Bug 1491127 [wpt PR 12995] - Implemented the correct 'self' matching logic according to the spec, a=testonly

Automatic update from web-platform-testsImplemented the correct 'self' matching logic according to the spec Spec: https://w3c.github.io/webappsec-csp/#match-url-to-source-expression The 'self' matching logic is similar to the host/scheme-source expression but different enough where it's causing issues because we're just reusing the csp_source Matches logic. This is incorrect as causes issues such as the related bug. This CL covers: * Added a new MatchesAsSelf function that is used for 'self' expression matching * Added unit tests for this function * Added new test covering the scenario in the bug (wss scheme that matches scheme) * Drive-by fixes to some connect-src tests There is similar work that needs to be done in the content/ CSP but since I don't want to duplicate any feedback, I will wait until this patch looks finalized. Bug: 815142 Change-Id: Ie1d6579e29b9d320e56fcdb556893c7675bd11b8 Reviewed-on: https://chromium-review.googlesource.com/1225570 Commit-Queue: Andy Paicu <andypaicu@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#591710} -- wpt-commits: aaa732df618787dbcbc6f7ce96a3bf95bd6b03b4 wpt-pr: 12995
2018-09-19 12:52:27 +00:00 · 2018-09-19 12:52:27 +00:00 · 84b9f2db40
--- a/testing/web-platform/meta/MANIFEST.json
+++ b/testing/web-platform/meta/MANIFEST.json
@ -328823,6 +328823,12 @@
     {}
    ]
   ],
+   "content-security-policy/connect-src/connect-src-websocket-self.sub.html": [
+    [
+     "/content-security-policy/connect-src/connect-src-websocket-self.sub.html",
+     {}
+    ]
+   ],
   "content-security-policy/connect-src/connect-src-xmlhttprequest-allowed.sub.html": [
    [
     "/content-security-policy/connect-src/connect-src-xmlhttprequest-allowed.sub.html",
@ -461003,11 +461009,11 @@
   "testharness"
  ],
  "content-security-policy/connect-src/connect-src-eventsource-allowed.sub.html": [
-   "3025e8a571a5dbcc016d831e590e5df45b20416e",
+   "8922d99e0392fa6a4ecd30663981208d88e33d1f",
   "testharness"
  ],
  "content-security-policy/connect-src/connect-src-eventsource-blocked.sub.html": [
-   "9b08365cec961473754beb5592ab7573376b6a0d",
+   "df8a9a1e3db136aaa43c62e8629ff46b1c230dfa",
   "testharness"
  ],
  "content-security-policy/connect-src/connect-src-eventsource-redirect-to-blocked.sub.html": [
@ -461015,11 +461021,15 @@
   "testharness"
  ],
  "content-security-policy/connect-src/connect-src-websocket-allowed.sub.html": [
-   "6216444e08ec3555089e5536fc58eff913bec548",
+   "4263d97fe2dfbb9e2a0f0851c07798d40a5671a9",
   "testharness"
  ],
  "content-security-policy/connect-src/connect-src-websocket-blocked.sub.html": [
-   "249c7a346a4e2bddab6d97f546ec6eeafab7623d",
+   "02c52837bb8bd5cbc26f54f899fe25b5d68bd561",
+   "testharness"
+  ],
+  "content-security-policy/connect-src/connect-src-websocket-self.sub.html": [
+   "6db324ea0e70350b1781b036afc14cc37f588dfc",
   "testharness"
  ],
  "content-security-policy/connect-src/connect-src-xmlhttprequest-allowed.sub.html": [
--- a/testing/web-platform/tests/content-security-policy/connect-src/connect-src-eventsource-allowed.sub.html
+++ b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-eventsource-allowed.sub.html
@ -7,23 +7,31 @@
    <title>connect-src-eventsource-allowed</title>
    <script src="/resources/testharness.js"></script>
    <script src="/resources/testharnessreport.js"></script>
-    <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+    <script src='../support/logTest.sub.js?logs=["allowed"]'></script>
    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
 </head>

 <body>
    <script>
        window.addEventListener('securitypolicyviolation', function(e) {
-            log("FAIL");
+            log("allowed");
        });

        try {
-            var es = new EventSource("http://{{host}}:{{ports[http][0]}}/content-security-policy/connect-src/resources/simple-event-stream");
-            log("Pass");
-        } catch (e) {
-            log("Fail");
+            var es = new EventSource("http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/connect-src/resources/simple-event-stream");
+            // Firefox and Chrome don't throw an exception and takes some time to close async
+            if (es.readyState == EventSource.CONNECTING) {
+                setTimeout( function() {
+                    es.readyState != EventSource.CLOSED ? log("allowed") : log("blocked");
+                }, 1000);
+            } else if (es.readyState == EventSource.CLOSED) {
+                log("blocked");
+            } else {
+                log("allowed");
+            }
+        } catch (e) {
+            log("blocked");
        }
-
    </script>
    <div id="log"></div>
 </body>
--- a/testing/web-platform/tests/content-security-policy/connect-src/connect-src-eventsource-blocked.sub.html
+++ b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-eventsource-blocked.sub.html
@ -7,7 +7,7 @@
    <title>connect-src-eventsource-blocked</title>
    <script src="/resources/testharness.js"></script>
    <script src="/resources/testharnessreport.js"></script>
-    <script src='../support/logTest.sub.js?logs=["Pass","violated-directive=connect-src"]'></script>
+    <script src='../support/logTest.sub.js?logs=["blocked","violated-directive=connect-src"]'></script>
    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
 </head>

@ -18,19 +18,19 @@
        });

        try {
-            var es = new EventSource("http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/connect-src/resources/simple-event-stream");
-            // Firefox doesn't throw an exception and takes some time to close async
+            var es = new EventSource("http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/connect-src/resources/simple-event-stream");
+            // Firefox and Chrome don't throw an exception and takes some time to close async
            if (es.readyState == EventSource.CONNECTING) {
                setTimeout( function() {
-                    es.readyState != EventSource.CLOSED ? log("Fail") : log("Pass");
-                }, 2);
+                    es.readyState != EventSource.CLOSED ? log("allowed") : log("blocked");
+                }, 1000);
            } else if (es.readyState == EventSource.CLOSED) {
-                log("Pass");
+                log("blocked");
            } else {
-                log("Fail");
+                log("allowed");
            }
        } catch (e) {
-            log("Pass");
+            log("blocked");
        }
    </script>
    <div id="log"></div>
--- a/testing/web-platform/tests/content-security-policy/connect-src/connect-src-websocket-allowed.sub.html
+++ b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-websocket-allowed.sub.html
@ -2,26 +2,31 @@
 <html>

 <head>
-    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
-    <meta http-equiv="Content-Security-Policy" content="connect-src 'self' ws://127.0.0.1:8880; script-src 'self' 'unsafe-inline';">
-    <title>connect-src-websocket-allowed</title>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncraciws.-->
+    <meta http-equiv="Content-Security-Policy" content="connect-src 'self' ws://{{domains[www1]}}:{{ports[http][0]}}/echo; script-src 'self' 'unsafe-inline';">
+    <title>connect-src-websocket-blocked</title>
    <script src="/resources/testharness.js"></script>
    <script src="/resources/testharnessreport.js"></script>
-    <script src='../support/logTest.sub.js?logs=["Pass"]'></script>
+    <script src='../support/logTest.sub.js?logs=["allowed"]'></script>
    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
 </head>

 <body>
    <script>
        window.addEventListener('securitypolicyviolation', function(e) {
-            log("Fail");
+            log("violated-directive=" + e.violatedDirective);
        });

        try {
-            var ws = new WebSocket("ws://127.0.0.1:8880/echo");
-            log("Pass");
+            var ws = new WebSocket("ws://{{domains[www1]}}:{{ports[http][0]}}/echo");
+
+            if (ws.readyState == WebSocket.CLOSING || ws.readyState == WebSocket.CLOSED) {
+                log("blocked");
+            } else {
+                log("allowed");
+            }
        } catch (e) {
-            log("Fail");
+            log("blocked");
        }

    </script>
--- a/testing/web-platform/tests/content-security-policy/connect-src/connect-src-websocket-blocked.sub.html
+++ b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-websocket-blocked.sub.html
@ -2,12 +2,12 @@
 <html>

 <head>
-    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
-    <meta http-equiv="Content-Security-Policy" content="connect-src 'self' ws://127.0.0.1:8880; script-src 'self' 'unsafe-inline';">
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncraciws.-->
+    <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline';">
    <title>connect-src-websocket-blocked</title>
    <script src="/resources/testharness.js"></script>
    <script src="/resources/testharnessreport.js"></script>
-    <script src='../support/logTest.sub.js?logs=["Pass","violated-directive=connect-src"]'></script>
+    <script src='../support/logTest.sub.js?logs=["blocked","violated-directive=connect-src"]'></script>
    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
 </head>

@ -18,10 +18,15 @@
        });

        try {
-            var ws = new WebSocket("ws://localhost:8880/echo");
-            log("Fail");
+            var ws = new WebSocket("ws://{{domains[www1]}}:{{ports[http][0]}}/echo");
+
+            if (ws.readyState == WebSocket.CLOSING || ws.readyState == WebSocket.CLOSED) {
+                log("blocked");
+            } else {
+                log("allowed");
+            }
        } catch (e) {
-            log("Pass");
+            log("blocked");
        }

    </script>
--- a/testing/web-platform/tests/content-security-policy/connect-src/connect-src-websocket-self.sub.html
+++ b/testing/web-platform/tests/content-security-policy/connect-src/connect-src-websocket-self.sub.html
@ -0,0 +1,47 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self' 'unsafe-inline';">
+    <title>connect-src-websocket-blocked</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["allowed", "allowed"]'></script>
+    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        try {
+            var ws = new WebSocket("ws://{{host}}:{{location[port]}}/echo");
+
+            if (ws.readyState == WebSocket.CLOSING || ws.readyState == WebSocket.CLOSED) {
+                log("blocked");
+            } else {
+                log("allowed");
+            }
+        } catch (e) {
+            log("blocked");
+        }
+
+        try {
+            var wss = new WebSocket("wss://{{host}}:{{location[port]}}/echo");
+
+            if (wss.readyState == WebSocket.CLOSING || wss.readyState == WebSocket.CLOSED) {
+                log("blocked");
+            } else {
+                log("allowed");
+            }
+        } catch (e) {
+            log("blocked");
+        }
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>