CSP: Enhance WPTs to check inline and eval blockedURIs
This adds a few assertions to Web Platform Tests for Content Security
Policies checking if inline script execution and eval are allowed, so
that they also ensure that the blockedURI in the CSP violation matches
'inline' or 'eval'.
Bug: 563976
Change-Id: Ie2b93fe838768703e652dcfd5bd25b1334abcf57
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2743762
Auto-Submit: Antonio Sartori <antoniosartori@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Commit-Queue: Antonio Sartori <antoniosartori@chromium.org>
Cr-Commit-Position: refs/heads/master@{#862765}
diff --git a/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html b/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html
index 001d175..6ee3785 100644
--- a/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html
+++ b/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html
@@ -14,6 +14,6 @@
}
</script>
- <script async defer src="../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27unsafe-inline%27"></script>
+ <script async defer src="../support/checkReport.sub.js?reportField=blocked-uri&reportValue=eval"></script>
</body>
</html>
diff --git a/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.sub.headers b/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.sub.headers
index e312b2c..09d8ade 100644
--- a/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.sub.headers
+++ b/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.sub.headers
@@ -1,2 +1,2 @@
Set-Cookie: eval-allowed-in-report-only-mode-and-sends-report={{$id:uuid()}}; Path=/content-security-policy/script-src
-Content-Security-Policy-Report-Only: script-src 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
+Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/content-security-policy/script-src/injected-inline-script-blocked.sub.html b/content-security-policy/script-src/injected-inline-script-blocked.sub.html
index 45c389f..45b7414 100644
--- a/content-security-policy/script-src/injected-inline-script-blocked.sub.html
+++ b/content-security-policy/script-src/injected-inline-script-blocked.sub.html
@@ -7,7 +7,7 @@
<title>injected-inline-script-blocked</title>
<script nonce='abc' src="/resources/testharness.js"></script>
<script nonce='abc' src="/resources/testharnessreport.js"></script>
- <script nonce='abc' src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem",]'></script>
+ <script nonce='abc' src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem","blocked-uri=inline"]'></script>
<script nonce='abc' src='../support/alertAssert.sub.js?alerts=[]'></script>
</head>
@@ -15,6 +15,7 @@
<script nonce='abc'>
window.addEventListener('securitypolicyviolation', function(e) {
log("violated-directive=" + e.violatedDirective);
+ log("blocked-uri=" + e.blockedURI);
});
</script>
<script src="support/inject-script.js"></script>
diff --git a/content-security-policy/script-src/script-src-strict_dynamic_eval.html b/content-security-policy/script-src/script-src-strict_dynamic_eval.html
index 459d69a..3a6056f 100644
--- a/content-security-policy/script-src/script-src-strict_dynamic_eval.html
+++ b/content-security-policy/script-src/script-src-strict_dynamic_eval.html
@@ -20,6 +20,7 @@
window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
assert_false(evalScriptRan);
assert_equals(e.effectiveDirective, 'script-src');
+ assert_equals(e.blockedURI, 'eval');
}));
assert_throws_js(Error,
