[CSP] Added new policy violation source: wasm-eval

This extends the suite of policy violation sources to include a WebAssembly specific source: wasm-eval. This has also been reflected in the PR (w3c/webappsec-csp#293 (review)) against the CSP spec. Added test for proper security violation event of the right form. Bug: 948834 Change-Id: I0b76fd725136b7ddda92e629f147f5ba77c50ffb Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3197842 Commit-Queue: Francis McCabe <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Reviewed-by: Mike West <[email protected]> Reviewed-by: Antonio Sartori <[email protected]> Reviewed-by: Andrey Kosyakov <[email protected]> Reviewed-by: David Tseng <[email protected]> Cr-Commit-Position: refs/heads/main@{#931206}
web-platform-tests · Oct 13, 2021 · 6ccfe6f · 6ccfe6f
1 parent 2d8f176
commit 6ccfe6f
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js b/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js
@@ -0,0 +1,18 @@
+// META: global=window,worker
+let code = new Uint8Array([0x53, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0]);
+async_test(t => {
+  self.addEventListener('securitypolicyviolation', t.step_func_done(e => {
+    assert_equals(e.violatedDirective, "script-src");
+    assert_equals(e.originalPolicy, "default-src 'self' 'unsafe-inline'")
+    assert_equals(e.blockedURI, "wasm-eval")
+  }));
+}, "Securitypolicyviolation event looks like it should");
+
+promise_test(t => {
+  return promise_rejects_js(
+      t, WebAssembly.CompileError,
+      WebAssembly.instantiate(code));
+});
+
+
+
diff --git a/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js.headers b/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js.headers
@@ -0,0 +1 @@
+Content-Security-Policy: default-src 'self' 'unsafe-inline'