Open daniel-beck opened 1 year ago
@daniel-beck It will be great and a real help if you can provide a PR with test cases similar to the ones in the mentioned commit. Is this an option for you?
@rbri I'll take a look when I can find some time. What I currently have depends heavily on Jenkins and combines a bunch of rules into one test, which doesn't make for a reasonable minimal test case.
HTMLUnit does not appear to support most of Content-Security-Policy.
Previously requested in https://sourceforge.net/p/htmlunit/feature-requests/259/ which was closed as resolved, but it seems most of Content-Security-Policy remains unimplemented. In some local testing using HTMLUnit through jenkins-test-harness, tests asserting CSP violations are not reported pass with only HTMLUnit navigating to affected pages, but fail when I set a breakpoint and navigate to the same URL in Firefox. Looking through reasons for the linked issue to be closed, it seems https://github.com/HtmlUnit/htmlunit/commit/56bd6c3a151896d3a84c5c02870dd4fe286d2b71 implements a small subset of Content-Security-Policy, but nothing related to the various `*-src` directives, or `report-uri`.

Use case: I want tests to fail if Content-Security-Policy violations (e.g., `unsafe-inline` scripts) are encountered.