invalid-bytes.html (3773B)
1 <!DOCTYPE html> 2 <meta charset="utf-8"> 3 <title>Content-Security-Policy Invalid Bytes Parsing Tests</title> 4 <script src="/resources/testharness.js"></script> 5 <script src="/resources/testharnessreport.js"></script> 6 <script src="./support/helper.sub.js"></script> 7 <body> 8 <script> 9 "use strict"; 10 11 // Original source: https://github.com/web-platform-tests/wpt/pull/48855 12 13 // \x01 - \x08, \x0e, \x0f, \x10 - \x1f, \x7f. 14 // In a source expression, non-whitespace characters outside ASCII 0x21-0x7E must be Punycode-encoded, as described in RFC 3492 (https://tools.ietf.org/html/rfc3492), if part of the hostname and percent-encoded, as described in RFC 3986, section 2.1 (http://tools.ietf.org/html/rfc3986#section-2.1), if part of the path. 15 16 var EXPECT_BLOCK = true; 17 var EXPECT_LOAD = false; 18 19 function csp_parsing_test(policy, expectBlock, message) { 20 promise_test(async t => { 21 let iframe = document.createElement("iframe"); 22 iframe.src = "/content-security-policy/parsing/support/csp.py?policy=" + encodeURIComponent(policy); 23 document.body.appendChild(iframe); 24 25 let {data} = await new Promise(resolve => window.addEventListener("message", resolve, {once: true})); 26 assert_equals(data, expectBlock ? "error" : "load", "img state is correct"); 27 }, message); 28 } 29 30 // \x01 31 csp_parsing_test("img-src 'none'\x01", EXPECT_LOAD, `CSP: "img-src 'none'\\x01" should allow rendering (Invalid directive ignored).`); 32 csp_parsing_test("img-src 'none' http\x01", EXPECT_LOAD, `CSP: "img-src 'none' http:\\x01" should allow rendering (Invalid directive ignored).`); 33 csp_parsing_test("img-src 'self'\x01", EXPECT_LOAD, `CSP: "img-src 'self'\\x01" should allow rendering (Invalid directive ignored).`); 34 csp_parsing_test("img-src 'none'; media-src 'self'\x01", EXPECT_BLOCK, `CSP: "img-src 'none'; media-src 'self'\\x01" should block rendering.`); 35 csp_parsing_test("img-src 'self'; media-src 'self'\x01", EXPECT_LOAD, `CSP: "img-src 'self'; media-src 'self'\\x01" should allow rendering.`); 36 csp_parsing_test("img-src 'self', img-src 'self'\x01", EXPECT_LOAD, `CSP: "img-src 'self', img-src 'self'\\x01" should allow rendering.`); 37 csp_parsing_test("img-src 'none', img-src 'self'\x01", EXPECT_BLOCK, `CSP: "img-src 'none', img-src 'self'\\x01" should block rendering.`); 38 csp_parsing_test("img-src 'self', img-src\x01", EXPECT_LOAD, `CSP: "img-src 'self', img-src\\x01" should allow rendering.`); 39 csp_parsing_test("img-src 'none', img-src\x01", EXPECT_BLOCK, `CSP: "img-src 'none', img-src\\x01" should block rendering.`); 40 41 // \x7f 42 csp_parsing_test("img-src 'none'\x7f", EXPECT_LOAD, `CSP: "img-src 'none'\\x7f" should allow rendering (Invalid directive ignored).`); 43 csp_parsing_test("img-src 'none' http\x7f", EXPECT_LOAD, `CSP: "img-src 'none' http:\\x7f" should allow rendering (Invalid directive ignored).`); 44 csp_parsing_test("img-src 'self'\x7f", EXPECT_LOAD, `CSP: "img-src 'self'\\x7f" should allow rendering (Invalid directive ignored).`); 45 csp_parsing_test("img-src 'none'; media-src 'self'\x7f", EXPECT_BLOCK, `CSP: "img-src 'none'; media-src 'self'\\x7f" should block rendering.`); 46 csp_parsing_test("img-src 'self'; media-src 'self'\x7f", EXPECT_LOAD, `CSP: "img-src 'self'; media-src 'self'\\x7f" should allow rendering.`); 47 csp_parsing_test("img-src 'self', img-src 'self'\x7f", EXPECT_LOAD, `CSP: "img-src 'self', img-src 'self'\\x7f" should allow rendering.`); 48 csp_parsing_test("img-src 'none', img-src 'self'\x7f", EXPECT_BLOCK, `CSP: "img-src 'none', img-src 'self'\\x7f" should block rendering.`); 49 csp_parsing_test("img-src 'self', img-src\x7f", EXPECT_LOAD, `CSP: "img-src 'self', img-src\\x7f" should allow rendering.`); 50 csp_parsing_test("img-src 'none', img-src\x7f", EXPECT_BLOCK, `CSP: "img-src 'none', img-src\\x7f" should block rendering.`); 51 </script> 52 </body>