New csp tests.
authorbhill2
Fri, 10 May 2013 15:27:37 -0700
changeset 100 d5e10cc9631f
parent 99 e0a6bdba7efb
child 101 fdd9e167fe5d
New csp tests.
tests/csp/submitted/WG/CSP_1_1.php
tests/csp/submitted/WG/CSP_1_2.php
tests/csp/submitted/WG/CSP_1_2_1.php
tests/csp/submitted/WG/CSP_1_2_4.php
tests/csp/submitted/WG/CSP_1_2_4_inner.php
tests/csp/submitted/WG/CSP_ExampleTest.php
tests/csp/submitted/WG/MANIFEST
tests/csp/submitted/WG/support/addInlineTestsWithDOMManipulation.js
tests/csp/submitted/WG/support/fail.php
tests/csp/submitted/WG/support/test.xsl.php
--- a/tests/csp/submitted/WG/CSP_1_1.php	Tue May 07 09:20:07 2013 -0700
+++ b/tests/csp/submitted/WG/CSP_1_1.php	Fri May 10 15:27:37 2013 -0700
@@ -43,7 +43,6 @@
 	<body onLoad="test(function() {assert_false(true, 'Unsafe inline onLoad() event handler ran.')});">
 		<h1><?php echo $title ?></h1>
 		<div id=log></div>
-	</body>
 
 	<!-- Often when testing CSP you want something *not* to happen. Including this support script
 	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
@@ -63,4 +62,5 @@
 	>
 	</iframe>
 
+	</body>
 </html>
--- a/tests/csp/submitted/WG/CSP_1_2.php	Tue May 07 09:20:07 2013 -0700
+++ b/tests/csp/submitted/WG/CSP_1_2.php	Fri May 10 15:27:37 2013 -0700
@@ -43,7 +43,6 @@
 	<body onLoad="test(function() {assert_false(true, 'Unsafe inline onLoad() event handler ran.')});">
 		<h1><?php echo $title ?></h1>
 		<div id=log></div>
-	</body>
 
 	<!-- Often when testing CSP you want something *not* to happen. Including this support script
 	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
@@ -63,4 +62,5 @@
 	>
 	</iframe>
 
+	</body>
 </html>
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/WG/CSP_1_2_1.php	Fri May 10 15:27:37 2013 -0700
@@ -0,0 +1,72 @@
+<?php
+/*****
+* First, some generic setup.  It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports.  For the same reason, we set the report-uri as a distinct variable and 
+* combine it to form the full CSP header.
+*****/
+$policy_string = "default-src *";
+//$policy_string = "default-src * 'unsafe-inline'";
+
+$title = "Inline script attached by DOM manipulation should not run with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie.  Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe. 
+*****/
+$reportID=rand();
+$report_string = "report-uri support/setReportAsCookie.php?reportID=$reportID";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string; $report_string");
+	header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<!-- Yes, this metadata is important in making these test cases useful
+		in assessing conformance.  Please preserve and update it. -->
+		<title><?php echo $title ?></title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="<?php echo $title ?>" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="/resources/testharness.js"></script>
+		<script src="/resources/testharnessreport.js"></script>
+	</head>
+	<body onLoad="test(function() {assert_false(true, 'Unsafe inline onLoad() event handler ran.')});">
+		<h1><?php echo $title ?></h1>
+		<div id=log></div>
+
+	<!-- Often when testing CSP you want something *not* to happen. Including this support script
+	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
+	something is happening.  -->
+	<script src="support/success.php"></script>
+
+	<!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+	<div id=attachHere></div>
+
+	<script id=emptyScript></script>
+
+	<div id=emptyDiv></div>
+
+	<script src="support/addInlineTestsWithDOMManipulation.js"></script>
+
+        <!-- This iframe will execute a test on the report contents.  It will pull a field out of
+        the report, specified by reportField, and compare it's value to to reportValue.  It will
+	also delete the report cookie to prevent the overall cookie header from becoming too long. -->
+	<iframe width="100%" height="300" 
+	  src="support/checkReportFieldHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
+	>
+	</iframe>
+
+	</body>
+</html>
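Review bot: `$_GET['prefixed']` is read on line 80 with no existence check and a loose `==`, so every request that omits the parameter raises an undefined-index notice; on a server with display_errors on, that notice text is emitted before `<!DOCTYPE html>` and the page silently renders in quirks mode, which is not what a conformance test wants. Change it to `if (isset($_GET['prefixed']) && $_GET['prefixed'] === 'true') {`. The commented-out `'unsafe-inline'` variant on line 61 should either be deleted or turned into a comment explaining that it is the negative control, since commented-out code tends to get switched on accidentally. `rand()` is acceptable for `$reportID` only because it is a correlation token, not a secret; a comment saying so (`// correlation id only, not security-sensitive`) would stop a future reader from "hardening" it.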
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/WG/CSP_1_2_4.php	Fri May 10 15:27:37 2013 -0700
@@ -0,0 +1,46 @@
+<?php
+/*****
+* First, some generic setup.  It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports.  For the same reason, we set the report-uri as a distinct variable and 
+* combine it to form the full CSP header.
+*****/
+$policy_string = "script-src http://www2.w3c-test.org";
+$title = "XSLT should not run with policy \"$policy_string\".";
+$reportID=rand();
+
+?>
+<!DOCTYPE html>
+<html>
+	<head>
+		<!-- Yes, this metadata is important in making these test cases useful
+		in assessing conformance.  Please preserve and update it. -->
+		<title><?php echo $title ?></title>
+		<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+		<meta description="<?php echo $title ?>" />
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="/resources/testharness.js"></script>
+		<script src="/resources/testharnessreport.js"></script>
+	</head>
+	<body>
+		<h1><?php echo $title ?></h1>
+		<div id=log></div>
+
+	<!-- Often when testing CSP you want something *not* to happen. Including this support script
+	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
+	something is happening.  -->
+
+	<iframe width="100%" height="300"
+	  src="CSP_1_2_4_inner.php?reportID=<?php echo $reportID?>&prefixed=<?php echo $_GET['prefixed']?>">
+	</iframe>
+
+        <!-- This iframe will execute a test on the report contents.  It will pull a field out of
+        the report, specified by reportField, and compare it's value to to reportValue.  It will
+	also delete the report cookie to prevent the overall cookie header from becoming too long. -->
+	<iframe width="100%" height="300" 
+	  src="support/checkReportFieldHtml.php?reportID=<?php echo $reportID ?>&reportField=violated-directive&reportValue=<?php echo urlencode($policy_string) ?>"
+	>
+	</iframe>
+
+	</body>
+</html>
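Review bot: Line 161 echoes `$_GET['prefixed']` straight into the iframe `src` attribute, so a value such as `"><script>...` injects markup into this page (reflected XSS on the test server), and the same line raises an undefined-index notice when the parameter is absent. Since the inner page only ever compares the value to `'true'`, normalise it before use: `$prefixed = (isset($_GET['prefixed']) && $_GET['prefixed'] === 'true') ? 'true' : 'false';` near line 137, and `&prefixed=<?php echo $prefixed ?>` on line 161. Note also that `$policy_string` on line 135 must stay byte-identical to the one in CSP_1_2_4_inner.php for the `violated-directive` check in the second iframe to pass; a comment pointing that out (`// must match CSP_1_2_4_inner.php exactly`) would help the next editor.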
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/WG/CSP_1_2_4_inner.php	Fri May 10 15:27:37 2013 -0700
@@ -0,0 +1,58 @@
+<?php
+
+header("Content-Type: application/xml");
+
+/*****
+* First, some generic setup.  It is good to define the policy string as a variable once
+* as we are likely to need to reference it later in describing the policy and checking
+* reports.  For the same reason, we set the report-uri as a distinct variable and 
+* combine it to form the full CSP header.
+*****/
+$policy_string = "script-src http://www2.w3c-test.org";
+$title = "XSLT should not run with policy \"$policy_string\".";
+
+/*****
+* The support script setReportAsCookie.php will echo the contents of the CSP report
+* back as a cookie.  Note that you can't read this value immediately in this context
+* because the reporting is asynchronous and non-deterministic. As a rule of thumb,
+* you can test it in an iframe. 
+*****/
+$reportID=$_GET['reportID'];
+$report_string = "report-uri support/setReportAsCookie.php?reportID=$reportID";
+
+header("Content-Security-Policy: $policy_string; $report_string");
+/*****
+* Run tests with prefixed headers if requested.
+* Note this will not really work for Mozilla, as they use
+* the old, pre-1.0 directive grammar and vocabulary
+*****/
+if($_GET['prefixed'] == 'true') {
+	header("X-Content-Security-Policy: $policy_string; $report_string");
+	header("X-Webkit-CSP: $policy_string; $report_string");
+}
+?>
+<?php echo <<< EOXMLD
+<?xml-stylesheet type="text/xsl" href="support/test.xsl.php"?>
+EOXMLD;
+?>
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+	<head>
+		<!-- Yes, this metadata is important in making these test cases useful
+		in assessing conformance.  Please preserve and update it. -->
+		<title><?php echo $title ?></title>
+		<!--meta description='<?php echo $title ?>' /-->
+		<link rel="author" title="bhill@paypal-inc.com" />
+		<script src="http://www2.w3c-test.org/resources/testharness.js"></script>
+		<script src="http://www2.w3c-test.org/resources/testharnessreport.js"></script>
+	</head>
+	<body>
+		<div id="log"></div>
+
+	<!-- Often when testing CSP you want something *not* to happen. Including this support script
+	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
+	something is happening.  -->
+	<script src="http://www2.w3c-test.org/webappsec/tests/csp/submitted/WG/support/fail.php"></script>
+
+	</body>
+</html>
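Review bot: `$reportID` is taken from `$_GET` on line 196 and interpolated, unvalidated, into the `Content-Security-Policy` header on lines 197-199, so a value containing `;` appends arbitrary directives to the policy under test (for example relaxing `script-src`), which turns a page whose whole purpose is to exercise a fixed policy into one whose policy the requester controls. The outer page always generates an integer, so coerce it: `$reportID = isset($_GET['reportID']) ? (int)$_GET['reportID'] : 0;`. Line 205 has the same missing `isset` as the other tests, and here it matters more: the response is `application/xml`, so any notice text printed before the `<?xml-stylesheet` instruction makes the document ill-formed and the XSLT question moot. The `Content-Type` header on line 179 should also carry `charset=utf-8` to match the declaration the stylesheet emits.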
--- a/tests/csp/submitted/WG/CSP_ExampleTest.php	Tue May 07 09:20:07 2013 -0700
+++ b/tests/csp/submitted/WG/CSP_ExampleTest.php	Fri May 10 15:27:37 2013 -0700
@@ -43,7 +43,6 @@
 	<body>
 		<h1><?php echo $title ?></h1>
 		<div id=log></div>
-	</body>
 
 	<!-- Often when testing CSP you want something *not* to happen. Including this support script
 	(from an allowed source!) will give you and the test runner a guaranteed positive signal that
@@ -63,4 +62,5 @@
 	>
 	</iframe>
 
+	</body>
 </html>
--- a/tests/csp/submitted/WG/MANIFEST	Tue May 07 09:20:07 2013 -0700
+++ b/tests/csp/submitted/WG/MANIFEST	Fri May 10 15:27:37 2013 -0700
@@ -1,4 +1,6 @@
 support support/clearCookies.html
 CSP_1_1.php
 CSP_1_2.php
+CSP_1_2_1.php
+manual CSP_1_2_4.php
 support support/clearCookies.html
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/WG/support/addInlineTestsWithDOMManipulation.js	Fri May 10 15:27:37 2013 -0700
@@ -0,0 +1,22 @@
+(function () 
+{ 
+ var attachPoint = document.getElementById('attachHere');
+
+ var inlineScript = document.createElement('script');
+ var scriptText = document.createTextNode('test(function() {assert_false(true, "Unsafe inline script ran - createTextNode.")});');
+
+ inlineScript.appendChild(scriptText);
+
+ attachPoint.appendChild(inlineScript);
+
+ document.getElementById('emptyScript').innerHTML = 'test(function() {assert_false(true, "Unsafe inline script ran - innerHTML.")});';
+
+ // Note, this doesn't execute in Chrome 27 even without CSP.
+ document.getElementById('emptyDiv').outerHTML = '<script id=outerHTMLScript>test(function() {assert_false(true, "Unsafe inline script ran - outerHTML.")});</script>';
+
+ 
+ document.write('<script>test(function() {assert_false(true, "Unsafe inline script ran - document.write")});</script>');
+ document.writeln('<script>test(function() {assert_false(true, "Unsafe inline script ran - document.writeln")});</script>');
+ 
+
+})();
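Review bot: The `innerHTML` probe on line 274 never executes in any browser, with or without CSP: `#emptyScript` was already prepared by the parser, and a script element runs at most once, so changing its text later does nothing — it gives no signal either way, much like the `outerHTML` case the comment on line 276 already concedes. To actually test inline script injected via `innerHTML`, set the text on a fresh element before inserting it: `var innerHtmlScript = document.createElement('script');`, `innerHtmlScript.innerHTML = 'test(function() {assert_false(true, "Unsafe inline script ran - innerHTML.")});';`, `attachPoint.appendChild(innerHtmlScript);`. It would also be worth passing the description as the second argument of `test()` rather than as the assertion message, as fail.php does, so the results table names which probe fired.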
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/WG/support/fail.php	Fri May 10 15:27:37 2013 -0700
@@ -0,0 +1,7 @@
+<?php
+header("Content-type: text/javascript");
+?>
+(function ()
+{
+	test(function() {assert_true(false)}, "Script should not execute from "+document.location);
+})()
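Review bot: The assertion here reads inverted for the one place that loads it: CSP_1_2_4_inner.php includes this file from `http://www2.w3c-test.org`, the very host its `script-src http://www2.w3c-test.org` policy allows, so when a browser correctly blocks the stylesheet and renders the XHTML, this script is permitted to run and records "Script should not execute" as a failure; it stays silent only if the XSLT does run and strips it. If the test is meant to pass when XSLT is blocked, the inner page should include `success.php` at that spot and reserve `fail.php` for sources the policy denies — please confirm which reading is intended, since the test is marked `manual`. A one-line header comment in this file stating what its execution signals (`// Loading this script from a source the policy should block is a test failure.`) would make that contract explicit. For consistency with test.xsl.php the header name should be `Content-Type`.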
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/csp/submitted/WG/support/test.xsl.php	Fri May 10 15:27:37 2013 -0700
@@ -0,0 +1,18 @@
+<?php
+header("Content-Type: application/xml");
+
+//Prevent Caching
+header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
+header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+header("Cache-Control: no-store, no-cache, must-revalidate");
+header("Cache-Control: post-check=0, pre-check=0", false);
+header("Pragma: no-cache");
+?>
+<?php echo<<<EOXML
+<?xml version="1.0" encoding="utf-8"?>
+EOXML;
+?>
+
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:xhtml="http://www.w3.org/1999/xhtml" version="1.0" exclude-result-prefixes="xhtml">
+
+</xsl:stylesheet>
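Review bot: The stylesheet declares no templates, so if the transform does run the built-in templates emit only the document's text nodes and the rendered frame shows nothing that identifies XSLT as having executed — awkward for a test the MANIFEST registers as `manual`, where a human has to judge the outcome. Add a template that produces an unmistakable marker: `<xsl:template match="/">`, `  <html><body><p>XSLT ran - policy was not enforced</p></body></html>`, `</xsl:template>` (the default namespace on line 313 already makes those XHTML elements). The `post-check=0, pre-check=0` header on line 305 is an IE-only legacy directive and can be dropped; `no-store, no-cache, must-revalidate` plus `Pragma: no-cache` already covers every browser this suite targets. A short comment above the heredoc explaining why the XML declaration is emitted that way (`// heredoc so PHP does not treat <?xml as a short open tag`) would save the next reader a guess, if that is indeed the reason.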