
commit 1c34d1ac61aecb14a69b79496ad5531135712245
parent aa1eca0183d271d29ff123bdaae75179ad3fb7ab
Author: Julian Descottes <jdescottes@mozilla.com>
Date:   Sat, 22 Nov 2025 21:11:15 +0000

Bug 2001361 [wpt PR 55853] - [wdspec] Add tentative tests for script commands bypassing CSP, a=testonly

Automatic update from web-platform-tests
[wdspec] Add tentative tests for script commands bypassing CSP

--

wpt-commits: 9a253c311b7a1efe922a7b46280f5674e8481025
wpt-pr: 55853

Diffstat:
Mtesting/web-platform/tests/webdriver/tests/bidi/script/__init__.py | 29+++++++++++++++++++++++++++++
Atesting/web-platform/tests/webdriver/tests/bidi/script/call_function/csp_tentative.py | 30++++++++++++++++++++++++++++++
Mtesting/web-platform/tests/webdriver/tests/bidi/script/conftest.py | 43+++++++++++++++++++++++++++++++++++++++++++
Atesting/web-platform/tests/webdriver/tests/bidi/script/evaluate/csp_tentative.py | 29+++++++++++++++++++++++++++++
4 files changed, 131 insertions(+), 0 deletions(-)

diff --git a/testing/web-platform/tests/webdriver/tests/bidi/script/__init__.py b/testing/web-platform/tests/webdriver/tests/bidi/script/__init__.py
@@ -224,3 +224,32 @@ async def create_sandbox(bidi_session, context, sandbox_name="Test", method="eva
 raise Exception(f"Unsupported method to create a sandbox: {method}")
 return result["realm"]
+
+
+# Expressions used for script evaluate and call_function CSP tentative tests.
+CSP_EXPRESSIONS = {
+ "default": "2 + 1",
+ "eval": "eval('2 + 1')",
+ "new Function": "new Function('return 2 + 1')()",
+ "promise eval": """
+ new Promise(r => {
+ setTimeout(() => {
+ r(eval('2 + 1'));
+ }, 0);
+ })
+ """,
+ "async eval": """
+ (async () => {
+ await new Promise(r => setTimeout(r, 0));
+ return eval("2 + 1");
+ })()
+ """,
+ "eval from inline script": "window.inlineScriptEval()",
+ "eval from preload script": "window.preloadScriptEval()",
+ "async eval from preload script": "window.preloadScriptAsyncEval()",
+ "eval from event handler": "window.document.body.onclick()",
+ "nested eval": "eval(\"eval('2+1')\")",
+ "nested new Function": "new Function(\"return new Function('return 2 + 1')()\")()",
+ "new Function nested in eval": "eval(\"new Function('return 2 + 1')()\")",
+ "eval nested in new Function": "new Function(\"return eval('2+1')\")()",
+}
diff --git a/testing/web-platform/tests/webdriver/tests/bidi/script/call_function/csp_tentative.py b/testing/web-platform/tests/webdriver/tests/bidi/script/call_function/csp_tentative.py
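Review bot: The comment above CSP_EXPRESSIONS says where the table is used but not what every entry must satisfy, so a reader cannot tell why `window.inlineScriptEval()` or `window.document.body.onclick()` belong in a list of "expressions" — they only make sense against the page fixture added to conftest.py in this commit, whose `<meta>` CSP allows 'unsafe-inline' but not 'unsafe-eval'. I would extend the comment: `# Each entry must produce 3 when run through script.evaluate / script.callFunction against the setup_csp_tentative_test page (conftest.py), whose CSP omits 'unsafe-eval': the tests check that automation-initiated script is not subject to the page CSP even when eval() is reached through page-defined helpers.` The keys double as pytest ids (`ids=CSP_EXPRESSIONS.keys()` in both test files), so a sentence noting that they are user-visible test ids would explain why they are prose rather than snake_case. The "nested eval" and "eval nested in new Function" entries spell the operand `2+1` while every other entry uses `2 + 1`; harmless, but normalizing keeps the table grep-able.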
@@ -0,0 +1,30 @@
+import pytest
+import asyncio
+
+from webdriver.bidi.modules.script import ContextTarget
+
+from .. import CSP_EXPRESSIONS
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+ "expression",
+ CSP_EXPRESSIONS.values(),
+ ids=CSP_EXPRESSIONS.keys(),
+)
+async def test_default_src_unsafe_inline(
+ bidi_session, top_context, setup_csp_tentative_test, expression
+):
+ function_declaration = f"() => ({expression})"
+ result = await asyncio.wait_for(
+ asyncio.shield(
+ bidi_session.script.call_function(
+ function_declaration=function_declaration,
+ target=ContextTarget(top_context["context"]),
+ await_promise=True,
+ )
+ ),
+ timeout=2.0,
+ )
+
+ assert result == {"type": "number", "value": 3}
diff --git a/testing/web-platform/tests/webdriver/tests/bidi/script/conftest.py b/testing/web-platform/tests/webdriver/tests/bidi/script/conftest.py
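Review bot: The `asyncio.wait_for(asyncio.shield(...), timeout=2.0)` wrapper is the non-obvious part of this test and carries no comment; the same construct is repeated verbatim in evaluate/csp_tentative.py. Presumably the timeout exists because an eval() blocked by CSP inside the setTimeout / async callbacks of the "promise eval" and "async eval" entries would throw in the callback and never settle the promise, leaving `await_promise=True` waiting forever, and the shield keeps the in-flight BiDi command coroutine from being cancelled when the timeout fires — if so, say it: `# A CSP-blocked eval() inside a callback never settles the promise; bound the wait so a regression fails instead of hanging, and shield() so the BiDi command is not cancelled mid-flight.` On timeout the test currently dies with a bare `asyncio.TimeoutError`, so catching it and calling `pytest.fail(f"{expression!r} did not settle within 2s; likely blocked by the page CSP")` would make the failure self-explanatory in CI logs. The `f"() => ({expression})"` wrapper also relies on every CSP_EXPRESSIONS value being a single expression, including the multi-line template-string entries; that holds today and deserves a one-line comment so the next entry added to the table keeps the invariant.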
@@ -65,3 +65,46 @@ def evaluate(bidi_session, top_context):
 return result
 return evaluate
+
+
+@pytest_asyncio.fixture
+async def setup_csp_tentative_test(
+ bidi_session, inline, top_context, add_preload_script
+):
+ url = inline(
+ """<!DOCTYPE html>
+ <html lang="en">
+ <head>
+ <meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline'">
+ </head>
+ <body onclick="return eval('2 + 1')">
+ <script type="text/javascript">
+ window.inlineScriptEval = function () {
+ return eval("2 + 1");
+ }
+ </script>
+ </body>
+ </html>""",
+ # Note: Use the html_quirks template in order to have an empty template
+ # and be able to set cleanly a meta tag, a body tag etc. However we are
+ # not actually testing quirks mode here, so we still add a standard
+ # doctype in the template content.
+ doctype="html_quirks",
+ )
+
+ await add_preload_script(
+ function_declaration="""() => {
+ window.preloadScriptEval = function () {
+ return eval("2 + 1");
+ };
+ window.preloadScriptAsyncEval = async function () {
+ await new Promise(r => setTimeout(r, 0));
+ return eval("2 + 1");
+ };
+ }""",
+ contexts=[top_context["context"]],
+ )
+
+ await bidi_session.browsing_context.navigate(
+ context=top_context["context"], url=url, wait="complete"
+ )
diff --git a/testing/web-platform/tests/webdriver/tests/bidi/script/evaluate/csp_tentative.py b/testing/web-platform/tests/webdriver/tests/bidi/script/evaluate/csp_tentative.py
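Review bot: The new `setup_csp_tentative_test` fixture never states the one property the tests depend on: the `<meta>` policy `default-src 'unsafe-inline'` deliberately permits the inline `<script>` and the `onclick` attribute so the page-side helpers get defined, while omitting `'unsafe-eval'` so any page-initiated eval() would be blocked — that contrast is what makes a CSP bypass observable. A docstring on the fixture should say that, note that `window.inlineScriptEval`, `window.preloadScriptEval`, `window.preloadScriptAsyncEval` and the body `onclick` are the helpers referenced by CSP_EXPRESSIONS in `__init__.py`, and mention that the fixture is consumed purely for its side effect (it navigates and returns nothing). The existing note about `doctype="html_quirks"` is useful; the same tone on the policy string would keep the test readable without opening the spec. The hunk begins with the tail of the pre-existing `evaluate` fixture, whose body starts outside the hunk.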
@@ -0,0 +1,29 @@
+import pytest
+import asyncio
+
+from webdriver.bidi.modules.script import ContextTarget
+
+from .. import CSP_EXPRESSIONS
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+ "expression",
+ CSP_EXPRESSIONS.values(),
+ ids=CSP_EXPRESSIONS.keys(),
+)
+async def test_default_src_unsafe_inline(
+ bidi_session, top_context, setup_csp_tentative_test, expression
+):
+ result = await asyncio.wait_for(
+ asyncio.shield(
+ bidi_session.script.evaluate(
+ expression=expression,
+ target=ContextTarget(top_context["context"]),
+ await_promise=True,
+ )
+ ),
+ timeout=2.0,
+ )
+
+ assert result == {"type": "number", "value": 3}