Source code
Revision control
Copy as Markdown
Other Tools
Test Info:
- This WPT test may be referenced by the following Test IDs:
- /content-security-policy/embedded-enforcement/subsumption_algorithm-source_list-wildcards.html - WPT Dashboard Interop Dashboard
<!DOCTYPE html>
<html>
<head>
<title>Embedded Enforcement: Subsumption Algorithm - Wildcard lists.</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/testharness-helper.sub.js"></script>
</head>
<body>
<script>
var tests = [
{ "name" : "Wildcard list subsumes an empty source list.",
"required_csp": "img-src *",
"returned_csp_1": "img-src ",
"expected": IframeLoad.EXPECT_LOAD },
{ "name" : "Wildcard list subsumes a source list with `none`.",
"required_csp": "img-src *",
"returned_csp_1": "img-src 'none'",
"expected": IframeLoad.EXPECT_LOAD },
{ "name" : "Wildcard list subsumes another wildcard list.",
"required_csp": "img-src *",
"returned_csp_1": "img-src *",
"expected": IframeLoad.EXPECT_LOAD },
{ "name" : "Wildcard list subsumes a list of policies with wildcards in source lists.",
"required_csp": "img-src *",
"returned_csp_1": "img-src *",
"returned_csp_2": "img-src *",
"expected": IframeLoad.EXPECT_LOAD },
{ "name" : "Wildcard list is equivalent to a specific list of scheme expressions and their secure variants.",
"required_csp": "https: http: ftp: ws: wss:",
"returned_csp_1": "img-src *",
"expected": IframeLoad.EXPECT_LOAD },
{ "name" : "Wildcard list is equivalent to a specific list of scheme expressions.",
"required_csp": "img-src http: ftp: ws:",
"returned_csp_1": "img-src *",
"returned_csp_2": "img-src https: http: ftp: ws: wss:",
"expected": IframeLoad.EXPECT_LOAD },
{ "name" : "Wildcard list subsumption logic should not affect other keyword expressions.",
"required_csp": "img-src http: ftp: ws: 'self'",
"returned_csp_1": "img-src *",
"expected": IframeLoad.EXPECT_LOAD },
{ "name" : "Wildcard list might include other scheme source expressions.",
"required_csp": "img-src data: blob: *",
"expected": IframeLoad.EXPECT_LOAD },
{ "name" : "Effective wildcard list should be properly found.",
"returned_csp_1": "img-src *",
"expected": IframeLoad.EXPECT_LOAD },
{ "name" : "Wildcard does not subsume empty list.",
"required_csp": "img-src *",
"returned_csp_1": null,
"expected": IframeLoad.EXPECT_BLOCK },
{ "name" : "Empty source list does not subsume a wildcard source list.",
"required_csp": "img-src ",
"returned_csp_1": "img-src *",
"expected": IframeLoad.EXPECT_BLOCK },
{ "name" : "'none' does not subsume a wildcard source list.",
"required_csp": "img-src 'none'",
"returned_csp_1": "img-src *",
"expected": IframeLoad.EXPECT_BLOCK },
{ "name" : "Wildcard source list does not subsume `data:` scheme source expression.",
"required_csp": "img-src *",
"returned_csp_1": "img-src data:",
"expected": IframeLoad.EXPECT_BLOCK },
{ "name" : "Wildcard source list does not subsume `blob:` scheme source expression.",
"required_csp": "img-src *",
"returned_csp_1": "img-src blob:",
"expected": IframeLoad.EXPECT_BLOCK },
{ "name" : "Source expressions do not subsume effective nonce expressions.",
"required_csp": "script-src http: ftp: ws:",
"returned_csp_1": "script-src * 'nonce-abc'",
"returned_csp_2": "script-src https: 'nonce-abc'",
"expected": IframeLoad.EXPECT_BLOCK },
{ "name" : "Wildcard source list is not subsumed by a host expression.",
"returned_csp_1": "img-src *",
"expected": IframeLoad.EXPECT_BLOCK },
{ "name" : "Wildcard list with keywords is not subsumed by a wildcard list.",
"required_csp": "style-src *",
"returned_csp_1": "style-src * 'unsafe-eval'",
"expected": IframeLoad.EXPECT_BLOCK },
{ "name" : "Wildcard list with 'unsafe-hashes' is not subsumed by a wildcard list.",
"required_csp": "style-src *",
"returned_csp_1": "style-src * 'unsafe-hashes'",
"expected": IframeLoad.EXPECT_BLOCK },
{ "name" : "Wildcard list with 'unsafe-inline' is not subsumed by a wildcard list.",
"required_csp": "style-src *",
"returned_csp_1": "style-src * 'unsafe-inline'",
"expected": IframeLoad.EXPECT_BLOCK },
{ "name" : "Wildcard list with 'unsafe-eval' is not subsumed by a wildcard list.",
"required_csp": "img-src 'unsafe-eval'",
"returned_csp_1": "img-src * 'unsafe-eval'",
"expected": IframeLoad.EXPECT_BLOCK },
{ "name" : "Wildcard list with 'unsafe-eval' is not subsumed by list with a single expression.",
"required_csp": "img-src 'unsafe-hashed-attributes'",
"returned_csp_1": "img-src * 'unsafe-hashed-attributes'",
"expected": IframeLoad.EXPECT_BLOCK },
{ "name" : "The same as above but for 'unsafe-inline'.",
"required_csp": "img-src 'unsafe-inline'",
"returned_csp_1": "img-src * 'unsafe-inline'",
"expected": IframeLoad.EXPECT_BLOCK },
{ "name" : "`data:` is not subsumed by a wildcard list.",
"required_csp": "img-src *",
"returned_csp_1": "img-src data: blob:",
"expected": IframeLoad.EXPECT_BLOCK },
{ "name" : "`blob:` is not subsumed by a wildcard list.",
"required_csp": "img-src * data:",
"returned_csp_1": "img-src data: blob:",
"expected": IframeLoad.EXPECT_BLOCK },
];
tests.forEach(test => {
async_test(t => {
var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1);
if (test.returned_csp_2)
url.searchParams.append("policy2", test.returned_csp_2);
assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
}, test.name);
});
</script>
</body>
</html>