Remove instances of 'whitelist' in content-security-policy/ (#21321)
As per https://whatwg.org/style-guide
diff --git a/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html b/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html
index 96f0e38..a8a6a36 100644
--- a/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html
+++ b/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html
@@ -69,12 +69,12 @@
"returned_csp_1": "style-src 'unsafe-inline'",
"returned_csp_2": null,
"expected": IframeLoad.EXPECT_BLOCK },
- { "name": "Returned csp whitelists a nonce.",
+ { "name": "Returned csp allows a nonce.",
"required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'",
"returned_csp_1": "style-src 'unsafe-inline' 'nonce-abc'",
"returned_csp_2": "style-src 'nonce-abc'",
"expected": IframeLoad.EXPECT_BLOCK },
- { "name": "Returned csp whitelists a hash.",
+ { "name": "Returned csp allows a hash.",
"required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'",
"returned_csp_1": "style-src 'unsafe-inline' 'sha256-abc123'",
"returned_csp_2": "style-src 'sha256-abc123'",
diff --git a/content-security-policy/script-src/script-src-sri_hash.sub.html b/content-security-policy/script-src/script-src-sri_hash.sub.html
index 2c888f4..b592068 100644
--- a/content-security-policy/script-src/script-src-sri_hash.sub.html
+++ b/content-security-policy/script-src/script-src-sri_hash.sub.html
@@ -49,11 +49,11 @@
'./simpleSourcedScript.js',
'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha256-xyz',
false ],
- [ 'crossorigin no integrity but whitelisted host',
+ [ 'crossorigin no integrity but allowed host',
crossorigin_base + '/content-security-policy/script-src/crossoriginScript.js',
'',
true ],
- [ 'crossorigin mismatched integrity but whitelisted host',
+ [ 'crossorigin mismatched integrity but allowed host',
crossorigin_base + '/content-security-policy/script-src/crossoriginScript.js',
'sha256-kKJ5c48yxzaaSBupJSCmY50hkD8xbVgZgLHLtmnkeAo=',
true ],
diff --git a/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html b/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html
new file mode 100644
index 0000000..4edef30
--- /dev/null
+++ b/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html
@@ -0,0 +1,32 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+ <title>Source expressions are discarded with `strict-dynamic` in the script-src directive.</title>
+ <script src='/resources/testharness.js' nonce='dummy'></script>
+ <script src='/resources/testharnessreport.js' nonce='dummy'></script>
+
+ <!-- CSP served: script-src 'self' 'strict-dynamic' 'nonce-dummy' -->
+</head>
+
+<body>
+ <h1>Source expressions are discarded with `strict-dynamic` in the script-src directive.</h1>
+ <div id='log'></div>
+
+ <script nonce='dummy'>
+ async_test(function(t) {
+ window.addEventListener('message', t.step_func(function(e) {
+ if (e.data === 'allowedScript') {
+ assert_unreached('Allowed scripts without a correct nonce are not permitted with `strict-dynamic`.');
+ }
+ }));
+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+ assert_equals(e.effectiveDirective, 'script-src-elem');
+ }));
+ }, 'Allowed scripts without a correct nonce are not permitted with `strict-dynamic`.');
+ </script>
+ <script id='allowedScript' src='simpleSourcedScript.js'></script>
+
+</body>
+
+</html>
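Review bot: The `securitypolicyviolation` listener completes the test on the first violation it sees and checks only `effectiveDirective`, so a violation reported for any other script element would also make this page pass. The case under test is that `simpleSourcedScript.js` matches `'self'` yet is blocked for lacking the nonce, so the handler could also pin the blocked resource, e.g. `assert_true(e.blockedURI.endsWith('simpleSourcedScript.js'));`, much as the double-policy test filters on `blockedURI`. The test name 'Allowed scripts without a correct nonce are not permitted with `strict-dynamic`.' now reads as a contradiction; 'Scripts matching a source expression but lacking a correct nonce are blocked with `strict-dynamic`.' would state the case exactly.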
diff --git a/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html.headers b/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html.headers
similarity index 100%
rename from content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html.headers
rename to content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html.headers
diff --git a/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html b/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html
deleted file mode 100644
index 51b0b79..0000000
--- a/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html
+++ /dev/null
@@ -1,32 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-
-<head>
- <title>Whitelists are discarded with `strict-dynamic` in the script-src directive.</title>
- <script src='/resources/testharness.js' nonce='dummy'></script>
- <script src='/resources/testharnessreport.js' nonce='dummy'></script>
-
- <!-- CSP served: script-src 'self' 'strict-dynamic' 'nonce-dummy' -->
-</head>
-
-<body>
- <h1>Whitelists are discarded with `strict-dynamic` in the script-src directive.</h1>
- <div id='log'></div>
-
- <script nonce='dummy'>
- async_test(function(t) {
- window.addEventListener('message', t.step_func(function(e) {
- if (e.data === 'whitelistedScript') {
- assert_unreached('Whitelisted script without a correct nonce is not allowed with `strict-dynamic`.');
- }
- }));
- window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
- assert_equals(e.effectiveDirective, 'script-src-elem');
- }));
- }, 'Whitelisted script without a correct nonce is not allowed with `strict-dynamic`.');
- </script>
- <script id='whitelistedScript' src='simpleSourcedScript.js'></script>
-
-</body>
-
-</html>
diff --git a/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html b/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.html
similarity index 66%
rename from content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html
rename to content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.html
index 314ed91..39126de 100644
--- a/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html
+++ b/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.html
@@ -2,7 +2,7 @@
<html>
<head>
- <title>Whitelists in a separate policy are honored with `strict-dynamic` in the script-src directive.</title>
+ <title>Source expressions in a separate policy are honored with `strict-dynamic` in the script-src directive.</title>
<script src='/resources/testharness.js' nonce='dummy'></script>
<script src='/resources/testharnessreport.js' nonce='dummy'></script>
@@ -13,35 +13,35 @@
</head>
<body>
- <h1>Whitelists in a separate policy are honored with `strict-dynamic` in the script-src directive.</h1>
+ <h1>Source expressions in a separate policy are honored with `strict-dynamic` in the script-src directive.</h1>
<div id='log'></div>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
- if (e.data === 'whitelisted-appendChild') {
+ if (e.data === 'allowed-appendChild') {
t.done();
}
}));
window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
- if (violation.blockedURI.split('?')[1] !== 'whitelisted-appendChild') {
+ if (violation.blockedURI.split('?')[1] !== 'allowed-appendChild') {
return;
}
- assert_unreached('Script injected via `appendChild` is allowed with `strict-dynamic` + a nonce+whitelist double policy.');
+ assert_unreached('Script injected via `appendChild` is permitted with `strict-dynamic` + a nonce+allowed double policy.');
}));
var e = document.createElement('script');
- e.id = 'whitelisted-appendChild';
+ e.id = 'allowed-appendChild';
e.src = 'simpleSourcedScript.js?' + e.id;
e.onerror = t.unreached_func('Error should not be triggered.');
document.body.appendChild(e);
- }, 'Script injected via `appendChild` is allowed with `strict-dynamic` + a nonce+whitelist double policy.');
+ }, 'Script injected via `appendChild` is permitted with `strict-dynamic` + a nonce+allowed double policy.');
</script>
<script nonce='dummy'>
async_test(function(t) {
window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
- if (violation.blockedURI.split('?')[1] !== 'nonWhitelisted-appendChild') {
+ if (violation.blockedURI.split('?')[1] !== 'nonAllowed-appendChild') {
return;
}
assert_equals(violation.effectiveDirective, 'script-src-elem');
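Review bot: The renamed assertion messages in this hunk say 'a nonce+allowed double policy', which lost its noun in the substitution and no longer tells the reader what the second policy contains. The new title already speaks of 'source expressions', so `a nonce + source-expression double policy` would keep the test names consistent with it; the same phrase recurs in the test name at the end of the next hunk. The ids `allowed-appendChild` and `nonAllowed-appendChild` double as the query string compared against `e.data` and `blockedURI`, so any further rename has to change every occurrence together. The second script block continues outside this hunk.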
@@ -50,11 +50,11 @@
}));
var e = document.createElement('script');
- e.id = 'nonWhitelisted-appendChild';
+ e.id = 'nonAllowed-appendChild';
e.src = '{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/nonexisting.js?' + e.id;
e.onload = t.unreached_func('OnLoad should not be triggered.');
document.body.appendChild(e);
- }, 'Non-whitelisted script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce+whitelist double policy.');
+ }, 'Non-allowed script injected via `appendChild` is not permitted with `strict-dynamic` + a nonce+allowed double policy.');
</script>
</body>
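Review bot: The rename drops `.sub` from the file name, but the `nonAllowed-appendChild` test on the new side still builds its URL from `{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}`. In web-platform-tests these placeholders are normally expanded only for files with `.sub` in the name (or a `?pipe=sub` query), so under the new name the string would presumably reach the browser unexpanded and the test would stop exercising a cross-origin host that the second policy does not list. Keeping the suffix, i.e. `script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html` with a matching `.sub.html.headers` companion, would preserve the negative case. The enclosing `async_test` starts before this hunk.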
diff --git a/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html.headers b/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.html.headers
similarity index 100%
rename from content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html.headers
rename to content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.html.headers
diff --git a/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html b/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html
index d640421..29a2a59 100644
--- a/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html
+++ b/content-security-policy/script-src/script-src-strict_dynamic_in_img-src.html
@@ -2,7 +2,7 @@
<html>
<head>
- <title>`strict-dynamic` does not drop whitelists in `img-src`.</title>
+ <title>`strict-dynamic` does not drop allowed source expressions in `img-src`.</title>
<script src='/resources/testharness.js' nonce='dummy'></script>
<script src='/resources/testharnessreport.js' nonce='dummy'></script>
@@ -10,7 +10,7 @@
</head>
<body>
- <h1>`strict-dynamic` does not drop whitelists in `img-src`.</h1>
+ <h1>`strict-dynamic` does not drop allowed source expressions in `img-src`.</h1>
<div id='log'></div>
<script nonce='dummy'>
@@ -20,12 +20,12 @@
async_test(function(t) {
var e = document.createElement('img');
- e.id = 'whitelistedImage';
+ e.id = 'allowedImage';
e.src = '/content-security-policy/support/pass.png';
e.onerror = t.unreached_func('Error should not be triggered.');
e.onload = t.step_func_done();
document.body.appendChild(e);
- }, '`strict-dynamic` does not drop whitelists in `img-src`.');
+ }, '`strict-dynamic` does not drop allowed source expressions in `img-src`.');
</script>
</body>
diff --git a/content-security-policy/style-src/stylenonce-allowed.sub.html b/content-security-policy/style-src/stylenonce-allowed.sub.html
index e190b84..fcedc15 100644
--- a/content-security-policy/style-src/stylenonce-allowed.sub.html
+++ b/content-security-policy/style-src/stylenonce-allowed.sub.html
@@ -51,7 +51,7 @@
});
</script>
- <p>Style correctly whitelisted via a 'nonce-*' expression in 'style-src' should be applied to the page.</p>
+ <p>Style correctly allowed via a 'nonce-*' expression in 'style-src' should be applied to the page.</p>
<div id="log"></div>
</body>
diff --git a/content-security-policy/worker-src/dedicated-worker-src-child-fallback.sub.html b/content-security-policy/worker-src/dedicated-worker-src-child-fallback.sub.html
index 9c37dfb..c16a9a5 100644
--- a/content-security-policy/worker-src/dedicated-worker-src-child-fallback.sub.html
+++ b/content-security-policy/worker-src/dedicated-worker-src-child-fallback.sub.html
@@ -4,6 +4,6 @@
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<script src="../support/testharness-helper.js"></script>
-<!-- Ideally we would use "script-src 'none'" alone but we have to whitelist the actual script that spawns the workers, hence the nonce.-->
+<!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.-->
<meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'none' 'nonce-foo'; default-src 'none'; ">
-<script src="../support/dedicated-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin dedicated worker allowed by child-src 'self'."></script>
\ No newline at end of file
+<script src="../support/dedicated-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin dedicated worker allowed by child-src 'self'."></script>
diff --git a/content-security-policy/worker-src/dedicated-worker-src-self-fallback.sub.html b/content-security-policy/worker-src/dedicated-worker-src-self-fallback.sub.html
index 06e79db..69e9647 100644
--- a/content-security-policy/worker-src/dedicated-worker-src-self-fallback.sub.html
+++ b/content-security-policy/worker-src/dedicated-worker-src-self-fallback.sub.html
@@ -4,6 +4,6 @@
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<script src="../support/testharness-helper.js"></script>
-<!-- Ideally we would use "script-src 'none'" alone but we have to whitelist the actual script that spawns the workers, hence the nonce.-->
+<!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.-->
<meta http-equiv="Content-Security-Policy" content="worker-src 'self'; child-src 'none'; script-src 'none' 'nonce-foo'; default-src 'none'; ">
-<script src="../support/dedicated-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin dedicated worker allowed by worker-src 'self'."></script>
\ No newline at end of file
+<script src="../support/dedicated-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin dedicated worker allowed by worker-src 'self'."></script>
diff --git a/content-security-policy/worker-src/service-worker-src-child-fallback.https.sub.html b/content-security-policy/worker-src/service-worker-src-child-fallback.https.sub.html
index 0053b10..4d6f2f3 100644
--- a/content-security-policy/worker-src/service-worker-src-child-fallback.https.sub.html
+++ b/content-security-policy/worker-src/service-worker-src-child-fallback.https.sub.html
@@ -4,6 +4,6 @@
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<script src="../support/testharness-helper.js"></script>
-<!-- Ideally we would use "script-src 'none'" alone but we have to whitelist the actual script that spawns the workers, hence the nonce.-->
+<!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.-->
<meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'none' 'nonce-foo'; default-src 'none'; ">
-<script src="../support/service-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin service worker allowed by child-src 'self'."></script>
\ No newline at end of file
+<script src="../support/service-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin service worker allowed by child-src 'self'."></script>
diff --git a/content-security-policy/worker-src/service-worker-src-self-fallback.https.sub.html b/content-security-policy/worker-src/service-worker-src-self-fallback.https.sub.html
index 58bc8cd..5759112 100644
--- a/content-security-policy/worker-src/service-worker-src-self-fallback.https.sub.html
+++ b/content-security-policy/worker-src/service-worker-src-self-fallback.https.sub.html
@@ -4,6 +4,6 @@
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<script src="../support/testharness-helper.js"></script>
-<!-- Ideally we would use "script-src 'none'" alone but we have to whitelist the actual script that spawns the workers, hence the nonce.-->
+<!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.-->
<meta http-equiv="Content-Security-Policy" content="worker-src 'self'; child-src 'none'; script-src 'none' 'nonce-foo'; default-src 'none'; ">
-<script src="../support/service-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin service worker allowed by worker-src 'self'."></script>
\ No newline at end of file
+<script src="../support/service-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin service worker allowed by worker-src 'self'."></script>
diff --git a/content-security-policy/worker-src/shared-worker-src-child-fallback.sub.html b/content-security-policy/worker-src/shared-worker-src-child-fallback.sub.html
index 5351085..1e6a1df 100644
--- a/content-security-policy/worker-src/shared-worker-src-child-fallback.sub.html
+++ b/content-security-policy/worker-src/shared-worker-src-child-fallback.sub.html
@@ -4,6 +4,6 @@
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<script src="../support/testharness-helper.js"></script>
-<!-- Ideally we would use "script-src 'none'" alone but we have to whitelist the actual script that spawns the workers, hence the nonce.-->
+<!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.-->
<meta http-equiv="Content-Security-Policy" content="child-src 'self'; script-src 'none' 'nonce-foo'; default-src 'none'; ">
-<script src="../support/shared-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin shared worker allowed by child-src 'self'."></script>
\ No newline at end of file
+<script src="../support/shared-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin shared worker allowed by child-src 'self'."></script>
diff --git a/content-security-policy/worker-src/shared-worker-src-self-fallback.sub.html b/content-security-policy/worker-src/shared-worker-src-self-fallback.sub.html
index 353a3a0..dc8370b 100644
--- a/content-security-policy/worker-src/shared-worker-src-self-fallback.sub.html
+++ b/content-security-policy/worker-src/shared-worker-src-self-fallback.sub.html
@@ -4,6 +4,6 @@
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<script src="../support/testharness-helper.js"></script>
-<!-- Ideally we would use "script-src 'none'" alone but we have to whitelist the actual script that spawns the workers, hence the nonce.-->
+<!-- Ideally we would use "script-src 'none'" alone but we have to allow the actual script that spawns the workers, hence the nonce.-->
<meta http-equiv="Content-Security-Policy" content="worker-src 'self'; child-src 'none'; script-src 'none' 'nonce-foo'; default-src 'none'; ">
-<script src="../support/shared-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin shared worker allowed by worker-src 'self'."></script>
\ No newline at end of file
+<script src="../support/shared-worker-helper.js" nonce="foo" id="foo" data-desc-fallback="Same-origin shared worker allowed by worker-src 'self'."></script>