[CSP] Added new policy violation source: wasm-eval

This extends the suite of policy violation sources to include a WebAssembly specific source: wasm-eval. This has also been reflected in the PR (w3c/webappsec-csp#293 (review)) against the CSP spec. Added test for proper security violation event of the right form. Bug: 948834 Change-Id: I0b76fd725136b7ddda92e629f147f5ba77c50ffb
web-platform-tests · Oct 13, 2021 · d92bb61 · d92bb61
1 parent bfeb1dd
commit d92bb61
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js b/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js
@@ -0,0 +1,18 @@
+// META: global=window,worker
+let code = new Uint8Array([0x53, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0]);
+async_test(t => {
+ self.addEventListener('securitypolicyviolation', t.step_func_done(e => {
+ assert_equals(e.violatedDirective, "script-src");
+ assert_equals(e.originalPolicy, "default-src 'self' 'unsafe-inline'")
+ assert_equals(e.blockedURI, "wasm-eval")
+ }));
+}, "Securitypolicyviolation event looks like it should");
+
+promise_test(t => {
+ return promise_rejects_js(
+ t, WebAssembly.CompileError,
+ WebAssembly.instantiate(code));
+});
+
+
+
diff --git a/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js.headers b/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js.headers
@@ -0,0 +1 @@
+Content-Security-Policy: default-src 'self' 'unsafe-inline'