New tests and support files. Updated runner.js to prevent caching of MANIFEST files that makes updating difficult. Checking in before we move to Github.
authorbhill2
Tue, 07 May 2013 09:20:07 -0700
changeset 99 e0a6bdba7efb
parent 98 6ffe8d24ce82
child 100 d5e10cc9631f
New tests and support files. Updated runner.js to prevent caching of MANIFEST files, which made updating difficult. Checking in before we move to Github.
tests/csp/submitted/WG/CSP_1_1.php
tests/csp/submitted/WG/CSP_1_2.php
tests/csp/submitted/WG/CSP_ExampleTest.php
tests/csp/submitted/WG/MANIFEST
tests/csp/submitted/WG/support/clearCookies.html
tests/csp/submitted/WG/support/setReportAsCookie.php
tests/testRunner/runner.js
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/WG/CSP_1_1.php	Tue May 07 09:20:07 2013 -0700
@@ -0,0 +1,66 @@
+<?php
+/*****
+* First, some generic setup.  It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports.  For the same reason, we set the report-uri as a distinct variable and 
+* combine it to form the full CSP header.
+*****/
+$policy_string = "default-src 'self'";
+$title = "Inline script should not run with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie.  Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe. 
+*****/
+$reportID=rand();
+$report_string = "report-uri support/setReportAsCookie.php?reportID=$reportID";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string; $report_string");
+	header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<!-- Yes, this metadata is important in making these test cases useful
+		in assessing conformance.  Please preserve and update it. -->
+		<title><?php echo $title ?></title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="<?php echo $title ?>" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="/resources/testharness.js"></script>
+		<script src="/resources/testharnessreport.js"></script>
+	</head>
+	<body onLoad="test(function() {assert_false(true, 'Unsafe inline onLoad() event handler ran.')});">
+		<h1><?php echo $title ?></h1>
+		<div id=log></div>
+	</body>
+
+	<!-- Often when testing CSP you want something *not* to happen. Including this support script
+	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
+	something is happening.  -->
+	<script src="support/success.php"></script>
+
+	<!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+	<script>
+		test(function() {assert_false(true, "Unsafe inline script ran.")});
+	</script>
+
+        <!-- This iframe will execute a test on the report contents.  It will pull a field out of
+        the report, specified by reportField, and compare it's value to to reportValue.  It will
+	also delete the report cookie to prevent the overall cookie header from becoming too long. -->
+	<iframe width="100%" height="300" 
+	  src="support/checkReportFieldHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
+	>
+	</iframe>
+
+</html>
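Review bot: `$_GET['prefixed'] == 'true'` on the `if` line reads an index that is absent on every ordinary run of this test, which raises an undefined-index notice; with display_errors on, that notice text is emitted ahead of `<!DOCTYPE html>` and the page would render in quirks mode. Guard the read and compare strictly: `if (isset($_GET['prefixed']) && $_GET['prefixed'] === 'true') {`. Separately, the `test(function() {...})` calls on the body onLoad line and in the inline script block pass no name argument, as does the same onLoad line added to CSP_1_2.php, so a failure would likely appear in `#log` without saying which inline vector ran; a second argument such as `'inline onLoad handler ran'` makes the entry identifiable.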
--- a/tests/csp/submitted/WG/CSP_1_2.php	Thu May 02 14:36:43 2013 -0700
+++ b/tests/csp/submitted/WG/CSP_1_2.php	Tue May 07 09:20:07 2013 -0700
@@ -37,10 +37,10 @@
 		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
 		<meta description="<?php echo $title ?>" />
 		<link rel="author" title="bhill@paypal-inc.com" />
-		<script src="http://www.w3c-test.org/resources/testharness.js"></script>
-		<script src="http://www.w3c-test.org/resources/testharnessreport.js"></script>
+		<script src="/resources/testharness.js"></script>
+		<script src="/resources/testharnessreport.js"></script>
 	</head>
-	<body>
+	<body onLoad="test(function() {assert_false(true, 'Unsafe inline onLoad() event handler ran.')});">
 		<h1><?php echo $title ?></h1>
 		<div id=log></div>
 	</body>
--- a/tests/csp/submitted/WG/CSP_ExampleTest.php	Thu May 02 14:36:43 2013 -0700
+++ b/tests/csp/submitted/WG/CSP_ExampleTest.php	Tue May 07 09:20:07 2013 -0700
@@ -37,8 +37,8 @@
 		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
 		<meta description="<?php echo $title ?>" />
 		<link rel="author" title="bhill@paypal-inc.com" />
-		<script src="http://www.w3c-test.org/resources/testharness.js"></script>
-		<script src="http://www.w3c-test.org/resources/testharnessreport.js"></script>
+		<script src="/resources/testharness.js"></script>
+		<script src="/resources/testharnessreport.js"></script>
 	</head>
 	<body>
 		<h1><?php echo $title ?></h1>
--- a/tests/csp/submitted/WG/MANIFEST	Thu May 02 14:36:43 2013 -0700
+++ b/tests/csp/submitted/WG/MANIFEST	Tue May 07 09:20:07 2013 -0700
@@ -1,2 +1,4 @@
+support support/clearCookies.html
+CSP_1_1.php
 CSP_1_2.php
-
+support support/clearCookies.html
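Review bot: `support support/clearCookies.html` is added twice in this hunk, once as the new first line and again as the last, so the manifest now carries a duplicate entry. Unless the runner's manifest format needs the support line repeated, keep one of them (the one replacing the trailing blank line is the natural place) and drop the other. I cannot see how runner.js parses the `support` keyword from here, so if it deduplicates entries this is cosmetic only.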
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/WG/support/clearCookies.html	Tue May 07 09:20:07 2013 -0700
@@ -0,0 +1,12 @@
+<html>
+<head>
+	<script>
+document.cookie = "";
+	</script>
+	<script src="/resources/testharness.js"></script>
+	<script src="/resources/testharnessreport.js"></script>
+	<script src="success.php"></script>
+</head>
+<body>
+</body>
+</html>
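Review bot: `document.cookie = "";` on the first script line does not remove any existing cookie, because assigning to document.cookie only adds or updates a single cookie; the report cookies written by setReportAsCookie.php survive and this page does not do what its name says. Each cookie has to be expired by name, and since the reports are now set with `Path=/` the expiry must use that same path, otherwise the browser treats it as a different cookie (this page lives under /support/, so the default path would not match). The rewrite below walks document.cookie and expires each entry; success.php is still loaded afterwards so the runner keeps its positive signal. A `<!DOCTYPE html>` line at the top would also keep the page out of quirks mode.
```html
<script>
// Expire every cookie visible to this origin. path=/ must match the path
// setReportAsCookie.php uses, or the browser will not consider it the same cookie.
var cookies = document.cookie.split(";");
for (var i = 0; i < cookies.length; i++) {
	var name = cookies[i].split("=")[0].replace(/^\s+/, "");
	if (name) {
		document.cookie = name + "=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/";
	}
}
</script>
<!-- … unchanged: testharness and success.php script tags … -->
```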
--- a/tests/csp/submitted/WG/support/setReportAsCookie.php	Thu May 02 14:36:43 2013 -0700
+++ b/tests/csp/submitted/WG/support/setReportAsCookie.php	Tue May 07 09:20:07 2013 -0700
@@ -8,5 +8,5 @@
 header("Pragma: no-cache");
 header("Content-Type: text/javascript");
 
-header("Set-Cookie: " . $_GET['reportID'] . "=" . urlencode(file_get_contents('php://input')));
+header("Set-Cookie: " . $_GET['reportID'] . "=" . urlencode(file_get_contents('php://input')) . "; Path=/;");
 ?>
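Review bot: `$_GET['reportID']` is written straight into the Set-Cookie header on the changed line as the cookie name, with no check that it is the integer the test pages generate; a value containing `;`, `=` or whitespace yields a malformed header or lets the caller append its own cookie attributes (PHP's header() rejects CR/LF, so a full extra header cannot be injected, but attribute smuggling within the cookie line can). Since the callers always send a `rand()` result, reject anything else before emitting the header: `if (!isset($_GET['reportID']) || !ctype_digit($_GET['reportID'])) { header('HTTP/1.1 400 Bad Request'); exit; }`. The trailing `;` after `Path=/` is harmless but unnecessary. The enclosing `<?php` block starts outside the hunk.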
--- a/tests/testRunner/runner.js	Thu May 02 14:36:43 2013 -0700
+++ b/tests/testRunner/runner.js	Tue May 07 09:20:07 2013 -0700
@@ -115,7 +115,7 @@
         return;
       self.process(this.responseText, "");
     };
-    xhr.open("GET", this.mPath + "MANIFEST");
+    xhr.open("GET", this.mPath + "MANIFEST?nocache="+Math.random());
     xhr.send(null);//Fx 3
   },
 
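Review bot: The cache-buster built on the changed `xhr.open` line, `"MANIFEST?nocache="+Math.random()`, is duplicated verbatim in the second hunk of this file (the `this.mPath + dir + "MANIFEST?nocache="` variant), and `Math.random()` is not guaranteed unique across requests, so a cached copy could in principle still be served. A timestamp is distinct per request in practice and keeps both call sites identical: `xhr.open("GET", this.mPath + "MANIFEST?nocache=" + new Date().getTime());`, with the same change on the `dir` variant. A small helper such as `manifestUrl(dir)` would remove the repetition altogether, and serving MANIFEST with a `Cache-Control: no-cache` response header would fix this without touching the client at all. The surrounding method continues outside the hunk on both ends.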
@@ -133,7 +133,7 @@
 
         self.process(this.responseText, this.dataDir);
       };
-      xhr.open("GET", this.mPath + dir + "MANIFEST");
+      xhr.open("GET", this.mPath + dir + "MANIFEST?nocache="+Math.random());
       xhr.send(null);//Fx 3
     }