only-valid-whitespaces-are-allowed.html (3841B)
1 <!DOCTYPE HTML> 2 <html> 3 <head> 4 <script src='/resources/testharness.js'></script> 5 <script src='/resources/testharnessreport.js'></script> 6 </head> 7 <body> 8 <script> 9 var tests = [ 10 // Make sure that csp works properly in normal situations 11 { "csp": "", "expected": true, "name": "Should load image without any CSP" }, 12 { "csp": "img-src 'none';", "expected": false, "name": "Should not load image with 'none' CSP" }, 13 // Ensure ASCII whitespaces are properly parsed 14 // ASCII whitespace is U+0009 TAB, U+000A LF, U+000C FF, U+000D CR, or U+0020 SPACE. 15 16 // between directive name and value 17 { "csp": "img-src\u0009'none';", "expected": false, "name": "U+0009 TAB should be properly parsed between directive name and value" }, 18 { "csp": "img-src\u000C'none';", "expected": false, "name": "U+000C FF should be properly parsed between directive name and value" }, 19 { "csp": "img-src\u000A'none';", "expected": false, "name": "U+000A LF should be properly parsed between directive name and value" }, 20 { "csp": "img-src\u000D'none';", "expected": false, "name": "U+000D CR should be properly parsed between directive name and value" }, 21 { "csp": "img-src\u0020'none';", "expected": false, "name": "U+0020 SPACE should be properly parsed between directive name and value" }, 22 23 // inside directive value 24 { "csp": "img-src http://example.com\u0009http://example2.com;", "expected": false, "name": "U+0009 TAB should be properly parsed inside directive value" }, 25 { "csp": "img-src http://example.com\u000Chttp://example2.com;", "expected": false, "name": "U+000C FF should be properly parsed inside directive value" }, 26 { "csp": "img-src http://example.com\u000Ahttp://example2.com;", "expected": false, "name": "U+000A LF should be properly parsed inside directive value" }, 27 { "csp": "img-src http://example.com\u000Dhttp://example2.com;", "expected": false, "name": "U+000D CR should be properly parsed inside directive value" }, 28 { "csp": "img-src http://example.com\u0020http://example2.com;", "expected": false, "name": "U+0020 SPACE should be properly parsed inside directive value" }, 29 30 // Ensure nbsp (U+00A0) is not considered a valid whitespace 31 // https://github.com/webcompat/web-bugs/issues/18902 has more details about why this particularly relevant 32 { "csp": "img-src\u00A0'none';", "expected": true, "name": "U+00A0 NBSP should not be parsed between directive name and value" }, 33 { "csp": "img-src http://example.com\u00A0http://example2.com;", "expected": true, "name": "U+00A0 NBSP should not be parsed inside directive value" }, 34 ]; 35 36 tests.forEach(test => { 37 async_test(t => { 38 var url = "support/load_img_and_post_result_meta.sub.html?csp=" + encodeURIComponent(test.csp); 39 test_image_loads_as_expected(test, t, url); 40 }, test.name + " - meta tag"); 41 42 // We can't test csp delivered in an HTTP header if we're testing CR/LF characters 43 if (test.csp.indexOf("\u000A") == -1 && test.csp.indexOf("\u000D") == -1) { 44 async_test(t => { 45 var url = "support/load_img_and_post_result_header.html?csp=" + encodeURIComponent(test.csp); 46 test_image_loads_as_expected(test, t, url); 47 }, test.name + " - HTTP header"); 48 } 49 }); 50 51 function test_image_loads_as_expected(test, t, url) { 52 var i = document.createElement('iframe'); 53 i.src = url; 54 window.addEventListener('message', t.step_func(function(e) { 55 if (e.source != i.contentWindow) return; 56 if (test.expected) { 57 assert_equals(e.data, "img loaded"); 58 } else { 59 assert_equals(e.data, "img not loaded"); 60 } 61 t.done(); 62 })); 63 document.body.appendChild(i); 64 } 65 </script> 66 </body> 67 </html>