| # This is the complete set of content-security-policy tests |
| # as of https://lbshell-internal.googlesource.com/external/web-platform-tests/+/96dfec5fc4b1bb362681e8245dc3a72184751fbc |
| |
| # <base> is not supported |
| blink-contrib-2/base-uri-allow.sub.html,DISABLE |
| blink-contrib-2/base-uri-deny.sub.html,DISABLE |
| |
| # <iframe> not supported |
| blink-contrib-2/form-action-src-allowed.sub.html,DISABLE |
| blink-contrib-2/form-action-src-blocked.sub.html,DISABLE |
| blink-contrib-2/form-action-src-default-ignored.sub.html,DISABLE |
| blink-contrib-2/form-action-src-get-allowed.sub.html,DISABLE |
| blink-contrib-2/form-action-src-get-blocked.sub.html,DISABLE |
| blink-contrib-2/form-action-src-javascript-blocked.sub.html,DISABLE |
| blink-contrib-2/form-action-src-redirect-blocked.sub.html,DISABLE |
| |
| blink-contrib-2/meta-outside-head.sub.html,PASS |
| |
| # <object> not supported |
| blink-contrib-2/plugintypes-mismatched-data.sub.html,DISABLE |
| blink-contrib-2/plugintypes-mismatched-url.sub.html,DISABLE |
| blink-contrib-2/plugintypes-notype-data.sub.html,DISABLE |
| blink-contrib-2/plugintypes-notype-url.sub.html,DISABLE |
| blink-contrib-2/plugintypes-nourl-allowed.sub.html,DISABLE |
| blink-contrib-2/plugintypes-nourl-blocked.sub.html,DISABLE |
| |
| # hashes not supported |
| blink-contrib-2/scripthash-allowed.sub.html,DISABLE |
| # Note, the test below is an unreliable test: It depends on the alert_assert() |
| # being handled by the inline script allowed with a hash, but when that script |
| # itself is not allowed to run, the test still passes. |
| blink-contrib-2/scripthash-basic-blocked.sub.html,PASS |
| blink-contrib-2/scripthash-default-src.sub.html,DISABLE |
| blink-contrib-2/scripthash-ignore-unsafeinline.sub.html,PASS |
| blink-contrib-2/scripthash-unicode-normalization.sub.html,DISABLE |
| |
| blink-contrib-2/scriptnonce-allowed.sub.html,PASS |
| |
| # hashes not supported |
| # This test was modified to expect the hash-allowed script to fail, so that |
| # the rest of the behavior tested by this test can still be verified. |
| blink-contrib-2/scriptnonce-and-scripthash.sub.html,PASS |
| |
| blink-contrib-2/scriptnonce-basic-blocked.sub.html,PASS |
| blink-contrib-2/scriptnonce-ignore-unsafeinline.sub.html,PASS |
| blink-contrib-2/scriptnonce-redirect.sub.html,PASS |
| blink-contrib-2/script-src-wildcards-disallowed.html,PASS |
| blink-contrib-2/securitypolicyviolation-block-cross-origin-image-from-script.sub.html,PASS |
| blink-contrib-2/securitypolicyviolation-block-cross-origin-image.sub.html,PASS |
| blink-contrib-2/securitypolicyviolation-block-image-from-script.sub.html,PASS |
| blink-contrib-2/securitypolicyviolation-block-image.sub.html,PASS |
| |
| # hashes not supported |
| blink-contrib-2/stylehash-allowed.sub.html,DISABLE |
| blink-contrib-2/stylehash-basic-blocked.sub.html,DISABLE |
| blink-contrib-2/stylehash-default-src.sub.html,DISABLE |
| |
| blink-contrib-2/stylenonce-allowed.sub.html,PASS |
| blink-contrib-2/stylenonce-blocked.sub.html,PASS |
| |
| # Blob not supported |
| blink-contrib/blob-urls-do-not-match-self.sub.html,DISABLE |
| blink-contrib/blob-urls-match-blob.sub.html,DISABLE |
| |
| blink-contrib/combine-header-and-meta-policies.sub.html,PASS |
| |
| # Beacons and event sources are not supported. |
| blink-contrib/connect-src-beacon-allowed.sub.html,DISABLE |
| blink-contrib/connect-src-beacon-blocked.sub.html,DISABLE |
| blink-contrib/connect-src-beacon-redirect-to-blocked.sub.html,DISABLE |
| blink-contrib/connect-src-eventsource-allowed.sub.html,DISABLE |
| blink-contrib/connect-src-eventsource-blocked.sub.html,DISABLE |
| blink-contrib/connect-src-eventsource-redirect-to-blocked.sub.html,DISABLE |
| |
| # Websockets not supported, but maybe someday. |
| blink-contrib/connect-src-websocket-allowed.sub.html,DISABLE |
| blink-contrib/connect-src-websocket-blocked.sub.html,DISABLE |
| |
| blink-contrib/connect-src-xmlhttprequest-allowed.sub.html,PASS |
| blink-contrib/connect-src-xmlhttprequest-blocked.sub.html,PASS |
| blink-contrib/connect-src-xmlhttprequest-redirect-to-blocked.sub.html,PASS |
| |
| blink-contrib/default-src-inline-allowed.sub.html,PASS |
| blink-contrib/default-src-inline-blocked.sub.html,PASS |
| blink-contrib/duplicate-directive.sub.html,PASS |
| blink-contrib/eval-allowed.sub.html,PASS |
| blink-contrib/eval-blocked-and-sends-report.sub.html,PASS |
| |
| # <iframe> not supported |
| blink-contrib/eval-blocked-in-about-blank-iframe.sub.html,DISABLE |
| |
| blink-contrib/eval-blocked.sub.html,PASS |
| # setTimeout() and setInterval() overloads that take DOMString argument are not |
| # supported |
| blink-contrib/eval-scripts-setInterval-allowed.sub.html,DISABLE |
| blink-contrib/eval-scripts-setInterval-blocked.sub.html,PASS |
| blink-contrib/eval-scripts-setTimeout-allowed.sub.html,DISABLE |
| blink-contrib/eval-scripts-setTimeout-blocked.sub.html,PASS |
| |
| # No filesystem:// support |
| blink-contrib/filesystem-urls-do-not-match-self.sub.html,DISABLE |
| blink-contrib/filesystem-urls-match-filesystem.sub.html,DISABLE |
| |
| # <iframe> not supported |
| blink-contrib/frame-src-about-blank-allowed-by-default.sub.html,DISABLE |
| blink-contrib/frame-src-about-blank-allowed-by-scheme.sub.html,DISABLE |
| blink-contrib/frame-src-allowed.sub.html,DISABLE |
| blink-contrib/frame-src-blocked.sub.html,DISABLE |
| blink-contrib/frame-src-cross-origin-load.sub.html,DISABLE |
| |
| blink-contrib/function-constructor-allowed.sub.html,PASS |
| blink-contrib/function-constructor-blocked.sub.html,PASS |
| |
| # <link rel='icon'> is not supported, and test is missing test harness. |
| blink-contrib/icon-allowed.sub.html,DISABLE |
| blink-contrib/icon-blocked.sub.html,DISABLE |
| |
| # <iframe> not supported |
| blink-contrib/iframe-inside-csp.sub.html,DISABLE |
| |
| blink-contrib/image-allowed.sub.html,PASS |
| blink-contrib/image-blocked.sub.html,PASS |
| blink-contrib/image-full-host-wildcard-allowed.sub.html,PASS |
| |
| blink-contrib/injected-inline-script-allowed.sub.html,PASS |
| blink-contrib/injected-inline-script-blocked.sub.html,PASS |
| blink-contrib/injected-inline-style-allowed.sub.html,PASS |
| blink-contrib/injected-inline-style-blocked.sub.html,PASS |
| |
| blink-contrib/inline-style-allowed.sub.html,PASS |
| blink-contrib/inline-style-allowed-while-cloning-objects.sub.html,PASS |
| blink-contrib/inline-style-attribute-allowed.sub.html,PASS |
| blink-contrib/inline-style-attribute-blocked.sub.html,PASS |
| blink-contrib/inline-style-attribute-on-html.sub.html,PASS |
| blink-contrib/inline-style-blocked.sub.html,PASS |
| |
| # manifest-src not supported in CSP2. |
| blink-contrib/manifest-src-allowed.sub.html,DISABLE |
| blink-contrib/manifest-src-blocked.sub.html,DISABLE |
| |
| # These are broken tests, they refer to nonexistent |
| # media-resources/video-test.js and media-resources/media-file.js and call |
| # an undefined waitForEvent, also using Chrome on upstream at |
| # http://w3c-test.org/. |
| blink-contrib/media-src-allowed.sub.html,DISABLE |
| blink-contrib/media-src-blocked.sub.html,DISABLE |
| |
| # <track> not supported |
| blink-contrib/media-src-track-block.sub.html,DISABLE |
| |
| # <svg> not supported |
| blink-contrib/object-in-svg-foreignobject.sub.html,DISABLE |
| |
| # object-src not supported. |
| blink-contrib/object-src-applet-archive-codebase.sub.html,DISABLE |
| blink-contrib/object-src-applet-archive.sub.html,DISABLE |
| blink-contrib/object-src-applet-code-codebase.sub.html,DISABLE |
| blink-contrib/object-src-applet-code.sub.html,DISABLE |
| blink-contrib/object-src-no-url-allowed.sub.html,DISABLE |
| blink-contrib/object-src-no-url-blocked.sub.html,DISABLE |
| blink-contrib/object-src-url-allowed.sub.html,DISABLE |
| blink-contrib/object-src-url-blocked.sub.html,DISABLE |
| |
| # Child not supported |
| blink-contrib/policy-does-not-affect-child.sub.html,DISABLE |
| |
| blink-contrib/report-blocked-data-uri.sub.html,PASS |
| blink-contrib/report-cross-origin-no-cookies.sub.html,PASS |
| |
| blink-contrib/report-disallowed-from-meta.sub.html,PASS |
| blink-contrib/report-same-origin-with-cookies.sub.html,PASS |
| blink-contrib/report-uri-from-inline-javascript.sub.html,PASS |
| blink-contrib/report-uri-from-javascript.sub.html,PASS |
| |
| # File missing in original test suite |
| blink-contrib/report-uri.sub.html,DISABLE |
| |
| # <iframe> not supported |
| blink-contrib/sandbox-allow-scripts-subframe.sub.html,DISABLE |
| |
| # Sandbox not supported |
| blink-contrib/sandbox-allow-scripts.sub.html,DISABLE |
| blink-contrib/sandbox-empty-subframe.sub.html,DISABLE |
| blink-contrib/sandbox-empty.sub.html,DISABLE |
| |
| blink-contrib/script-src-overrides-default-src.sub.html,PASS |
| |
| # Blob not supported |
| blink-contrib/self-doesnt-match-blob.sub.html,DISABLE |
| |
| # Workers are not supported |
| blink-contrib/shared-worker-connect-src-allowed.sub.html,DISABLE |
| blink-contrib/shared-worker-connect-src-blocked.sub.html,DISABLE |
| |
| blink-contrib/source-list-parsing-paths-03.sub.html,PASS |
| |
| # <iframe> not supported |
| blink-contrib/srcdoc-doesnt-bypass-script-src.sub.html,DISABLE |
| |
| # Blob not supported |
| blink-contrib/star-doesnt-match-blob.sub.html,DISABLE |
| |
| blink-contrib/style-allowed.sub.html,PASS |
| blink-contrib/style-blocked.sub.html,PASS |
| |
| # Workers are not supported |
| blink-contrib/worker-connect-src-allowed.sub.html,DISABLE |
| blink-contrib/worker-connect-src-blocked.sub.html,DISABLE |
| blink-contrib/worker-eval-blocked.sub.html,DISABLE |
| blink-contrib/worker-from-guid.sub.html,DISABLE |
| blink-contrib/worker-function-function-blocked.sub.html,DISABLE |
| blink-contrib/worker-importscripts-blocked.sub.html,DISABLE |
| blink-contrib/worker-script-src.sub.html,DISABLE |
| blink-contrib/worker-set-timeout-blocked.sub.html,DISABLE |
| |
| # <iframe> not supported |
| child-src/child-src-about-blank-allowed-by-default.sub.html,DISABLE |
| child-src/child-src-about-blank-allowed-by-scheme.sub.html,DISABLE |
| child-src/child-src-allowed.sub.html,DISABLE |
| child-src/child-src-blocked.sub.html,DISABLE |
| child-src/child-src-conflicting-frame-src.sub.html,DISABLE |
| child-src/child-src-cross-origin-load.sub.html,DISABLE |
| |
| # Workers are not supported |
| child-src/child-src-worker-allowed.sub.html,DISABLE |
| child-src/child-src-worker-blocked.sub.html,DISABLE |
| |
| # frame-ancestors, Cross-document messaging, <iframe> not supported |
| frame-ancestors/deep-allows-none.sub.html,DISABLE |
| frame-ancestors/intermediate-reporting-frame-allows-self.sub.html,DISABLE |
| frame-ancestors/intermediate-reporting-frame-allows-star.sub.html,DISABLE |
| frame-ancestors/multiple-frames-meta-ignored.sub.html,DISABLE |
| frame-ancestors/multiple-frames-one-blocked.sub.html,DISABLE |
| frame-ancestors/multiple-frames-self-allowed.sub.html,DISABLE |
| frame-ancestors/nested-traversing-allowed.sub.html,DISABLE |
| frame-ancestors/nested-traversing-banned.sub.html,DISABLE |
| frame-ancestors/nested-traversing-banned-top-is-self.sub.html,DISABLE |
| |
| # frame-ancestors, Cross-document messaging not supported |
| frame-ancestors/reporting-frame-allows-none.html,DISABLE |
| frame-ancestors/reporting-frame-allows-none-meta.html,DISABLE |
| frame-ancestors/reporting-frame-allows-self.html,DISABLE |
| frame-ancestors/single-frame-self-allowed.sub.html,DISABLE |
| |
| generic/generic-0_10_1.sub.html,PASS |
| generic/generic-0_10.html,PASS |
| generic/generic-0_1-img-src.html,PASS |
| generic/generic-0_1-script-src.html,PASS |
| generic/generic-0_2_2.sub.html,PASS |
| generic/generic-0_2_3.html,PASS |
| generic/generic-0_2.html,PASS |
| generic/generic-0_8_1.sub.html,PASS |
| generic/generic-0_8.html,PASS |
| |
| generic/generic-0_9.sub.html,PASS |
| img-src/img-src-4_1.html,PASS |
| |
| # Event attribute not supported, <source> is not supported, the used mp4 file is |
| # not compatible. |
| media-src/media-src-7_1_2.html,DISABLE |
| media-src/media-src-7_1.html,DISABLE |
| media-src/media-src-7_2_2.html,DISABLE |
| media-src/media-src-7_2.html,DISABLE |
| media-src/media-src-7_3_2.html,DISABLE |
| media-src/media-src-7_3.html,DISABLE |
| |
| # Custom tests that verifies media-src |
| media-src/media-src-allowed.html,PASS |
| media-src/media-src-disallowed-blob.html,PASS |
| media-src/media-src-disallowed.html,PASS |
| |
| meta/meta-img-src.html,PASS |
| meta/meta-modified.html,PASS |
| |
| # object-src not supported by Cobalt. |
| object-src/object-src-2_1.html,DISABLE |
| object-src/object-src-2_2.html,DISABLE |
| |
| script-src/script-src-1_1.html,PASS |
| |
| # data: as script src |
| script-src/script-src-1_10.html,PASS |
| script-src/script-src-1_10_1.html,PASS |
| script-src/script-src-1_2_1.html,PASS |
| script-src/script-src-1_2.html,PASS |
| script-src/script-src-1_3.html,PASS |
| |
| # setTimeout() and setInterval() should not run without 'unsafe-eval' |
| # script-src directive. |
| # setTimeout() and setInterval() overloads that take DOMString argument are not |
| # supported, as a result the function calls are treated as a syntax error, and |
| # the CSP violation report will not be sent. |
| script-src/script-src-1_4_1.html,DISABLE |
| |
| # Function() called as a constructor |
| script-src/script-src-1_4_2.html,PASS |
| |
| # eval() should not run without 'unsafe-eval' script-src directive |
| script-src/script-src-1_4.html,PASS |
| |
| # svg not supported |
| svg/svg-from-guid.html,DISABLE |
| svg/svg-inline.sub.html,DISABLE |
| svg/svg-policy-resource-doc-includes.html,DISABLE |
| svg/svg-policy-with-resource.html,DISABLE |
| |
| style-src/style-src-3_1.html,PASS |
| style-src/style-src-3_2.html,PASS |
| style-src/style-src-3_3.html,PASS |
| |
| # @import rules are not supported |
| style-src/style-src-3_4.html,DISABLE |