From c954f77f15529788048f087a0d8c65dc8c3a4735 Mon Sep 17 00:00:00 2001
From: Francis McCabe
Date: Thu, 14 Oct 2021 09:39:17 +0000
Subject: [PATCH] Bug 1733579 [wpt PR 31041] - [CSP] Added new policy violation source: wasm-eval, a=testonly Automatic update from web-platform-tests [CSP] Added new policy violation source: wasm-eval This extends the suite of policy violation sources to include a WebAssembly specific source: wasm-eval. This has also been reflected in the PR (https://github.com/w3c/webappsec-csp/pull/293#pullrequestreview-772234071) against the CSP spec. Added test for proper security violation event of the right form. Bug: 948834 Change-Id: I0b76fd725136b7ddda92e629f147f5ba77c50ffb Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3197842 Commit-Queue: Francis McCabe Reviewed-by: Arthur Sonzogni Reviewed-by: Mike West Reviewed-by: Antonio Sartori Reviewed-by: Andrey Kosyakov Reviewed-by: David Tseng Cr-Commit-Position: refs/heads/main@{#931206} -- wpt-commits: 6ccfe6fafab233ee6063b7bfeabb107ad847a205 wpt-pr: 31041
---
.../script-src-spv-asynch.any.js | 18 ++++++++++++++++++
.../script-src-spv-asynch.any.js.headers | 1 +
2 files changed, 19 insertions(+)
create mode 100644 testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js
create mode 100644 testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js.headers
diff --git a/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js
new file mode 100644
index 0000000000000..360e00c7154ca
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js
@@ -0,0 +1,18 @@
+// META: global=window,worker
+let code = new Uint8Array([0x53, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0]);
+async_test(t => {
+ self.addEventListener('securitypolicyviolation', t.step_func_done(e => {
+ assert_equals(e.violatedDirective, "script-src");
+ assert_equals(e.originalPolicy, "default-src 'self' 'unsafe-inline'")
+ assert_equals(e.blockedURI, "wasm-eval")
+ }));
+}, "Securitypolicyviolation event looks like it should");
+
+promise_test(t => {
+ return promise_rejects_js(
+ t, WebAssembly.CompileError,
+ WebAssembly.instantiate(code));
+});
+
+
+
diff --git a/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js.headers b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js.headers
new file mode 100644
index 0000000000000..d3790b6fbe049
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js.headers
@@ -0,0 +1 @@
+Content-Security-Policy: default-src 'self' 'unsafe-inline'
\ No newline at end of file
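Review bot: In script-src-spv-asynch.any.js the bytes in `code` spell "Sample\0" rather than a WebAssembly module header, so the `promise_rejects_js(t, WebAssembly.CompileError, ...)` check in the promise_test would presumably also pass in an engine that never consults the policy and simply rejects the malformed input. Only the `securitypolicyviolation` listener in the async_test ties the failure to CSP. A minimal valid module, `const code = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]);`, would make the rejection attributable to the policy alone. A short comment above the first assertion, such as `// No script-src in the policy: default-src is the fallback, but the violation is reported against script-src`, would explain why the expected directive differs from the one in the .headers file. The promise_test also has no name argument, and the `originalPolicy` and `blockedURI` assertions lack the trailing semicolon the first one has.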