CSP: Add a test for * in pattern's host-part.

mikewest · chromium-wpt-export-bot · commit d0649743f613 · 2024-04-24T01:34:21.000-07:00
This tests the change made in w3c/webappsec-csp#657. Bug: 334278797 Change-Id: I7ecab785ac44456af00d0ec1af3f6d09aac02782 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5471523 Reviewed-by: Antonio Sartori <antoniosartori@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/main@{#1291742}
diff --git a/content-security-policy/generic/wildcard-host-part.sub.window.js b/content-security-policy/generic/wildcard-host-part.sub.window.js
@@ -0,0 +1,27 @@
+setup(_ => {
+  const meta = document.createElement("meta");
+  meta.httpEquiv = "content-security-policy";
+  meta.content = "img-src http://*:{{ports[http][0]}}";
+  document.head.appendChild(meta);
+});
+
+async_test((t) => {
+  const img = document.createElement("img");
+  img.onerror = t.step_func_done();
+  img.onload = t.unreached_func("`data:` image should have been blocked.");
+  img.src = "data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="
+}, "Host wildcard doesn't affect scheme matching.");
+
+async_test((t) => {
+  const img = document.createElement("img");
+  img.onload = t.step_func_done();
+  img.onerror = t.unreached_func("Image from www2 host should have loaded.");
+  img.src = "http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/pass.png";
+}, "Host wildcard allows arbitrary hosts (www1).");
+
+async_test((t) => {
+  const img = document.createElement("img");
+  img.onload = t.step_func_done();
+  img.onerror = t.unreached_func("Image from www2 host should have loaded.");
+  img.src = "http://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/pass.png";
+}, "Host wildcard allows arbitrary hosts (www2).");
