WebKit Bugzilla
New
Browse
Search+
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
[patch]
Patch and Layout Tests
bug-154122-20160307143137.patch (text/plain), 51.19 KB, created by
Daniel Bates
on 2016-03-07 14:31:50 PST
(
hide
)
Description:
Patch and Layout Tests
Filename:
MIME Type:
Creator:
Daniel Bates
Created:
2016-03-07 14:31:50 PST
Size:
51.19 KB
patch
obsolete
>Subversion Revision: 197693 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index fa30b0573969723e8009c7ab438180443051c206..8cee9c69e10dc77c1d5700c8e7b0e00ee6cc8321 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,44 @@ >+2016-03-07 Daniel Bates <dabates@apple.com> >+ >+ CSP: Source '*' should not match URLs with schemes blob, data, or filesystem >+ https://bugs.webkit.org/show_bug.cgi?id=154122 >+ <rdar://problem/24613336> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Restrict matching of source expression * to HTTP or HTTPS URLs for all directives except >+ img-src and media-src. This policy is more restrictive than the policy described in section >+ Matching Source Expressions of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721>, >+ which restricts matching * to schemes that are not blob, data, or filesystem. >+ >+ For directive img-src we restrict matching of * to HTTP, HTTPS, and data URLs. For directive >+ media-src we restrict matching of * to HTTP, HTTPS, data URLs and blob URLs. We use a >+ more lenient interpretation of * for directives img-src and media-src than required by >+ the spec. to mitigate web compatibility issues. >+ >+ Tests: fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html >+ fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html >+ fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html >+ fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html >+ fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html >+ fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html >+ http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html >+ http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html >+ http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html >+ http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html >+ http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html >+ http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html >+ http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html >+ media/video-with-blob-url-allowed-by-csp-media-src-star.html >+ media/video-with-data-url-allowed-by-csp-media-src-star.html >+ media/video-with-file-url-blocked-by-csp-media-src-star.html >+ >+ * page/csp/ContentSecurityPolicySourceList.cpp: >+ (WebCore::ContentSecurityPolicySourceList::isProtocolAllowedByStar): Added. >+ (WebCore::ContentSecurityPolicySourceList::matches): Modified to only match * if ContentSecurityPolicySourceList::isProtocolAllowedByStar(). >+ evaluates to true. >+ * page/csp/ContentSecurityPolicySourceList.h: >+ > 2016-03-06 Gavin Barraclough <barraclough@apple.com> > > Convert DOMTimer to std::chrono::milliseconds >diff --git a/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp b/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp >index f3dac7bd59fcc15b8590d3534c6796537f55b42e..408b40e2bb07cbcee290f767bfe6d146cd7941b1 100644 >--- a/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp >+++ b/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp >@@ -95,13 +95,24 @@ void ContentSecurityPolicySourceList::parse(const String& value) > parse(characters, characters + value.length()); > } > >+bool ContentSecurityPolicySourceList::isProtocolAllowedByStar(const URL& url) const >+{ >+ // Although not allowed by the Content Security Policy Level 3 spec., we allow a data URL to match >+ // "img-src *" and either a data URL or blob URL to match "media-src *" for web compatibility. >+ // FIXME: We should not hardcode the directive names. We should make use of the constants in ContentSecurityPolicyDirectiveList.cpp. >+ // See <https://bugs.webkit.org/show_bug.cgi?id=155133>. >+ bool isAllowed = url.protocolIsInHTTPFamily(); >+ if (equalLettersIgnoringASCIICase(m_directiveName, "img-src")) >+ isAllowed |= url.protocolIsData(); >+ else if (equalLettersIgnoringASCIICase(m_directiveName, "media-src")) >+ isAllowed |= url.protocolIsData() || url.protocolIsBlob(); >+ return isAllowed; >+} >+ > bool ContentSecurityPolicySourceList::matches(const URL& url) > { >- if (m_allowStar) { >- // FIXME: Should only match for URLs whose scheme is not blob, data or filesystem. >- // See <https://bugs.webkit.org/show_bug.cgi?id=154122> for more details. >+ if (m_allowStar && isProtocolAllowedByStar(url)) > return true; >- } > > if (m_allowSelf && m_policy.urlMatchesSelf(url)) > return true; >diff --git a/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h b/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h >index 0646a9f5978a452a8c3a959d7fb505ca373e7b08..fdb9b7e0936795dd7e10744dd71977211ebc1a85 100644 >--- a/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h >+++ b/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h >@@ -55,6 +55,8 @@ private: > bool parsePort(const UChar* begin, const UChar* end, int& port, bool& portHasWildcard); > bool parsePath(const UChar* begin, const UChar* end, String& path); > >+ bool isProtocolAllowedByStar(const URL&) const; >+ > const ContentSecurityPolicy& m_policy; > Vector<ContentSecurityPolicySource> m_list; > String m_directiveName; >diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog >index 11064a86e506a9c617b511c44f6046a2057c4b32..a1d3f898b6afc7f4e9a2640af70f795613a035a2 100644 >--- a/LayoutTests/ChangeLog >+++ b/LayoutTests/ChangeLog >@@ -1,3 +1,57 @@ >+2016-03-07 Daniel Bates <dabates@apple.com> >+ >+ CSP: Source '*' should not match URLs with schemes blob, data, or filesystem >+ https://bugs.webkit.org/show_bug.cgi?id=154122 >+ <rdar://problem/24613336> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Add tests to ensure that we do not regress our interpretation of * with respect to directives >+ img-src, media-src, style-src, and default-src. >+ >+ When running in WebKitTestRunner, skip the tests fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html >+ and media/video-with-blob-url-allowed-by-csp-media-src-star.html as they make use of eventSender.beginDragWithFiles(), >+ which is not implement. We will need to fix <https://bugs.webkit.org/show_bug.cgi?id=64285> >+ before we can run these tests in WebKitTestRunner. >+ >+ * TestExpectations: >+ * fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star-expected.html: Added. >+ * fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html: Added. >+ * fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star-expected.html: Added. >+ * fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html: Added. >+ * fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star-expected.html: Added. >+ * fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html: Added. >+ * fast/dom/HTMLImageElement/resources/green.png: Added. >+ * fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star-expected.html: Added. >+ * fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html: Added. >+ * fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star-expected.html: Added. >+ * fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html: Added. >+ * fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star-expected.html: Added. >+ * fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html: Added. >+ * fast/dom/HTMLLinkElement/resources/red-background-color.css: Added. >+ (#test): >+ * http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star-expected.txt: Added. >+ * http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html: Added. >+ * http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star-expected.txt: Added. >+ * http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html: Added. >+ * http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt: Added. >+ * http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html: Added. >+ * http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star-expected.txt: Added. >+ * http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html: Added. >+ * http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star-expected.txt: Added. >+ * http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html: Added. >+ * http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star-expected.txt: Added. >+ * http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html: Added. >+ * http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star-expected.txt: Added. >+ * http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html: Added. >+ * media/video-with-blob-url-allowed-by-csp-media-src-star-expected.html: Added. >+ * media/video-with-blob-url-allowed-by-csp-media-src-star.html: Added. >+ * media/video-with-data-url-allowed-by-csp-media-src-star-expected.html: Added. >+ * media/video-with-data-url-allowed-by-csp-media-src-star.html: Added. >+ * media/video-with-file-url-blocked-by-csp-media-src-star-expected.html: Added. >+ * media/video-with-file-url-blocked-by-csp-media-src-star.html: Added. >+ * platform/wk2/TestExpectations: >+ > 2016-03-07 Ryan Haddad <ryanhaddad@apple.com> > > Rebaseline inspector/model/remote-object.html for mac after r197626 >diff --git a/LayoutTests/TestExpectations b/LayoutTests/TestExpectations >index 64ce329c590dd3013504df6bcafb182969f42922..9604fff7bf14d2639aa97a2e93fe6d3665d56280 100644 >--- a/LayoutTests/TestExpectations >+++ b/LayoutTests/TestExpectations >@@ -858,6 +858,7 @@ webkit.org/b/153161 http/tests/security/contentSecurityPolicy/register-bypassing > webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-01.html [ Failure ] > webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html [ Failure ] > webkit.org/b/154522 http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html >+webkit.org/b/155132 http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html [ Failure ] > http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ] > > # These state object tests purposefully stress a resource limit, and take multiple seconds to run. >diff --git a/LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star-expected.html b/LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star-expected.html >new file mode 100644 >index 0000000000000000000000000000000000000000..32b3784e2694fd7f59d6df4b3ea07d1cb5c15bb9 >--- /dev/null >+++ b/LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star-expected.html >@@ -0,0 +1,7 @@ >+<!DOCTYPE html> >+<html> >+<body> >+<p>This tests that loading image with a blob URL is blocked when the page has Content Security Policy "image-src *". To run this test by hand, select an image file. This test PASSED if you see the word PASS below. Otherwise, it FAILED.</p> >+<img width="128" height="128" alt="PASS"> >+</body> >+</html> >diff --git a/LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html b/LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html >new file mode 100644 >index 0000000000000000000000000000000000000000..66a2a0002fce9ea624ed5700ea33de956daf3e23 >--- /dev/null >+++ b/LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html >@@ -0,0 +1,56 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<meta http-equiv="Content-Security-Policy" content="img-src *"> >+</head> >+<script> >+if (window.testRunner) >+ testRunner.waitUntilDone(); >+ >+var fileInput; >+ >+function testFinished() >+{ >+ if (window.testRunner) >+ testRunner.notifyDone(); >+} >+ >+function loadImage(event) >+{ >+ var image = document.createElement("img"); >+ image.height = "128"; >+ image.width = "128"; >+ image.alt = "PASS"; >+ image.onload = testFinished; >+ image.onerror = testFinished; >+ image.src = window.URL.createObjectURL(event.target.files[0]); >+ >+ document.body.removeChild(fileInput); >+ document.body.appendChild(image); >+} >+ >+function runTest() >+{ >+ if (!window.eventSender) >+ return; >+ >+ var x = fileInput.offsetLeft + fileInput.offsetWidth / 2; >+ var y = fileInput.offsetTop + fileInput.offsetHeight / 2; >+ >+ eventSender.beginDragWithFiles(["../resources/abe.png"]); >+ eventSender.mouseMoveTo(x, y); >+ eventSender.mouseUp(); >+} >+ >+window.onload = function () >+{ >+ fileInput = document.getElementById("file"); >+ fileInput.onchange = loadImage; >+ runTest(); >+} >+</script> >+<body> >+<p>This tests that loading image with a blob URL is blocked when the page has Content Security Policy "image-src *". To run this test by hand, select an image file. This test PASSED if you see the word PASS below. Otherwise, it FAILED.</p> >+<input type="file" id="file" accept="image/*"> >+</body> >+</html> >diff --git a/LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star-expected.html b/LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star-expected.html >new file mode 100644 >index 0000000000000000000000000000000000000000..cdf4d162d8f0bcf29f7267f5c6248c4f4b4e9e90 >--- /dev/null >+++ b/LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star-expected.html >@@ -0,0 +1,7 @@ >+<!DOCTYPE html> >+<html> >+<body> >+<p>This tests that loading image with a data URL is blocked when the page has Content Security Policy "image-src *". This test PASSED if you see a green square below. Otherwise, it FAILED.</p> >+<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADwAAAA8CAIAAAC1nk4lAAAAAXNSR0IArs4c6QAAAAlwSFlzAAALEwAACxMBAJqcGAAAAAd0SU1FB9oFFQg4GNq2yCEAAAAZdEVYdENvbW1lbnQAQ3JlYXRlZCB3aXRoIEdJTVBXgQ4XAAAAR0lEQVRo3u3OQQ0AAAgEoNPkRjeFDzdIQGXyTifS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0vcWUo0A+IZA5H8AAAAASUVORK5CYII=" width="128" height="128"> >+</body> >+</html> >diff --git a/LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html b/LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html >new file mode 100644 >index 0000000000000000000000000000000000000000..0dff4c334f62443b77fa4b2d7af1019d47eb911f >--- /dev/null >+++ b/LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html >@@ -0,0 +1,10 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<meta http-equiv="Content-Security-Policy" content="img-src *"> >+</head> >+<body> >+<p>This tests that loading image with a data URL is blocked when the page has Content Security Policy "image-src *". This test PASSED if you see a green square below. Otherwise, it FAILED.</p> >+<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADwAAAA8CAIAAAC1nk4lAAAAAXNSR0IArs4c6QAAAAlwSFlzAAALEwAACxMBAJqcGAAAAAd0SU1FB9oFFQg4GNq2yCEAAAAZdEVYdENvbW1lbnQAQ3JlYXRlZCB3aXRoIEdJTVBXgQ4XAAAAR0lEQVRo3u3OQQ0AAAgEoNPkRjeFDzdIQGXyTifS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0vcWUo0A+IZA5H8AAAAASUVORK5CYII=" width="128" height="128"> >+</body> >+</html> >diff --git a/LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star-expected.html b/LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star-expected.html >new file mode 100644 >index 0000000000000000000000000000000000000000..5a394e3e6b03e79bde565472fde4290a842c74a7 >--- /dev/null >+++ b/LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star-expected.html >@@ -0,0 +1,7 @@ >+<!DOCTYPE html> >+<html> >+<body> >+<p>This tests that loading image with a file URL is blocked when the page has Content Security Policy "image-src *". This test PASSED if you see the word PASS below. Otherwise, it FAILED.</p> >+<img src="" width="128" height="128" alt="PASS"> >+</body> >+</html> >diff --git a/LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html b/LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html >new file mode 100644 >index 0000000000000000000000000000000000000000..1dbeeda74e7a94dcb7ffdec9050270145672d373 >--- /dev/null >+++ b/LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html >@@ -0,0 +1,10 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<meta http-equiv="Content-Security-Policy" content="img-src *"> >+</head> >+<body> >+<p>This tests that loading image with a file URL is blocked when the page has Content Security Policy "image-src *". This test PASSED if you see the word PASS below. Otherwise, it FAILED.</p> >+<img src="resources/green.png" width="128" height="128" alt="PASS"> >+</body> >+</html> >diff --git a/LayoutTests/fast/dom/HTMLImageElement/resources/green.png b/LayoutTests/fast/dom/HTMLImageElement/resources/green.png >new file mode 100644 >index 0000000000000000000000000000000000000000..b3c8cf3eb4c89bd8f2d1ffde051856f375e3a3de >GIT binary patch >literal 218 >zcmeAS@N?(olHy`uVBq!ia0vp^HXzKw1SGf4^HT*<jKx9jP7LeL$-D$|I14-?iy0WW >zg+Z8+Vb&Z8pdfpRr>`sfEmlzu3yE9XPACF}BuiW)N}Tg^b5rw57@Uhz6H8K46v{J8 >zG8EiBeFMT9`NV;W+&x_!Lo)8YJ?F^Fz`((>;PMkU^HzRy4~NuGe(INq1>ePjdKrGS >TIXtNc8p+`4>gTe~DWM4fy9-d) > >literal 0 >HcmV?d00001 > >diff --git a/LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star-expected.html b/LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star-expected.html >new file mode 100644 >index 0000000000000000000000000000000000000000..874bed44d81112746e349c114ceafd94facfa447 >--- /dev/null >+++ b/LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star-expected.html >@@ -0,0 +1,7 @@ >+<!DOCTYPE html> >+<html> >+<body> >+<p>This tests that loading a stylesheet with a blob URL is blocked when the page has Content Security Policy "style-src *". This test PASSED if you see a green square below. Otherwise, it FAILED.</p> >+<div style="background-color: green; height: 128px; width: 128px"></div> >+</body> >+</html> >diff --git a/LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html b/LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html >new file mode 100644 >index 0000000000000000000000000000000000000000..c9d228fc85f393980cf8ecea378a25ef5e297b45 >--- /dev/null >+++ b/LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html >@@ -0,0 +1,29 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<style> >+#test { >+ background-color: green; >+ height: 128px; >+ width: 128px; >+} >+</style> >+<meta http-equiv="Content-Security-Policy" content="style-src *"> >+<script> >+function createLinkElementWithStylesheet(stylesheetURL) >+{ >+ var link = document.createElement("link"); >+ link.rel = "stylesheet"; >+ link.href = stylesheetURL; >+ return link; >+} >+ >+var blobURL = window.URL.createObjectURL(new Blob(["#test { background-color: red !important; }"], {type: "text/css"})); >+document.head.appendChild(createLinkElementWithStylesheet(blobURL)); >+</script> >+</head> >+<body> >+<p>This tests that loading a stylesheet with a blob URL is blocked when the page has Content Security Policy "style-src *". This test PASSED if you see a green square below. Otherwise, it FAILED.</p> >+<div id="test"></div> >+</body> >+</html> >diff --git a/LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star-expected.html b/LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star-expected.html >new file mode 100644 >index 0000000000000000000000000000000000000000..b4c59c767417b7869bdf35402b5b474f0b3484db >--- /dev/null >+++ b/LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star-expected.html >@@ -0,0 +1,7 @@ >+<!DOCTYPE html> >+<html> >+<body> >+<p>This tests that loading a stylesheet with a data URL is blocked when the page has Content Security Policy "style-src *". This test PASSED if you see a green square below. Otherwise, it FAILED.</p> >+<div style="background-color: green; height: 128px; width: 128px"></div> >+</body> >+</html> >diff --git a/LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html b/LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html >new file mode 100644 >index 0000000000000000000000000000000000000000..129d35750d14eaf6fb4b9069d0bb64dbe69f03f8 >--- /dev/null >+++ b/LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html >@@ -0,0 +1,18 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<style> >+#test { >+ background-color: green; >+ height: 128px; >+ width: 128px; >+} >+</style> >+<meta http-equiv="Content-Security-Policy" content="style-src *"> >+<link rel="stylesheet" href="data:text/css, #test { background-color: red !important; }"> >+</head> >+<body> >+<p>This tests that loading a stylesheet with a data URL is blocked when the page has Content Security Policy "style-src *". This test PASSED if you see a green square below. Otherwise, it FAILED.</p> >+<div id="test"></div> >+</body> >+</html> >diff --git a/LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star-expected.html b/LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star-expected.html >new file mode 100644 >index 0000000000000000000000000000000000000000..4384846a4e6361bcacb1f4b58a46fe2902935900 >--- /dev/null >+++ b/LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star-expected.html >@@ -0,0 +1,7 @@ >+<!DOCTYPE html> >+<html> >+<body> >+<p>This tests that loading a stylesheet with a file URL is blocked when the page has Content Security Policy "style-src *". This test PASSED if you see a green square below. Otherwise, it FAILED.</p> >+<div style="background-color: green; height: 128px; width: 128px"></div> >+</body> >+</html> >diff --git a/LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html b/LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html >new file mode 100644 >index 0000000000000000000000000000000000000000..d35c99469787bf47f64a14fdce1dd222bf165678 >--- /dev/null >+++ b/LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html >@@ -0,0 +1,18 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<style> >+#test { >+ background-color: green; >+ height: 128px; >+ width: 128px; >+} >+</style> >+<meta http-equiv="Content-Security-Policy" content="style-src *"> >+<link rel="stylesheet" href="resources/red-background-color.css"> >+</head> >+<body> >+<p>This tests that loading a stylesheet with a file URL is blocked when the page has Content Security Policy "style-src *". This test PASSED if you see a green square below. Otherwise, it FAILED.</p> >+<div id="test"></div> >+</body> >+</html> >diff --git a/LayoutTests/fast/dom/HTMLLinkElement/resources/red-background-color.css b/LayoutTests/fast/dom/HTMLLinkElement/resources/red-background-color.css >new file mode 100644 >index 0000000000000000000000000000000000000000..421f9f71192227be0183b543a633c05380ce8d00 >--- /dev/null >+++ b/LayoutTests/fast/dom/HTMLLinkElement/resources/red-background-color.css >@@ -0,0 +1 @@ >+#test { background-color: red !important; } >diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..256f7c4bfd9ceeedf4a4d89d52b297e5227a5ea6 >--- /dev/null >+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star-expected.txt >@@ -0,0 +1,10 @@ >+This tests that loading an image with an HTTP URL is allowed when the page has Content Security Policy "img-src *". >+ >+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". >+ >+ >+PASS did load image. >+PASS successfullyParsed is true >+ >+TEST COMPLETE >+ >diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html b/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html >new file mode 100644 >index 0000000000000000000000000000000000000000..999bf0b3591531e77d8f4ec485407d022daee968 >--- /dev/null >+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html >@@ -0,0 +1,29 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<meta http-equiv="Content-Security-Policy" content="img-src *"> >+<script src="/js-test-resources/js-test-pre.js"></script> >+<script> >+window.jsTestIsAsync = true; >+ >+function didLoadImage() >+{ >+ testPassed("did load image."); >+ finishJSTest(); >+} >+ >+function failedToLoadImage() >+{ >+ testFailed("failed to load image."); >+ finishJSTest(); >+} >+</script> >+</head> >+<body> >+<script> >+description("This tests that loading an image with an HTTP URL is allowed when the page has Content Security Policy "img-src *"."); >+</script> >+<img src="http://127.0.0.1:8000/security/resources/abe.png" onload="didLoadImage()" onerror="failedToLoadImage()"> >+<script src="/js-test-resources/js-test-post.js"></script> >+</body> >+</html> >diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..c48ed96c2b3fb740477bd3eeb389af03205e5755 >--- /dev/null >+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star-expected.txt >@@ -0,0 +1,10 @@ >+This tests that loading an image with an HTTPS URL is allowed when the page has Content Security Policy "img-src *". >+ >+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". >+ >+ >+PASS did load image. >+PASS successfullyParsed is true >+ >+TEST COMPLETE >+ >diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html b/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html >new file mode 100644 >index 0000000000000000000000000000000000000000..9b6853fcddd2af4e6e1f2133c93568269a017b07 >--- /dev/null >+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html >@@ -0,0 +1,29 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<meta http-equiv="Content-Security-Policy" content="img-src *"> >+<script src="/js-test-resources/js-test-pre.js"></script> >+<script> >+window.jsTestIsAsync = true; >+ >+function didLoadImage() >+{ >+ testPassed("did load image."); >+ finishJSTest(); >+} >+ >+function failedToLoadImage() >+{ >+ testFailed("failed to load image."); >+ finishJSTest(); >+} >+</script> >+</head> >+<body> >+<script> >+description("This tests that loading an image with an HTTPS URL is allowed when the page has Content Security Policy "img-src *"."); >+</script> >+<img src="https://127.0.0.1:8443/security/resources/abe.png" onload="didLoadImage()" onerror="failedToLoadImage()"> >+<script src="/js-test-resources/js-test-post.js"></script> >+</body> >+</html> >diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ed6a78ea7d6df7e37d0ecbcd8b0c1f683e027b55 >--- /dev/null >+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt >@@ -0,0 +1,7 @@ >+CONSOLE MESSAGE: line 1: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "default-src *". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback. >+ >+CONSOLE MESSAGE: Refused to load frame 'javascript:alert('FAIL');' because it violates the following Content Security Policy directive: "default-src *". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback. >+ >+CONSOLE MESSAGE: Refused to load frame 'javascript:alert('FAIL');' because it violates the following Content Security Policy directive: "default-src *". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback. >+ >+ >diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html b/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html >new file mode 100644 >index 0000000000000000000000000000000000000000..827367de99eb44bc4d32946e7d29cc3ef050bb95 >--- /dev/null >+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html >@@ -0,0 +1,12 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<script> >+if (window.testRunner) >+ testRunner.dumpAsText(); >+</script> >+</head> >+<body> >+ <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/javascript-url.pl?should_run=no&csp=default-src *"></iframe> >+</body> >+</html> >diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..1237b7c67e6477e4c5d64c1b5ed1668381f42d9a >--- /dev/null >+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star-expected.txt >@@ -0,0 +1,10 @@ >+This tests that loading a stylesheet with an HTTP URL is allowed when the page has Content Security Policy "style-src *". >+ >+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". >+ >+ >+PASS did load stylesheet. >+PASS successfullyParsed is true >+ >+TEST COMPLETE >+ >diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html b/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html >new file mode 100644 >index 0000000000000000000000000000000000000000..42a6766b8a0d734d2e24654fad5c57ecd0917b9f >--- /dev/null >+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html >@@ -0,0 +1,29 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<meta http-equiv="Content-Security-Policy" content="style-src * 'unsafe-inline'"> >+<script src="/js-test-resources/js-test-pre.js"></script> >+<script> >+window.jsTestIsAsync = true; >+ >+function didLoadStylesheet() >+{ >+ testPassed("did load stylesheet."); >+ finishJSTest(); >+} >+ >+function failedToLoadStylesheet() >+{ >+ testFailed("failed to load stylesheet."); >+ finishJSTest(); >+} >+</script> >+<link rel="stylesheet" href="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/style-set-red.css" onload="didLoadStylesheet()" onerror="failedToLoadStylesheet()"> >+</head> >+<body> >+<script> >+description("This tests that loading a stylesheet with an HTTP URL is allowed when the page has Content Security Policy "style-src *"."); >+</script> >+<script src="/js-test-resources/js-test-post.js"></script> >+</body> >+</html> >diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..f6e56fccdd02d18f9735331dc8e2ed4def3e2cee >--- /dev/null >+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star-expected.txt >@@ -0,0 +1,10 @@ >+This tests that loading a stylesheet with an HTTPS URL is allowed when the page has Content Security Policy "style-src *". >+ >+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". >+ >+ >+PASS did load stylesheet. >+PASS successfullyParsed is true >+ >+TEST COMPLETE >+ >diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html b/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html >new file mode 100644 >index 0000000000000000000000000000000000000000..85bc106c7e860ace7b39cdec886968ea48044fa0 >--- /dev/null >+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html >@@ -0,0 +1,29 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<meta http-equiv="Content-Security-Policy" content="style-src * 'unsafe-inline'"> >+<script src="/js-test-resources/js-test-pre.js"></script> >+<script> >+window.jsTestIsAsync = true; >+ >+function didLoadStylesheet() >+{ >+ testPassed("did load stylesheet."); >+ finishJSTest(); >+} >+ >+function failedToLoadStylesheet() >+{ >+ testFailed("failed to load stylesheet."); >+ finishJSTest(); >+} >+</script> >+<link rel="stylesheet" href="https://127.0.0.1:8443/security/contentSecurityPolicy/resources/style-set-red.css" onload="didLoadStylesheet()" onerror="failedToLoadStylesheet()"> >+</head> >+<body> >+<script> >+description("This tests that loading a stylesheet with an HTTPS URL is allowed when the page has Content Security Policy "style-src *"."); >+</script> >+<script src="/js-test-resources/js-test-post.js"></script> >+</body> >+</html> >diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..ce7587282ab4c89cb743068035f4b8b6e4dbae05 >--- /dev/null >+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star-expected.txt >@@ -0,0 +1,10 @@ >+This tests that loading a video with an HTTP URL is allowed when the page has Content Security Policy "media-src *". >+ >+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". >+ >+ >+PASS did load video. >+PASS successfullyParsed is true >+ >+TEST COMPLETE >+ >diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html b/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html >new file mode 100644 >index 0000000000000000000000000000000000000000..3826f3f8029129eef1417fb7e2a4ee1dbdc1e2a7 >--- /dev/null >+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html >@@ -0,0 +1,45 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<meta http-equiv="Content-Security-Policy" content="media-src *"> >+<script src="/js-test-resources/js-test-pre.js"></script> >+<script src="/media-resources/media-file.js"></script> >+<style> >+video { >+ background-color: red; >+ width: 128px; >+ height: 128px; >+} >+</style> >+<script> >+window.jsTestIsAsync = true; >+ >+function didLoadVideo() >+{ >+ testPassed("did load video."); >+ finishJSTest(); >+} >+ >+function failedToLoadVideo() >+{ >+ testFailed("failed to load video."); >+ finishJSTest(); >+} >+ >+window.onload = function () >+{ >+ var video = document.getElementById("video"); >+ video.oncanplay = didLoadVideo; >+ video.onerror = failedToLoadVideo; >+ video.src = "http://127.0.0.1:8000/media-resources/" + findMediaFile("video", "content/test"); >+} >+</script> >+</head> >+<body> >+<script> >+description("This tests that loading a video with an HTTP URL is allowed when the page has Content Security Policy "media-src *"."); >+</script> >+<video id="video"></video> >+<script src="/js-test-resources/js-test-post.js"></script> >+</body> >+</html> >diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..63bb7d6770c46f2028329d659e72bfc07adb156c >--- /dev/null >+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star-expected.txt >@@ -0,0 +1,10 @@ >+This tests that loading a video with an HTTPS URL is allowed when the page has Content Security Policy "media-src *". >+ >+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". >+ >+ >+PASS did load video. >+PASS successfullyParsed is true >+ >+TEST COMPLETE >+ >diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html b/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html >new file mode 100644 >index 0000000000000000000000000000000000000000..ca8f106ae433ae656792fec9572ece439d45fc3f >--- /dev/null >+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html >@@ -0,0 +1,45 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<meta http-equiv="Content-Security-Policy" content="media-src *"> >+<script src="/js-test-resources/js-test-pre.js"></script> >+<script src="/media-resources/media-file.js"></script> >+<style> >+video { >+ background-color: red; >+ width: 128px; >+ height: 128px; >+} >+</style> >+<script> >+window.jsTestIsAsync = true; >+ >+function didLoadVideo() >+{ >+ testPassed("did load video."); >+ finishJSTest(); >+} >+ >+function failedToLoadVideo() >+{ >+ testFailed("failed to load video."); >+ finishJSTest(); >+} >+ >+window.onload = function () >+{ >+ var video = document.getElementById("video"); >+ video.oncanplay = didLoadVideo; >+ video.onerror = failedToLoadVideo; >+ video.src = "https://127.0.0.1:8443/media-resources/" + findMediaFile("video", "content/test"); >+} >+</script> >+</head> >+<body> >+<script> >+description("This tests that loading a video with an HTTPS URL is allowed when the page has Content Security Policy "media-src *"."); >+</script> >+<video id="video"></video> >+<script src="/js-test-resources/js-test-post.js"></script> >+</body> >+</html> >diff --git a/LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star-expected.html b/LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star-expected.html >new file mode 100644 >index 0000000000000000000000000000000000000000..51952f67a03bbcf1660fbaf2b1697f578eddb02b >--- /dev/null >+++ b/LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star-expected.html >@@ -0,0 +1,28 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<script src="media-file.js"></script> >+<script> >+if (window.testRunner) >+ testRunner.waitUntilDone(); >+ >+function testFinished() >+{ >+ if (window.testRunner) >+ testRunner.notifyDone(); >+} >+ >+window.onload = function () >+{ >+ var video = document.getElementById("video"); >+ video.onloadedmetadata = testFinished; >+ video.onerror = testFinished; >+ video.src = findMediaFile("video", "content/test"); >+} >+</script> >+</head> >+<body> >+<p>This tests that loading a video with a blob URL is allowed when the page has Content Security Policy "media-src *". To run this test by hand, select a video file. This test PASSED if the video loads and its first frame is shown below. Otherwise, it FAILED.</p> >+<video id="video"></video> >+</body> >+</html> >diff --git a/LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star.html b/LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star.html >new file mode 100644 >index 0000000000000000000000000000000000000000..5596fec32a613d933a2f3227c0039100447573a7 >--- /dev/null >+++ b/LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star.html >@@ -0,0 +1,54 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<meta http-equiv="Content-Security-Policy" content="media-src *"> >+<script src="media-file.js"></script> >+<script> >+if (window.testRunner) >+ testRunner.waitUntilDone(); >+ >+var fileInput; >+ >+function testFinished() >+{ >+ if (window.testRunner) >+ testRunner.notifyDone(); >+} >+ >+function loadVideo(event) >+{ >+ var video = document.createElement("video"); >+ video.onloadedmetadata = testFinished; >+ video.onerror = testFinished; >+ video.src = window.URL.createObjectURL(event.target.files[0]); >+ >+ document.body.removeChild(fileInput); >+ document.body.appendChild(video); >+} >+ >+function runTest() >+{ >+ if (!window.eventSender) >+ return; >+ >+ var x = fileInput.offsetLeft + fileInput.offsetWidth / 2; >+ var y = fileInput.offsetTop + fileInput.offsetHeight / 2; >+ >+ eventSender.beginDragWithFiles([findMediaFile("video", "content/test")]); >+ eventSender.mouseMoveTo(x, y); >+ eventSender.mouseUp(); >+} >+ >+window.onload = function () >+{ >+ fileInput = document.getElementById("file"); >+ fileInput.onchange = loadVideo; >+ runTest(); >+} >+</script> >+</head> >+<body> >+<p>This tests that loading a video with a blob URL is allowed when the page has Content Security Policy "media-src *". To run this test by hand, select a video file. This test PASSED if the video loads and its first frame is shown below. Otherwise, it FAILED.</p> >+<input type="file" id="file"> >+</body> >+</html> >diff --git a/LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star-expected.html b/LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star-expected.html >new file mode 100644 >index 0000000000000000000000000000000000000000..32c890b20582b2023b57c976a6530f70f426bed0 >--- /dev/null >+++ b/LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star-expected.html >@@ -0,0 +1,25 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<style> >+video { >+ width: 128px; >+ height: 128px; >+} >+</style> >+<script> >+if (window.testRunner) >+ testRunner.waitUntilDone(); >+ >+function testFinished() >+{ >+ if (window.testRunner) >+ testRunner.notifyDone(); >+} >+</script> >+</head> >+<body> >+<p>This tests that loading a video with a data URL is allowed when the page has Content Security Policy "media-src *". This test PASSED if you see a square with a green-to-gray horizontal gradient. Otherwise, it FAILED.</p> >+<video src="data:video/mp4;base64,AAAAGGZ0eXBtcDQyAAAAAW1wNDJtcDQxAAACrW1vb3YAAABsbXZoZAAAAADTABd80wAXfAAAAlgAAAAoAAEAAAEAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAI5dHJhawAAAFx0a2hkAAAAAdMAF3zTABd8AAAAAQAAAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAQAAAAAAyAAAAMgAAAAAAJGVkdHMAAAAcZWxzdAAAAAAAAAABAAAAKAAAAAAAAQAAAAABsW1kaWEAAAAgbWRoZAAAAADTABd80wAXfAAAAlgAAAJYFccAAAAAADpoZGxyAAAAAAAAAAB2aWRlAAAAAAAAAAAAAAAAQXBwbGUgVmlkZW8gTWVkaWEgSGFuZGxlcgAAAAFPbWluZgAAABR2bWhkAAAAAQAAAAAAAAAAAAAAJGRpbmYAAAAcZHJlZgAAAAAAAAABAAAADHVybCAAAAABAAABD3N0YmwAAACrc3RzZAAAAAAAAAABAAAAm21wNHYAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAMgAyAEgAAABIAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAY//8AAABFZXNkcwAAAAADNwAAHwQvIBEALuAAAH0AAAB9AAUgAAABsPMAAAG1DuBAwM8AAAEAAAABIACEQPooDKAyox8GAQIAAAAYc3R0cwAAAAAAAAABAAAAAQAAAlgAAAAcc3RzYwAAAAAAAAABAAAAAQAAAAEAAAABAAAAFHN0c3oAAAAAAAACxQAAAAEAAAAUc3RjbwAAAAAAAAABAAAC7QAAAAhmcmVlAAAACGZyZWUAAALdbWRhdAAAAAh3aWRlAAAAAG1kYXQAAAG2EAMJjF7bCAFgRvbfiNzb8MqOhJBwKtkGGQPFwBJgwxJBwKtkGGQPFwBJhh2CkikFCCBi64HxGi1uVcfsItzm5SWWWEAMwPAQHYPB/5YKAHh/9cQgeL/6wGCNbb+PNv4225srB4D+rB4P/DEcHiIBMHi4BkFk2DwH9WDwf+GI4PEQCYPFwDILJwHgILEHg/1sHgIJcHh/4MHgIGUHi/70HwICPB4CCxB4P9bB4CCXB4f+DB4CBlB4v+9B8CAjjbb+Ntv422/ZWDwH9WDwf+GI4PEQCYPFwDILJsHgP6sHg/8MRweIgEweLgGQWTweAgsQeD/WweAglweH/gweAgZQeL/vQfAgI6DwEFPlbB4D9lB4CCN9jP02/B4D+LB4CBdzFbA4raq6DwH+CIUjLUVtK1V+0N8EFhlrsD1r+dx7IOgeB/qweA/wweF/4weKgEx0D5sAiweB/qweA/wweF/4weKgEx0D5sAiYYMwPA/44KUHhf88A8Hif+Eeg+b/7g3g8D/bg8B/dg8L/hgoweJ/2RJB83/zZGDwP9WDwH+GDwv/GDxUAmOgfNgEWDwP9WDwH+GDwv/GDxUAmOgfNgEW8Hgf8cFKDwv+eAeDxP/CPQfN/98Hgf7cHgP7sHhf8MFGDxP+yJIPm/+bIweB/qweA/wweF/4weKgEx0D5sAiweB/qweA/wweF/4weKgEx0D5sAi3g8D/jgpQeF/zwDweJ/4R6D5v/vg8D/bg8B/dg8L/hgoweJ/2RJB83/zYSw/H6cS0/y8v+OU7agt+o9nSz09hV6Zg2yRaBW23Hw/H4jD8uEkSC9OOhLHSdUPx0Ox8rbSD8fD9I3GUheXJWLjKZOmZzG1Strcbabyf9ZrjR8Px+Iw/LhJEgvTjoSx0nVD8dDsfK20g/Hw/SNxlIXlyVi4ymTpmcxtUra3G2m8n/Wa5" oncanplay="testFinished()"></video> >+</body> >+</html> >diff --git a/LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star.html b/LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star.html >new file mode 100644 >index 0000000000000000000000000000000000000000..ecc9ec2548f39642c48b51acf311c53ef1ceb32c >--- /dev/null >+++ b/LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star.html >@@ -0,0 +1,27 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<meta http-equiv="Content-Security-Policy" content="media-src *"> >+<style> >+video { >+ background-color: red; >+ width: 128px; >+ height: 128px; >+} >+</style> >+<script> >+if (window.testRunner) >+ testRunner.waitUntilDone(); >+ >+function testFinished() >+{ >+ if (window.testRunner) >+ testRunner.notifyDone(); >+} >+</script> >+</head> >+<body> >+<p>This tests that loading a video with a data URL is allowed when the page has Content Security Policy "media-src *". This test PASSED if you see a square with a green-to-gray horizontal gradient. Otherwise, it FAILED.</p> >+<video src="data:video/mp4;base64,AAAAGGZ0eXBtcDQyAAAAAW1wNDJtcDQxAAACrW1vb3YAAABsbXZoZAAAAADTABd80wAXfAAAAlgAAAAoAAEAAAEAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAI5dHJhawAAAFx0a2hkAAAAAdMAF3zTABd8AAAAAQAAAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAQAAAAAAyAAAAMgAAAAAAJGVkdHMAAAAcZWxzdAAAAAAAAAABAAAAKAAAAAAAAQAAAAABsW1kaWEAAAAgbWRoZAAAAADTABd80wAXfAAAAlgAAAJYFccAAAAAADpoZGxyAAAAAAAAAAB2aWRlAAAAAAAAAAAAAAAAQXBwbGUgVmlkZW8gTWVkaWEgSGFuZGxlcgAAAAFPbWluZgAAABR2bWhkAAAAAQAAAAAAAAAAAAAAJGRpbmYAAAAcZHJlZgAAAAAAAAABAAAADHVybCAAAAABAAABD3N0YmwAAACrc3RzZAAAAAAAAAABAAAAm21wNHYAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAMgAyAEgAAABIAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAY//8AAABFZXNkcwAAAAADNwAAHwQvIBEALuAAAH0AAAB9AAUgAAABsPMAAAG1DuBAwM8AAAEAAAABIACEQPooDKAyox8GAQIAAAAYc3R0cwAAAAAAAAABAAAAAQAAAlgAAAAcc3RzYwAAAAAAAAABAAAAAQAAAAEAAAABAAAAFHN0c3oAAAAAAAACxQAAAAEAAAAUc3RjbwAAAAAAAAABAAAC7QAAAAhmcmVlAAAACGZyZWUAAALdbWRhdAAAAAh3aWRlAAAAAG1kYXQAAAG2EAMJjF7bCAFgRvbfiNzb8MqOhJBwKtkGGQPFwBJgwxJBwKtkGGQPFwBJhh2CkikFCCBi64HxGi1uVcfsItzm5SWWWEAMwPAQHYPB/5YKAHh/9cQgeL/6wGCNbb+PNv4225srB4D+rB4P/DEcHiIBMHi4BkFk2DwH9WDwf+GI4PEQCYPFwDILJwHgILEHg/1sHgIJcHh/4MHgIGUHi/70HwICPB4CCxB4P9bB4CCXB4f+DB4CBlB4v+9B8CAjjbb+Ntv422/ZWDwH9WDwf+GI4PEQCYPFwDILJsHgP6sHg/8MRweIgEweLgGQWTweAgsQeD/WweAglweH/gweAgZQeL/vQfAgI6DwEFPlbB4D9lB4CCN9jP02/B4D+LB4CBdzFbA4raq6DwH+CIUjLUVtK1V+0N8EFhlrsD1r+dx7IOgeB/qweA/wweF/4weKgEx0D5sAiweB/qweA/wweF/4weKgEx0D5sAiYYMwPA/44KUHhf88A8Hif+Eeg+b/7g3g8D/bg8B/dg8L/hgoweJ/2RJB83/zZGDwP9WDwH+GDwv/GDxUAmOgfNgEWDwP9WDwH+GDwv/GDxUAmOgfNgEW8Hgf8cFKDwv+eAeDxP/CPQfN/98Hgf7cHgP7sHhf8MFGDxP+yJIPm/+bIweB/qweA/wweF/4weKgEx0D5sAiweB/qweA/wweF/4weKgEx0D5sAi3g8D/jgpQeF/zwDweJ/4R6D5v/vg8D/bg8B/dg8L/hgoweJ/2RJB83/zYSw/H6cS0/y8v+OU7agt+o9nSz09hV6Zg2yRaBW23Hw/H4jD8uEkSC9OOhLHSdUPx0Ox8rbSD8fD9I3GUheXJWLjKZOmZzG1Strcbabyf9ZrjR8Px+Iw/LhJEgvTjoSx0nVD8dDsfK20g/Hw/SNxlIXlyVi4ymTpmcxtUra3G2m8n/Wa5" oncanplay="testFinished()" onerror="testFinished()"></video> >+</body> >+</html> >diff --git a/LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star-expected.html b/LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star-expected.html >new file mode 100644 >index 0000000000000000000000000000000000000000..379988640e1f6bdc81971217336263872d1ae615 >--- /dev/null >+++ b/LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star-expected.html >@@ -0,0 +1,16 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<style> >+#equivalent-expected-result { >+ background-color: green; >+ width: 128px; >+ height: 128px; >+} >+</style> >+</head> >+<body> >+<p>This tests that loading a video with a file URL is allowed when the page has Content Security Policy "media-src *". This test PASSED if you see a solid green square. Otherwise, it FAILED.</p> >+<div id="equivalent-expected-result"></div> >+</body> >+</html> >diff --git a/LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star.html b/LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star.html >new file mode 100644 >index 0000000000000000000000000000000000000000..63bad1bfde901633e2e4bf7be0e07057dc93325b >--- /dev/null >+++ b/LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star.html >@@ -0,0 +1,36 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<meta http-equiv="Content-Security-Policy" content="media-src *"> >+<style> >+video { >+ background-color: green; >+ width: 128px; >+ height: 128px; >+} >+</style> >+<script src="media-file.js"></script> >+<script> >+if (window.testRunner) >+ testRunner.waitUntilDone(); >+ >+function testFinished() >+{ >+ if (window.testRunner) >+ testRunner.notifyDone(); >+} >+ >+window.onload = function () >+{ >+ var video = document.getElementById("video"); >+ video.onloadedmetadata = testFinished; >+ video.onerror = testFinished; >+ video.src = findMediaFile("video", "content/test"); >+} >+</script> >+</head> >+<body> >+<p>This tests that loading a video with a file URL is allowed when the page has Content Security Policy "media-src *". This test PASSED if you see a solid green square. Otherwise, it FAILED.</p> >+<video id="video"></video> >+</body> >+</html> >diff --git a/LayoutTests/platform/wk2/TestExpectations b/LayoutTests/platform/wk2/TestExpectations >index 00539d7dbc3b7751193dc332ebbe35a13c1e7b57..93f1f150acd6f6a06f6226c2ae3e334f51cafb14 100644 >--- a/LayoutTests/platform/wk2/TestExpectations >+++ b/LayoutTests/platform/wk2/TestExpectations >@@ -625,6 +625,7 @@ platform/mac/fast/events/objc-event-api.html > # https://bugs.webkit.org/show_bug.cgi?id=64285 > editing/pasteboard/file-drag-to-editable.html > editing/pasteboard/file-input-files-access.html >+fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html > fast/dom/Window/window-postmessage-clone-frames.html > fast/dom/Window/window-postmessage-clone.html > fast/events/data-transfer-files-attribute-identity.html >@@ -677,6 +678,7 @@ http/tests/local/formdata/send-form-data.html > http/tests/local/formdata/send-form-data-with-empty-file-filename.html > http/tests/local/formdata/upload-events.html > http/tests/security/clipboard/clipboard-file-access.html >+media/video-with-blob-url-allowed-by-csp-media-src-star.html > media/video-src-blob.html > storage/indexeddb/noblobs.html > storage/indexeddb/noblobs-private.html
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Formatted Diff
|
Diff
Attachments on
bug 154122
:
273068
|
273212
|
273222
|
273223
|
273229