[CSP] Added new policy violation source: wasm-eval

This extends the suite of policy violation sources to include a WebAssembly specific source: wasm-eval. This has also been reflected in the PR (w3c/webappsec-csp#293 (review)) against the CSP spec. Added test for proper security violation event of the right form. Bug: 948834 Change-Id: I0b76fd725136b7ddda92e629f147f5ba77c50ffb
web-platform-tests · Oct 12, 2021 · 727ac19 · 727ac19
1 parent 1cc2d8c
commit 727ac19
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js b/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js
@@ -0,0 +1,21 @@
+// META: global=window,worker
+let code = new Uint8Array([0x53, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0]);
+async_test(t => {
+  self.addEventListener('securitypolicyviolation', e => {
+    t.step(function(){
+      assert_equals(e.violatedDirective, "script-src");
+      assert_equals(e.originalPolicy, "default-src 'self' 'unsafe-inline'")
+      assert_equals(e.blockedURI, "wasm-eval")
+    })
+    t.done();
+  });
+}, "Securitypolicyviolation event looks like it should");
+
+promise_test(t => {
+  return promise_rejects_js(
+      t, WebAssembly.CompileError,
+      WebAssembly.instantiate(code));
+});
+
+
+
diff --git a/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js.headers b/content-security-policy/wasm-unsafe-eval/script-src-spv-asynch.any.js.headers
@@ -0,0 +1 @@
+Content-Security-Policy: default-src 'self' 'unsafe-inline'