker/frame-ancestors-none.html";
+        document.body.appendChild(iframe);
+      });
+  </script>
+</body>
+</html>
+
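Review bot: the service worker registered for scope `support/service-worker/` is never unregistered in the visible test body. Registering a cleanup, for example `t.add_cleanup(() => registration.unregister())`, keeps the worker from answering later requests under that scope. The empty `catch (ex) {}` in `iframeLoaded` also counts any exception as a successful block; a short comment saying that the expected one is the cross-origin access error would help.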
index a0b8f46..1600ca2 100644 (file)
@@ -1,5 +1,5 @@
 Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html?policy=%27none%27
 
 
-FAIL A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. assert_unreached: Inner IFrame msg: undefined Reached unreachable code
+FAIL A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. assert_unreached: Inner IFrame msg: The IFrame should have been blocked (or cross-origin). It wasn't. Reached unreachable code
 
index bae86a9..bd5b308 100644 (file)
@@ -1,5 +1,5 @@
 Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html?policy=%27self%27
 
 
-FAIL A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. assert_unreached: Inner IFrame msg: undefined Reached unreachable code
+FAIL A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. assert_unreached: Inner IFrame msg: The IFrame should have been blocked (or cross-origin). It wasn't. Reached unreachable code
 
index 0ab3610..1970829 100644 (file)
@@ -1,5 +1,5 @@
 Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html?policy=*
 
 
-FAIL A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. assert_unreached: Inner IFrame msg: undefined Reached unreachable code
+FAIL A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. assert_unreached: Inner IFrame msg: The IFrame should have been blocked (or cross-origin). It wasn't. Reached unreachable code
 
index d8d9b3a..7bbd5a4 100644 (file)
@@ -1,5 +1,5 @@
 Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html?policy=http://localhost:8800%20http://www1.localhost:8801
 
 
-FAIL A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. assert_unreached: Inner IFrame msg: undefined Reached unreachable code
+FAIL A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. assert_unreached: Inner IFrame msg: The IFrame should have been blocked (or cross-origin). It wasn't. Reached unreachable code
 
index a0f73c1..d2319cc 100644 (file)
@@ -1,5 +1,5 @@
 Blocked access to external URL http://www1.localhost:8801/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html?policy=http://www1.localhost:8801
 
 
-FAIL A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. assert_unreached: Inner IFrame msg: undefined Reached unreachable code
+FAIL A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. assert_unreached: Inner IFrame msg: The IFrame should have been blocked (or cross-origin). It wasn't. Reached unreachable code
 
index 654e90e..d7c83ae 100644 (file)
@@ -8,9 +8,9 @@
 <body>
     <script>
         test = async_test("A 'frame-ancestors' CSP directive with a URL value should compare against each frame's origin rather than URL, " +
-                   "so a nested frame with a sandboxed parent frame should be blocked due to the parent having a unique origin.");
+                          "so a nested frame with a sandboxed parent frame should be blocked due to the parent having a unique origin.");
 
-       testNestedSandboxedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
+        testNestedSandboxedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
     </script>
 </body>
 </html>
index e5c1b69..a06ac5b 100644 (file)
@@ -1,4 +1,4 @@
 
 
-FAIL A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. assert_unreached: Inner IFrame msg: undefined Reached unreachable code
+PASS A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. 
 
index a1f990f..2195257 100644 (file)
@@ -1,4 +1,4 @@
 
 
-FAIL A 'frame-ancestors' CSP directive with a value 'none' should block rendering. assert_unreached: The IFrame should have been blocked (or cross-origin). It wasn't. Reached unreachable code
+PASS A 'frame-ancestors' CSP directive with a value 'none' should block rendering. 
 
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/report-blocked-frame.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/report-blocked-frame.sub-expected.txt
new file mode 100644 (file)
index 0000000..53f2f2d
--- /dev/null
@@ -0,0 +1,4 @@
+
+
+PASS Violation report status OK. 
+
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/report-blocked-frame.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/report-blocked-frame.sub.html
new file mode 100644 (file)
index 0000000..69c098d
--- /dev/null
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<meta name="timeout" content="long">
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <title>Blocked frames are reported correctly</title>
+</head>
+<body>
+  <iframe src="support/content-security-policy.sub.html?policy=report-uri%20../../support/report.py%3Fop=put%26reportID={{$id:uuid()}}%3B%20frame-ancestors%20'none'"></iframe>
+  <script async defer src="../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-ancestors%20'none'&reportID={{$id}}"></script>
+</body>
+</html>
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/report-only-frame.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/report-only-frame.sub-expected.txt
new file mode 100644 (file)
index 0000000..496d4a5
--- /dev/null
@@ -0,0 +1,4 @@
+
+
+FAIL Violation report status OK. assert_equals: No such report. expected "" but got "false"
+
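Review bot: this baseline checks in a FAIL (`assert_equals: No such report. expected "" but got "false"`) for a newly added test, which means the expected violation report for `frame-ancestors 'none'` was not found when the policy is delivered in report-only mode. Please reference a bug for the missing report so the failing expectation is tracked rather than silently accepted.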
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/report-only-frame.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/report-only-frame.sub.html
new file mode 100644 (file)
index 0000000..28dd4be
--- /dev/null
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<meta name="timeout" content="long">
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <title>Blocked frames are reported correctly</title>
+</head>
+<body>
+  <iframe src="support/content-security-policy-report-only.sub.html?policy=report-uri%20../../support/report.py%3Fop=put%26reportID={{$id:uuid()}}%3B%20frame-ancestors%20'none'"></iframe>
+  <script async defer src="../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-ancestors%20'none'&reportID={{$id}}"></script>
+</body>
+</html>
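Review bot: the `<title>` here is "Blocked frames are reported correctly", the same as in `report-blocked-frame.sub.html`, although this file loads `content-security-policy-report-only.sub.html`, where the frame should be reported but not blocked. A distinct title would make the two results easier to tell apart. The `<meta name="timeout" content="long">` element also sits between `<html>` and `<head>` and would be cleaner inside `<head>`.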
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html
new file mode 100644 (file)
index 0000000..c8317b9
--- /dev/null
@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<html>
+<body>
+    <p>This is an IFrame sending a Content-Security-Policy-Report-Only header containing "{{GET[policy]}}".</p>
+</body>
+</html>
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html.sub.headers
new file mode 100644 (file)
index 0000000..ccb142e
--- /dev/null
@@ -0,0 +1 @@
+Content-Security-Policy-Report-Only: {{GET[policy]}}
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html
new file mode 100644 (file)
index 0000000..2182f4a
--- /dev/null
@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<html>
+<body>
+    <p>This is an IFrame sending a Content Security Policy header containing "{{GET[policy]}}".</p>
+</body>
+</html>
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html.sub.headers
new file mode 100644 (file)
index 0000000..322c99d
--- /dev/null
@@ -0,0 +1 @@
+Content-Security-Policy: {{GET[policy]}}
index dde04f0..79b761a 100644 (file)
@@ -26,7 +26,7 @@ window.addEventListener("message", function (e) {
         window.parent.postMessage(e.data, "*");
     else
         if (e.data.type === 'test_result')
-            endTest(e.data.failed, "Inner IFrame msg: " + e.data.msg);
+            endTest(e.data.failed, "Inner IFrame msg: " + e.data.message);
 });
 
 function injectNestedIframe(policy, parent, child, expectation, isSandboxed) {
@@ -67,6 +67,7 @@ function iframeLoaded(expectBlock) {
         var failed = true;
         var message = "";
         try {
+            ev.target.contentWindow.location.href;
             if (expectBlock) {
                 message = "The IFrame should have been blocked (or cross-origin). It wasn't.";
                 failed = true;
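Review bot: the added `ev.target.contentWindow.location.href;` is a bare expression whose only purpose is to throw when the frame was blocked or is cross-origin, which is easy to mistake for dead code. Add a one-line comment above it saying that the property access is the check, so it is not removed in a later cleanup.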
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/service-worker.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/service-worker.js
new file mode 100644 (file)
index 0000000..ebced90
--- /dev/null
@@ -0,0 +1,10 @@
+self.onfetch = e => {
+  e.respondWith(function() {
+    return new Promise((resolve) => {
+      var headers = new Headers;
+      headers.append("Content-Security-Policy", "frame-ancestors 'none'");
+      var response = new Response("", { "headers" : headers, "status": 200, "statusText" : "OK" });
+      resolve(response);
+    });
+  }());
+};
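Review bot: the handler wraps a synchronously built `Response` in `new Promise` inside an immediately invoked function, which adds nesting without changing behaviour; passing the `Response` straight to `e.respondWith(...)` would do the same. It is also worth a comment that the worker answers every fetch in its scope with an empty 200 body carrying `frame-ancestors 'none'`, since that is what the test relies on.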
index bca0dcf..084367e 100644 (file)
@@ -14,6 +14,10 @@ Property values requiring vendor prefixes:
 None
 ------------------------------------------------------------------------
 List of files:
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html.sub.headers
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html.sub.headers
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html.sub.headers
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors-test.sub.js
@@ -21,3 +25,4 @@ List of files:
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html.sub.headers
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html.sub.headers
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/support/service-worker.js
index d420bb1..b28aad9 100644 (file)
@@ -14,6 +14,7 @@ Property values requiring vendor prefixes:
 None
 ------------------------------------------------------------------------
 List of files:
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html
@@ -43,3 +44,5 @@ List of files:
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-star-allow-sameorigin.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-url-allow.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-url-block.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/report-blocked-frame.sub.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/report-only-frame.sub.html
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-expected.txt
new file mode 100644 (file)
index 0000000..c6af01b
--- /dev/null
@@ -0,0 +1,4 @@
+
+
+PASS Same-document navigation in an iframe blocked by CSP frame-src 
+
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta-expected.txt
new file mode 100644 (file)
index 0000000..ace1274
--- /dev/null
@@ -0,0 +1,7 @@
+Blocked access to external URL http://www1.%7B%7Bhost%7D%7D/content-security-policy/support/frame.html#0
+
+
+Harness Error (TIMEOUT), message = null
+
+TIMEOUT Same-document navigations in an iframe blocked by CSP frame-src dynamically using the <meta> tag Test timed out
+
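Review bot: the first line of this baseline shows the iframe URL as `http://www1.%7B%7Bhost%7D%7D/...`, so `{{host}}` was never substituted, and the test then times out. The test file is named `frame-src-same-document-meta.html`, without the `.sub` component the other templated tests in this directory carry, which is the likely reason. As checked in, the TIMEOUT says nothing about `frame-src` enforcement, so the substitution should be fixed upstream or the timeout tracked with a bug.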
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta.html
new file mode 100644 (file)
index 0000000..f3750b1
--- /dev/null
@@ -0,0 +1,54 @@
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<html>
+<body></body>
+<script>
+    async_test(async test => {
+      // 1. Load an iframe (not blocked).
+      let iframe = document.createElement("iframe");
+      {
+        iframe.name = "theiframe";
+        iframe.src =
+          "http://www1.{{host}}/content-security-policy/support/frame.html#0";
+        let iframeLoaded = new Promise(resolve => { iframe.onload = resolve; });
+        document.body.appendChild(iframe);
+        await iframeLoaded;
+      }
+
+      // 2. Start blocking iframes using CSP frame-src 'none'.
+      {
+        let meta = document.createElement('meta');
+        meta.httpEquiv = "Content-Security-Policy";
+        meta.content = "frame-src 'none'";
+        document.getElementsByTagName('head')[0].appendChild(meta);
+      }
+
+      // 3. Blocked same-document navigation using iframe.src.
+      {
+        let violation = new Promise(resolve => {
+          window.addEventListener('securitypolicyviolation', resolve);
+        });
+        iframe.src =
+          "http://www1.{{host}}/content-security-policy/support/frame.html#1";
+        await violation;
+      }
+
+      // 4. Blocked same-document navigation using window.open.
+      {
+        let violation = new Promise(resolve => {
+          window.addEventListener('securitypolicyviolation', resolve);
+        });
+        window.open(
+          "http://www1.{{host}}/content-security-policy/support/frame.html#2",
+          "theiframe");
+        await violation;
+      }
+
+      // 5. Regression test for https://crbug.com/1018385. The browser should
+      // not crash while displaying the error page.
+      await new Promise(resolve => window.setTimeout(resolve, 1000));
+
+      test.done();
+    }, "Same-document navigations in an iframe blocked by CSP frame-src dynamically using the <meta> tag");
+</script>
+</html>
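Review bot: In steps 3 and 4 each `violation` promise resolves on any `securitypolicyviolation` event without inspecting it, so a late or duplicate event from the step 3 navigation could satisfy step 4 even if the `window.open` navigation was not blocked. Register each listener with `{once: true}` and assert `e.violatedDirective` (and `e.blockedURI`) before moving on. The fixed 1000 ms wait in step 5 should also carry a comment on why that duration is enough for the error page to be displayed.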
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.html
new file mode 100644 (file)
index 0000000..398d022
--- /dev/null
@@ -0,0 +1,25 @@
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<html>
+<body></body>
+<script>
+    let crossOriginUrl =
+      "http://www1.{{host}}/content-security-policy/support/frame.html";
+
+    async_test(async test => {
+      test.done();
+      let iframe = document.createElement("iframe");
+      document.body.appendChild(iframe);
+
+      for(let hash of ["#0", "#1"]) {
+        let violation = new Promise(resolve => {
+          window.addEventListener('securitypolicyviolation', resolve);
+        });
+        iframe.src = crossOriginUrl + hash;
+        await violation;
+      }
+
+      test.done();
+    }, "Same-document navigation in an iframe blocked by CSP frame-src");
+</script>
+</html>
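Review bot: The first statement in the `async_test` body is `test.done();`, so the test is marked complete before the iframe is created and the loop over `#0` and `#1` cannot affect the result. Remove that first call and keep only the `test.done()` after the loop. The loop also awaits any `securitypolicyviolation` event without checking `violatedDirective`, which would be worth asserting against `frame-src`.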
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.html.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.html.headers
new file mode 100644 (file)
index 0000000..6502444
--- /dev/null
@@ -0,0 +1 @@
+Content-Security-Policy: frame-src 'none'
index 8a03688..44d5b38 100644 (file)
@@ -21,4 +21,7 @@ List of files:
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-redirect.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-redirect.html.headers
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document.html.headers
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-self-unique-origin.html
index 35033c3..b374b8b 100644 (file)
@@ -2,7 +2,7 @@
 <html>
 <head>
     <title>default-src should cascade to script-src directive</title>
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'; report-uri  ../support/report.py?op=put&reportID={{$id}}">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline';">
     <script src='/resources/testharness.js'></script>
     <script src='/resources/testharnessreport.js'></script>
     <script src='../support/siblingPath.js'></script>
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10.sub-expected.txt
new file mode 100644 (file)
index 0000000..6b3b526
--- /dev/null
@@ -0,0 +1,5 @@
+test implicit port number matching (requires port 80)
+
+
+PASS Test that script does not fire violation event 
+
@@ -2,7 +2,7 @@
 <html>
 <head>
     <title>test implicit port number matching (requires port 80)</title>
-    <meta http-equiv="Content-Security-Policy content="script-src 'self' www.{{host}} 'unsafe-inline';">
+    <meta http-equiv="Content-Security-Policy content="script-src 'self' {{hosts[alt][]}} 'unsafe-inline';">
     <script src='/resources/testharness.js'></script>
     <script src='/resources/testharnessreport.js'></script>
     <script>
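Review bot: On both the removed and the added `<meta>` line the `http-equiv` value is missing its closing quote (`http-equiv="Content-Security-Policy content="script-src ...`), so the attribute value is read as `Content-Security-Policy content=` and the `script-src` policy is not applied as written. "Test that script does not fire violation event" then passes with no policy in force. As this is an import, the quote should be fixed upstream and re-synced rather than patched locally.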
@@ -12,7 +12,7 @@
       var head = document.getElementsByTagName('head')[0];
       var script = document.createElement('script');
       script.type = 'text/javascript';
-      script.src = "http://www." + location.hostname + "/content-security-policy/generic/positiveTest.js";
+      script.src = "http://{{hosts[alt][]}}/content-security-policy/generic/positiveTest.js";
       head.appendChild(script);
     </script>
     
index ecfeaf6..4f29544 100644 (file)
@@ -7,12 +7,19 @@
     <script src='/resources/testharnessreport.js'></script>
     <script nonce='abc'>
       var t_spv = async_test("Should fire violation events for every failed violation");
-      window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
-          assert_equals(e.violatedDirective, "script-src");
-      }));      
+      window.addEventListener(
+        "securitypolicyviolation", t_spv.unreached_func("securitypolicyviolation should not be emitted"));
+
+      window.addEventListener("load", function() {
+        t_spv.done();
+      });
     </script>
     <script src='positiveTest.js'></script>
-    <script nonce='abc'>t_spv.done();</script>
+    <script nonce='abc'>
+      test(function() {
+        assert_true(window.cspPositiveTest);
+      }, "Allows scripts from the same host.");
+    </script>
 </head>
 <body>
     <h1>'self' keyword positive test</h1>
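Review bot: `t_spv` is still titled "Should fire violation events for every failed violation", but its listener is now `unreached_func("securitypolicyviolation should not be emitted")`, so the title states the opposite of what is asserted. Rename the test (for example "Should not fire violation events") so the line in the expected results reads correctly.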
index 01b3fec..4c442f1 100644 (file)
@@ -2,5 +2,6 @@ Blocked access to external URL http://www.localhost:8800/content-security-policy
 test wildcard host name matching (asterisk as a subdomain of the current domain)
 
 
-PASS Test that script does not fire violation event 
+FAIL Test that script does not fire violation event assert_true: expected true got false
+FAIL Wildcard host matching works. assert_true: Script should have ran. expected true got false
 
index 79edff2..a9a76c8 100644 (file)
@@ -9,17 +9,16 @@
     <script>
       var t = async_test("Test that script does not fire violation event");
       window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have fired a violation event"));
-      
+      window.addEventListener("load", t.step_func(function() {
+        assert_true(window.wildcardHostTestRan);
+        t.done();
+      }));
       var head = document.getElementsByTagName('head')[0];
       var script = document.createElement('script');
       script.type = 'text/javascript';
       script.src = "http://www." + location.hostname + ":" + location.port + "/content-security-policy/generic/wildcardHostTestSuceeds.js";
       head.appendChild(script);
     </script>
-
-    <script>
-        t.done();
-    </script>    
 </head>
 <body>
     <h1>test wildcard host name matching (asterisk as a subdomain of the current domain)</h1>
index e8ce234..a0b7416 100644 (file)
@@ -8,8 +8,13 @@
     <script src='wildcardHostTestFailure.js'></script>
     <script>
       var t_spv = async_test("Should fire violation events for every failed violation");
-      window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
-          assert_equals(e.violatedDirective, "script-src-elem");
+      var spvEvent;
+      window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {
+          spvEvent = e;
+      }));
+      addEventListener("load", t_spv.step_func_done(function() {
+          assert_true(!!spvEvent);
+          assert_equals(spvEvent.violatedDirective, "script-src-elem");
       }));
 
       var head = document.getElementsByTagName('head')[0];
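Review bot: The listener overwrites `spvEvent` on every event, so at `load` only the last violation is checked even though the test is titled "for every failed violation". Collect the events in an array and assert on each entry, or at least on the expected count.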
index 150876c..f7f7f0d 100644 (file)
@@ -9,6 +9,9 @@
     <script>
       var t = async_test("Test that script does not fire violation event");
       window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have fired a violation event"));
+      window.addEventListener("load", function() {
+        t.done();
+      });
       
       var head = document.getElementsByTagName('head')[0];
       var script = document.createElement('script');
       script.src = "http://" + location.hostname + ":{{ports[http][1]}}/content-security-policy/generic/wildcardPortTestSuceeds.js";
       head.appendChild(script);
     </script>
-
-    <script>
-        t.done();
-    </script>  
 </head>
 <body>
     <h1>test wildcard port number matching</h1>
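Review bot: The new `load` handler calls `t.done()` without checking that `wildcardPortTestSuceeds.js` actually ran, so a script that is blocked without dispatching an event still passes. The wildcard host test in this same change asserts `window.wildcardHostTestRan` inside `t.step_func`; do the equivalent here with a flag set by the loaded script.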
index 7d361d2..c218031 100644 (file)
@@ -3,6 +3,6 @@ no default src doesn't behave exactly like *
 This page has a CSP header but an unknown directive. This should have no impact on an img loaded from a data: uri, or an inline script, although that would be blocked by a default-src policy of *. 
 
 
-PASS Violation report status OK. 
 PASS Allows scripts from the same host. 
+PASS Violation report status OK. 
 
index 5f5c8cb..9a89ec0 100644 (file)
     <br>
     <img src='data:image/png;base64,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'>
     <script>
-        var allowedScriptRan = true;
+      setup({ explicit_done: true });
+
+      test(function() {
+        assert_true(window.cspPositiveTest);
+      }, "Allows scripts from the same host.");
     </script>
 
     <div id='log'></div>
 
-    <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+    <script>
+      var script = document.createElement('script');
+      script.src = '../support/checkReport.sub.js?reportExists=false';
+      script.async = true;
+      script.defer = true;
+      script.addEventListener('load', function() {
+        done();
+      });
+      document.body.appendChild(script);
+    </script>
 </body>
 </html>
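Review bot: `done()` is only called from the injected script's `load` listener, so with `explicit_done: true` a failure to fetch `checkReport.sub.js` ends in a harness timeout rather than a clear failure. Add an `error` listener that fails a test and then calls `done()`. `script.defer = true` has no effect on a script element inserted from script and can be dropped.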
index 63c9991..15053e0 100644 (file)
@@ -1,6 +1 @@
-onload = function() {
-  test(function() {
-        assert_true(true, 'Script ran.')},
-        "Allows scripts from the same host."
-    );
-}
+window.cspPositiveTest = true;
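Review bot: Replacing the self-registering test with `window.cspPositiveTest = true;` moves the assertion into every page that loads `positiveTest.js`. The generic-0_10 page in this change loads it dynamically, and its expected output lists only "Test that script does not fire violation event", so nothing there checks that the script ran. Add an `assert_true(window.cspPositiveTest)` to that page, as the 'self' keyword positive test now does.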
index ac4fa38..d0bfe57 100644 (file)
@@ -26,7 +26,7 @@ List of files:
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/filesystem-urls-match-filesystem.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_1-img-src.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_1-script-src.html
-/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10_1.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2_2.sub.html
index 8bd20f3..23f4f8e 100644 (file)
@@ -1,6 +1,5 @@
-Blocked access to external URL http://www.localhost:8800/content-security-policy/support/pass.png
 
 PASS img-src for relative path should load 
 PASS img-src from unapproved domains should not load 
-FAIL img-src from approved domains should load assert_unreached: The img should have loaded Reached unreachable code
+PASS img-src from approved domains should load 
 
index 9e4e345..84934da 100644 (file)
@@ -1,5 +1,5 @@
 <!DOCTYPE HTML>
-<meta http-equiv="Content-Security-Policy" content="img-src 'self' {{domains[www]}}:{{ports[http][0]}}">
+<meta http-equiv="Content-Security-Policy" content="img-src 'self' {{hosts[alt][]}}:{{ports[http][0]}}">
 <html>
 <head>
     <title>img element src attribute must match src list.</title>
@@ -28,7 +28,7 @@
         i = new Image();
         i.onload = t.step_func_done();
         i.onerror = t.unreached_func("The img should have loaded");
-        i.src = location.protocol + '//{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/pass.png';
+        i.src = location.protocol + '//{{hosts[alt][]}}:{{ports[http][0]}}/content-security-policy/support/pass.png';
       }, "img-src from approved domains should load");
     </script>
 </body>
index dde9fbb..d48dbd8 100644 (file)
@@ -1,5 +1,3 @@
-Blocked access to external URL http://www.localhost:8800/content-security-policy/support/pass.png
-Blocked access to external URL http://www.localhost:8800/content-security-policy/support/pass.png
 
 
 FAIL img src matches correctly partial wildcard host csp directive assert_unreached: Image should have loaded Reached unreachable code
index d2d36d1..452f35b 100644 (file)
@@ -12,7 +12,7 @@
     <script>
       var t1 = async_test("img src matches correctly partial wildcard host csp directive");
     </script>
-    <img src='http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/pass.png'
+    <img src='http://{{hosts[alt][]}}:{{ports[http][0]}}/content-security-policy/support/pass.png'
          onload='t1.done();'
          onerror='t1.step(function() { assert_unreached("Image should have loaded"); t1.done(); });'>
 
index aae61b6..90b77d9 100644 (file)
@@ -1,5 +1,3 @@
-Blocked access to external URL http://www.localhost:8800/content-security-policy/support/pass.png
-Blocked access to external URL http://www.localhost:8800/content-security-policy/support/pass.png
 
 
 FAIL img-src with wildcard port should match any port assert_unreached: Image should have loaded. Reached unreachable code
index 215c100..5622180 100644 (file)
@@ -12,7 +12,7 @@
     <script>
       var t1 = async_test("img-src with wildcard port should match any port");
     </script>
-    <img src='http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/pass.png'
+    <img src='http://{{hosts[alt][]}}:{{ports[http][0]}}/content-security-policy/support/pass.png'
          onload='t1.done();'
          onerror='t1.step(function() { assert_unreached("Image should have loaded."); t1.done()} );'>
 
index 7ba44e5..9fd2d3f 100644 (file)
@@ -23,7 +23,7 @@ async_test(t => {
 
 // Cross-origin
 async_test(t => {
-  var url = "http://{{domains[www]}}:{{ports[http][1]}}/content-security-policy/support/resource.py?cross-origin-fetch";
+  var url = "http://{{hosts[alt][]}}:{{ports[http][1]}}/content-security-policy/support/resource.py?cross-origin-fetch";
   assert_no_csp_event_for_url(t, url);
 
   fetch(url)
@@ -31,7 +31,7 @@ async_test(t => {
 }, "Cross-origin 'fetch()' in " + self.location.protocol + self.location.search);
 
 async_test(t => {
-  var url = "http://{{domains[www]}}:{{ports[http][1]}}/content-security-policy/support/resource.py?cross-origin-xhr";
+  var url = "http://{{hosts[alt][]}}:{{ports[http][1]}}/content-security-policy/support/resource.py?cross-origin-xhr";
   assert_no_csp_event_for_url(t, url);
 
   var xhr = new XMLHttpRequest();
@@ -43,7 +43,7 @@ async_test(t => {
 
 // Same-origin redirecting to cross-origin
 async_test(t => {
-  var url = "{{location[server]}}/common/redirect-opt-in.py?status=307&location=http://{{domains[www]}}:{{ports[http][1]}}/content-security-policy/support/resource.py?cross-origin-fetch";
+  var url = "{{location[server]}}/common/redirect-opt-in.py?status=307&location=http://{{hosts[alt][]}}:{{ports[http][1]}}/content-security-policy/support/resource.py?cross-origin-fetch";
   assert_no_csp_event_for_url(t, url);
 
   fetch(url)
index 8c533ab..f6a231d 100644 (file)
@@ -2,40 +2,42 @@ importScripts("{{location[server]}}/resources/testharness.js");
 importScripts("{{location[server]}}/content-security-policy/support/testharness-helper.js");
 
 // Same-origin
-async_test(t => {
+promise_test(t => {
   var url = "{{location[server]}}/common/text-plain.txt?same-origin-fetch";
   assert_no_csp_event_for_url(t, url);
 
-  fetch(url)
-    .then(t.step_func_done(r => assert_equals(r.status, 200)));
+  return fetch(url)
+    .then(t.step_func(r => assert_equals(r.status, 200)));
 }, "Same-origin 'fetch()' in " + self.location.protocol + self.location.search);
 
-async_test(t => {
+promise_test(t => {
   var url = "{{location[server]}}/common/text-plain.txt?same-origin-xhr";
   assert_no_csp_event_for_url(t, url);
 
-  var xhr = new XMLHttpRequest();
-  xhr.open("GET", url);
-  xhr.onload = t.step_func_done();
-  xhr.onerror = t.unreached_func();
-  xhr.send();
+  return new Promise((resolve, reject) => {
+    var xhr = new XMLHttpRequest();
+    xhr.open("GET", url);
+    xhr.onload = t.step_func(resolve);
+    xhr.onerror = t.step_func(_ => reject("xhr.open should success."));
+    xhr.send();
+  });
 }, "Same-origin XHR in " + self.location.protocol + self.location.search);
 
 // Cross-origin
-async_test(t => {
-  var url = "http://{{domains[www]}}:{{ports[http][1]}}/common/text-plain.txt?cross-origin-fetch";
+promise_test(t => {
+  var url = "http://{{hosts[alt][]}}:{{ports[http][1]}}/common/text-plain.txt?cross-origin-fetch";
 
-  Promise.all([
+  return Promise.all([
     // TODO(mkwst): A 'securitypolicyviolation' event should fire.
     fetch(url)
       .catch(t.step_func(e => assert_true(e instanceof TypeError)))
-  ]).then(t.step_func_done());
+  ]);
 }, "Cross-origin 'fetch()' in " + self.location.protocol + self.location.search);
 
-async_test(t => {
-  var url = "http://{{domains[www]}}:{{ports[http][1]}}/common/text-plain.txt?cross-origin-xhr";
+promise_test(t => {
+  var url = "http://{{hosts[alt][]}}:{{ports[http][1]}}/common/text-plain.txt?cross-origin-xhr";
 
-  Promise.all([
+  return Promise.all([
     // TODO(mkwst): A 'securitypolicyviolation' event should fire.
     new Promise((resolve, reject) => {
       var xhr = new XMLHttpRequest();
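Review bot: In the cross-origin `fetch()` test the returned promise is `fetch(url).catch(...)`, which also fulfils when the fetch succeeds, so a request that is not blocked still passes. Use `promise_rejects(t, new TypeError, fetch(url))`, as the redirect test at the end of this file now does. Minor: the reject message "xhr.open should success." in the same-origin XHR test should read something like "XHR should succeed."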
@@ -44,16 +46,15 @@ async_test(t => {
       xhr.onerror = t.step_func(resolve);
       xhr.send();
     })
-  ]).then(t.step_func_done());
+  ]);
 }, "Cross-origin XHR in " + self.location.protocol + self.location.search);
 
 // Same-origin redirecting to cross-origin
-async_test(t => {
-  var url = "{{location[server]}}/common/redirect-opt-in.py?status=307&location=http://{{domains[www]}}:{{ports[http][1]}}/common/text-plain.txt?cross-origin-fetch";
+promise_test(t => {
+  var url = "{{location[server]}}/common/redirect-opt-in.py?status=307&location=http://{{hosts[alt][]}}:{{ports[http][1]}}/common/text-plain.txt?cross-origin-fetch";
 
   // TODO(mkwst): A 'securitypolicyviolation' event should fire.
-  fetch(url)
-    .catch(t.step_func_done(e => assert_true(e instanceof TypeError)))
+  return promise_rejects(t, new TypeError, fetch(url));
 }, "Same-origin => cross-origin 'fetch()' in " + self.location.protocol + self.location.search);
 
 done();
index 1f7d7ab..601297b 100644 (file)
@@ -1,7 +1,7 @@
 importScripts("{{location[server]}}/resources/testharness.js");
 
 test(t => {
-  importScripts("http://{{domains[www]}}:{{ports[http][1]}}/content-security-policy/support/testharness-helper.js");
+  importScripts("http://{{hosts[alt][]}}:{{ports[http][1]}}/content-security-policy/support/testharness-helper.js");
 }, "Cross-origin `importScripts()` not blocked in " + self.location.protocol + self.location.search);
 
 test(t => {
index b0d5576..db1f440 100644 (file)
@@ -4,7 +4,7 @@ importScripts("{{location[server]}}/content-security-policy/support/testharness-
 test(t => {
   self.a = false;
   assert_throws("NetworkError",
-                _ => importScripts("http://{{domains[www]}}:{{ports[http][1]}}/content-security-policy/support/var-a.js"),
+                _ => importScripts("http://{{hosts[alt][]}}:{{ports[http][1]}}/content-security-policy/support/var-a.js"),
                 "importScripts should throw `NetworkError`");
   assert_false(self.a);
 }, "Cross-origin `importScripts()` blocked in " + self.location.protocol + self.location.search);
index 05aa134..77c2744 100644 (file)
@@ -2,7 +2,7 @@
 <html>
 <head>
     <title>Video track src attribute must match src list - positive test</title>
-    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self' {{domains[www]}}:{{ports[http][0]}};"> 
+    <meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline'; media-src 'self' {{hosts[alt][]}}:{{ports[http][0]}};"> 
     <script src='/resources/testharness.js'></script>
     <script src='/resources/testharnessreport.js'></script>
 </head>
@@ -13,7 +13,7 @@
   <script>
     var source_test = async_test("In-policy track element");
 
-    var trackURL = location.protocol + "//{{domains[www]}}:{{ports[http][0]}}/media/foo.vtt";
+    var trackURL = location.protocol + "//{{hosts[alt][]}}:{{ports[http][0]}}/media/foo.vtt";
 
     var t_spv = async_test("Should not fire policy violation events");
     var test_count = 1;
index 6abe850..6ecc459 100644 (file)
     var source_test =
         async_test("Disallowed track element onerror handler fires.");
 
-    var trackURL = location.protocol + "//{{domains[www]}}:{{ports[http][0]}}/media/foo.vtt";
-    
+    var trackURL = location.protocol + "//{{hosts[alt][]}}:{{ports[http][0]}}/media/foo.vtt";
+
     var t_spv = async_test("Test that securitypolicyviolation events are fired");
     var test_count = 1;
     window.addEventListener("securitypolicyviolation", t_spv.step_func(function(e) {
           assert_equals(e.violatedDirective, "media-src");
           assert_equals(e.blockedURI, trackURL);
           if (--test_count <= 0) {
-              t_spv.done(); 
+              t_spv.done();
           }
       }));
 
@@ -62,9 +62,9 @@
 
         setTimeout(function() {
           if(source_test.phase != source_test.phases.COMPLETE) {
-               source_test.step( function () { assert_unreached("Onerror event never fired for track element."); });
-               source_test.done();
-          }
+            source_test.step( function () { assert_unreached("Onerror event never fired for track element."); });
+            source_test.done();
+          }
         }, 2 * 1000);
     </script>
 
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/sandbox-iframe-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/sandbox-iframe-expected.txt
new file mode 100644 (file)
index 0000000..af79e0d
--- /dev/null
@@ -0,0 +1,5 @@
+self is derived correctly inside inside a sandboxed iframe.
+
+
+FAIL img-src 'self' works when specified in a meta tag. assert_equals: expected "PASS" but got "FAIL"
+
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/sandbox-iframe.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/sandbox-iframe.html
new file mode 100644 (file)
index 0000000..d353caf
--- /dev/null
@@ -0,0 +1,54 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="base-uri {{location[scheme]}}://{{domains[]}}:{{ports[http][0]}}/base/">
+
+    <title>base-uri works correctly inside a sandboxed iframe.</title>
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+
+<body>
+    <h1>self is derived correctly inside inside a sandboxed iframe.</h1>
+    <div id='log'></div>
+
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            assert_unreached('No CSP violation report should have been fired.');
+        });
+
+        async_test(function(t) {
+            var i = document.createElement('iframe');
+            i.sandbox = 'allow-scripts';
+            i.style.display = 'none';
+            i.srcdoc = `
+              <meta http-equiv="Content-Security-Policy" content="img-src 'self'">
+              <body>
+              <script>
+
+              var img = document.createElement('img');
+              img.src = '../support/fail.png';
+              img.onerror = function() {
+                top.postMessage('FAIL', '*');
+              };
+              img.onload = function() {
+                top.postMessage('PASS', '*');
+              };
+              document.body.appendChild(img);
+              </sc` + `ript></body>`;
+
+            window.addEventListener('message', t.step_func(function(e) {
+              if (e.source === i.contentWindow) {
+                assert_equals(e.data, 'PASS');
+                t.done();
+              }
+            }));
+
+            document.body.appendChild(i);
+        }, 'img-src \'self\' works when specified in a meta tag.');
+   </script>
+
+</body>
+
+</html>
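Review bot: The `<title>` and the outer `<meta>` are about `base-uri`, while the `<h1>` and the only test check `img-src 'self'` inside the sandboxed `srcdoc` frame. Align the title with what is tested and fix the doubled "inside inside" in the `<h1>`. The top-level `securitypolicyviolation` listener calls `assert_unreached` outside any test step, so a violation would surface as a harness error rather than a failed test; register it inside the `async_test` with `t.unreached_func(...)`.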
index 32a50b1..78c419b 100644 (file)
@@ -20,3 +20,4 @@ List of files:
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-modified.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-outside-head.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/meta-outside-head.sub.html.sub.headers
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/sandbox-iframe.html
index 98d85b6..a034bdb 100644 (file)
@@ -12,7 +12,7 @@
 <body>
 <script>
   promise_test(function(test) {
-       const path = encodeURIComponent("{{domains[www1]}}:{{ports[http][0]}}/");
+    const path = encodeURIComponent("{{domains[www1]}}:{{ports[http][0]}}/");
     return fetch(
       "/cookies/resources/set-cookie.py?name=cspViolationReportCookie1&path=" + path,
       {mode: 'no-cors', credentials: 'include'})
index 04b9688..574c218 100644 (file)
       script.defer = true;
       script.src = '../support/checkReport.sub.js?reportExists=false'
       document.body.appendChild(script);
+
+      // Immediately declare a test so that the harness does not infer
+      // completion if the image loads before the script.
+      var checkReportTest = async_test("checkReport tests loaded");
+      script.onload = checkReportTest.step_func_done();
+      script.onerror = checkReportTest.unreached_func();
     });
   </script>
 </body>
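Review bot: `script.onload` and `script.onerror` are assigned after `document.body.appendChild(script)`. Assign them before the append so the ordering does not depend on the fetch being asynchronous, and give `unreached_func()` a message (for example "checkReport.sub.js failed to load") so a failure is identifiable in the results.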
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-unsafe-eval-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-unsafe-eval-expected.txt
new file mode 100644 (file)
index 0000000..9ca8e55
--- /dev/null
@@ -0,0 +1,5 @@
+
+PASS Eval is allowed because the CSP is report-only 
+FAIL SPV event is still raised assert_unreached: SPV event has not been received Reached unreachable code
+FAIL Violation report status OK. assert_equals: No such report. expected "" but got "false"
+
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-unsafe-eval.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-unsafe-eval.html
new file mode 100644 (file)
index 0000000..9effbc6
--- /dev/null
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script nonce='abc' src="/resources/testharness.js"></script>
+    <script nonce='abc' src="/resources/testharnessreport.js"></script>
+    <!-- CSP headers
+Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
+-->
+</head>
+<body>
+    <script nonce='abc'>
+      var t = async_test("Eval is allowed because the CSP is report-only");
+
+      var t_spv = async_test("SPV event is still raised");
+      t_spv.step_timeout(t_spv.unreached_func("SPV event has not been received"), 3000);
+      document.addEventListener('securitypolicyviolation', t_spv.step_func(e => {
+        assert_equals(e.violatedDirective, "script-src");
+        assert_equals(e.blockedURI, "eval");
+        t_spv.done();
+      }));
+
+      try {
+        eval("t.done()");
+      } catch {
+        t.step(t.unreached_func("The eval should have executed succesfully"));
+        t_spv.step(t_spv.unreached_func("The eval execution should have triggered a securitypolicyviolation event"));
+      }
+    </script>
+    <script nonce='abc' async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27unsafe-inline%27'></script>
+</body>
+</html>
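Review bot: The `checkReport.sub.js` query expects `violated-directive` to be `script-src 'unsafe-inline'`, but the policy in the header comment and in the `.headers` file is `script-src 'unsafe-inline' 'nonce-abc'`. The other report test touched by this change passes the full directive (`script-src 'self' 'nonce-abc'`) as `reportValue`. If the check is an exact match rather than a substring match, include `'nonce-abc'` here too. Also, "succesfully" in the `catch` message should be "successfully".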
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-unsafe-eval.html.sub.headers b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-unsafe-eval.html.sub.headers
new file mode 100644 (file)
index 0000000..549f3db
--- /dev/null
@@ -0,0 +1,4 @@
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Set-Cookie: report-only-unsafe-eval={{$id:uuid()}}; Path=/content-security-policy/reporting/
+Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'nonce-abc'; report-uri ../support/report.py?op=put&reportID={{$id}}
index 92b1e1b..1be4961 100644 (file)
@@ -8,8 +8,6 @@
 </head>
 <body>
     <script nonce="abc">
-      var t1 = async_test("Check that we received a message from the child frame");
-
       window.onmessage = function(e) {
         if (e.data == 'cookie set') {
           var s = document.createElement('script');
@@ -17,8 +15,6 @@
           s.defer = true;
           s.src = '../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27%20%27nonce-abc%27&reportCookieName=generate-csp-report';
           document.body.appendChild(s);
-
-          t1.done();
         }
       }
     </script>
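Review bot: With `t1` removed, no test exists on this page until the child frame posts 'cookie set' and `checkReport.sub.js` loads, so a child that never posts leaves the harness with nothing declared. Another file in this commit adds `checkReportTest` precisely "so that the harness does not infer completion"; declare a test up front here as well and complete it from the injected script's `onload`.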
index 3bdef90..a983c29 100644 (file)
@@ -32,6 +32,8 @@ List of files:
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-multiple-violations-02.html.sub.headers
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub.html.sub.headers
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-unsafe-eval.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-unsafe-eval.html.sub.headers
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url.sub.html.sub.headers
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-same-origin-with-cookies.html
index 9f24b1d..afb84a7 100644 (file)
@@ -1,5 +1,3 @@
-Blocked access to external URL http://www.localhost:8800/content-security-policy/script-src/crossoriginScript.js
-Blocked access to external URL http://www.localhost:8800/content-security-policy/script-src/crossoriginScript.js
 External scripts with matching SRI hash should be allowed.
 
 
@@ -11,7 +9,7 @@ FAIL matching plus unsupported integrity assert_unreached: Script should load! h
 PASS mismatched integrity 
 PASS multiple mismatched integrity 
 PASS partially matching integrity 
-FAIL crossorigin no integrity but whitelisted host assert_unreached: Script should load! http://www.localhost:8800/content-security-policy/script-src/crossoriginScript.js Reached unreachable code
-FAIL crossorigin mismatched integrity but whitelisted host assert_unreached: Script should load! http://www.localhost:8800/content-security-policy/script-src/crossoriginScript.js Reached unreachable code
+FAIL crossorigin no integrity but whitelisted host assert_unreached: Script should load! http://127.0.0.1:8800/content-security-policy/script-src/crossoriginScript.js Reached unreachable code
+FAIL crossorigin mismatched integrity but whitelisted host assert_unreached: Script should load! http://127.0.0.1:8800/content-security-policy/script-src/crossoriginScript.js Reached unreachable code
 FAIL External script in a script tag with matching SRI hash should run. assert_true: External script ran. expected true got false
 
index 2c888f4..d8e358c 100644 (file)
@@ -6,7 +6,7 @@
     <script src='/resources/testharness.js' nonce='dummy'></script>
     <script src='/resources/testharnessreport.js' nonce='dummy'></script>
 
-    <!-- CSP served: script-src {{domains[www]}}:* 'nonce-dummy' 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=' 'sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA=' -->
+    <!-- CSP served: script-src {{hosts[alt][]}}:* 'nonce-dummy' 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=' 'sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA=' -->
 </head>
 
 <body>
@@ -17,7 +17,7 @@
         var port = "{{ports[http][0]}}";
         if (location.protocol === "https:")
           port = "{{ports[https][0]}}";
-        var crossorigin_base = location.protocol + "//{{domains[www]}}:" + port;
+        var crossorigin_base = location.protocol + "//{{hosts[alt][]}}:" + port;
 
         // Test name, src, integrity, expected to run.
         var test_cases = [
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked-error-event-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked-error-event-expected.txt
new file mode 100644 (file)
index 0000000..e851842
--- /dev/null
@@ -0,0 +1,3 @@
+
+PASS CSP script-hash block causes error event 
+
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked-error-event.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked-error-event.html
new file mode 100644 (file)
index 0000000..62b8693
--- /dev/null
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<head>
+    <title>CSP script-hash block causes error event</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-deadbeef'"></meta>
+</head>
+<body>
+    <script src="support/inline-script-should-be-blocked.js"></script>
+</body>
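Review bot: the `<title>` reads "CSP script-hash block causes error event", but the support script this page loads (support/inline-script-should-be-blocked.js, added in the same commit) fails via assert_unreached if the blocked script fires an error event. Rename the test so the title states what is asserted: a CSP-blocked inline script fires neither load nor error and does not run. Also, `<meta>` is a void element, so the `</meta>` end tag should be dropped.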
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-changed-1-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-changed-1-expected.txt
new file mode 100644 (file)
index 0000000..9d399c2
--- /dev/null
@@ -0,0 +1,3 @@
+
+FAIL scr1.innerText before modification should not be blocked assert_equals: expected "scr1 at #prepare-a-script" but got ""
+
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-changed-1.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-changed-1.html
new file mode 100644 (file)
index 0000000..9da41dd
--- /dev/null
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<head>
+    <title>CSP inline script check is done at #prepare-a-script (hash)</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!--
+      'log1 += 'scr1 at #prepare-a-script';' => 'sha256-sI+xsvqqUw0LQQGgsgkYoXKWhlGgaCqsqVbPx0Z2A4s=' (allowed)
+      'log1 += 'scr1 at #execute-the-script-block';' => 'sha256-Vtap5AhPN9kbQAbWqObJexCvNDexqoIwo4XsABQBqcg=' (blocked)
+    -->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-sI+xsvqqUw0LQQGgsgkYoXKWhlGgaCqsqVbPx0Z2A4s='"></meta>
+</head>
+<!--
+  "Should element's inline behavior be blocked by Content Security Policy?"
+  is executed at the time of https://html.spec.whatwg.org/C/#prepare-a-script,
+  not at https://html.spec.whatwg.org/C/#execute-the-script-block.
+  So when innerText is modified after #prepare-a-script, the text BEFORE
+  the modification is used for hash check.
+-->
+<script nonce="abc">
+let log1 = '';
+</script>
+
+<!--  Execution order:
+  async script is executed
+  -> stylesheet is loaded
+  -> inline script is executed. -->
+<link rel="stylesheet" href="support/empty.css?dummy=1&pipe=trickle(d2)" type="text/css">
+<script src="support/change-scripthash-before-execute.js?dummy=1&pipe=trickle(d1)" async></script>
+<script id="scr1">log1 += 'scr1 at #prepare-a-script';</script>
+
+<script nonce="abc">
+test(() => {
+  assert_equals(log1, 'scr1 at #prepare-a-script');
+}, 'scr1.innerText before modification should not be blocked');
+</script>
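Review bot: nothing on this page proves that change-scripthash-before-execute.js rewrote scr1 before scr1 executed; the ordering rests only on the trickle(d1) and trickle(d2) delays. If the async script arrives late, scr1 runs with its original text, matches the allowed hash, and the test passes without exercising the #prepare-a-script versus #execute-the-script-block distinction. Consider also asserting in the final test that document.getElementById('scr1').innerText is the modified string, so a pass means the mutation really happened first.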
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-changed-2-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-changed-2-expected.txt
new file mode 100644 (file)
index 0000000..04b172e
--- /dev/null
@@ -0,0 +1,3 @@
+
+FAIL scr2.innerText before modification should be blocked assert_equals: expected "" but got "scr2 at #execute-the-script-block"
+
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-changed-2.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-changed-2.html
new file mode 100644 (file)
index 0000000..927d60a
--- /dev/null
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<head>
+    <title>CSP inline script check is done at #prepare-a-script (hash)</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!--
+      'log2 += 'scr2 at #prepare-a-script';' => 'sha256-9vE5NuHfEDoLvk3nPZPDX2/mnG+ZwKhpPuwQZwCDGc4=' (blocked)
+      'log2 += 'scr2 at #execute-the-script-block';' => 'sha256-3AdhWTFuyxSUPxmqpTJaFRx3R5WNcyGw57lFoj1rTXw=' (allowed)
+    -->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-3AdhWTFuyxSUPxmqpTJaFRx3R5WNcyGw57lFoj1rTXw='"></meta>
+</head>
+<!--
+  "Should element's inline behavior be blocked by Content Security Policy?"
+  is executed at the time of https://html.spec.whatwg.org/C/#prepare-a-script,
+  not at https://html.spec.whatwg.org/C/#execute-the-script-block.
+  So when innerText is modified after #prepare-a-script, the text BEFORE
+  the modification is used for hash check.
+-->
+<script nonce="abc">
+let log2 = '';
+</script>
+
+<!--  Execution order:
+  async script is executed
+  -> stylesheet is loaded
+  -> inline script is executed. -->
+<link rel="stylesheet" href="support/empty.css?dummy=2&pipe=trickle(d2)" type="text/css">
+<script src="support/change-scripthash-before-execute.js?dummy=2&pipe=trickle(d1)" async></script>
+<script id="scr2">log2 += 'scr2 at #prepare-a-script';</script>
+
+<script nonce="abc">
+test(() => {
+  assert_equals(log2, '');
+}, 'scr2.innerText before modification should be blocked');
+</script>
index 4212297..b082b55 100644 (file)
@@ -49,9 +49,9 @@
             script1.test.done();
           });
         } else {
-         script1.test.step(function() {
+          script1.test.step(function() {
             assert_unreached("nonMatchingContent script ran");
-         });
+          });
         }
       }
 
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-changed-1-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-changed-1-expected.txt
new file mode 100644 (file)
index 0000000..554f8f7
--- /dev/null
@@ -0,0 +1,3 @@
+
+FAIL scr1 nonce before modification should not be blocked assert_equals: expected "scr1 executed" but got ""
+
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-changed-1.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-changed-1.html
new file mode 100644 (file)
index 0000000..75f92f3
--- /dev/null
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<head>
+    <title>CSP inline script check is done at #prepare-a-script (nonce)</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-deadbeef'"></meta>
+</head>
+<!--
+  "Should element's inline behavior be blocked by Content Security Policy?"
+  is executed at the time of https://html.spec.whatwg.org/C/#prepare-a-script,
+  not at https://html.spec.whatwg.org/C/#execute-the-script-block.
+  So when nonce is modified after #prepare-a-script, the nonce BEFORE
+  the modification is used for hash check.
+-->
+<script nonce="abc">
+let log1 = '';
+</script>
+
+<!--  Execution order:
+  async script is executed
+  -> stylesheet is loaded
+  -> inline script is executed. -->
+<link rel="stylesheet" href="support/empty.css?dummy=3&pipe=trickle(d2)" type="text/css">
+<script src="support/change-scriptnonce-before-execute.js?dummy=3&pipe=trickle(d1)" async></script>
+<script id="scr1" nonce="abc">log1 += 'scr1 executed';</script>
+
+<script nonce="abc">
+test(() => {
+  assert_equals(log1, 'scr1 executed');
+}, 'scr1 nonce before modification should not be blocked');
+</script>
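Review bot: the explanatory comment ends with "the nonce BEFORE the modification is used for hash check", which looks carried over from the scripthash-changed tests; this page exercises the nonce path, and the 'sha256-deadbeef' source in the policy is only a placeholder. Say "nonce check" so the comment describes what scr1 is actually allowed by. The same wording appears in scriptnonce-changed-2.html.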
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-changed-2-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-changed-2-expected.txt
new file mode 100644 (file)
index 0000000..2232884
--- /dev/null
@@ -0,0 +1,3 @@
+
+FAIL scr2 nonce before modification should be blocked assert_equals: expected "" but got "scr2 executed"
+
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-changed-2.html b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-changed-2.html
new file mode 100644 (file)
index 0000000..f2321dd
--- /dev/null
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<head>
+    <title>CSP inline script check is done at #prepare-a-script (nonce)</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-deadbeef'"></meta>
+</head>
+<!--
+  "Should element's inline behavior be blocked by Content Security Policy?"
+  is executed at the time of https://html.spec.whatwg.org/C/#prepare-a-script,
+  not at https://html.spec.whatwg.org/C/#execute-the-script-block.
+  So when nonce is modified after #prepare-a-script, the nonce BEFORE
+  the modification is used for hash check.
+-->
+<script nonce="abc">
+let log2 = '';
+</script>
+
+<!--  Execution order:
+  async script is executed
+  -> stylesheet is loaded
+  -> inline script is executed. -->
+<link rel="stylesheet" href="support/empty.css?dummy=4&pipe=trickle(d2)" type="text/css">
+<script src="support/change-scriptnonce-before-execute.js?dummy=4&pipe=trickle(d1)" async></script>
+<script id="scr2" nonce="wrong">log2 += 'scr2 executed';</script>
+
+<script nonce="abc">
+test(() => {
+  assert_equals(log2, '');
+}, 'scr2 nonce before modification should be blocked');
+</script>
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/change-scripthash-before-execute.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/change-scripthash-before-execute.js
new file mode 100644 (file)
index 0000000..a04e857
--- /dev/null
@@ -0,0 +1,10 @@
+// This script is executed after |scr1| and |scr2| are inserted into DOM
+// before their execution (if not blocked by CSP).
+if (document.getElementById("scr1")) {
+  document.getElementById("scr1").innerText =
+    "log1 += 'scr1 at #execute-the-script-block';";
+}
+if (document.getElementById("scr2")) {
+  document.getElementById("scr2").innerText =
+    "log2 += 'scr2 at #execute-the-script-block';";
+}
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/change-scriptnonce-before-execute.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/change-scriptnonce-before-execute.js
new file mode 100644 (file)
index 0000000..2676b34
--- /dev/null
@@ -0,0 +1,8 @@
+// This script is executed after |scr1| and |scr2| are inserted into DOM
+// before their execution (if not blocked by CSP).
+if (document.getElementById('scr1')) {
+  document.getElementById('scr1').setAttribute('nonce', 'wrong');
+}
+if (document.getElementById('scr2')) {
+  document.getElementById('scr2').setAttribute('nonce', 'abc');
+}
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/empty.css b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/empty.css
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/inline-script-should-be-blocked.js b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/inline-script-should-be-blocked.js
new file mode 100644 (file)
index 0000000..f32d250
--- /dev/null
@@ -0,0 +1,14 @@
+var t;
+async_test(t => {
+  self.t = t;
+  const s = document.createElement('script');
+  s.onerror = t.step_func(function() {
+    assert_unreached('Script error event should not be fired.');
+  });
+  s.onload = t.step_func(function() {
+    assert_unreached('Script load event should not be fired.');
+  });
+  s.innerText = 'self.t.assert_unreached("Script should not run.");'
+  document.body.appendChild(s);
+  setTimeout(() => t.done(), 2000);
+});
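Review bot: the test concludes on a fixed `setTimeout(() => t.done(), 2000)`, so it always costs two seconds and only shows that no load or error event arrived within that window; t.step_timeout would at least scale with the harness timeout multiplier. The parameter `t` of the arrow function shadows the global `var t`, which is then set through `self.t = t`; a distinct parameter name would make it clearer that the injected inline script reaches the test through the global. The `s.innerText = ...` line is missing its semicolon.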
index 2d2df6a..a3b6dcd 100644 (file)
@@ -14,7 +14,11 @@ Property values requiring vendor prefixes:
 None
 ------------------------------------------------------------------------
 List of files:
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/change-scripthash-before-execute.js
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/change-scriptnonce-before-execute.js
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/empty.css
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/inject-script.js
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/inline-script-should-be-blocked.js
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/post-message.js
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-eval.js
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/support/worker-eval.js.sub.headers
index 9a4d892..3e7136d 100644 (file)
@@ -88,13 +88,18 @@ List of files:
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_worker.https.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-wildcards-disallowed.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-allowed.sub.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked-error-event.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-basic-blocked.sub.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-changed-1.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-changed-2.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-default-src.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-ignore-unsafeinline.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-allowed.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-changed-1.html
+/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-changed-2.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-redirect.sub.html
 /LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/simpleSourcedScript.js
index 65311c3..b95213a 100644 (file)
       .then(t.step_func_done(e => {
         assert_equals(e.documentURI, document.location.toString());
         assert_equals(e.referrer, document.referrer);
-        assert_equals(e.blockedURI, "http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/fail.png");
+        assert_equals(e.blockedURI, "http://{{hosts[alt][]}}:{{ports[http][0]}}/content-security-policy/support/fail.png");
         assert_equals(e.violatedDirective, "img-src");
         assert_equals(e.effectiveDirective, "img-src");
         assert_equals(e.originalPolicy, "img-src \'none\'");
         assert_equals(e.disposition, "enforce");
-        assert_equals(e.sourceFile, "");
-        assert_equals(e.lineNumber, 0);
+        assert_equals(new URL(e.sourceFile).pathname, "/content-security-policy/support/inject-image.sub.js");
+        assert_equals(e.lineNumber, 2);
         assert_equals(e.columnNumber, 0);
         assert_equals(e.statusCode, 200);
       }));
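Review bot: `new URL(e.sourceFile)` throws a TypeError when sourceFile is the empty string, which is exactly the value the removed assertion expected, so an engine that still reports no source location fails with a URL parse error instead of a readable assert_equals mismatch. Assert that e.sourceFile is non-empty first, then compare the pathname. The expected lineNumber of 2 is presumably the `i.src = ...` statement in support/inject-image.sub.js; a comment in that file noting the dependency would keep later edits from silently breaking this test.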
index 03829fe..3d5d837 100644 (file)
       .then(t.step_func_done(e => {
         assert_equals(e.documentURI, document.location.toString());
         assert_equals(e.referrer, document.referrer);
-        assert_equals(e.blockedURI, "{{location[scheme]}}://{{domains[www]}}:{{location[port]}}/content-security-policy/support/fail.png");
+        assert_equals(e.blockedURI, "{{location[scheme]}}://{{hosts[alt][]}}:{{location[port]}}/content-security-policy/support/fail.png");
         assert_equals(e.violatedDirective, "img-src");
         assert_equals(e.effectiveDirective, "img-src");
         assert_equals(e.originalPolicy, "img-src \'none\'");
         assert_equals(e.disposition, "enforce");
-        assert_equals(e.sourceFile, "");
-        assert_equals(e.lineNumber, 0);
-        assert_equals(e.columnNumber, 0);
+        assert_equals(new URL(e.sourceFile).pathname, "/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-cross-origin-image.sub.html");
+        assert_equals(e.lineNumber, 25);
+        assert_equals(e.columnNumber, 4);
         assert_equals(e.statusCode, 200);
       }));
     
     var i = document.createElement("img");
-    i.src = "{{location[scheme]}}://{{domains[www]}}:{{location[port]}}/content-security-policy/support/fail.png";
+    i.src = "{{location[scheme]}}://{{hosts[alt][]}}:{{location[port]}}/content-security-policy/support/fail.png";
   }, "Non-redirected cross-origin URLs are not stripped.");
 </script>
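Review bot: the hard-coded `lineNumber, 25` and `columnNumber, 4` bind this test to the exact layout of its own file, so any edit above the `i.src = ...` statement (a new comment, a reindent) breaks it with no change in CSP behaviour. A short comment beside the assertions naming the statement they point at would make such failures quick to diagnose.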
index 0a7c2b4..481d5a4 100644 (file)
       .then(t.step_func_done(e => {
         assert_equals(e.documentURI, document.location.toString());
         assert_equals(e.referrer, document.referrer);
-        assert_equals(e.blockedURI, "http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/fail.png");
+        assert_equals(e.blockedURI, "http://{{hosts[alt][]}}:{{ports[http][0]}}/content-security-policy/support/fail.png");
         assert_equals(e.violatedDirective, "img-src");
         assert_equals(e.effectiveDirective, "img-src");
         assert_equals(e.originalPolicy, "img-src \'none\'");
         assert_equals(e.disposition, "enforce");
-        assert_equals(e.sourceFile, "");
-        assert_equals(e.lineNumber, 0);
+        assert_equals(new URL(e.sourceFile).pathname, "/content-security-policy/support/inject-image.sub.js");
+        assert_equals(e.lineNumber, 2);
         assert_equals(e.columnNumber, 0);
         assert_equals(e.statusCode, 200);
       }));
index 5dd82e6..6e0e6dd 100644 (file)
@@ -15,9 +15,9 @@
         assert_equals(e.effectiveDirective, "img-src");
         assert_equals(e.originalPolicy, "img-src \'none\'");
         assert_equals(e.disposition, "enforce");
-        assert_equals(e.sourceFile, "");
-        assert_equals(e.lineNumber, 0);
-        assert_equals(e.columnNumber, 0);
+        assert_equals(new URL(e.sourceFile).pathname, "/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html");
+        assert_equals(e.lineNumber, 25);
+        assert_equals(e.columnNumber, 4);
         assert_equals(e.statusCode, 200);
       }));
     
index 58bd02f..e5f3c7c 100644 (file)
@@ -41,7 +41,7 @@ async_test(t => {
 }, "SecurityPolicyViolation event fired on global.");
 
 async_test(t => {
-  var url = "{{location[scheme]}}://{{host}}:{{location[port]}}/common/redirect.py?location={{location[scheme]}}://{{domains[www]}}:{{location[port]}}/content-security-policy/support/ping.js";
+  var url = "{{location[scheme]}}://{{host}}:{{location[port]}}/common/redirect.py?location={{location[scheme]}}://{{hosts[alt][]}}:{{location[port]}}/content-security-policy/support/ping.js";
   waitUntilCSPEventForURL(t, url)
     .then(t.step_func_done(e => {
       assert_equals(e.blockedURI, url);
index 7fdd5f6..d222743 100644 (file)
@@ -8,11 +8,21 @@
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
     <script>
+        setup({ explicit_done: true });
+
         var t = async_test("Test that violation report event was fired");
         window.addEventListener("securitypolicyviolation", t.step_func_done(function(e) {
             assert_equals(e.violatedDirective, "style-src");
         }));
         window.onload = function() {
+            try {
+                runTests();
+            } finally {
+                done();
+            }
+        };
+
+        function runTests() {
             window.nodes = document.getElementById('nodes');
             window.node1 = document.getElementById('node1');
             window.node1.style.background = "yellow";
             test(function() {
                 assert_equals(ops.id, clonedOps.id)
             });
-        };
+            test(function() {
+                let el = document.getElementById("svg");
+                assert_equals(el.getAttribute("style"), "");
+                el.style.background = violetOps.style.background;
+                assert_not_equals(el.style.background, "");
+                let clone = el.cloneNode(true);
+                assert_equals(el.style.background, clone.style.background)
+            }, "non-HTML namespace");
+        }
 
     </script>
 </head>
     <div id="violetOps">
         Yet another div.
     </div>
+    <svg id="svg" style="background: rgb(238, 130, 238)"></svg>
     <div id="log"></div>
 </body>
 
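Review bot: in the new "non-HTML namespace" subtest, `assert_equals(el.getAttribute("style"), "")` is checked against an `<svg>` whose markup carries style="background: rgb(238, 130, 238)", and nothing nearby says why the attribute is expected to read back empty; a one-line comment stating the CSP behaviour being relied on would help. The existing `test(function() { assert_equals(ops.id, clonedOps.id) })` just above it still has no name, and the last assert_equals in the new subtest is missing its semicolon.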
index 16df510..92e8f17 100644 (file)
@@ -10,7 +10,7 @@
         document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation"));
     </script>
 
-    <link nonce="nonceynonce" href="/content-security-policy/style-src/resources/style-src.css?pipe=sub" rel=stylesheet type=text/css>
+    <link nonce="nonceynonce" href="/content-security-policy/style-src/resources/style-src.css" rel=stylesheet type=text/css>
 </head>
 <body>
     <div id='log'></div>
index a076eaf..8a2e17c 100644 (file)
@@ -13,7 +13,7 @@
         assert_equals("style-src-elem", e.violatedDirective);
       }));
     </script>
-    <link nonce="not-nonceynonce" href="/content-security-policy/style-src/resources/style-src.css?pipe=sub" rel=stylesheet type=text/css>
+    <link nonce="not-nonceynonce" href="/content-security-policy/style-src/resources/style-src.css" rel=stylesheet type=text/css>
 </head>
 <body>
     <div id='log'></div>
index acf04f3..ea65cc6 100644 (file)
@@ -1,3 +1,3 @@
 var i = document.createElement('img');
-i.src = "http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/fail.png";
+i.src = "http://{{hosts[alt][]}}:{{ports[http][0]}}/content-security-policy/support/fail.png";
 document.body.appendChild(i);
index aa4f156..76e954b 100644 (file)
@@ -21,7 +21,7 @@
     <svg>
         <foreignObject>
             <embed type="application/x-shockwave-flash" src="/content-security-policy/support/media/flash.swf">
-        </foreignObject>
+        </foreignobject>
     </svg>
 </body>
 </html>
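Review bot: the end tag becomes `</foreignobject>` while the start tag two lines up stays `<foreignObject>`. The HTML parser tolerates the case difference, but the mismatch reads like a serializer artifact, not an intended test change; since this directory is a re-sync, confirm it matches upstream byte for byte and raise it there if it is not deliberate.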
diff --git a/LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https-expected.txt b/LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/frame-ancestors-from-serviceworker.https-expected.txt
new file mode 100644 (file)
index 0000000..4d66b1e
--- /dev/null
@@ -0,0 +1,4 @@
+
+
+PASS A 'frame-ancestors' CSP directive set from a serviceworker response with a value 'none' should block rendering. 
+
diff --git a/LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta-expected.txt b/LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-same-document-meta-expected.txt
new file mode 100644 (file)
index 0000000..bffc245
--- /dev/null
@@ -0,0 +1,7 @@
+Blocked access to external URL http://www1.{{host}}/content-security-policy/support/frame.html#0
+
+
+Harness Error (TIMEOUT), message = null
+
+TIMEOUT Same-document navigations in an iframe blocked by CSP frame-src dynamically using the <meta> tag Test timed out
+
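Review bot: the first line of this baseline contains the literal template `www1.{{host}}`, so the request went out with the substitution unexpanded, and the recorded result is a harness TIMEOUT. The mac-wk2 expectation therefore captures a broken test setup, not a CSP frame-src verdict. Either get the substitution applied for this test or skip it with a bug reference, so the baseline does not hide a later regression.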
diff --git a/LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub-expected.txt b/LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/content-security-policy/reporting/report-only-in-meta.sub-expected.txt
new file mode 100644 (file)
index 0000000..f4f620f
--- /dev/null
@@ -0,0 +1,6 @@
+
+
+PASS Image should load 
+PASS checkReport tests loaded 
+PASS Violation report status OK. 
+
index 3bfa80a..dfb69ea 100644 (file)
     "imported/w3c/web-platform-tests/beacon/beacon-navigate.html": [
         "slow"
     ],
+    "imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/report-blocked-frame.sub.html": [
+        "slow"
+    ],
+    "imported/w3c/web-platform-tests/content-security-policy/frame-ancestors/report-only-frame.sub.html": [
+        "slow"
+    ],
     "imported/w3c/web-platform-tests/content-security-policy/generic/no-default-src.sub.html": [
         "slow"
     ],