Bug 1491789 [wpt PR 13026] - Fixed object-src tests, a=testonly
authorAndy Paicu <andypaicu@chromium.org>
Tue, 09 Oct 2018 04:14:21 +0000
changeset 495963 ca58232beff9d49be9af2ff577535a55cbc59473
parent 495962 eaa0b6b2dc7579de4210325876dc0fd72516daf8
child 495964 929c3f751bddb30b55f8393b16f4542d742c91b5
push id9984
push userffxbld-merge
push dateMon, 15 Oct 2018 21:07:35 +0000
reviewerstestonly
bugs1491789, 13026, 240058, 1225886, 596662
milestone64.0a1
Bug 1491789 [wpt PR 13026] - Fixed object-src tests, a=testonly Automatic update from web-platform-testsFixed object-src tests As part of checking if the linked bug is still an issue, I have taken the opportunity to fix the current mostly non-sensical tests. Bug: 240058 Change-Id: I716d43d38be6dd161aa0437dbda03f2c77eb6d88 Reviewed-on: https://chromium-review.googlesource.com/c/1225886 Commit-Queue: Andy Paicu <andypaicu@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#596662} -- wpt-commits: 2a988396ac8b119e11fdb7d84b00eff0ed81bfe2 wpt-pr: 13026
testing/web-platform/tests/content-security-policy/object-src/object-src-2_1.html
testing/web-platform/tests/content-security-policy/object-src/object-src-2_1.html.sub.headers
testing/web-platform/tests/content-security-policy/object-src/object-src-2_2.html
testing/web-platform/tests/content-security-policy/object-src/object-src-2_2.html.sub.headers
testing/web-platform/tests/content-security-policy/object-src/object-src-no-url-allowed.html
testing/web-platform/tests/content-security-policy/object-src/object-src-no-url-allowed.html.sub.headers
testing/web-platform/tests/content-security-policy/object-src/object-src-no-url-allowed.sub.html
testing/web-platform/tests/content-security-policy/object-src/object-src-no-url-blocked.html
testing/web-platform/tests/content-security-policy/object-src/object-src-no-url-blocked.sub.html
testing/web-platform/tests/content-security-policy/object-src/object-src-url-allowed.html
testing/web-platform/tests/content-security-policy/object-src/object-src-url-allowed.html.sub.headers
testing/web-platform/tests/content-security-policy/object-src/object-src-url-allowed.sub.html
testing/web-platform/tests/content-security-policy/object-src/object-src-url-blocked.html
testing/web-platform/tests/content-security-policy/object-src/object-src-url-blocked.sub.html
testing/web-platform/tests/content-security-policy/object-src/object-src-url-embed-allowed.html
testing/web-platform/tests/content-security-policy/object-src/object-src-url-embed-allowed.html.sub.headers
testing/web-platform/tests/content-security-policy/object-src/object-src-url-embed-blocked.html
testing/web-platform/tests/content-security-policy/object-src/object-src-url-redirect-allowed.html
testing/web-platform/tests/content-security-policy/object-src/object-src-url-redirect-allowed.html.sub.headers
testing/web-platform/tests/content-security-policy/object-src/object-src-url-redirect-blocked.sub.html
deleted file mode 100644
--- a/testing/web-platform/tests/content-security-policy/object-src/object-src-2_1.html
+++ /dev/null
@@ -1,66 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-
-<head>
-    <title>Objects loaded using data attribute of &lt;object&gt; tag are blocked unless their host is listed as an allowed source in the object-src directive</title>
-    <meta name=timeout content=long>
-    <script src='/resources/testharness.js'></script>
-    <script src='/resources/testharnessreport.js'></script>
-</head>
-
-<body onLoad="object_loaded()">
-    <h1>Objects loaded using data attribute of &lt;object&gt; tag are blocked unless their host is listed as an allowed source in the object-src directive</h1>
-    <div id="log"></div>
-
-    <script>
-        var relativeMediaURL = "/support/media/flash.swf";
-        var pageURL = window.location.toString();
-        var temp1 = pageURL.split("//");
-        var temp2 = temp1[1].substring(0, temp1[1].lastIndexOf("/object-src/"));
-        var mediaURL = "http://www2." + temp2 + relativeMediaURL;
-        var htmlStr = "<object id='flashObject' type='application/x-shockwave-flash' data='" + mediaURL + "' width='200' height='200'></object>";
-        document.write(htmlStr);
-    </script>
-
-    <script>
-        var len = navigator.mimeTypes.length;
-        var allTypes = "";
-        var flashMimeType = "application/x-shockwave-flash";
-        for (var i = 0; i < len; i++) {
-            allTypes += navigator.mimeTypes[i].type;
-        }
-
-        var hasMimeType = allTypes.indexOf(flashMimeType) != -1;
-
-        <!-- The actual test. -->
-        var test1 = async_test("Async SWF load test")
-
-        function object_loaded() {
-            var elem = document.getElementById("flashObject");
-            var is_loaded = false;
-            try {
-                <!-- The Flash Player exposes values to JavaScript if a SWF has successfully been loaded. -->
-                var pct_loaded = elem.PercentLoaded();
-                is_loaded = true;
-            } catch (e) {}
-
-            if (hasMimeType) {
-                test1.step(function () {
-                    assert_false(is_loaded, "External object loaded.")
-                });
-                var s = document.createElement('script');
-                s.async = true;
-                s.defer = true;
-                s.src = "../support/checkReport.sub.js?reportField=violated-directive&reportValue=object-src%20%27self%27"
-                document.lastChild.appendChild(s);
-            } else {
-                test1.set_status(test1.NOTRUN, "No Flash Player, cannot run test.");
-                test1.phase = test1.phases.HAS_RESULT;
-            }
-            test1.done();
-        }
-    </script>
-
-</body>
-
-</html>
\ No newline at end of file
deleted file mode 100644
--- a/testing/web-platform/tests/content-security-policy/object-src/object-src-2_1.html.sub.headers
+++ /dev/null
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: object-src-2_1={{$id:uuid()}}; Path=/content-security-policy/object-src/
-Content-Security-Policy: script-src * 'unsafe-inline'; object-src 'self'; report-uri  ../support/report.py?op=put&reportID={{$id}}
\ No newline at end of file
deleted file mode 100644
--- a/testing/web-platform/tests/content-security-policy/object-src/object-src-2_2.html
+++ /dev/null
@@ -1,61 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-    <title>Objects loaded using src attribute of &lt;embed&gt; tag are blocked unless their host is listed as an allowed source in the object-src directive</title>
-    <meta name=timeout content=long>
-    <script src='/resources/testharness.js'></script>
-    <script src='/resources/testharnessreport.js'></script>
-</head>
-<body onLoad="object_loaded()">
-    <h1>Objects loaded using src attribute of &lt;embed&gt; tag are blocked unless their host is listed as an allowed source in the object-src directive</h1>
-    <div id="log"></div>
-
-    <script>
-      var relativeMediaURL = "/support/media/flash.swf";
-      var pageURL = window.location.toString();
-      var temp1 = pageURL.split("//");
-      var temp2 = temp1[1].substring (0, temp1[1].lastIndexOf("/object-src/"));
-      var mediaURL = "http://www2." + temp2 + relativeMediaURL;
-      var htmlStr = "<embed id='flashObject' type='application/x-shockwave-flash' src='" + mediaURL + "' width='200' height='200'></object>";
-      document.write (htmlStr);
-    </script>
-
-    <script>
-      var len = navigator.mimeTypes.length;
-      var allTypes = "";
-      var flashMimeType = "application/x-shockwave-flash";
-      for ( var i=0;i<len;i++ ) {
-        allTypes+=navigator.mimeTypes[i].type;
-      }
-
-      var hasMimeType = allTypes.indexOf(flashMimeType) != -1;
-
-      <!-- The actual test. -->
-      var test1 = async_test("Async SWF load test")
-
-      function object_loaded() {
-        var elem = document.getElementById("flashObject");
-        var is_loaded = false;
-        try {
-          <!-- The Flash Player exposes values to JavaScript if a SWF has successfully been loaded. -->
-          var pct_loaded = elem.PercentLoaded();
-          is_loaded = true;
-        } catch (e) {}
-
-        if (hasMimeType) {
-          test1.step(function() {assert_false(is_loaded, "External object loaded.")});
-          var s = document.createElement('script');
-              s.async = true;
-              s.defer = true;
-              s.src = "../support/checkReport.sub.js?reportField=violated-directive&reportValue=object-src%20%27self%27"
-          document.lastChild.appendChild(s);
-        } else {
-          //test1.step(function() {});
-          test1.set_status(test1.NOTRUN, "No Flash Player, cannot run test.");
-          test1.phase = test1.phases.HAS_RESULT;
-        }
-        test1.done();
-      }
-    </script>
-</body>
-</html>
deleted file mode 100644
--- a/testing/web-platform/tests/content-security-policy/object-src/object-src-2_2.html.sub.headers
+++ /dev/null
@@ -1,6 +0,0 @@
-Expires: Mon, 26 Jul 1997 05:00:00 GMT
-Cache-Control: no-store, no-cache, must-revalidate
-Cache-Control: post-check=0, pre-check=0, false
-Pragma: no-cache
-Set-Cookie: object-src-2_2={{$id:uuid()}}; Path=/content-security-policy/object-src/
-Content-Security-Policy: script-src * 'unsafe-inline'; object-src 'self'; report-uri  ../support/report.py?op=put&reportID={{$id}}
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-no-url-allowed.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!-- Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} -->
+</head>
+
+<body>
+    <object type="application/x-webkit-test-netscape"></object>
+
+    <!-- we rely on the report because we can't rely on the onload event for
+         "allowed" tests as it is not fired for object and embed -->
+    <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+
+</html>
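Review bot: The `checkReport.sub.js?reportExists=false` check can only show that no CSP report arrived, so this test also passes when nothing attempts a load at all. That looks likely here, because `<object type="application/x-webkit-test-netscape">` has no `data` URL and presumably triggers no plugin load in engines that do not register that WebKit test MIME type. The same negative-evidence pattern is used in object-src-url-allowed.html, object-src-url-embed-allowed.html and object-src-url-redirect-allowed.html. The existing comment explains why `onload` is not used; it should also state the limit, for example `<!-- passes by absence of a CSP report only; does not confirm the object was actually loaded -->`.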
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-no-url-allowed.html.sub.headers
@@ -0,0 +1,2 @@
+Set-Cookie: object-src-no-url-allowed={{$id:uuid()}}; Path=/content-security-policy/object-src/
+Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
deleted file mode 100644
--- a/testing/web-platform/tests/content-security-policy/object-src/object-src-no-url-allowed.sub.html
+++ /dev/null
@@ -1,31 +0,0 @@
-<!DOCTYPE html>
-<html>
-
-<head>
-    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
-    <meta http-equiv="Content-Security-Policy" content="object-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
-    <title>object-src-no-url-allowed</title>
-    <script src="/resources/testharness.js"></script>
-    <script src="/resources/testharnessreport.js"></script>
-    <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
-    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
-</head>
-
-<body>
-    <p>This test passes if there isn&apos;t a CSP violation saying the plugin was blocked.</p>
-
-    <script>
-       window.addEventListener('securitypolicyviolation', function(e) {
-            log("Fail");
-       });
-    </script>
-
-    <object type="application/x-webkit-test-netscape"></object>
-    <div id="log"></div>
-    
-    <script>
-        log("PASS");
-    </script>
-</body>
-
-</html>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-no-url-blocked.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="object-src 'none'; script-src 'self' 'unsafe-inline';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script>
+       var t = async_test("Should block the object and fire a spv");
+       window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+         assert_equals(e.violatedDirective, "object-src");
+       }));
+    </script>
+
+    <object type="application/x-webkit-test-netscape"></object>
+</body>
+
+</html>
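Review bot: The `<object type="application/x-webkit-test-netscape">` line has no `data` URL, so whether `securitypolicyviolation` fires at all depends on the engine treating that WebKit-specific MIME type as a plugin load that `object-src 'none'` applies to. Where it does not, the `async_test` would presumably time out instead of reporting a clear failure, which makes a real enforcement gap hard to tell apart from a missing plugin type. A comment above the element would help triage, for example `<!-- relies on the UA attempting a plugin load for this type; expect TIMEOUT where the type is unknown -->`.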
deleted file mode 100644
--- a/testing/web-platform/tests/content-security-policy/object-src/object-src-no-url-blocked.sub.html
+++ /dev/null
@@ -1,27 +0,0 @@
-<!DOCTYPE html>
-<html>
-
-<head>
-    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
-    <meta http-equiv="Content-Security-Policy" content="object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
-    <title>object-src-no-url-blocked</title>
-    <script src="/resources/testharness.js"></script>
-    <script src="/resources/testharnessreport.js"></script>
-    <script src='../support/logTest.sub.js?logs=["violated-directive=object-src"]'></script>
-    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
-</head>
-
-<body>
-    <p>This test passes if there is a CSP violation saying the plugin was blocked.</p>
-
-    <script>
-       window.addEventListener('securitypolicyviolation', function(e) {
-            log("violated-directive=" + e.violatedDirective);
-       });
-    </script>
-    
-    <object type="application/x-webkit-test-netscape"></object>
-    <div id="log"></div>
-</body>
-
-</html>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-allowed.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!-- Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} -->
+</head>
+
+<body>
+    <object type="image/png" data="/content-security-policy/support/pass.png"></object>
+
+    <!-- we rely on the report because we can't rely on the onload event for
+         "allowed" tests as it is not fired for object and embed -->
+    <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+
+</html>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-allowed.html.sub.headers
@@ -0,0 +1,2 @@
+Set-Cookie: object-src-url-allowed={{$id:uuid()}}; Path=/content-security-policy/object-src/
+Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
deleted file mode 100644
--- a/testing/web-platform/tests/content-security-policy/object-src/object-src-url-allowed.sub.html
+++ /dev/null
@@ -1,30 +0,0 @@
-<!DOCTYPE html>
-<html>
-
-<head>
-    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
-    <meta http-equiv="Content-Security-Policy" content="object-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
-    <title>object-src-url-allowed</title>
-    <script src="/resources/testharness.js"></script>
-    <script src="/resources/testharnessreport.js"></script>
-    <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
-    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
-</head>
-
-<body>
-    <p>This test passes if there is no CSP violation saying the plugin was blocked.</p>
-
-    <script>
-       window.addEventListener('securitypolicyviolation', function(e) {
-            log("Fail");
-       });
-    </script>
-
-    <object data="/content-security-policy/support/pass.png"></object>
-    <div id="log"></div>
-    <script>
-        log("Pass");
-    </script>
-</body>
-
-</html>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-blocked.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="object-src 'none'; script-src 'self' 'unsafe-inline';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script>
+      var t = async_test("Should block the object and fire a spv");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, "object-src");
+      }));
+    </script>
+
+    <object type="image/png" data="/content-security-policy/support/pass.png"></object>
+</body>
+
+</html>
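Review bot: The listener asserts only `e.violatedDirective`, so any object-src violation raised on the page would satisfy it, not specifically the block of this `<object>`. Adding `assert_true(e.blockedURI.endsWith("/content-security-policy/support/pass.png"));` inside the step function would tie the event to the load under test, assuming the UA reports the full URL for a same-origin resource. The same applies to the identical listener in object-src-url-embed-blocked.html.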
deleted file mode 100644
--- a/testing/web-platform/tests/content-security-policy/object-src/object-src-url-blocked.sub.html
+++ /dev/null
@@ -1,27 +0,0 @@
-<!DOCTYPE html>
-<html>
-
-<head>
-    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
-    <meta http-equiv="Content-Security-Policy" content="object-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
-    <title>object-src-url-blocked</title>
-    <script src="/resources/testharness.js"></script>
-    <script src="/resources/testharnessreport.js"></script>
-    <script src='../support/logTest.sub.js?logs=["violated-directive=object-src"]'></script>
-    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
-</head>
-
-<body>
-    <p>This test passes if there is a CSP violation saying the plugin was blocked.</p>
-    
-    <script>
-       window.addEventListener('securitypolicyviolation', function(e) {
-            log("violated-directive=" + e.violatedDirective);
-       });
-    </script>
-    
-    <object data="/plugins/resources/mock-plugin.pl"></object>
-    <div id="log"></div>
-</body>
-
-</html>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-embed-allowed.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!-- Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} -->
+</head>
+
+<body>
+  <embed height="40" width="40" type="image/png"
+         src="/content-security-policy/support/pass.png"></embed>
+
+         <!-- we rely on the report because we can't rely on the onload event for
+              "allowed" tests as it is not fired for object and embed -->
+    <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+
+</html>
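Review bot: `<embed>` is a void element, so the `</embed>` end tag after the `src` attribute is a stray end tag that the HTML parser flags and ignores. The line should end at the start tag: `src="/content-security-policy/support/pass.png">`. The same stray `</embed>` appears in object-src-url-embed-blocked.html. The explanatory comment and the `<script>` line below it are also indented inconsistently with the sibling tests.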
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-embed-allowed.html.sub.headers
@@ -0,0 +1,2 @@
+Set-Cookie: object-src-url-embed-allowed={{$id:uuid()}}; Path=/content-security-policy/object-src/
+Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-embed-blocked.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="object-src 'none'; script-src 'self' 'unsafe-inline';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script>
+      var t = async_test("Should block the object and fire a spv");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, "object-src");
+      }));
+    </script>
+
+    <embed height="40" width="40" type="image/png"
+           src="/content-security-policy/support/pass.png"></embed>
+</body>
+
+</html>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-redirect-allowed.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!-- Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} -->
+</head>
+
+<body>
+    <object type="image/png" data="/common-redirect.py?location=/content-security-policy/support/pass.png"></object>
+
+    <!-- we rely on the report because we can't rely on the onload event for
+         "allowed" tests as it is not fired for object and embed -->
+    <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+
+</html>
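Review bot: The `data` URL on the `<object>` line points at `/common-redirect.py`, while the blocked counterpart in this commit uses `/common/redirect.py`, so the hyphen looks like a typo for a slash. If so, the request most likely gets a same-origin 404 instead of a redirect. Because the test passes whenever no CSP report arrives (`reportExists=false`), it would still pass without ever exercising the redirect path under `object-src 'self'`. The line should presumably read `data="/common/redirect.py?location=/content-security-policy/support/pass.png"`.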
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-redirect-allowed.html.sub.headers
@@ -0,0 +1,2 @@
+Set-Cookie: object-src-url-redirect-allowed={{$id:uuid()}}; Path=/content-security-policy/object-src/
+Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/object-src/object-src-url-redirect-blocked.sub.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="object-src 'self'; script-src 'self' 'unsafe-inline';">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script>
+      var t = async_test("Should block the object and fire a spv");
+      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+        assert_equals(e.violatedDirective, "object-src");
+      }));
+    </script>
+
+    <object type="image/png" data="/common/redirect.py?location=http://{{domains[www1]}}/content-security-policy/support/pass.png"></object>
+</body>
+
+</html>
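Review bot: The step function checks `e.violatedDirective` but not what the event exposes about the cross-origin redirect target. CSP3 builds the violation from the request's original URL so that redirect destinations are not leaked to the page. Adding `assert_false(e.blockedURI.includes("{{domains[www1]}}"));` would cover that property; the substitution is available because this is a `.sub.html` file. The redirect target `http://{{domains[www1]}}/...` also carries no port, which is presumably harmless only because the load is blocked before the target is fetched; a short comment saying so would save the next reader from wondering.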