LayoutTests/http/tests/security/isolatedWorld/resources/bypass-main-world-csp-for-inline-style.js - Issue 1318153009: CSP: Loosen restrictions on inline style and event attributes. - Code Review

Chromium Code Reviews

chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out

(106)

My Issues | Starred Open | Closed | All

Side by Side Diff: LayoutTests/http/tests/security/isolatedWorld/resources/bypass-main-world-csp-for-inline-style.js

Issue 1318153009: CSP: Loosen restrictions on inline style and event attributes. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master

Patch Set: Created 5 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« no previous file with comments | « LayoutTests/http/tests/security/isolatedWorld/resources/bypass-main-world-csp-for-inline-script.js ('k') | Source/core/dom/Document.cpp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 if (window.testRunner) {	1 if (window.testRunner) {

2 testRunner.dumpAsText();	2 testRunner.dumpAsText();

3 testRunner.waitUntilDone();	3 testRunner.waitUntilDone();

4 }	4 }

5	5

6 tests = 4;	6 tests = 4;

7 window.addEventListener("message", function(message) {	7 window.addEventListener("message", function(message) {

8 tests -= 1;	8 tests -= 1;

9 test();	9 test();

10 }, false);	10 }, false);

11	11

12 function test() {	12 function test() {

13 function injectInlineStyle(shouldSucceed, tests) {	13 function injectInlineStyle(shouldSucceed, tests) {

14 var id = 'div' + tests;	14 var id = 'inline' + tests;

15 var div = document.createElement('div');	15 var div = document.createElement('div');

16 div.id = id;	16 div.id = id;

17 document.body.appendChild(div);	17 document.body.appendChild(div);

18 var style = document.createElement('style');	18 var style = document.createElement('style');

19 style.innerText = '#' + id + ' { color: red; }';	19 style.innerText = '#' + id + ' { color: red; }';

20 document.body.appendChild(style);	20 document.body.appendChild(style);

21 var success = window.getComputedStyle(document.getElementById(id)).color === "rgb(255, 0, 0)";	21 var success = window.getComputedStyle(document.getElementById(id)).color === "rgb(255, 0, 0)";

22 if (shouldSucceed) {	22 if (shouldSucceed) {

23 if (success)	23 if (success)

24 console.log("PASS: Style assignment in test " + tests + " was bl ocked by CSP.");	24 console.log("PASS: Style assignment in test " + tests + " was bl ocked by CSP.");

25 else	25 else

26 console.log("FAIL: Style assignment in test " + tests + " was no t blocked by CSP.");	26 console.log("FAIL: Style assignment in test " + tests + " was no t blocked by CSP.");

27 } else {	27 } else {

28 if (success)	28 if (success)

29 console.log("FAIL: Style assignment in test " + tests + " was bl ocked by CSP.");	29 console.log("FAIL: Style assignment in test " + tests + " was bl ocked by CSP.");

30 else	30 else

31 console.log("PASS: Style assignment in test " + tests + " was no t blocked by CSP.");	31 console.log("PASS: Style assignment in test " + tests + " was no t blocked by CSP.");

32 }	32 }

33 window.postMessage("next", "*");	33 window.postMessage("next", "*");

34 }	34 }

	35 function injectInlineStyleAttribute(shouldSucceed, tests) {

	36 var id = 'attribute' + tests;

	37 var div = document.createElement('div');

	38 div.id = id;

	39 document.body.appendChild(div);

	40 div.setAttribute('style', 'color: red;');

	41 var success = window.getComputedStyle(document.getElementById(id)).color === "rgb(255, 0, 0)";

	42 if (shouldSucceed) {

	43 if (success)

	44 console.log("PASS: Style attribute assignment in test " + tests + " was blocked by CSP.");

	45 else

	46 console.log("FAIL: Style attribute assignment in test " + tests + " was not blocked by CSP.");

	47 } else {

	48 if (success)

	49 console.log("FAIL: Style attribute assignment in test " + tests + " was blocked by CSP.");

	50 else

	51 console.log("PASS: Style attribute assignment in test " + tests + " was not blocked by CSP.");

	52 }

	53 window.postMessage("next", "*");

	54 }

35	55

36 switch (tests) {	56 switch (tests) {

37 case 4:	57 case 4:

38 console.log("Injecting in main world: this should fail.");	58 console.log("Injecting in main world: this should fail.");

39 injectInlineStyle(false, tests);	59 injectInlineStyle(false, tests);

40 break;	60 break;

41 case 3:	61 case 3:

42 console.log("Injecting into isolated world without bypass: this shou ld fail.");	62 console.log("Injecting into isolated world without bypass: this shou ld fail.");

43 testRunner.evaluateScriptInIsolatedWorld(1, String(eval("injectInlin eStyle")) + "\ninjectInlineStyle(false," + tests + ");");	63 testRunner.evaluateScriptInIsolatedWorld(1, String(eval("injectInlin eStyle")) + "\ninjectInlineStyle(false," + tests + ");");

	64 testRunner.evaluateScriptInIsolatedWorld(1, String(eval("injectInlin eStyleAttribute")) + "\ninjectInlineStyleAttribute(false," + tests + ");");

44 break;	65 break;

45 case 2:	66 case 2:

46 console.log("Starting to bypass main world's CSP: this should pass!" );	67 console.log("Starting to bypass main world's CSP: this should pass!" );

47 testRunner.setIsolatedWorldContentSecurityPolicy(1, 'style-src \'uns afe-inline\' *');	68 testRunner.setIsolatedWorldContentSecurityPolicy(1, 'style-src \'uns afe-inline\' *');

48 testRunner.evaluateScriptInIsolatedWorld(1, String(eval("injectInlin eStyle")) + "\ninjectInlineStyle(true," + tests + ");");	69 testRunner.evaluateScriptInIsolatedWorld(1, String(eval("injectInlin eStyle")) + "\ninjectInlineStyle(true," + tests + ");");

	70 testRunner.evaluateScriptInIsolatedWorld(1, String(eval("injectInlin eStyleAttribute")) + "\ninjectInlineStyleAttribute(true," + tests + ");");

49 break;	71 break;

50 case 1:	72 case 1:

51 console.log("Injecting into main world again: this should fail.");	73 console.log("Injecting into main world again: this should fail.");

52 injectInlineStyle(false, tests);	74 injectInlineStyle(false, tests);

53 break;	75 break;

54 case 0:	76 case 0:

55 testRunner.setIsolatedWorldContentSecurityPolicy(1, '');	77 testRunner.setIsolatedWorldContentSecurityPolicy(1, '');

56 testRunner.notifyDone();	78 testRunner.notifyDone();

57 break;	79 break;

58 }	80 }

59 }	81 }

60	82

61 document.addEventListener('DOMContentLoaded', test);	83 document.addEventListener('DOMContentLoaded', test);

OLD	NEW

« no previous file with comments | « LayoutTests/http/tests/security/isolatedWorld/resources/bypass-main-world-csp-for-inline-script.js ('k') | Source/core/dom/Document.cpp » ('j') | no next file with comments »

Powered by Google App Engine

This is Rietveld 408576698