diff --git a/system-tests/__snapshots__/experimental_csp_allow_list_spec.ts.js b/system-tests/__snapshots__/experimental_csp_allow_list_spec.ts.js index 1ac1219e54c7..4e3a9106b6be 100644 --- a/system-tests/__snapshots__/experimental_csp_allow_list_spec.ts.js +++ b/system-tests/__snapshots__/experimental_csp_allow_list_spec.ts.js @@ -1,4 +1,4 @@ -exports['e2e experimentalCspAllowList=true / experimentalCspAllowList=true / strips out [\'script-src-elem\', \'script-src\', \'default-src\'] directives'] = ` +exports['e2e experimentalCspAllowList=true / experimentalCspAllowList=true / always strips known problematic directives and is passive with known working directives'] = ` ==================================================================================================== 
@@ -7,24 +7,23 @@ exports['e2e experimentalCspAllowList=true / experimentalCspAllowList=true / str ┌────────────────────────────────────────────────────────────────────────────────────────────────┐ │ Cypress: 1.2.3 │ │ Browser: FooBrowser 88 │ - │ Specs: 1 found (with_allow_list_true.cy.ts) │ - │ Searched: cypress/e2e/experimental_csp_allow_list_spec/with_allow_list_true.cy.ts │ + │ Specs: 1 found (with_allow_list_custom_or_true.cy.ts) │ + │ Searched: cypress/e2e/experimental_csp_allow_list_spec/with_allow_list_custom_or_true.cy.ts │ └────────────────────────────────────────────────────────────────────────────────────────────────┘ ──────────────────────────────────────────────────────────────────────────────────────────────────── - Running: with_allow_list_true.cy.ts (1 of 1) + Running: with_allow_list_custom_or_true.cy.ts (1 of 1) - experimentalCspAllowList=true - ✓ passes on inline form action - content-security-policy directive script-src-elem should be stripped and - ✓ regardless of nonces/hashes - content-security-policy directive script-src should be stripped and - ✓ regardless of nonces/hashes - content-security-policy directive default-src should be stripped and - ✓ regardless of nonces/hashes + experimentalCspAllowList is custom or true + disallowed + ✓ frame-ancestors are always stripped + ✓ trusted-types & require-trusted-types-for are always stripped + allowed + ✓ sample: style-src is not stripped + ✓ sample: upgrade-insecure-requests is not stripped 4 passing @@ -41,7 +40,7 @@ exports['e2e experimentalCspAllowList=true / experimentalCspAllowList=true / str │ Screenshots: 0 │ │ Video: true │ │ Duration: X seconds │ - │ Spec Ran: with_allow_list_true.cy.ts │ + │ Spec Ran: with_allow_list_custom_or_true.cy.ts │ └────────────────────────────────────────────────────────────────────────────────────────────────┘ 
@@ -52,14 +51,15 @@ exports['e2e experimentalCspAllowList=true / experimentalCspAllowList=true / str Spec Tests Passing Failing Pending Skipped ┌────────────────────────────────────────────────────────────────────────────────────────────────┐ - │ ✔ with_allow_list_true.cy.ts XX:XX 4 4 - - - │ + │ ✔ with_allow_list_custom_or_true.cy.t XX:XX 4 4 - - - │ + │ s │ └────────────────────────────────────────────────────────────────────────────────────────────────┘ ✔ All specs passed! XX:XX 4 4 - - - ` -exports['e2e experimentalCspAllowList=true / experimentalCspAllowList=true / always strips known problematic directives and is passive with known working directives'] = ` +exports['e2e experimentalCspAllowList=true / experimentalCspAllowList=[\'script-src-elem\', \'script-src\', \'default-src\', \'form-action\'] / always strips known problematic directives and is passive with known working directives'] = ` ==================================================================================================== @@ -120,7 +120,7 @@ exports['e2e experimentalCspAllowList=true / experimentalCspAllowList=true / alw ` -exports['e2e experimentalCspAllowList=true / experimentalCspAllowList=[\'script-src-elem\', \'script-src\', \'default-src\', \'form-action\'] / works with [\'script-src-elem\', \'script-src\', \'default-src\', \'form-action\'] directives'] = ` +exports['e2e experimentalCspAllowList=true / experimentalCspAllowList=true / strips out [\'script-src-elem\', \'script-src\', \'default-src\', \'form-action\'] directives'] = ` ==================================================================================================== 
@@ -129,44 +129,41 @@ exports['e2e experimentalCspAllowList=true / experimentalCspAllowList=[\'script- ┌────────────────────────────────────────────────────────────────────────────────────────────────┐ │ Cypress: 1.2.3 │ │ Browser: FooBrowser 88 │ - │ Specs: 1 found (with_allow_list_custom.cy.ts) │ - │ Searched: cypress/e2e/experimental_csp_allow_list_spec/with_allow_list_custom.cy.ts │ + │ Specs: 1 found (with_allow_list_true.cy.ts) │ + │ Searched: cypress/e2e/experimental_csp_allow_list_spec/with_allow_list_true.cy.ts │ └────────────────────────────────────────────────────────────────────────────────────────────────┘ ──────────────────────────────────────────────────────────────────────────────────────────────────── - Running: with_allow_list_custom.cy.ts (1 of 1) + Running: with_allow_list_true.cy.ts (1 of 1) - experimentalCspAllowList=['script-src-elem', 'script-src', 'default-src'] - ✓ fails on inline form action - content-security-policy directive script-src-elem should not be stripped and - ✓ allows Cypress to run, including configured inline nonces/hashes - ✓ allows Cypress to run, but doesn't allow none configured inline scripts - content-security-policy directive script-src should not be stripped and - ✓ allows Cypress to run, including configured inline nonces/hashes - ✓ allows Cypress to run, but doesn't allow none configured inline scripts - content-security-policy directive default-src should not be stripped and - ✓ allows Cypress to run, including configured inline nonces/hashes - ✓ allows Cypress to run, but doesn't allow none configured inline scripts + experimentalCspAllowList=true + ✓ passes on inline form action + content-security-policy directive script-src-elem should be stripped and + ✓ regardless of nonces/hashes + content-security-policy directive script-src should be stripped and + ✓ regardless of nonces/hashes + content-security-policy directive default-src should be stripped and + ✓ regardless of nonces/hashes - 7 passing + 4 passing 
(Results) ┌────────────────────────────────────────────────────────────────────────────────────────────────┐ - │ Tests: 7 │ - │ Passing: 7 │ + │ Tests: 4 │ + │ Passing: 4 │ │ Failing: 0 │ │ Pending: 0 │ │ Skipped: 0 │ │ Screenshots: 0 │ │ Video: true │ │ Duration: X seconds │ - │ Spec Ran: with_allow_list_custom.cy.ts │ + │ Spec Ran: with_allow_list_true.cy.ts │ └────────────────────────────────────────────────────────────────────────────────────────────────┘ @@ -177,14 +174,14 @@ exports['e2e experimentalCspAllowList=true / experimentalCspAllowList=[\'script- Spec Tests Passing Failing Pending Skipped ┌────────────────────────────────────────────────────────────────────────────────────────────────┐ - │ ✔ with_allow_list_custom.cy.ts XX:XX 7 7 - - - │ + │ ✔ with_allow_list_true.cy.ts XX:XX 4 4 - - - │ └────────────────────────────────────────────────────────────────────────────────────────────────┘ - ✔ All specs passed! XX:XX 7 7 - - - + ✔ All specs passed! XX:XX 4 4 - - - ` -exports['e2e experimentalCspAllowList=true / experimentalCspAllowList=[\'script-src-elem\', \'script-src\', \'default-src\', \'form-action\'] / always strips known problematic directives and is passive with known working directives'] = ` +exports['e2e experimentalCspAllowList=true / experimentalCspAllowList=[\'script-src-elem\', \'script-src\', \'default-src\', \'form-action\'] / works with [\'script-src-elem\', \'script-src\', \'default-src\', \'form-action\'] directives'] = ` ==================================================================================================== 
@@ -193,40 +190,44 @@ exports['e2e experimentalCspAllowList=true / experimentalCspAllowList=[\'script- ┌────────────────────────────────────────────────────────────────────────────────────────────────┐ │ Cypress: 1.2.3 │ │ Browser: FooBrowser 88 │ - │ Specs: 1 found (with_allow_list_custom_or_true.cy.ts) │ - │ Searched: cypress/e2e/experimental_csp_allow_list_spec/with_allow_list_custom_or_true.cy.ts │ + │ Specs: 1 found (with_allow_list_custom.cy.ts) │ + │ Searched: cypress/e2e/experimental_csp_allow_list_spec/with_allow_list_custom.cy.ts │ └────────────────────────────────────────────────────────────────────────────────────────────────┘ ──────────────────────────────────────────────────────────────────────────────────────────────────── - Running: with_allow_list_custom_or_true.cy.ts (1 of 1) + Running: with_allow_list_custom.cy.ts (1 of 1) - experimentalCspAllowList is custom or true - disallowed - ✓ frame-ancestors are always stripped - ✓ trusted-types & require-trusted-types-for are always stripped - allowed - ✓ sample: style-src is not stripped - ✓ sample: upgrade-insecure-requests is not stripped + experimentalCspAllowList=['script-src-elem', 'script-src', 'default-src'] + ✓ fails on inline form action + content-security-policy directive script-src-elem should not be stripped and + ✓ allows Cypress to run, including configured inline nonces/hashes + ✓ allows Cypress to run, but doesn't allow none configured inline scripts + content-security-policy directive script-src should not be stripped and + ✓ allows Cypress to run, including configured inline nonces/hashes + ✓ allows Cypress to run, but doesn't allow none configured inline scripts + content-security-policy directive default-src should not be stripped and + ✓ allows Cypress to run, including configured inline nonces/hashes + ✓ allows Cypress to run, but doesn't allow none configured inline scripts - 4 passing + 7 passing (Results) 
┌────────────────────────────────────────────────────────────────────────────────────────────────┐ - │ Tests: 4 │ - │ Passing: 4 │ + │ Tests: 7 │ + │ Passing: 7 │ │ Failing: 0 │ │ Pending: 0 │ │ Skipped: 0 │ │ Screenshots: 0 │ │ Video: true │ │ Duration: X seconds │ - │ Spec Ran: with_allow_list_custom_or_true.cy.ts │ + │ Spec Ran: with_allow_list_custom.cy.ts │ └────────────────────────────────────────────────────────────────────────────────────────────────┘ @@ -237,10 +238,9 @@ exports['e2e experimentalCspAllowList=true / experimentalCspAllowList=[\'script- Spec Tests Passing Failing Pending Skipped ┌────────────────────────────────────────────────────────────────────────────────────────────────┐ - │ ✔ with_allow_list_custom_or_true.cy.t XX:XX 4 4 - - - │ - │ s │ + │ ✔ with_allow_list_custom.cy.ts XX:XX 7 7 - - - │ └────────────────────────────────────────────────────────────────────────────────────────────────┘ - ✔ All specs passed! XX:XX 4 4 - - - + ✔ All specs passed! XX:XX 7 7 - - - ` diff --git a/system-tests/test/experimental_csp_allow_list_spec.ts b/system-tests/test/experimental_csp_allow_list_spec.ts index eb5f55fa7bec..042f76fbb835 100644 --- a/system-tests/test/experimental_csp_allow_list_spec.ts +++ b/system-tests/test/experimental_csp_allow_list_spec.ts @@ -42,7 +42,8 @@ describe('e2e experimentalCspAllowList=true', () => { }) describe('experimentalCspAllowList=true', () => { - systemTests.it('strips out [\'script-src-elem\', \'script-src\', \'default-src\'] directives', { + systemTests.it('strips out [\'script-src-elem\', \'script-src\', \'default-src\', \'form-action\'] directives', { + browser: '!webkit', // TODO(webkit): fix+unskip port: PORT, spec: 'experimental_csp_allow_list_spec/with_allow_list_true.cy.ts', snapshot: true, 
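Review bot: The `browser: '!webkit'` option added to the 'strips out …' test in this hunk, and repeated in the hunks at -55,6, -69,6 and -81,6, removes all four experimentalCspAllowList system tests from the WebKit run, so nothing in this file still checks on that engine which Content-Security-Policy directives are stripped and which are left in force. These tests are what show whether a page's own `script-src`, `default-src` and `form-action` policy is actually enforced during a run, so the skip should be traceable rather than a bare TODO: `browser: '!webkit', // TODO(webkit): fix+unskip, see <tracking-issue-url>`, plus a few words on what fails in WebKit. The enclosing `describe` blocks start and end outside these hunks, so whether another WebKit job covers the same behaviour cannot be seen from here.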
@@ -55,6 +56,7 @@ describe('e2e experimentalCspAllowList=true', () => {
 })
 systemTests.it('always strips known problematic directives and is passive with known working directives', {
+ browser: '!webkit', // TODO(webkit): fix+unskip
 port: PORT,
 spec: 'experimental_csp_allow_list_spec/with_allow_list_custom_or_true.cy.ts',
 snapshot: true,
@@ -69,6 +71,7 @@ describe('e2e experimentalCspAllowList=true', () => {
 describe('experimentalCspAllowList=[\'script-src-elem\', \'script-src\', \'default-src\', \'form-action\']', () => {
 systemTests.it('works with [\'script-src-elem\', \'script-src\', \'default-src\', \'form-action\'] directives', {
+ browser: '!webkit', // TODO(webkit): fix+unskip
 port: PORT,
 spec: 'experimental_csp_allow_list_spec/with_allow_list_custom.cy.ts',
 snapshot: true,
@@ -81,6 +84,7 @@ describe('e2e experimentalCspAllowList=true', () => {
 })
 systemTests.it('always strips known problematic directives and is passive with known working directives', {
+ browser: '!webkit', // TODO(webkit): fix+unskip
 port: PORT,
 spec: 'experimental_csp_allow_list_spec/with_allow_list_custom_or_true.cy.ts',
 snapshot: true,