Bug 1497208 [wpt PR 13422] - Directive names should be case-insensitive, a=testonly
authorAndy Paicu <andypaicu@chromium.org>
Thu, 11 Oct 2018 09:32:15 +0000
changeset 489278 dbb2466146ff7847973ba2be51753fa78d2a79a4
parent 489277 48ded72d05a229249f1a3087872507385831b5c4
child 489279 419ac57e1e50a056783bcdd9b5bcc767bf3e69d0
push id247
push userfmarier@mozilla.com
push dateSat, 27 Oct 2018 01:06:44 +0000
reviewerstestonly
bugs1497208, 13422, 893119, 1268316, 597873
milestone64.0a1
Bug 1497208 [wpt PR 13422] - Directive names should be case-insensitive, a=testonly Automatic update from web-platform-testsDirective names should be case-insensitive Spec: https://w3c.github.io/webappsec-csp/#parse-serialized-policy Fixed Chromium's behaviour Added unit tests Added WPT tests Bug: 893119 Change-Id: I0ee1114fd90a933071ff03c9a64b95431a17be95 Reviewed-on: https://chromium-review.googlesource.com/c/1268316 Commit-Queue: Andy Paicu <andypaicu@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#597873} -- wpt-commits: 21913d5409b0467bec6fa7029924e5973cc013a6 wpt-pr: 13422
testing/web-platform/tests/content-security-policy/generic/directive-name-case-insensitive.sub.html
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/generic/directive-name-case-insensitive.sub.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="
+      IMg-sRC 'self' 'unsafe-inline' http://{{domains[www1]}}:{{ports[http][0]}};
+      img-src 'self' 'unsafe-inline' http://{{domains[www2]}}:{{ports[http][0]}};">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+  <script>
+    var t1 = async_test("Test that the www1 image is allowed to load");
+    var t2 = async_test("Test that the www2 image is not allowed to load");
+    var t_spv = async_test("Test that the www2 image throws a violation event");
+    window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
+      assert_equals(e.violatedDirective, "img-src");
+      assert_equals(e.blockedURI, "http://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/fail.png");
+    }));
+  </script>
+
+  <img src="http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/pass.png"
+       onload="t1.done();"
+       onerror="t1.step(function() { assert_unreached('www1 image should have loaded'); t1.done(); });">
+
+  <img src="http://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/fail.png"
+       onerror="t2.done();"
+       onload="t2.step(function() { assert_unreached('www2 image should not have loaded'); t2.done(); });">
+</body>
+
+</html>