Next batch of CSP tests.
--- a/tests/csp/submitted/WG/CSP_1_3.php Fri May 10 15:32:46 2013 -0700
+++ b/tests/csp/submitted/WG/CSP_1_3.php Fri May 17 08:56:50 2013 -0700
@@ -5,7 +5,7 @@
* reports. For the same reason, we set the report-uri as a distinct variable and
* combine it to form the full CSP header.
*****/
-$policy_string = "script-src self 'unsafe-inline'";
+$policy_string = "script-src 'self' 'unsafe-inline'";
$title = "Inline script should run with policy \"$policy_string\".";
/*****
@@ -54,11 +54,8 @@
test(function() {assert_true(true, "Unsafe inline script ran.")});
</script>
- <!-- This iframe will execute a test on the report contents. It will pull a field out of
- the report, specified by reportField, and compare it's value to to reportValue. It will
- also delete the report cookie to prevent the overall cookie header from becoming too long. -->
<iframe width="100%" height="300"
- src="support/checkReportFieldHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
+ src="support/verifyNoReportHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
>
</iframe>
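Review bot: The new iframe src (the `+` line) still passes reportField and reportValue to verifyNoReportHtml.php, although the no-report check only needs reportID; the two extra parameters are dead, and in this same diff the support page echoes reportValue back unencoded, so the URL is better trimmed to `src="support/verifyNoReportHtml.php?reportID=<?php echo $reportID ?>"`. The removed comment explaining what the iframe does was not replaced; a one-line `<!-- This iframe asserts that no violation report was recorded for this reportID. -->` keeps the page self-describing. If the extra parameters are kept, the `&` separators inside the attribute should be written `&amp;`.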
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/WG/CSP_1_4.php Fri May 17 08:56:50 2013 -0700
@@ -0,0 +1,68 @@
+<?php
+/*****
+* First, some generic setup. It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports. For the same reason, we set the report-uri as a distinct variable and
+* combine it to form the full CSP header.
+*****/
+$policy_string = "script-src 'self' 'unsafe-inline'";
+$title = "eval should not execute with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie. Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe.
+*****/
+$reportID=rand();
+$report_string = "report-uri support/setReportAsCookie.php?reportID=$reportID";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+ header("X-Content-Security-Policy: $policy_string; $report_string");
+ header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<!DOCTYPE html>
+<html>
+ <head>
+ <!-- Yes, this metadata is important in making these test cases useful
+ in assessing conformance. Please preserve and update it. -->
+ <title><?php echo $title ?></title>
+ <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+ <meta description="<?php echo $title ?>" />
+ <link rel="author" title="bhill@paypal-inc.com" />
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ </head>
+ <body onLoad="test(function() {assert_false(true, 'Unsafe inline onLoad() event handler ran.')});">
+ <h1><?php echo $title ?></h1>
+ <div id=log></div>
+
+ <!-- Often when testing CSP you want something *not* to happen. Including this support script
+ (from an allowed source!) will give you and the test runner a guaranteed positive signal that
+ something is happening. -->
+
+ <!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+ <script>
+ test(function() {assert_true(true, "Unsafe inline script ran.")});
+ </script>
+ <script>
+ eval('test(function() {assert_false(true, "Unsafe eval ran.")})');
+ </script>
+
+ <!-- This iframe will execute a test on the report contents. It will pull a field out of
+ the report, specified by reportField, and compare it's value to to reportValue. It will
+ also delete the report cookie to prevent the overall cookie header from becoming too long. -->
+ <iframe width="100%" height="300"
+ src="support/checkReportFieldHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
+ >
+ </iframe>
+
+ </body>
+</html>
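Review bot: The `<body onLoad=...>` handler asserts that an inline event handler must not run, but the policy under test, `script-src 'self' 'unsafe-inline'`, explicitly permits it, so on a conforming browser that test always fails; the same copied handler appears in CSP_1_4_1.php and CSP_1_5.php. Under this policy it should be dropped or inverted, e.g. `onLoad="test(function() {assert_true(true, 'Inline onLoad() event handler ran.')});"`. The `eval(...)` test case relies on the string simply not running, but a blocked eval may throw, and an uncaught exception in an inline script is likely to surface as a harness error rather than a quiet non-run; wrapping it as `try { eval('test(function() {assert_false(true, "Unsafe eval ran.")})'); } catch (e) { /* blocked by CSP as expected */ }` leaves the report-check iframe as the single intended signal. The comment beginning "Often when testing CSP you want something *not* to happen. Including this support script" is followed by no script include in this file and should be removed or the include restored.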
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/WG/CSP_1_4_1.php Fri May 17 08:56:50 2013 -0700
@@ -0,0 +1,74 @@
+<?php
+/*****
+* First, some generic setup. It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports. For the same reason, we set the report-uri as a distinct variable and
+* combine it to form the full CSP header.
+*****/
+$policy_string = "script-src 'self' 'unsafe-inline'";
+$title = "eval equivalents should not execute with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie. Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe.
+*****/
+$reportID=rand();
+$report_string = "report-uri support/setReportAsCookie.php?reportID=$reportID";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+ header("X-Content-Security-Policy: $policy_string; $report_string");
+ header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<!DOCTYPE html>
+<html>
+ <head>
+ <!-- Yes, this metadata is important in making these test cases useful
+ in assessing conformance. Please preserve and update it. -->
+ <title><?php echo $title ?></title>
+ <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+ <meta description="<?php echo $title ?>" />
+ <link rel="author" title="bhill@paypal-inc.com" />
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ </head>
+
+ <h1> TODO: Function constructor, etc. </h1>
+
+ <body onLoad="test(function() {assert_false(true, 'Unsafe inline onLoad() event handler ran.')});">
+ <h1><?php echo $title ?></h1>
+ <div id=log></div>
+
+ <!-- Often when testing CSP you want something *not* to happen. Including this support script
+ (from an allowed source!) will give you and the test runner a guaranteed positive signal that
+ something is happening. -->
+
+ <!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+ <script>
+ test(function() {assert_true(true, "Unsafe inline script ran.")});
+ </script>
+ <script>
+ window.setTimeout('test(function() {assert_false(true, "Unsafe eval ran in setTimeout().")})', 0);
+ </script>
+ <script>
+ window.setInterval('test(function() {assert_false(true, "Unsafe eval ran in setInterval().")})', 0);
+ </script>
+
+ <!-- This iframe will execute a test on the report contents. It will pull a field out of
+ the report, specified by reportField, and compare it's value to to reportValue. It will
+ also delete the report cookie to prevent the overall cookie header from becoming too long. -->
+ <iframe width="100%" height="300"
+ src="support/checkReportFieldHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
+ >
+ </iframe>
+
+ </body>
+</html>
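Review bot: The `<h1> TODO: Function constructor, etc. </h1>` sits between `</head>` and `<body>`, outside both, and reads as unfinished work shipped into a conformance test; it belongs inside the body, or better as an HTML comment, `<!-- TODO: add Function constructor and similar eval-equivalent cases. -->`. `$title` contains literal double quotes and is echoed unescaped into `<meta description="...">`, which terminates the attribute early; `<?php echo htmlspecialchars($title, ENT_QUOTES, 'UTF-8') ?>` fixes it here and on the same line in CSP_1_4.php and CSP_1_5.php (the `<meta description=...>` element itself is not valid HTML; `name="description" content="..."` is the intended form). If a browser wrongly executes the `setInterval` string, the callback fires repeatedly with the same test name, which testharness treats as an error and which would obscure the real failure; a `setTimeout`-style single-shot case, or clearing the interval, gives a cleaner negative. Both the setTimeout and setInterval cases would generate a violation report under the same reportID, and the iframe inspects only whatever the cookie holds last — presumably fine, but worth a comment.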
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/WG/CSP_1_5.php Fri May 17 08:56:50 2013 -0700
@@ -0,0 +1,66 @@
+<?php
+/*****
+* First, some generic setup. It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports. For the same reason, we set the report-uri as a distinct variable and
+* combine it to form the full CSP header.
+*****/
+$policy_string = "script-src 'self' 'unsafe-inline'";
+$title = "sourced eval should not execute with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie. Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe.
+*****/
+$reportID=rand();
+$report_string = "report-uri support/setReportAsCookie.php?reportID=$reportID";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+ header("X-Content-Security-Policy: $policy_string; $report_string");
+ header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<!DOCTYPE html>
+<html>
+ <head>
+ <!-- Yes, this metadata is important in making these test cases useful
+ in assessing conformance. Please preserve and update it. -->
+ <title><?php echo $title ?></title>
+ <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+ <meta description="<?php echo $title ?>" />
+ <link rel="author" title="bhill@paypal-inc.com" />
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ </head>
+ <body onLoad="test(function() {assert_false(true, 'Unsafe inline onLoad() event handler ran.')});">
+ <h1><?php echo $title ?></h1>
+ <div id=log></div>
+
+ <!-- Often when testing CSP you want something *not* to happen. Including this support script
+ (from an allowed source!) will give you and the test runner a guaranteed positive signal that
+ something is happening. -->
+ <script src="support/evalSuccess.php"></script>
+
+ <!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+ <script>
+ test(function() {assert_true(true, "Unsafe inline script ran.")});
+ </script>
+
+ <!-- This iframe will execute a test on the report contents. It will pull a field out of
+ the report, specified by reportField, and compare it's value to to reportValue. It will
+ also delete the report cookie to prevent the overall cookie header from becoming too long. -->
+ <iframe width="100%" height="300"
+ src="support/checkReportFieldHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
+ >
+ </iframe>
+
+ </body>
+</html>
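Review bot: The comment above `<script src="support/evalSuccess.php">` says the include gives a guaranteed positive signal, but under this policy (no `'unsafe-eval'`) the eval inside that script is exactly what is expected to be blocked, so it can never provide a positive signal and the comment misdescribes the test; replace it with `<!-- This sourced script calls eval(); without 'unsafe-eval' it must not run and must generate a violation report. -->`. `$_GET['prefixed'] == 'true'` raises an undefined-index notice when the parameter is absent and uses loose comparison; `if (isset($_GET['prefixed']) && $_GET['prefixed'] === 'true') {` is the safer form, and the same line appears in CSP_1_4.php and CSP_1_4_1.php. `$reportID=rand();` is the only thing separating one run's report cookie from another's, so two runs served concurrently from the same host can collide; a wider identifier such as `uniqid('', true)` (urlencoded where it is placed in URLs) reduces that.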
--- a/tests/csp/submitted/WG/MANIFEST Fri May 10 15:32:46 2013 -0700
+++ b/tests/csp/submitted/WG/MANIFEST Fri May 17 08:56:50 2013 -0700
@@ -4,4 +4,7 @@
CSP_1_2_1.php
CSP_1_2_4.php
CSP_1_3.php
+CSP_1_4.php
+CSP_1_4_1.php
+CSP_1_5.php
support support/clearCookies.html
--- a/tests/csp/submitted/WG/support/assertTrue.php Fri May 10 15:32:46 2013 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,15 +0,0 @@
-<?php
-
-//Prevent Caching
-header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
-header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
-header("Cache-Control: no-store, no-cache, must-revalidate");
-header("Cache-Control: post-check=0, pre-check=0", false);
-header("Pragma: no-cache");
-header("Content-Type: text/javascript");
-
-
-print("(function () { test(function() {assert_true( (typeof " . $_GET["varName"] . " === 'undefined') ? false : " . $_GET["varName"] . ")}, \"assert_true with " . $_GET["varName"] . "\"); })();");
-
-?>
-
--- a/tests/csp/submitted/WG/support/checkReportFieldJs.php Fri May 10 15:32:46 2013 -0700
+++ b/tests/csp/submitted/WG/support/checkReportFieldJs.php Fri May 17 08:56:50 2013 -0700
@@ -53,7 +53,8 @@
eraseCookie(<?php echo $cleanQuotedCookieId ?>);
report = JSON.parse(x);
-
+
+ assert_false(report === null, "Report not sent.");
assert_equals(report['csp-report'][<?php echo $cleanReportField ?>],<?php echo $cleanReportValue ?>);
}, "Verify report contents.");
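Review bot: The added null guard comes after `JSON.parse(x)`, which works for a missing cookie if `reportdecode` here mirrors the copy in verifyNoReportJs.php (null becomes the string "null", which parses to null), but a garbled cookie value still throws out of `JSON.parse` before any readable assertion; `assert_not_equals(report, null, "Report not sent.");` is the idiomatic testharness form, and `assert_own_property(report, 'csp-report', "Report has no csp-report member.");` before the field comparison on the next line turns a TypeError into a clear failure. The enclosing `test(...)` callback begins before this hunk.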
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/WG/support/evalSuccess.php Fri May 17 08:56:50 2013 -0700
@@ -0,0 +1,7 @@
+<?php
+header("Content-type: text/javascript");
+?>
+(function ()
+{
+ eval('test(function() {assert_true(true)}, "Generic positive signal that test suite is working...");');
+})()
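Review bot: The eval'd test asserts `assert_true(true)`, so if a browser wrongly executes this sourced eval the harness records a pass named "Generic positive signal..." instead of flagging the execution; the sibling inline tests use the opposite polarity, e.g. `eval('test(function() {assert_false(true, "Unsafe eval ran in sourced script.")});');`. When CSP does block the call it may throw, and the IIFE has no try/catch, so the exception surfaces as an uncaught error in the including test page; a `try { ... } catch (e) { /* blocked by CSP as expected */ }` around the eval keeps the report iframe as the intended signal. This support script also omits the no-cache headers the other support scripts send, so a cached response could mask a change between runs.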
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/WG/support/verifyNoReportHtml.php Fri May 17 08:56:50 2013 -0700
@@ -0,0 +1,22 @@
+<?php
+
+//Prevent Caching
+header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
+header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+header("Cache-Control: no-store, no-cache, must-revalidate");
+header("Cache-Control: post-check=0, pre-check=0", false);
+header("Pragma: no-cache");
+header("Content-Type: text/html");
+
+?>
+<!DOCTYPE html>
+<html>
+ <head>
+ <script src="http://www.w3c-test.org/resources/testharness.js"></script>
+ <script src="http://www.w3c-test.org/resources/testharnessreport.js"></script>
+ <script src="verifyNoReportJs.php?reportID=<?php echo urlencode($_GET['reportID']) ?>&reportField=<?php echo urlencode($_GET['reportField']) ?>&reportValue=<?php echo $_GET['reportValue'] ?>"></script>
+ </head>
+ <body>
+ <div id=log></div>
+ <body>
+</html>
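Review bot: On the `<script src=...>` line, `$_GET['reportValue']` is echoed into the URL without `urlencode()` while the two neighbouring parameters are encoded, so whatever the caller supplies lands raw inside a double-quoted attribute; it should read `reportValue=<?php echo urlencode($_GET['reportValue']) ?>`, or be dropped along with reportField, since verifyNoReportJs.php never uses either. The second-to-last line is a second `<body>` where `</body>` is intended. The harness scripts are loaded from `http://www.w3c-test.org/resources/...` whereas the test pages use the relative `/resources/...`; the absolute host makes the no-report check depend on external network access, and the relative form would keep it consistent with the rest of the suite.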
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/WG/support/verifyNoReportJs.php Fri May 17 08:56:50 2013 -0700
@@ -0,0 +1,60 @@
+<?php
+
+//Prevent Caching
+header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
+header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+header("Cache-Control: no-store, no-cache, must-revalidate");
+header("Cache-Control: post-check=0, pre-check=0", false);
+header("Pragma: no-cache");
+header("Content-Type: text/javascript");
+
+$cleanQuotedCookieId = json_encode($_GET['reportID']);
+$cleanReportField = json_encode($_GET['reportField']);
+$cleanReportValue = json_encode($_GET['reportValue']);
+
+?>
+
+(function ()
+{
+
+ function readCookie(name) {
+ var nameEQ = name + "=";
+ var ca = document.cookie.split(';');
+ for(var i=0;i < ca.length;i++) {
+ var c = ca[i];
+ while (c.charAt(0)==' ') c = c.substring(1,c.length);
+ if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
+ undefined}
+ return null;
+}
+
+ function createCookie(name,value,days) {
+ if (days) {
+ var date = new Date();
+ date.setTime(date.getTime()+(days*24*60*60*1000));
+ var expires = "; expires="+date.toGMTString();
+ }
+ else var expires = "";
+ document.cookie = name+"="+value+expires+"; path=/";
+}
+
+ function eraseCookie(name) {
+ createCookie(name,"",-1);
+}
+
+function reportdecode (str) {
+
+ if(str!= null){ str = str.replace(/"/g, '$'); }
+
+ return decodeURIComponent((str + '').replace(/\+/g, '%20'));
+}
+ test(function() {
+
+ var x = reportdecode(readCookie(<?php echo $cleanQuotedCookieId ?>));
+ assert_equals(x, "null");
+ eraseCookie(<?php echo $cleanQuotedCookieId ?>);
+
+}, "Verified no report sent.");
+
+})();
+
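Review bot: The test concludes "no report sent" from a single synchronous cookie read as soon as the iframe loads, yet the parent pages' own comments note that reporting is asynchronous, so a report arriving a moment later is missed and the test passes vacuously; deferring the read (an `async_test` with a short `setTimeout`, or a few polls) makes a false pass less likely. `assert_equals(x, "null")` depends on `reportdecode` turning a null cookie into the string "null"; asserting the raw value is clearer, `assert_equals(readCookie(<?php echo $cleanQuotedCookieId ?>), null, "A report cookie was set.");`. `$cleanReportField` and `$cleanReportValue` are computed but never used, and `readCookie` contains a stray `undefined` statement before the loop's closing brace that should be deleted. `$_GET['reportID']` is read without an isset guard; when absent it encodes to null and the test silently looks for a cookie named "null".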