Added some tests in my submission directory, removed some junk that had been previously committed.
authorbhill2
Thu, 02 May 2013 14:24:13 -0700
changeset 96 a801916fe189
parent 95 9001d279213e
child 97 bde3a983e837
Added some tests in my submission directory, removed some junk that had been previously committed.
tests/cors/submitted/opera/staging/resources/logs.txt
tests/csp/bar.txt
tests/csp/csp-self.php
tests/csp/redir-test.php
tests/csp/submitted/bhill2/.htaccess
tests/csp/submitted/bhill2/CSP_001.php
tests/csp/submitted/bhill2/CSP_002.php
tests/csp/submitted/bhill2/CSP_003.php
tests/csp/submitted/bhill2/CSP_004.php
tests/csp/submitted/bhill2/CSP_1_2.php
tests/csp/submitted/bhill2/CSP_ExampleTest.php
tests/csp/submitted/bhill2/CSP_passTest001.php
tests/csp/submitted/bhill2/MANIFEST
tests/csp/submitted/bhill2/assertTrue.php
tests/csp/submitted/bhill2/csp-self.php
tests/csp/submitted/bhill2/support/assertTrue.php
tests/csp/submitted/bhill2/support/checkReportFieldHtml.php
tests/csp/submitted/bhill2/support/checkReportFieldJs.php
tests/csp/submitted/bhill2/support/setReportAsCookie.php
tests/csp/submitted/bhill2/support/success.php
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/opera/staging/resources/logs.txt	Thu May 02 14:24:13 2013 -0700
@@ -0,0 +1,1 @@
+{}
\ No newline at end of file
--- a/tests/csp/csp-self.php	Thu May 02 14:22:52 2013 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,3 +0,0 @@
-<?php
-header("X-Content-Security-Policy: allow 'self'");
-?>
--- a/tests/csp/redir-test.php	Thu May 02 14:22:52 2013 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,6 +0,0 @@
-<?php
-
-TODO: get url, change host to www2, keep path and use "getOrigin.php"
-
-header("Location: ");
-?>
--- a/tests/csp/submitted/bhill2/CSP_001.php	Thu May 02 14:22:52 2013 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,24 +0,0 @@
-<?php
-header("Content-Security-Policy: default-src *");
-header("X-Content-Security-Policy: default-src *");
-header("X-WebKit-CSP: default-src *");
-?>
-<!DOCTYPE html>
-<html>
-	<head>
-		<title>CSP Test: default-src: *</title>
-		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
-		<meta descriptionn="Content-Security-Policy Test: default-src: *" />
-		<link rel="author" title="bhill@paypal-inc.com" />
-		<script src="http://www.w3c-test.org/resources/testharness.js"></script>
-		<script src="http://www.w3c-test.org/resources/testharnessreport.js"></script>
-		<script src="CSP_passTest001.php"></script>
-	</head>
-	<body>
-		<div id=log></div>
-	</body>
-
-	<script>
-		test(function() {assert_true(false)}, "assert_true with false from unsafe inline script");
-	</script>
-</html>
--- a/tests/csp/submitted/bhill2/CSP_002.php	Thu May 02 14:22:52 2013 -0700
+++ b/tests/csp/submitted/bhill2/CSP_002.php	Thu May 02 14:24:13 2013 -0700
@@ -1,7 +1,10 @@
 <?php
-header("Content-Security-Policy: default-src 'self'");
-header("X-Content-Security-Policy: default-src 'self'");
-header("X-WebKit-CSP: default-src 'self'");
+$policy_string = "default-src 'self'";
+header("Content-Security-Policy: $policy_string");
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string");
+	header("X-Webkit-CSP: $policy_string");
+}
 ?>
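Review bot: `$_GET['prefixed'] == 'true'` raises an undefined-index notice whenever the page is loaded without the parameter, which is the default case; with display_errors on, that notice is printed before `<!DOCTYPE html>`, pushing the document into quirks mode and flushing headers before the prefixed ones could be added. Guard the lookup and compare strictly: `if (isset($_GET['prefixed']) && $_GET['prefixed'] === 'true') {`. The same pattern is copied into CSP_003.php, CSP_004.php, CSP_1_2.php, CSP_ExampleTest.php and csp-self.php in this commit and should be fixed in each.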
 <!DOCTYPE html>
 <html>
@@ -15,10 +18,12 @@
 		<script src="CSP_passTest001.php"></script>
 	</head>
 	<body>
+	<h1>Verify that inline script does not run when a CSP specifies "default-src: 'self'" but not 'unsafe-inline'.</h1>
+
 		<div id=log></div>
 	</body>
 
 	<script>
-		test(function() {assert_true(false)}, "assert_true with false from unsafe inline script");
+		test(function() {assert_false(true, "Unsafe unline script ran.")});
 	</script>
 </html>
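Review bot: The context line `<script src="CSP_passTest001.php"></script>` still loads a file that this same commit deletes (tests/csp/submitted/bhill2/CSP_passTest001.php), so the "positive signal" script will 404 and the page will register no passing test under the intended policy. Point it at the replacement added under support/: `<script src="support/success.php"></script>`. The new assertion message also has a typo; `"Unsafe unline script ran."` should read `"Unsafe inline script ran."`, and the test has lost the name argument that the old call passed, so the harness will report it with a generated name.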
--- a/tests/csp/submitted/bhill2/CSP_003.php	Thu May 02 14:22:52 2013 -0700
+++ b/tests/csp/submitted/bhill2/CSP_003.php	Thu May 02 14:24:13 2013 -0700
@@ -1,7 +1,10 @@
 <?php
-header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'");
-header("X-Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'");
-header("X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline'");
+$policy_string = "default-src 'self'; script-src 'self' 'unsafe-inline'";
+header("Content-Security-Policy: $policy_string");
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string");
+	header("X-Webkit-CSP: $policy_string");
+}
 ?>
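Review bot: As in CSP_002.php, `$_GET['prefixed'] == 'true'` emits an undefined-index notice when the parameter is absent and is a loose comparison; use `if (isset($_GET['prefixed']) && $_GET['prefixed'] === 'true') {`. Because this page's policy allows inline script, any notice text emitted before the DOCTYPE will not be caught by CSP and will simply corrupt the document.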
 <!DOCTYPE html>
 <html>
@@ -14,6 +17,8 @@
 		<script src="/resources/testharnessreport.js"></script>
 	</head>
 	<body>
+<h1>Test that an inline script block executes when policy is: "default-src 'self'; script-src 'self' 'unsafe-inline'"</h1>
+
 		<div id=log></div>
 	</body>
 	<!--
@@ -31,5 +36,5 @@
 		var unsafeScript = true;
 	</script>
 
-	<script src="assertTrue.php?varName=unsafeScript"></script>
+	<script src="support/assertTrue.php?varName=unsafeScript"></script>
 </html>
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/bhill2/CSP_004.php	Thu May 02 14:24:13 2013 -0700
@@ -0,0 +1,40 @@
+<?php
+$policy_string = "script-src 'self' 'unsafe-inline'";
+header("Content-Security-Policy: $policy_string");
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string");
+	header("X-Webkit-CSP: $policy_string");
+}
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<title>CSP Test: script-src 'self' 'unsafe-inline'</title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="Content-Security-Policy Test: script-src 'self' 'unsafe-inline'" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="/resources/testharness.js"></script>
+		<script src="/resources/testharnessreport.js"></script>
+	</head>
+	<body>
+<h1>Test that an inline script block executes when policy is: "script-src 'self' 'unsafe-inline'"</h1>
+
+		<div id=log></div>
+	</body>
+	<!--
+		This test demonstrates how to test something that shouldn't happen, or 
+		fail when something that should happend doesn't.  Use script with
+		conditional execution based on the policy being tested to set a variable,
+		then use script we know will execute by policy to check if it is set.
+		
+		Some limitations on this approach, obviously, if policy enforcement is
+		very broken - when we can't count on any script to execute - but this
+		is a start, at least.
+	-->	
+
+	<script>
+		var unsafeScript = true;
+	</script>
+
+	<script src="assertTrue.php?varName=unsafeScript"></script>
+</html>
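Review bot: The final script tag loads `assertTrue.php?varName=unsafeScript` from the test directory, but this commit deletes tests/csp/submitted/bhill2/assertTrue.php and moves it to support/ (CSP_003.php was updated accordingly at the same time). As written the request 404s, no assertion is ever registered, and the test cannot report the failure it is meant to detect. Change the line to `<script src="support/assertTrue.php?varName=unsafeScript"></script>`. The `$_GET['prefixed']` lookup at the top has the same undefined-index problem noted on CSP_002.php.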
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/bhill2/CSP_1_2.php	Thu May 02 14:24:13 2013 -0700
@@ -0,0 +1,66 @@
+<?php
+/*****
+* First, some generic setup.  It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports.  For the same reason, we set the report-uri as a distinct variable and 
+* combine it to form the full CSP header.
+*****/
+$policy_string = "default-src *";
+$title = "Inline script should not run with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie.  Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe. 
+*****/
+$reportID=rand();
+$report_string = "report-uri support/setReportAsCookie.php?reportID=$reportID";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string; $report_string");
+	header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<!-- Yes, this metadata is important in making these test cases useful
+		in assessing conformance.  Please preserve and update it. -->
+		<title><?php echo $title ?></title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="<?php echo $title ?>" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="http://www.w3c-test.org/resources/testharness.js"></script>
+		<script src="http://www.w3c-test.org/resources/testharnessreport.js"></script>
+	</head>
+	<body>
+		<h1><?php echo $title ?></h1>
+		<div id=log></div>
+	</body>
+
+	<!-- Often when testing CSP you want something *not* to happen. Including this support script
+	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
+	something is happening.  -->
+	<script src="support/success.php"></script>
+
+	<!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+	<script>
+		test(function() {assert_false(true, "Unsafe inline script ran.")});
+	</script>
+
+        <!-- This iframe will execute a test on the report contents.  It will pull a field out of
+        the report, specified by reportField, and compare it's value to to reportValue.  It will
+	also delete the report cookie to prevent the overall cookie header from becoming too long. -->
+	<iframe width="100%" height="300" 
+	  src="support/checkReportFieldHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
+	>
+	</iframe>
+
+</html>
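Review bot: This file is byte-for-byte identical to CSP_ExampleTest.php added in the same commit, and neither is listed in the new MANIFEST, so it is unclear whether CSP_1_2 is meant to be a real conformance test (the name suggests a spec section) or a leftover copy of the example. Either drop one of the two or give this one its own policy and title, and add it to MANIFEST so the runner picks it up. Note also that the `<script>` and `<iframe>` elements are placed after `</body>`; browsers will relocate them, but the markup is invalid and the harness's `<div id=log>` ends up before the test scripts only by parser fix-up.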
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/bhill2/CSP_ExampleTest.php	Thu May 02 14:24:13 2013 -0700
@@ -0,0 +1,66 @@
+<?php
+/*****
+* First, some generic setup.  It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports.  For the same reason, we set the report-uri as a distinct variable and 
+* combine it to form the full CSP header.
+*****/
+$policy_string = "default-src *";
+$title = "Inline script should not run with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie.  Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe. 
+*****/
+$reportID=rand();
+$report_string = "report-uri support/setReportAsCookie.php?reportID=$reportID";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string; $report_string");
+	header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<!-- Yes, this metadata is important in making these test cases useful
+		in assessing conformance.  Please preserve and update it. -->
+		<title><?php echo $title ?></title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="<?php echo $title ?>" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="http://www.w3c-test.org/resources/testharness.js"></script>
+		<script src="http://www.w3c-test.org/resources/testharnessreport.js"></script>
+	</head>
+	<body>
+		<h1><?php echo $title ?></h1>
+		<div id=log></div>
+	</body>
+
+	<!-- Often when testing CSP you want something *not* to happen. Including this support script
+	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
+	something is happening.  -->
+	<script src="support/success.php"></script>
+
+	<!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+	<script>
+		test(function() {assert_false(true, "Unsafe inline script ran.")});
+	</script>
+
+        <!-- This iframe will execute a test on the report contents.  It will pull a field out of
+        the report, specified by reportField, and compare it's value to to reportValue.  It will
+	also delete the report cookie to prevent the overall cookie header from becoming too long. -->
+	<iframe width="100%" height="300" 
+	  src="support/checkReportFieldHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
+	>
+	</iframe>
+
+</html>
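Review bot: `$reportID = rand()` is used as the cookie name that carries the violation report, and rand() on PHP 5 is a small-range LCG; two runs of this test in the same browser profile can pick the same ID and then read or erase each other's report, giving a spurious pass or fail. For a test fixture predictability is not the concern, but uniqueness is; something like `$reportID = mt_rand() . '_' . getmypid();` makes collisions far less likely, and whatever is chosen must stay within the character set that setReportAsCookie.php and checkReportFieldJs.php accept as a cookie name. Since this is the template other tests will copy, it is also worth fixing the `$_GET['prefixed']` undefined-index notice here with `if (isset($_GET['prefixed']) && $_GET['prefixed'] === 'true') {`.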
--- a/tests/csp/submitted/bhill2/CSP_passTest001.php	Thu May 02 14:22:52 2013 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,7 +0,0 @@
-<?php
-header("Content-type: text/javascript");
-?>
-(function ()
-{
-	test(function() {assert_true(true)}, "assert_true with true");
-})();
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/bhill2/MANIFEST	Thu May 02 14:24:13 2013 -0700
@@ -0,0 +1,4 @@
+CSP_001.php
+CSP_002.php
+CSP_003.php
+CSP_004.php
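Review bot: MANIFEST lists CSP_001.php, which this same commit deletes, so the runner will try to load a test that no longer exists; it also omits CSP_1_2.php, CSP_ExampleTest.php and csp-self.php, which are added or kept in the same directory. Remove the `CSP_001.php` line and add the test pages that are meant to be run, leaving out support/ scripts. If CSP_ExampleTest.php is intentionally a template rather than a test, a comment in the directory saying so would prevent the next person from adding it.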
--- a/tests/csp/submitted/bhill2/assertTrue.php	Thu May 02 14:22:52 2013 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,15 +0,0 @@
-<?php
-
-//Prevent Caching
-header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
-header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
-header("Cache-Control: no-store, no-cache, must-revalidate");
-header("Cache-Control: post-check=0, pre-check=0", false);
-header("Pragma: no-cache");
-header("Content-Type: text/javascript");
-
-
-print("(function () { test(function() {assert_true(" . $_GET["varName"] . ")}, \"assert_true with varName\"); })();");
-
-?>
-
--- a/tests/csp/submitted/bhill2/csp-self.php	Thu May 02 14:22:52 2013 -0700
+++ b/tests/csp/submitted/bhill2/csp-self.php	Thu May 02 14:24:13 2013 -0700
@@ -1,5 +1,10 @@
 <?php
-header("X-Content-Security-Policy: allow 'self'");
+$policy_string = "default-src 'self'";
+header("Content-Security-Policy: $policy_string");
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string");
+	header("X-Webkit-CSP: $policy_string");
+
 ?>
 <!doctype html>
 <html>
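Review bot: The `if($_GET['prefixed'] == 'true') {` block opened in this hunk is never closed; `?>` is reached while the brace is still open, which is a PHP parse error, so this page will not render at all and no CSP header is sent. Add `}` on the blank line before `?>`, and while there use `isset($_GET['prefixed']) && $_GET['prefixed'] === 'true'` as in the sibling tests. The remainder of the document is outside the hunk.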
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/bhill2/support/assertTrue.php	Thu May 02 14:24:13 2013 -0700
@@ -0,0 +1,15 @@
+<?php
+
+//Prevent Caching
+header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
+header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+header("Cache-Control: no-store, no-cache, must-revalidate");
+header("Cache-Control: post-check=0, pre-check=0", false);
+header("Pragma: no-cache");
+header("Content-Type: text/javascript");
+
+
+print("(function () { test(function() {assert_true( (typeof " . $_GET["varName"] . " === 'undefined') ? false : " . $_GET["varName"] . ")}, \"assert_true with " . $_GET["varName"] . "\"); })();");
+
+?>
+
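Review bot: `$_GET["varName"]` is concatenated straight into the emitted JavaScript three times, so any value in the query string becomes script executed from the test origin; because every test here loads this file as a `'self'` source, it is a ready-made bypass for exactly the policies being tested, and it also breaks as soon as a caller passes something that is not a bare identifier. Restrict the parameter to an identifier and build the test name with json_encode so the string is quoted correctly; this also fixes the undefined-index notice when varName is missing, which would otherwise be emitted before the Content-Type header.
```php
$varName = isset($_GET["varName"]) ? $_GET["varName"] : "";
// Only accept a plain JS identifier: the value is spliced into script text.
if (!preg_match('/^[A-Za-z_$][A-Za-z0-9_$]*$/', $varName)) {
	header("HTTP/1.1 400 Bad Request");
	exit;
}
print("(function () { test(function() {assert_true( (typeof " . $varName . " === 'undefined') ? false : " . $varName . ")}, " . json_encode("assert_true with " . $varName) . "); })();");
```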
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/bhill2/support/checkReportFieldHtml.php	Thu May 02 14:24:13 2013 -0700
@@ -0,0 +1,22 @@
+<?php
+
+//Prevent Caching
+header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
+header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+header("Cache-Control: no-store, no-cache, must-revalidate");
+header("Cache-Control: post-check=0, pre-check=0", false);
+header("Pragma: no-cache");
+header("Content-Type: text/html");
+
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<script src="http://www.w3c-test.org/resources/testharness.js"></script>
+		<script src="http://www.w3c-test.org/resources/testharnessreport.js"></script>
+		<script src="checkReportFieldJs.php?reportID=<?php echo urlencode($_GET['reportID']) ?>&reportField=<?php echo urlencode($_GET['reportField']) ?>&reportValue=<?php echo $_GET['reportValue'] ?>"></script>
+	</head>
+	<body>
+		<div id=log></div>
+	<body>
+</html>
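Review bot: `reportValue` is echoed into the script src attribute without encoding while the two neighbouring parameters are urlencode()d; a value containing `&`, `#` or `"` will break the URL or the attribute, and the page becomes a reflected HTML injection point on the test origin. Use `reportValue=<?php echo urlencode($_GET['reportValue']) ?>` for the third parameter as well. Separately, the second `<body>` near the end should be `</body>`, and all three lookups will emit undefined-index notices (before the Content-Type header is sent) if the iframe is opened without its parameters.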
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/bhill2/support/checkReportFieldJs.php	Thu May 02 14:24:13 2013 -0700
@@ -0,0 +1,62 @@
+<?php
+
+//Prevent Caching
+header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
+header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+header("Cache-Control: no-store, no-cache, must-revalidate");
+header("Cache-Control: post-check=0, pre-check=0", false);
+header("Pragma: no-cache");
+header("Content-Type: text/javascript");
+
+$cleanQuotedCookieId = json_encode($_GET['reportID']);
+$cleanReportField = json_encode($_GET['reportField']);
+$cleanReportValue = json_encode($_GET['reportValue']);
+
+?>
+
+(function () 
+{ 
+  function createCookie(name,value,days) {
+	if (days) {
+		var date = new Date();
+		date.setTime(date.getTime()+(days*24*60*60*1000));
+		var expires = "; expires="+date.toGMTString();
+	}
+	else var expires = "";
+	document.cookie = name+"="+value+expires+"; path=/";
+}
+
+ function readCookie(name) {
+	var nameEQ = name + "=";
+	var ca = document.cookie.split(';');
+	for(var i=0;i < ca.length;i++) {
+		var c = ca[i];
+		while (c.charAt(0)==' ') c = c.substring(1,c.length);
+		if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
+	undefined}
+	return null;
+}
+
+  function eraseCookie(name) {
+	createCookie(name,"",-1);
+}
+
+function reportdecode (str) {
+
+  if(str!= null){ str = str.replace(/"/g, '$'); }
+
+  return decodeURIComponent((str + '').replace(/\+/g, '%20'));
+}
+ test(function() {
+
+	var x = reportdecode(readCookie(<?php echo $cleanQuotedCookieId ?>));
+	eraseCookie(<?php echo $cleanQuotedCookieId ?>);
+
+        report = JSON.parse(x);	
+
+	assert_equals(report['csp-report'][<?php echo $cleanReportField ?>],<?php echo $cleanReportValue ?>);
+
+}, "Verify report contents.");
+
+})();
+
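Review bot: `eraseCookie` writes the cookie with `path=/`, but the report cookie is set by setReportAsCookie.php without any Path attribute, so it defaults to the support/ directory; the browser treats these as two different cookies and the original report cookie is never removed, contrary to the comment in the calling tests about keeping the Cookie header short. Since this script runs in an iframe document that lives in the same support/ directory, dropping the path suffix makes the deletion target the same cookie: `document.cookie = name+"="+value+expires;`. Two smaller things in the same hunk: `report = JSON.parse(x);` creates an implicit global and should be `var report = JSON.parse(x);`, and the stray `undefined` token before the closing brace of the loop in `readCookie` looks like an editing leftover and should be removed.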
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/bhill2/support/setReportAsCookie.php	Thu May 02 14:24:13 2013 -0700
@@ -0,0 +1,12 @@
+<?php
+error_reporting(~0); ini_set('display_errors',1);
+//Prevent Caching
+header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
+header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+header("Cache-Control: no-store, no-cache, must-revalidate");
+header("Cache-Control: post-check=0, pre-check=0", false);
+header("Pragma: no-cache");
+header("Content-Type: text/javascript");
+
+header("Set-Cookie: " . $_GET['reportID'] . "=" . urlencode(file_get_contents('php://input')));
+?>
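Review bot: The cookie name comes from `$_GET['reportID']` unvalidated; PHP rejects CR/LF in header(), but a value containing `;` or `=` still injects cookie attributes or a different cookie name, and with error_reporting/display_errors forced on, a missing reportID prints a notice before header() runs, so the Set-Cookie is silently dropped. Restrict reportID to what the callers actually generate (a number) and set the cookie through setcookie(), which also applies urlencode() and lets the path be stated explicitly so the reader's eraseCookie can match it. One caveat worth a comment: CSP reports are JSON documents that can exceed a browser's per-cookie size limit (commonly around 4 KiB), in which case the cookie is dropped and the iframe check fails with a JSON.parse error rather than a clear message.
```php
if (!isset($_GET['reportID']) || !ctype_digit($_GET['reportID'])) {
	header("HTTP/1.1 400 Bad Request");
	exit;
}
// Path must match what checkReportFieldJs.php uses when it deletes the cookie.
setcookie($_GET['reportID'], file_get_contents('php://input'), 0, '/');
```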
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/bhill2/support/success.php	Thu May 02 14:24:13 2013 -0700
@@ -0,0 +1,7 @@
+<?php
+header("Content-type: text/javascript");
+?>
+(function ()
+{
+	test(function() {assert_true(true)}, "Generic positive signal that test suite is working...");
+})()
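Review bot: This is the only support script without the no-cache headers the others send, so a cached copy may be served across test runs and the "positive signal" would not actually prove the current page loaded it; add the same `Expires`/`Cache-Control`/`Pragma` block before the Content-type header. The IIFE is also missing its terminating semicolon (`})();`), which is harmless here but will break if another script is ever concatenated after it.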