CSP: Enhance WPTs to check inline and eval blockedURIs

This adds a few assertions to Web Platform Tests for Content Security Policies checking if inline script execution and eval are allowed, so that they also ensure that the blockedURI in the CSP violation matches 'inline' or 'eval'. Bug: 563976 Change-Id: Ie2b93fe838768703e652dcfd5bd25b1334abcf57 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2743762 Auto-Submit: Antonio Sartori <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Commit-Queue: Antonio Sartori <[email protected]> Cr-Commit-Position: refs/heads/master@{#862765}
valerioadm · Mar 15, 2021 · accfb3c · accfb3c
1 parent 182810f
commit accfb3c
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 3 deletions.
diff --git a/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html b/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html
@@ -14,6 +14,6 @@
     }
   </script>
 
-  <script async defer src="../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27unsafe-inline%27"></script>
+  <script async defer src="../support/checkReport.sub.js?reportField=blocked-uri&reportValue=eval"></script>
 </body>
 </html>
diff --git a/...rity-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.sub.headers b/...rity-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.sub.headers
@@ -1,2 +1,2 @@
 Set-Cookie: eval-allowed-in-report-only-mode-and-sends-report={{$id:uuid()}}; Path=/content-security-policy/script-src
-Content-Security-Policy-Report-Only: script-src 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
+Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/content-security-policy/script-src/injected-inline-script-blocked.sub.html b/content-security-policy/script-src/injected-inline-script-blocked.sub.html
@@ -7,14 +7,15 @@
     <title>injected-inline-script-blocked</title>
     <script nonce='abc' src="/resources/testharness.js"></script>
     <script nonce='abc' src="/resources/testharnessreport.js"></script>
-    <script nonce='abc' src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem",]'></script>
+    <script nonce='abc' src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem","blocked-uri=inline"]'></script>
     <script nonce='abc' src='../support/alertAssert.sub.js?alerts=[]'></script>
 </head>
 
 <body>
     <script nonce='abc'>
        window.addEventListener('securitypolicyviolation', function(e) {
             log("violated-directive=" + e.violatedDirective);
+            log("blocked-uri=" + e.blockedURI);
         });
     </script>
     <script src="support/inject-script.js"></script>

diff --git a/content-security-policy/script-src/script-src-strict_dynamic_eval.html b/content-security-policy/script-src/script-src-strict_dynamic_eval.html
@@ -20,6 +20,7 @@ <h1>Scripts injected via `eval` are not allowed with `strict-dynamic` without `u
             window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
                 assert_false(evalScriptRan);
                 assert_equals(e.effectiveDirective, 'script-src');
+                assert_equals(e.blockedURI, 'eval');
             }));
 
             assert_throws_js(Error,