LayoutTests/http/tests/security/isolatedWorld/resources/bypass-main-world-csp-for-inline-script.js - Issue 1318153009: CSP: Loosen restrictions on inline style and event attributes. - Code Review

Chromium Code Reviews

chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out

(401)

My Issues | Starred Open | Closed | All

Side by Side Diff: LayoutTests/http/tests/security/isolatedWorld/resources/bypass-main-world-csp-for-inline-script.js

Issue 1318153009: CSP: Loosen restrictions on inline style and event attributes. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master

Patch Set: Created 5 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« no previous file with comments | « LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-inline-style-expected.txt ('k') | LayoutTests/http/tests/security/isolatedWorld/resources/bypass-main-world-csp-for-inline-style.js » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 if (window.testRunner) {	1 if (window.testRunner) {

2 testRunner.dumpAsText();	2 testRunner.dumpAsText();

3 testRunner.waitUntilDone();	3 testRunner.waitUntilDone();

4 }	4 }

5	5

6 tests = 4;	6 tests = 4;

7 window.addEventListener("message", function(message) {	7 window.addEventListener("message", function(message) {

8 tests -= 1;	8 tests -= 1;

9 test();	9 test();

10 }, false);	10 }, false);

11	11

12 // This is needed because isolated worlds are not reset between test runs and a	12 // This is needed because isolated worlds are not reset between test runs and a

13 // previous test's CSP may interfere with this test. See	13 // previous test's CSP may interfere with this test. See

14 // https://crbug.com/415845.	14 // https://crbug.com/415845.

15 testRunner.setIsolatedWorldContentSecurityPolicy(1, '');	15 testRunner.setIsolatedWorldContentSecurityPolicy(1, '');

16	16

17 function test() {	17 function test() {

18 function injectInlineScript(isolated) {	18 function injectInlineScript(isolated) {

19 var script = document.createElement('script');	19 var script = document.createElement('script');

20 script.innerText = "console.log('EXECUTED in " + (isolated ? "isolated w orld" : "main world") + ".');";	20 script.innerText = "console.log('EXECUTED in " + (isolated ? "isolated w orld" : "main world") + ".');";

21 document.body.appendChild(script);	21 document.body.appendChild(script);

22 window.postMessage("next", "*");	22 window.postMessage("next", "*");

23 }	23 }

	24 function injectInlineEventHandler(isolated) {

	25 var div = document.createElement('div');

	26 div.innerHTML = "<div onclick='function () {}'></div>";

	27 document.body.appendChild(div);

	28 window.postMessage("next", "*");

	29 }

24	30

25 switch (tests) {	31 switch (tests) {

26 case 4:	32 case 4:

27 console.log("Injecting in main world: this should fail.");	33 console.log("Injecting in main world: this should fail.");

28 injectInlineScript(false);	34 injectInlineScript(false);

	35 injectInlineEventHandler(false);

29 break;	36 break;

30 case 3:	37 case 3:

31 console.log("Injecting into isolated world without bypass: this shou ld fail.");	38 console.log("Injecting into isolated world without bypass: this shou ld fail.");

32 testRunner.evaluateScriptInIsolatedWorld(1, String(eval("injectInlin eScript")) + "\ninjectInlineScript(true);");	39 testRunner.evaluateScriptInIsolatedWorld(1, String(eval("injectInlin eScript")) + "\ninjectInlineScript(true);");

	40 testRunner.evaluateScriptInIsolatedWorld(1, String(eval("injectInlin eEventHandler")) + "\injectInlineEventHandler(true);");

33 break;	41 break;

34 case 2:	42 case 2:

35 console.log("Starting to bypass main world's CSP: this should pass!" );	43 console.log("Starting to bypass main world's CSP: this should pass!" );

36 testRunner.setIsolatedWorldContentSecurityPolicy(1, 'script-src \'un safe-inline\' *');	44 testRunner.setIsolatedWorldContentSecurityPolicy(1, 'script-src \'un safe-inline\' *');

37 testRunner.evaluateScriptInIsolatedWorld(1, String(eval("injectInlin eScript")) + "\ninjectInlineScript(true);");	45 testRunner.evaluateScriptInIsolatedWorld(1, String(eval("injectInlin eScript")) + "\ninjectInlineScript(true);");

	46 testRunner.evaluateScriptInIsolatedWorld(1, String(eval("injectInlin eEventHandler")) + "\injectInlineEventHandler(true);");

38 break;	47 break;

39 case 1:	48 case 1:

40 console.log("Injecting into main world again: this should fail.");	49 console.log("Injecting into main world again: this should fail.");

41 injectInlineScript(false);	50 injectInlineScript(false);

	51 injectInlineEventHandler(false);

42 break;	52 break;

43 case 0:	53 case 0:

44 testRunner.setIsolatedWorldContentSecurityPolicy(1, '');	54 testRunner.setIsolatedWorldContentSecurityPolicy(1, '');

45 testRunner.notifyDone();	55 testRunner.notifyDone();

46 break;	56 break;

47 }	57 }

48 }	58 }

49	59

50 document.addEventListener('DOMContentLoaded', test);	60 document.addEventListener('DOMContentLoaded', test);

OLD	NEW

« no previous file with comments | « LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-inline-style-expected.txt ('k') | LayoutTests/http/tests/security/isolatedWorld/resources/bypass-main-world-csp-for-inline-style.js » ('j') | no next file with comments »

Powered by Google App Engine

This is Rietveld 408576698