// Test-generation spec for the Content-Security-Policy suite of the shared
// security-features framework.
//
// Format note: this file carries `//` comments and trailing commas, so it is
// not strict RFC 8259 JSON. The comments below reference
// `common/security-features/tools/generate.py` as the consumer; presumably its
// loader strips comments before parsing, so do not feed this file to a strict
// JSON parser directly — TODO confirm against the loader.
//
// How the expansions combine (as far as this file shows): the "default" entry
// sets "allowed" for every combination; the "override" entries then set
// "blocked" for specific directive/subresource combinations and re-allow the
// subsets the directive permits; `excluded_tests` removes combinations that
// are out of scope for CSP. Review consequence: a subresource that exists in
// `subresource_schema` but is missing from a "blocked" override list is
// expected "allowed" by default, so a missing CSP block for it would pass
// silently rather than fail. Keep the override lists in sync with the schema.
{
  "test_description_template": "Content Security Policy: Expects %(expectation)s for %(subresource)s to %(origin)s origin and %(redirection)s redirection from %(source_scheme)s context.",
  "test_page_title_template": "Content Security Policy: %(title)s",
  "specification": [
    {
      "title": "content security policy",
      "description": "content security policy",
      "specification_url": "https://w3c.github.io/webappsec-csp/",
      "test_expansion": [
        // Set "allowed" for all requests here, and set "blocked" for requests
        // to be blocked by CSP in subsequent sections.
        // (Requests blocked due to non-CSP reasons (e.g. cross-origin workers)
        // are excluded by `excluded_tests` sections)
        {
          "expansion": "default",
          "source_scheme": "*",
          "source_context_list": "*",
          "delivery_type": "*",
          "delivery_value": "*",
          "redirection": "*",
          "origin": "*",
          "subresource": "*",
          "expectation": "allowed"
        },

        // script-src
        {
          // "script-src" blocks script-ish requests, except for ...
          // (every script, worker, worklet and their data: imports, under all
          // three script-src values; the entries below re-allow subsets).
          // Note: "script-src-none" is removed again by `excluded_tests`
          // below, so only the 'self' and '*' variants reach generated tests.
          "expansion": "override",
          "source_scheme": "*",
          "source_context_list": "*",
          "delivery_type": "*",
          "delivery_value": [
            "script-src-none",
            "script-src-self",
            "script-src-wildcard"
          ],
          "redirection": "*",
          "origin": "*",
          "subresource": [
            "script-tag",
            "sharedworker-classic",
            "sharedworker-import",
            "sharedworker-import-data",
            "sharedworker-module",
            "worker-classic",
            "worker-import",
            "worker-import-data",
            "worker-module",
            "worklet-animation",
            "worklet-animation-import-data",
            "worklet-audio",
            "worklet-audio-import-data",
            "worklet-layout",
            "worklet-layout-import-data",
            "worklet-paint",
            "worklet-paint-import-data"
          ],
          "expectation": "blocked"
        },
        {
          // non-data: URLs for "script-src *",
          // The "*-import-data" subresources are intentionally absent from
          // this list, so they keep the "blocked" expectation from above:
          // a `*` source expression does not cover data: URLs.
          "expansion": "override",
          "source_scheme": "*",
          "source_context_list": "*",
          "delivery_type": "*",
          "delivery_value": "script-src-wildcard",
          "redirection": "*",
          "origin": "*",
          "subresource": [
            "script-tag",
            "sharedworker-classic",
            "sharedworker-import",
            "sharedworker-module",
            "worker-classic",
            "worker-import",
            "worker-module",
            "worklet-animation",
            "worklet-audio",
            "worklet-layout",
            "worklet-paint"
          ],
          "expectation": "allowed"
        },
        {
          // same-origin requests (HTTP) for "script-src 'self'", or
          // Only the listed redirections and the same-origin target are
          // re-allowed; any other redirection or origin value keeps the
          // "blocked" expectation set above.
          "expansion": "override",
          "source_scheme": "http",
          "source_context_list": "*",
          "delivery_type": "*",
          "delivery_value": "script-src-self",
          "redirection": ["no-redirect", "keep-origin"],
          "origin": "same-http",
          "subresource": [
            "script-tag",
            "sharedworker-classic",
            "sharedworker-import",
            "sharedworker-module",
            "worker-classic",
            "worker-import",
            "worker-module",
            "worklet-animation",
            "worklet-audio",
            "worklet-layout",
            "worklet-paint"
          ],
          "expectation": "allowed"
        },
        {
          // same-origin requests (HTTPS) for "script-src 'self'".
          // Mirrors the HTTP entry above for the https source scheme.
          "expansion": "override",
          "source_scheme": "https",
          "source_context_list": "*",
          "delivery_type": "*",
          "delivery_value": "script-src-self",
          "redirection": ["no-redirect", "keep-origin"],
          "origin": "same-https",
          "subresource": [
            "script-tag",
            "sharedworker-classic",
            "sharedworker-import",
            "sharedworker-module",
            "worker-classic",
            "worker-import",
            "worker-module",
            "worklet-animation",
            "worklet-audio",
            "worklet-layout",
            "worklet-paint"
          ],
          "expectation": "allowed"
        },

        // worker-src
        {
          // "worker-src" blocks worker requests, except for ...
          // Scripts and worklets are not listed here, so under worker-src they
          // stay at the default "allowed" expectation.
          "expansion": "override",
          "source_scheme": "*",
          "source_context_list": "*",
          "delivery_type": "*",
          "delivery_value": [
            "worker-src-none",
            "worker-src-self",
            "worker-src-wildcard"
          ],
          "redirection": "*",
          "origin": "*",
          "subresource": [
            "sharedworker-classic",
            "sharedworker-import",
            "sharedworker-import-data",
            "sharedworker-module",
            "worker-classic",
            "worker-import",
            "worker-import-data",
            "worker-module"
          ],
          "expectation": "blocked"
        },
        {
          // non-data: URLs for "worker-src *",
          // As with script-src, "*-import-data" stays "blocked".
          "expansion": "override",
          "source_scheme": "*",
          "source_context_list": "*",
          "delivery_type": "*",
          "delivery_value": "worker-src-wildcard",
          "redirection": "*",
          "origin": "*",
          "subresource": [
            "sharedworker-classic",
            "sharedworker-import",
            "sharedworker-module",
            "worker-classic",
            "worker-import",
            "worker-module"
          ],
          "expectation": "allowed"
        },
        {
          // same-origin requests (HTTP) for "worker-src 'self'", or
          "expansion": "override",
          "source_scheme": "http",
          "source_context_list": "*",
          "delivery_type": "*",
          "delivery_value": "worker-src-self",
          "redirection": ["no-redirect", "keep-origin"],
          "origin": "same-http",
          "subresource": [
            "sharedworker-classic",
            "sharedworker-import",
            "sharedworker-module",
            "worker-classic",
            "worker-import",
            "worker-module"
          ],
          "expectation": "allowed"
        },
        {
          // same-origin requests (HTTPS) for "worker-src 'self'".
          "expansion": "override",
          "source_scheme": "https",
          "source_context_list": "*",
          "delivery_type": "*",
          "delivery_value": "worker-src-self",
          "redirection": ["no-redirect", "keep-origin"],
          "origin": "same-https",
          "subresource": [
            "sharedworker-classic",
            "sharedworker-import",
            "sharedworker-module",
            "worker-classic",
            "worker-import",
            "worker-module"
          ],
          "expectation": "allowed"
        },

      ]
    }
  ],
  // Name under which the policy is delivered to the test harness.
  "delivery_key": "contentSecurityPolicy",
  // Combinations removed from the generated set. Each entry is a filter:
  // "*" matches any value, a list matches any of its members.
  "excluded_tests": [
    {
      // upgraded-protocol-workers
      // NOTE(review): the final "HTTP->HTTPS requests are skipped" entry below
      // appears to subsume this one (same source_scheme and origins, all
      // subresources); kept as-is, redundancy is harmless.
      "expansion": "*",
      "source_scheme": "http",
      "source_context_list": "*",
      "delivery_type": "*",
      "delivery_value": "*",
      "redirection": "*",
      "origin": [
        "same-https",
        "cross-https"
      ],
      "subresource": [
        "worker-classic",
        "worker-module",
        "sharedworker-classic",
        "sharedworker-module"
      ],
      "expectation": "*"
    },
    {
      // mixed-content-insecure-subresources
      // Insecure targets from an https context would be blocked by
      // mixed-content handling rather than CSP, so they are out of scope here.
      "expansion": "*",
      "source_scheme": "https",
      "source_context_list": "*",
      "delivery_type": "*",
      "delivery_value": "*",
      "redirection": "*",
      "origin": [
        "same-http",
        "same-http-downgrade",
        "cross-http",
        "cross-http-downgrade",
        "same-ws",
        "same-ws-downgrade",
        "cross-ws",
        "cross-ws-downgrade"
      ],
      "subresource": "*",
      "expectation": "*"
    },
    {
      // redirections that content security policy tests don't care about
      "expansion": "*",
      "source_scheme": "*",
      "source_context_list": "*",
      "delivery_type": "*",
      "delivery_value": "*",
      "redirection": [
        "keep-scheme",
        "swap-scheme",
        "downgrade"
      ],
      "origin": "*",
      "subresource": "*",
      "expectation": "*"
    },
    {
      // origins that content security policy tests don't care about
      "expansion": "*",
      "source_scheme": "*",
      "source_context_list": "*",
      "delivery_type": "*",
      "delivery_value": "*",
      "redirection": "*",
      "origin": [
        "same-http-downgrade",
        "cross-http-downgrade",
        "same-ws-downgrade",
        "cross-ws-downgrade"
      ],
      "subresource": "*",
      "expectation": "*"
    },
    {
      // source_context_list values to be blocked by CSP (i.e. the source
      // context itself should be blocked by CSP before sending subresource
      // requests):
      // - data: URLs are blocked by "worker-src *", "worker-src 'self'" or
      //   "worker-src 'none'".
      "expansion": "*",
      "source_scheme": "*",
      "source_context_list": [
        "worker-classic-data",
        "worker-module-data",
        "sharedworker-classic-data",
        "sharedworker-module-data"
      ],
      "delivery_type": "*",
      "delivery_value": [
        "worker-src-wildcard",
        "worker-src-self",
        "worker-src-none"
      ],
      "redirection": "*",
      "subresource": "*",
      "origin": "*",
      "expectation": "*"
    },
    {
      // Currently only requests from top-level Documents are tested, because
      // `generic/test-case.sub.js` assumes that `securitypolicyviolation`
      // events are fired on top-level Documents. Once
      // `generic/test-case.sub.js` is fixed, we can enable non-top
      // source_context_list here.
      // Coverage caveat: until then, CSP enforcement inside frames and
      // workers is not exercised by this suite at all.
      "expansion": "*",
      "source_scheme": "*",
      "source_context_list": [
        "srcdoc-inherit",
        "srcdoc",
        "iframe",
        "iframe-blank-inherit",
        "worker-classic",
        "worker-classic-data",
        "worker-module",
        "worker-module-data",
        "sharedworker-classic",
        "sharedworker-classic-data",
        "sharedworker-module",
        "sharedworker-module-data"
      ],
      "delivery_type": "*",
      "delivery_value": "*",
      "redirection": "*",
      "subresource": "*",
      "origin": "*",
      "expectation": "*"
    },
    {
      // Skip tests with no CSP directives.
      // `null` is the "no policy delivered" value from
      // `test_expansion_schema.delivery_value` below.
      "expansion": "*",
      "source_scheme": "*",
      "source_context_list": "*",
      "delivery_type": "*",
      "delivery_value": null,
      "redirection": "*",
      "subresource": "*",
      "origin": "*",
      "expectation": "*"
    },
    {
      // Skip script-src-none tests, as "script-src 'none'" would prevent
      // test scripts as well. See also comments in `get_csp_value()` in
      // `common/security-features/tools/generate.py`.
      "expansion": "*",
      "source_scheme": "*",
      "source_context_list": "*",
      "delivery_type": "*",
      "delivery_value": "script-src-none",
      "redirection": "*",
      "subresource": "*",
      "origin": "*",
      "expectation": "*"
    },
    // Only test relevant subresources.
    // E.g. do not test <a> tag for worker-src directives.
    {
      // script-src: workers (block), worklets (block), scripts (block)
      "expansion": "*",
      "source_scheme": "*",
      "source_context_list": "*",
      "delivery_type": "*",
      "delivery_value": [
        "script-src-wildcard",
        "script-src-self",
        "script-src-none"
      ],
      "redirection": "*",
      "subresource": [
        "a-tag",
        "area-tag",
        "audio-tag",
        "beacon",
        "fetch",
        "iframe-tag",
        "img-tag",
        "link-css-tag",
        "link-prefetch-tag",
        "object-tag",
        "picture-tag",
        "script-tag-dynamic-import",
        "video-tag",
        "websocket",
        "xhr"
      ],
      "origin": "*",
      "expectation": "*"
    },
    {
      // worker-src: workers (block), worklets (allow), scripts (allow)
      // Same subresource filter as the script-src entry above.
      "expansion": "*",
      "source_scheme": "*",
      "source_context_list": "*",
      "delivery_type": "*",
      "delivery_value": [
        "worker-src-wildcard",
        "worker-src-self",
        "worker-src-none"
      ],
      "redirection": "*",
      "subresource": [
        "a-tag",
        "area-tag",
        "audio-tag",
        "beacon",
        "fetch",
        "iframe-tag",
        "img-tag",
        "link-css-tag",
        "link-prefetch-tag",
        "object-tag",
        "picture-tag",
        "script-tag-dynamic-import",
        "video-tag",
        "websocket",
        "xhr"
      ],
      "origin": "*",
      "expectation": "*"
    },
    {
      // HTTP->HTTPS requests are skipped to reduce the number of tests.
      "expansion": "*",
      "source_scheme": "http",
      "source_context_list": "*",
      "delivery_type": "*",
      "delivery_value": "*",
      "redirection": "*",
      "origin": [
        "same-https",
        "cross-https"
      ],
      "subresource": "*",
      "expectation": "*"
    },
  ],
  // Which delivery mechanisms each source context can receive a policy by.
  // Only "top" is populated; see the comment below.
  "source_context_schema": {
    "supported_delivery_type": {
      "top": [
        "meta",
        "http-rp"
      ],
      // The following lines are commented out, because the
      // contentSecurityPolicy deliveries are not yet implemented in the
      // `common/security-features/scope/` scripts.
      "iframe": [
        // "meta",
        // "http-rp"
      ],
      "iframe-blank": [
        // "meta"
      ],
      "srcdoc": [
        // "meta"
      ],
      "worker-classic": [
        // "http-rp"
      ],
      "worker-module": [
        // "http-rp"
      ],
      "worker-classic-data": [],
      "worker-module-data": [],
      "sharedworker-classic": [
        // "http-rp"
      ],
      "sharedworker-module": [
        // "http-rp"
      ],
      "sharedworker-classic-data": [],
      "sharedworker-module-data": []
    }
  },
  // Every subresource kind the suite knows about. Any kind listed here that
  // is script-ish belongs in the "blocked" override lists above as well.
  "subresource_schema": {
    "supported_delivery_type": {
      // No per-request CSP can be specified.
      "a-tag": [],
      "area-tag": [],
      "audio-tag": [],
      "beacon": [],
      "fetch": [],
      "iframe-tag": [],
      "img-tag": [],
      "link-css-tag": [],
      "link-prefetch-tag": [],
      "object-tag": [],
      "picture-tag": [],
      "script-tag": [],
      "script-tag-dynamic-import": [],
      "sharedworker-classic": [],
      "sharedworker-import": [],
      "sharedworker-import-data": [],
      "sharedworker-module": [],
      "video-tag": [],
      "websocket": [],
      "worker-classic": [],
      "worker-import": [],
      "worker-import-data": [],
      "worker-module": [],
      "worklet-animation": [],
      "worklet-animation-import-data": [],
      "worklet-audio": [],
      "worklet-audio-import-data": [],
      "worklet-layout": [],
      "worklet-layout-import-data": [],
      "worklet-paint": [],
      "worklet-paint-import-data": [],
      "xhr": []
    }
  },
  // Value domains for the expansion keys declared only in this file
  // (the others presumably come from the shared framework — TODO confirm).
  "test_expansion_schema": {
    // How the policy reaches the document: HTTP response header or <meta>.
    "delivery_type": [
      "http-rp",
      "meta"
    ],
    // `null` means no policy is delivered; the strings name a directive
    // variant that `generate.py` maps to the actual CSP value.
    "delivery_value": [
      null,
      "script-src-none",
      "script-src-self",
      "script-src-wildcard",
      "worker-src-none",
      "worker-src-self",
      "worker-src-wildcard"
    ],
    "expectation": [
      "blocked",
      "allowed"
    ]
  }
}