<!DOCTYPE html>
<html>
<head>
<title>Embedded Enforcement: Subsumption Algorithm - 'unsafe-inline' keyword.</title>
<!-- The 16 cases below are split into two variants so each run stays short. -->
<meta name="variant" content="?1-8">
<meta name="variant" content="?9-last">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/testharness-helper.sub.js"></script>
<script src="/common/subset-tests.js"></script>
</head>
<body>
<script>
// Embedded-enforcement subsumption checks for the 'unsafe-inline' keyword.
//
// Each case describes one framed load:
//   required_csp   - the policy the embedder demands of the framed document
//                    (handed to assert_iframe_with_csp from the helper script).
//   returned_csp_1 - the first policy the cross-origin framed document serves.
//   returned_csp_2 - an optional second policy (sent as the "policy2" query
//                    parameter); when present, the "effective" returned policy
//                    is the combination of both, which is what subsumption is
//                    evaluated against.
//   expected       - EXPECT_LOAD when the returned policy is subsumed by the
//                    required one, EXPECT_BLOCK otherwise.
//
// The nonce and hash values are placeholders; only their presence matters.
// The CSP rules under test:
//   * 'unsafe-inline' is ignored in script-src/style-src once a nonce or hash
//     source is present in the same directive.
//   * 'strict-dynamic' applies to script-src only; in style-src it is a no-op.
var tests = [
  // --- style-src: returned policy IS subsumed -> load ---
  { "name": "'strict-dynamic' is ineffective for `style-src`.",
    "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic'",
    "returned_csp_1": "style-src 'unsafe-inline' http://example1.com/foo/bar.html",
    "returned_csp_2": null,
    "expected": IframeLoad.EXPECT_LOAD },
  { "name": "'unsafe-inline' is properly subsumed in `style-src`.",
    "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'",
    "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline'",
    "returned_csp_2": null,
    "expected": IframeLoad.EXPECT_LOAD },
  // The second returned policy has no nonce, so the effective policy still
  // honours 'unsafe-inline' and the nonce in the first one does not widen it.
  { "name": "'unsafe-inline' is only ineffective if the effective returned csp has nonces in `style-src`.",
    "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'",
    "returned_csp_1": "style-src 'unsafe-inline' 'nonce-yay'",
    "returned_csp_2": "style-src 'unsafe-inline'",
    "expected": IframeLoad.EXPECT_LOAD },
  { "name": "'unsafe-inline' is only ineffective if the effective returned csp has hashes in `style-src`.",
    "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'",
    "returned_csp_1": "style-src 'unsafe-inline' 'sha256-abc123'",
    "returned_csp_2": "style-src 'unsafe-inline'",
    "expected": IframeLoad.EXPECT_LOAD },
  // A stricter returned policy is always subsumed.
  { "name": "Returned csp does not have to allow 'unsafe-inline' in `style-src` to be subsumed.",
    "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'",
    "returned_csp_1": "style-src 'self'",
    "returned_csp_2": null,
    "expected": IframeLoad.EXPECT_LOAD },
  // An empty source list (note the trailing space is intentional) allows
  // nothing, which every required policy subsumes.
  { "name": "'unsafe-inline' does not matter if returned csp is effectively `none`.",
    "required_csp": "style-src 'unsafe-inline'",
    "returned_csp_1": "style-src ",
    "returned_csp_2": null,
    "expected": IframeLoad.EXPECT_LOAD },

  // --- script-src: returned policy IS subsumed -> load ---
  { "name": "'unsafe-inline' is properly subsumed in `script-src`.",
    "required_csp": "script-src http://example1.com/foo/ 'self' 'unsafe-inline'",
    "returned_csp_1": "script-src http://example1.com/foo/ 'unsafe-inline'",
    "returned_csp_2": null,
    "expected": IframeLoad.EXPECT_LOAD },
  { "name": "Returned csp only loads 'unsafe-inline' scripts with 'nonce-abc'.",
    "required_csp": "script-src http://example1.com/foo/ 'self' 'unsafe-inline'",
    "returned_csp_1": "script-src 'nonce-abc'",
    "returned_csp_2": "script-src 'unsafe-inline'",
    "expected": IframeLoad.EXPECT_LOAD },
  { "name": "'unsafe-inline' is ineffective when nonces are present.",
    "required_csp": "script-src http://example1.com/foo/ 'self' 'unsafe-inline'",
    "returned_csp_1": "script-src 'unsafe-inline' 'nonce-abc'",
    "returned_csp_2": "script-src 'unsafe-inline'",
    "expected": IframeLoad.EXPECT_LOAD },
  { "name": "'unsafe-inline' is only ineffective if the effective returned csp has hashes in `script-src`.",
    "required_csp": "script-src http://example1.com/foo/ 'self' 'unsafe-inline'",
    "returned_csp_1": "script-src 'unsafe-inline' 'sha256-abc123' 'nonce-abc'",
    "returned_csp_2": "script-src 'unsafe-inline'",
    "expected": IframeLoad.EXPECT_LOAD },

  // --- returned policy is NOT subsumed -> block ---
  // With 'strict-dynamic' in the required script-src, its host source and
  // 'unsafe-inline' are disregarded, so the returned host source is wider.
  // NOTE(review): the case name wording ("allows ... but ... does") does not
  // match the BLOCK expectation literally; the data, not the name, is what
  // the harness checks.
  { "name": "Required csp allows `strict-dynamic`, but retuned csp does.",
    "required_csp": "script-src http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'",
    "returned_csp_1": "script-src 'unsafe-inline' http://example1.com/foo/bar.html",
    "returned_csp_2": null,
    "expected": IframeLoad.EXPECT_BLOCK },
  { "name": "Required csp does not allow `unsafe-inline`, but retuned csp does.",
    "required_csp": "style-src http://example1.com/foo/ 'self'",
    "returned_csp_1": "style-src 'unsafe-inline'",
    "returned_csp_2": null,
    "expected": IframeLoad.EXPECT_BLOCK },
  // Both returned policies carry the nonce, so the effective policy allows
  // nonce-bearing inline styles that the required policy never permitted.
  { "name": "Returned csp allows a nonce.",
    "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'",
    "returned_csp_1": "style-src 'unsafe-inline' 'nonce-abc'",
    "returned_csp_2": "style-src 'nonce-abc'",
    "expected": IframeLoad.EXPECT_BLOCK },
  { "name": "Returned csp allows a hash.",
    "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline'",
    "returned_csp_1": "style-src 'unsafe-inline' 'sha256-abc123'",
    "returned_csp_2": "style-src 'sha256-abc123'",
    "expected": IframeLoad.EXPECT_BLOCK },
  { "name": "Effective returned csp allows 'unsafe-inline'",
    "required_csp": "style-src http://example1.com/foo/ 'self'",
    "returned_csp_1": "style-src 'unsafe-inline' https://example.test/",
    "returned_csp_2": "style-src 'unsafe-inline'",
    "expected": IframeLoad.EXPECT_BLOCK },
  // The required policy lists the hash explicitly; only one of the returned
  // policies does, so the effective returned policy does not exceed it.
  { "name": "Effective returned csp does not allow 'sha512-321cba' hash.",
    "required_csp": "style-src http://example1.com/foo/ 'self' 'unsafe-inline' 'sha512-321cba'",
    "returned_csp_1": "style-src http://example1.com/foo/ 'unsafe-inline' 'nonce-yay'",
    "returned_csp_2": "style-src http://example1.com/foo/ 'unsafe-inline' 'sha512-321cba'",
    "expected": IframeLoad.EXPECT_LOAD },
];

// Register one async subtest per case; subsetTest() honours the ?variant
// ranges declared in <head>.
for (const testCase of tests) {
  subsetTest(async_test, t => {
    // Build the cross-origin document URL that serves returned_csp_1 ...
    const frameUrl = generateUrlWithPolicies(Host.CROSS_ORIGIN, testCase.returned_csp_1);
    // ... and, when a second policy is given, have it served as well.
    if (testCase.returned_csp_2) {
      frameUrl.searchParams.append("policy2", testCase.returned_csp_2);
    }
    assert_iframe_with_csp(t, frameUrl, testCase.required_csp, testCase.expected, testCase.name, null);
  }, testCase.name);
}
</script>
</body>
</html>