    ba1428c9
    [WPT] Fix and extend content-security-policy/unsafe-hashes/ · ba1428c9
    Hiroshige Hayashizaki authored
    The tests using `<a>` elements were largely broken:
    
    - Some tests execute `t.unreached_func()` instead of
      `t.unreached_func()()`, and thus didn't terminate
      tests on failures.
    - `target="_blank"`, `rel="opener"` and `opener` in
      the JavaScript URL should be used together but weren't.
      `javascript_src_denied_wrong_hash-href_blank.html` had
      `target="_blank"` but not the other two.
    - Filenames and test contents didn't match. For example,
      javascript_src_denied_missing_unsafe_hashes-href_blank.html
      had actually wrong hashes while
      javascript_src_denied_wrong_hash-href_blank.html
      missed 'unsafe-hash'.
    
    This CL refactors and fixes these tests.
    The common parts are moved into `helper.js` and
    only two javascript: URLs are used to simplify
    CSP hashes:
    - `javascript:opener.navigated();`
    - `javascript:navigated();`
    
    This CL also adds tests to confirm that
    `script-src-elem` is used, not `script-src-attr`.
    
    Bug: 941246
    Change-Id: Ieb6e665b34abced26fcc6cc2bbefe3c3eb6749b8
    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3669066
    
    
    Reviewed-by: Antonio Sartori <antoniosartori@chromium.org>
    Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#1008357}
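
Added example (not code from this commit or from testharness.js): a constructed stand-in for the test object shows why the bare `t.unreached_func()` from the first bullet leaves a test unterminated while `t.unreached_func()()` fails it, followed by a heuristic scan for the bare-call form. `makeTest`, `statusAfterRunning`, `findUninvoked` and the sample lines are assumptions of this example.

```javascript
// Constructed stand-in for a testharness.js Test object (not the real library).
// As in testharness.js, unreached_func() only RETURNS a function; the test is
// failed when that returned function is itself called.
function makeTest() {
  const t = {
    status: "PENDING",
    unreached_func(description) {
      return () => { t.status = "FAIL: " + description; };
    },
  };
  return t;
}

// Runs `body` the way a handler or javascript: URL body would run if CSP
// failed to block it, then reports the resulting test status.
function statusAfterRunning(body) {
  const t = makeTest();
  new Function("t", body)(t);
  return t.status;
}

// Heuristic (an assumption of this example, not a WPT tool): unreached_func(...)
// that starts a statement, attribute value or javascript: URL body and is
// followed by ';', a closing quote or end of line, i.e. never invoked.
const BARE_CALL =
  /(?:^|[;:"'{])\s*(?:[\w$.]+\.)?unreached_func\s*\((?:[^()'"]|'[^']*'|"[^"]*")*\)\s*(?=;|["']|$)/;

// Returns the 1-based numbers of the lines that contain a bare call.
function findUninvoked(lines) {
  return lines.flatMap((line, i) => (BARE_CALL.test(line) ? [i + 1] : []));
}

// Constructed sample lines, not taken from the WPT files.
const SAMPLE = [
  `<a href="javascript:t.unreached_func('blocked');">broken</a>`,
  `<a href="javascript:t.unreached_func('blocked')();">fixed</a>`,
  `img.onerror = t.unreached_func("load failed");`, // passed as a callback: fine
  `<div onclick="t.unreached_func('blocked')">broken</div>`,
];

console.log(statusAfterRunning("t.unreached_func('blocked');"));
console.log(statusAfterRunning("t.unreached_func('blocked')();"));
console.log(findUninvoked(SAMPLE));
```

The scan is line-based and regex-only, so it treats any call assigned or passed as an argument as correct and does not follow multi-line expressions.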