spec.src.json (6614B)
// Test matrix for Upgrade-Insecure-Requests. The %(name)s placeholders in the
// two templates use the same names as the keys of each test_expansion entry,
// plus the enclosing specification entry's "title".
// NOTE(review): this file contains // comments and a trailing comma (at the end
// of "excluded_tests"), so a strict RFC 8259 JSON parser rejects it. It needs a
// loader that tolerates both -- confirm which loader the consumer uses.
{
  "test_description_template": "Upgrade-Insecure-Requests: Expects %(expectation)s for %(subresource)s to %(origin)s origin and %(redirection)s redirection from %(source_scheme)s context.",
  "test_page_title_template": "Upgrade-Insecure-Requests: %(title)s",
  "specification": [
    {
      // Baseline: no upgrade-insecure-requests policy is delivered
      // ("delivery_value" is null in every expansion below).
      "title": "No upgrade-insecure-request",
      "description": "No upgrade-insecure-request",
      "specification_url": "https://w3c.github.io/webappsec-upgrade-insecure-requests/",
      "test_expansion": [
        {
          // Without upgrade-insecure-requests, every request from an https
          // context is expected to be blocked ...
          // NOTE(review): presumably this is mixed-content blocking of the
          // insecure targets -- confirm against the referenced specification.
          "expansion": "default",
          "source_scheme": "https",
          "source_context_list": "*",
          "delivery_type": "meta",
          "delivery_value": null,
          "redirection": "*",
          "subresource": "*",
          "origin": "*",
          "expectation": "blocked"
        },
        {
          // ... except for requests to the secure (https/wss) origins listed
          // here when no redirect is involved; those are expected to be allowed.
          // These entries carry the same origin list, redirection and
          // expectation as the first "excluded_tests" entry below.
          "expansion": "override",
          "source_scheme": "https",
          "source_context_list": "*",
          "delivery_type": "meta",
          "delivery_value": null,
          "redirection": "no-redirect",
          "subresource": "*",
          "origin": [
            "same-https",
            "cross-https",
            "same-wss",
            "cross-wss"
          ],
          "expectation": "allowed"
        }
      ]
    },
    {
      // Policy present: "delivery_value" is "upgrade" for every delivery type.
      "title": "With upgrade-insecure-request",
      "description": "With upgrade-insecure-request",
      "specification_url": "https://w3c.github.io/webappsec-upgrade-insecure-requests/",
      "test_expansion": [
        {
          // With upgrade-insecure-requests, all insecure requests are upgraded
          // and therefore expected to be allowed.
          "expansion": "default",
          "source_scheme": "https",
          "source_context_list": "*",
          "delivery_type": "*",
          "delivery_value": "upgrade",
          "redirection": "*",
          "subresource": "*",
          "origin": "*",
          "expectation": "allowed"
        }
      ]
    }
  ],
  "delivery_key": "upgradeInsecureRequests",
  // Combinations matching any entry below are excluded from the matrix.
  // "*" is a wildcard that matches every value of that key.
  "excluded_tests": [
    {
      // Omit requests that are already secure (https/wss target, no redirect,
      // expected to be allowed): there is nothing to upgrade.
      "expansion": "*",
      "source_scheme": "*",
      "source_context_list": "*",
      "delivery_type": "*",
      "delivery_value": "*",
      "redirection": "no-redirect",
      "subresource": "*",
      "origin": [
        "same-https",
        "cross-https",
        "same-wss",
        "cross-wss"
      ],
      "expectation": "allowed"
    },
    {
      // For the policy-inheriting source contexts, skip http-rp delivery
      // because the <meta> tests already cover them.
      "expansion": "*",
      "source_scheme": "*",
      "source_context_list": [
        "srcdoc-inherit",
        "iframe-blank-inherit",
        "worker-classic-data"
      ],
      "delivery_type": "http-rp",
      "delivery_value": "*",
      "redirection": "*",
      "subresource": "*",
      "origin": "*",
      "expectation": "*"
    },
    {
      // source_context_list values that are not yet tested.
      // NOTE(review): this is a coverage gap, not a statement that these
      // contexts behave correctly.
      "expansion": "*",
      "source_scheme": "*",
      "source_context_list": [
        "req",
        "srcdoc",
        "iframe"
      ],
      "delivery_type": "*",
      "delivery_value": "*",
      "redirection": "*",
      "subresource": "*",
      "origin": "*",
      "expectation": "*"
    },
    {
      // subresource values that are not yet tested.
      // NOTE(review): as above, this is a coverage gap; nothing in this file
      // exercises upgrade behaviour for these request types.
      "expansion": "*",
      "source_scheme": "*",
      "source_context_list": "*",
      "delivery_type": "*",
      "delivery_value": "*",
      "redirection": "*",
      "subresource": [
        "a-tag",
        "area-tag",
        "audio-tag",
        "beacon",
        "link-css-tag",
        "link-prefetch-tag",
        "object-tag",
        "picture-tag",
        "script-tag",
        "script-tag-dynamic-import",
        "video-tag"
      ],
      "origin": "*",
      "expectation": "*"
    },
    {
      // Origins that the upgrade-insecure-requests tests do not care about.
      // The origin values that remain in scope are not enumerated in this file.
      "expansion": "*",
      "source_scheme": "*",
      "source_context_list": "*",
      "delivery_type": "*",
      "delivery_value": "*",
      "redirection": "*",
      "origin": [
        "same-http",
        "cross-http",
        "same-ws",
        "cross-ws"
      ],
      "subresource": "*",
      "expectation": "*"
    },
    {
      // Redirections that the upgrade-insecure-requests tests do not care about.
      "expansion": "*",
      "source_scheme": "*",
      "source_context_list": "*",
      "delivery_type": "*",
      "delivery_value": "*",
      "redirection": [
        "keep-origin",
        "swap-origin",
        "keep-scheme",
        "swap-scheme"
      ],
      "origin": "*",
      "subresource": "*",
      "expectation": "*"
    },
  ],
  // Delivery types supported by each source context. An empty list means that
  // no delivery type is supported for that context.
  "source_context_schema": {
    "supported_delivery_type": {
      "top": [
        "http-rp",
        "meta"
      ],
      "iframe": [
        "http-rp",
        "meta"
      ],
      "iframe-blank": [
        "meta"
      ],
      "srcdoc": [
        "meta"
      ],
      "worker-classic": [
        "http-rp"
      ],
      "worker-module": [
        "http-rp"
      ],
      "worker-classic-data": [],
      "worker-module-data": [],
      "sharedworker-classic": [
        "http-rp"
      ],
      "sharedworker-module": [
        "http-rp"
      ],
      "sharedworker-classic-data": [],
      "sharedworker-module-data": []
    }
  },
  // Delivery types supported per subresource. Every list is empty here, so no
  // delivery type is supported at the subresource level.
  "subresource_schema": {
    "supported_delivery_type": {
      "a-tag": [],
      "area-tag": [],
      "audio-tag": [],
      "beacon": [],
      "fetch": [],
      "iframe-tag": [],
      "img-tag": [],
      "link-css-tag": [],
      "link-prefetch-tag": [],
      "object-tag": [],
      "picture-tag": [],
      "script-tag": [],
      "script-tag-dynamic-import": [],
      "sharedworker-classic": [],
      "sharedworker-import": [],
      "sharedworker-import-data": [],
      "sharedworker-module": [],
      "video-tag": [],
      "websocket": [],
      "worker-classic": [],
      "worker-import": [],
      "worker-import-data": [],
      "worker-module": [],
      "worklet-animation": [],
      "worklet-animation-import-data": [],
      "worklet-audio": [],
      "worklet-audio-import-data": [],
      "worklet-layout": [],
      "worklet-layout-import-data": [],
      "worklet-paint": [],
      "worklet-paint-import-data": [],
      "xhr": []
    }
  },
  // Values listed for the expansion keys below. A null delivery_value
  // corresponds to the "no policy" case used in the first specification entry.
  "test_expansion_schema": {
    "delivery_type": [
      "http-rp",
      "meta"
    ],
    "delivery_value": [
      null,
      "upgrade"
    ],
    "expectation": [
      "allowed",
      "blocked"
    ]
  }
}