-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Bug 1771355 [wpt PR 34219] - [WPT] Fix and extend content-security-po…
…licy/unsafe-hashes/, a=testonly Automatic update from web-platform-tests [WPT] Fix and extend content-security-policy/unsafe-hashes/ The tests using `<a>` elements were largely broken: - Some tests execute `t.unreached_func()` instead of `t.unreached_func()()`, and thus didn't terminate tests on failures. - `target="_blank"`, `rel="opener"` and `opener` in JavaScript URL should be used together but weren't. `javascript_src_denied_wrong_hash-href_blank.html` had `target="_blank"` but not other two. - Filenames and test contents didn't match. For example, javascript_src_denied_missing_unsafe_hashes-href_blank.html had actually wrong hashes while javascript_src_denied_wrong_hash-href_blank.html missed 'unsafe-hash'. This CL refactors and fixes these tests. The common parts are moved into `helper.js` and only two javascript: URLs are used to simplify CSP hashes: - `javascript:opener.navigated();` - `javascript:navigated();` This CL also adds tests to confirm that `script-src-elem` is used, not `script-src-attr`. Bug: 941246 Change-Id: Ieb6e665b34abced26fcc6cc2bbefe3c3eb6749b8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3669066 Reviewed-by: Antonio Sartori <antoniosartori@chromium.org> Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org> Cr-Commit-Position: refs/heads/main@{#1008357} -- wpt-commits: ba1428c9e542762d0dc61c6e0f7bb761c8363be5 wpt-pr: 34219
- Loading branch information
1 parent
55f2313
commit 3b99c00
Showing
13 changed files
with
177 additions
and
116 deletions.
There are no files selected for viewing
23 changes: 6 additions & 17 deletions
23
...web-platform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,26 +1,15 @@ | ||
<!DOCTYPE HTML> | ||
<html> | ||
|
||
<head> | ||
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' | ||
'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=';"> | ||
<!-- | ||
'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=' ==> 'javascript:t1.done();' | ||
--> | ||
<script src='/resources/testharness.js' nonce='abc'></script> | ||
<script src='/resources/testharnessreport.js' nonce='abc'></script> | ||
'sha256-l0Wxf12cHMZT6UQ2zsQ7AcFSb6Y198d37Ki8zWITecM=';"> | ||
<script src="/resources/testharness.js" nonce="abc"></script> | ||
<script src="/resources/testharnessreport.js" nonce="abc"></script> | ||
<script src="support/helper.js" nonce="abc"></script> | ||
</head> | ||
|
||
<body> | ||
<div id='log'></div> | ||
<a href='javascript:t1.done();' id='test'> | ||
<script nonce='abc'> | ||
var t1 = async_test("Test that the javascript: src is allowed to run"); | ||
|
||
window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event")); | ||
|
||
document.getElementById('test').click(); | ||
<script nonce="abc"> | ||
runTest(true, '<a href>', ''); | ||
</script> | ||
</body> | ||
|
||
</html> |
18 changes: 18 additions & 0 deletions
18
...tent-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-attr.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
<!DOCTYPE HTML> | ||
<html> | ||
<head> | ||
<meta http-equiv="Content-Security-Policy" content="script-src-attr 'unsafe-hashes' 'nonce-abc' | ||
'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';"> | ||
<script src="/resources/testharness.js" nonce="abc"></script> | ||
<script src="/resources/testharnessreport.js" nonce="abc"></script> | ||
<script src="support/helper.js" nonce="abc"></script> | ||
</head> | ||
<body> | ||
<script nonce="abc"> | ||
// script-src-attr CSP should not have effects because navigation CSP | ||
// checks are done against script-src-elem. | ||
// https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check | ||
runTest(true, '<a href target=_blank>', ' (script-src-attr should not be used)'); | ||
</script> | ||
</body> | ||
</html> |
15 changes: 15 additions & 0 deletions
15
...tent-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-elem.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
<!DOCTYPE HTML> | ||
<html> | ||
<head> | ||
<meta http-equiv="Content-Security-Policy" content="script-src-elem 'unsafe-hashes' 'nonce-abc' | ||
'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';"> | ||
<script src="/resources/testharness.js" nonce="abc"></script> | ||
<script src="/resources/testharnessreport.js" nonce="abc"></script> | ||
<script src="support/helper.js" nonce="abc"></script> | ||
</head> | ||
<body> | ||
<script nonce="abc"> | ||
runTest(true, '<a href target=_blank>', ''); | ||
</script> | ||
</body> | ||
</html> |
23 changes: 6 additions & 17 deletions
23
...atform/tests/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,26 +1,15 @@ | ||
<!DOCTYPE HTML> | ||
<html> | ||
|
||
<head> | ||
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' | ||
'sha256-WZYVPzLjoxd1Cbc8gcx07ChlPmT3WP+KxkOiY0s4h8g=';"> | ||
<!-- | ||
'sha256-WZYVPzLjoxd1Cbc8gcx07ChlPmT3WP+KxkOiY0s4h8g=' ==> 'javascript:opener.t1.done();' | ||
--> | ||
<script src='/resources/testharness.js' nonce='abc'></script> | ||
<script src='/resources/testharnessreport.js' nonce='abc'></script> | ||
'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';"> | ||
<script src="/resources/testharness.js" nonce="abc"></script> | ||
<script src="/resources/testharnessreport.js" nonce="abc"></script> | ||
<script src="support/helper.js" nonce="abc"></script> | ||
</head> | ||
|
||
<body> | ||
<div id='log'></div> | ||
<a target="_blank" rel="opener" href='javascript:opener.t1.done();' id='test'> | ||
<script nonce='abc'> | ||
var t1 = async_test("Test that the javascript: src is allowed to run"); | ||
|
||
window.addEventListener('securitypolicyviolation', t1.unreached_func("Should have not raised any event")); | ||
|
||
document.getElementById('test').click(); | ||
<script nonce="abc"> | ||
runTest(true, '<a href target=_blank>', ''); | ||
</script> | ||
</body> | ||
|
||
</html> |
26 changes: 6 additions & 20 deletions
26
...ntent-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,29 +1,15 @@ | ||
<!DOCTYPE HTML> | ||
<html> | ||
|
||
<head> | ||
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' | ||
'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=';"> | ||
<!-- | ||
'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=' ==> javascript:t1.unreached_func("Should not have run javascript: URL"); | ||
--> | ||
<script src='/resources/testharness.js' nonce='abc'></script> | ||
<script src='/resources/testharnessreport.js' nonce='abc'></script> | ||
'sha256-l0Wxf12cHMZT6UQ2zsQ7AcFSb6Y198d37Ki8zWITecM=';"> | ||
<script src="/resources/testharness.js" nonce="abc"></script> | ||
<script src="/resources/testharnessreport.js" nonce="abc"></script> | ||
<script src="support/helper.js" nonce="abc"></script> | ||
</head> | ||
|
||
<body> | ||
<div id='log'></div> | ||
<a href='javascript:t1.unreached_func("Should not have run javascript: URL");' id='test'> | ||
<script nonce='abc'> | ||
var t1 = async_test("Test that the javascript: src is not allowed to run"); | ||
|
||
window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) { | ||
assert_equals(e.violatedDirective, 'script-src-elem'); | ||
assert_equals(e.blockedURI, 'inline'); | ||
})); | ||
|
||
document.getElementById('test').click(); | ||
<script nonce="abc"> | ||
runTest(false, '<a href>', ' due to missing unsafe-hashes'); | ||
</script> | ||
</body> | ||
|
||
</html> |
18 changes: 18 additions & 0 deletions
18
...unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-attr.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
<!DOCTYPE HTML> | ||
<html> | ||
<head> | ||
<meta http-equiv="Content-Security-Policy" content="script-src-attr 'nonce-abc' | ||
'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';"> | ||
<script src="/resources/testharness.js" nonce="abc"></script> | ||
<script src="/resources/testharnessreport.js" nonce="abc"></script> | ||
<script src="support/helper.js" nonce="abc"></script> | ||
</head> | ||
<body> | ||
<script nonce="abc"> | ||
// script-src-attr CSP should not have effects because navigation CSP | ||
// checks are done against script-src-elem. | ||
// https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check | ||
runTest(true, '<a href target=_blank>', ' (script-src-attr should not be used)'); | ||
</script> | ||
</body> | ||
</html> |
15 changes: 15 additions & 0 deletions
15
...unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-script-src-elem.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
<!DOCTYPE HTML> | ||
<html> | ||
<head> | ||
<meta http-equiv="Content-Security-Policy" content="script-src-elem 'nonce-abc' | ||
'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';"> | ||
<script src="/resources/testharness.js" nonce="abc"></script> | ||
<script src="/resources/testharnessreport.js" nonce="abc"></script> | ||
<script src="support/helper.js" nonce="abc"></script> | ||
</head> | ||
<body> | ||
<script nonce="abc"> | ||
runTest(false, '<a href target=_blank>', ' due to missing unsafe-hashes'); | ||
</script> | ||
</body> | ||
</html> |
28 changes: 7 additions & 21 deletions
28
...security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,29 +1,15 @@ | ||
<!DOCTYPE HTML> | ||
<html> | ||
|
||
<head> | ||
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' | ||
'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=';"> | ||
<!-- | ||
'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=' ==> javascript:t1.unreached_func("Should not have run javascript: URL"); | ||
--> | ||
<script src='/resources/testharness.js' nonce='abc'></script> | ||
<script src='/resources/testharnessreport.js' nonce='abc'></script> | ||
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' | ||
'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';"> | ||
<script src="/resources/testharness.js" nonce="abc"></script> | ||
<script src="/resources/testharnessreport.js" nonce="abc"></script> | ||
<script src="support/helper.js" nonce="abc"></script> | ||
</head> | ||
|
||
<body> | ||
<div id='log'></div> | ||
<a href='javascript:t1.unreached_func("Should not have run javascript: URL");' id='test'> | ||
<script nonce='abc'> | ||
var t1 = async_test("Test that the javascript: src is not allowed to run"); | ||
|
||
window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) { | ||
assert_equals(e.violatedDirective, 'script-src-elem'); | ||
assert_equals(e.blockedURI, 'inline'); | ||
})); | ||
|
||
document.getElementById('test').click(); | ||
<script nonce="abc"> | ||
runTest(false, '<a href target=_blank>', ' due to missing unsafe-hashes'); | ||
</script> | ||
</body> | ||
|
||
</html> |
26 changes: 6 additions & 20 deletions
26
...rm/tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,29 +1,15 @@ | ||
<!DOCTYPE HTML> | ||
<html> | ||
|
||
<head> | ||
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' | ||
'sha256-r5W8SQIDMTbMxAjJ7KzCzFT38dwBy7Y5KF5B+20009g=';"> | ||
<!-- | ||
'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=' ==> javascript:t1.unreached_func("Should not have run javascript: URL"); | ||
--> | ||
<script src='/resources/testharness.js' nonce='abc'></script> | ||
<script src='/resources/testharnessreport.js' nonce='abc'></script> | ||
'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';"> | ||
<script src="/resources/testharness.js" nonce="abc"></script> | ||
<script src="/resources/testharnessreport.js" nonce="abc"></script> | ||
<script src="support/helper.js" nonce="abc"></script> | ||
</head> | ||
|
||
<body> | ||
<div id='log'></div> | ||
<a href='javascript:t1.unreached_func("Should not have run javascript: URL");' id='test'> | ||
<script nonce='abc'> | ||
var t1 = async_test("Test that the javascript: src is not allowed to run"); | ||
|
||
window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) { | ||
assert_equals(e.violatedDirective, 'script-src-elem'); | ||
assert_equals(e.blockedURI, 'inline'); | ||
})); | ||
|
||
document.getElementById('test').click(); | ||
<script nonce="abc"> | ||
runTest(false, '<a href>', ' due to wrong hash'); | ||
</script> | ||
</body> | ||
|
||
</html> |
18 changes: 18 additions & 0 deletions
18
...ity-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-attr.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
<!DOCTYPE HTML> | ||
<html> | ||
<head> | ||
<meta http-equiv="Content-Security-Policy" content="script-src-attr 'unsafe-hashes' 'nonce-abc' | ||
'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';"> | ||
<script src="/resources/testharness.js" nonce="abc"></script> | ||
<script src="/resources/testharnessreport.js" nonce="abc"></script> | ||
<script src="support/helper.js" nonce="abc"></script> | ||
</head> | ||
<body> | ||
<script nonce="abc"> | ||
// script-src-attr CSP should not have effects because navigation CSP | ||
// checks are done against script-src-elem. | ||
// https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check | ||
runTest(true, '<a href target=_blank>', ' (script-src-attr should not be used)'); | ||
</script> | ||
</body> | ||
</html> |
15 changes: 15 additions & 0 deletions
15
...ity-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-script-src-elem.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
<!DOCTYPE HTML> | ||
<html> | ||
<head> | ||
<meta http-equiv="Content-Security-Policy" content="script-src-elem 'unsafe-hashes' 'nonce-abc' | ||
'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';"> | ||
<script src="/resources/testharness.js" nonce="abc"></script> | ||
<script src="/resources/testharnessreport.js" nonce="abc"></script> | ||
<script src="support/helper.js" nonce="abc"></script> | ||
</head> | ||
<body> | ||
<script nonce="abc"> | ||
runTest(false, '<a href target=_blank>', ' due to wrong hash'); | ||
</script> | ||
</body> | ||
</html> |
28 changes: 7 additions & 21 deletions
28
...ts/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,29 +1,15 @@ | ||
<!DOCTYPE HTML> | ||
<html> | ||
|
||
<head> | ||
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' | ||
'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=';"> | ||
<!-- | ||
'sha256-3MhWOWQJwDMJCRltopqBmDhP4qq569eTDcH+BpbHp0o=' ==> javascript:t1.unreached_func("Should not have run javascript: URL"); | ||
--> | ||
<script src='/resources/testharness.js' nonce='abc'></script> | ||
<script src='/resources/testharnessreport.js' nonce='abc'></script> | ||
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' | ||
'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';"> | ||
<script src="/resources/testharness.js" nonce="abc"></script> | ||
<script src="/resources/testharnessreport.js" nonce="abc"></script> | ||
<script src="support/helper.js" nonce="abc"></script> | ||
</head> | ||
|
||
<body> | ||
<div id='log'></div> | ||
<a target="_blank" href='javascript:t1.unreached_func("Should not have run javascript: URL");' id='test'> | ||
<script nonce='abc'> | ||
var t1 = async_test("Test that the javascript: src is not allowed to run"); | ||
|
||
window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) { | ||
assert_equals(e.violatedDirective, 'script-src-elem'); | ||
assert_equals(e.blockedURI, 'inline'); | ||
})); | ||
|
||
document.getElementById('test').click(); | ||
<script nonce="abc"> | ||
runTest(false, '<a href target=_blank>', ' due to wrong hash'); | ||
</script> | ||
</body> | ||
|
||
</html> |
40 changes: 40 additions & 0 deletions
40
testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
// Typical CSP hashes are: | ||
// 'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=' ==> javascript:opener.navigated(); | ||
// 'sha256-l0Wxf12cHMZT6UQ2zsQ7AcFSb6Y198d37Ki8zWITecM=' ==> javascript:navigated(); | ||
|
||
function runTest(navigationShouldAllowed, navigationMethod, description) { | ||
const t1 = async_test( | ||
'javascript: navigation using ' + navigationMethod + ' should be ' + | ||
(navigationShouldAllowed ? 'allowed' : 'refused') + description); | ||
|
||
if (navigationShouldAllowed) { | ||
window.navigated = () => t1.done(); | ||
window.addEventListener('securitypolicyviolation', | ||
t1.unreached_func('Should have not raised any event')); | ||
} else { | ||
window.navigated = | ||
t1.unreached_func('Should not have run javascript: URL'); | ||
window.addEventListener('securitypolicyviolation', | ||
t1.step_func_done(function(e) { | ||
assert_equals(e.violatedDirective, 'script-src-elem'); | ||
assert_equals(e.blockedURI, 'inline'); | ||
})); | ||
} | ||
|
||
if (navigationMethod === '<a href target=_blank>') { | ||
const a = document.createElement('a'); | ||
a.setAttribute('target', '_blank'); | ||
a.setAttribute('rel', 'opener'); | ||
a.setAttribute('href', 'javascript:opener.navigated();'); | ||
document.body.appendChild(a); | ||
a.click(); | ||
} | ||
else if (navigationMethod === '<a href>') { | ||
const a = document.createElement('a'); | ||
a.setAttribute('href', 'javascript:navigated();'); | ||
document.body.appendChild(a); | ||
a.click(); | ||
} else { | ||
t1.unreached_func('Invalid navigationMethod: ' + navigationMethod)(); | ||
} | ||
} |