LayoutTests/http/tests/security/isolatedWorld/resources/bypass-main-world-csp-for-inline-style.js - Issue 1318153009: CSP: Loosen restrictions on inline style and event attributes.

Unified Diff: LayoutTests/http/tests/security/isolatedWorld/resources/bypass-main-world-csp-for-inline-style.js

Issue 1318153009: CSP: Loosen restrictions on inline style and event attributes. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master

Patch Set: Created 5 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« no previous file with comments | « LayoutTests/http/tests/security/isolatedWorld/resources/bypass-main-world-csp-for-inline-script.js ('k') | Source/core/dom/Document.cpp » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: LayoutTests/http/tests/security/isolatedWorld/resources/bypass-main-world-csp-for-inline-style.js

diff --git a/LayoutTests/http/tests/security/isolatedWorld/resources/bypass-main-world-csp-for-inline-style.js b/LayoutTests/http/tests/security/isolatedWorld/resources/bypass-main-world-csp-for-inline-style.js

index ce26eb0bd6417089ff0be8f03561d894b7ade4f4..23086956faa5ca3eb908a69043d7f18bcd999b05 100644

--- a/LayoutTests/http/tests/security/isolatedWorld/resources/bypass-main-world-csp-for-inline-style.js

+++ b/LayoutTests/http/tests/security/isolatedWorld/resources/bypass-main-world-csp-for-inline-style.js

@@ -11,7 +11,7 @@ window.addEventListener("message", function(message) {

function test() {

function injectInlineStyle(shouldSucceed, tests) {

- var id = 'div' + tests;

+ var id = 'inline' + tests;

var div = document.createElement('div');

div.id = id;

document.body.appendChild(div);

@@ -32,6 +32,26 @@ function test() {

}

window.postMessage("next", "*");

}

+ function injectInlineStyleAttribute(shouldSucceed, tests) {

+ var id = 'attribute' + tests;

+ var div = document.createElement('div');

+ div.id = id;

+ document.body.appendChild(div);

+ div.setAttribute('style', 'color: red;');

+ var success = window.getComputedStyle(document.getElementById(id)).color === "rgb(255, 0, 0)";

+ if (shouldSucceed) {

+ if (success)

+ console.log("PASS: Style attribute assignment in test " + tests + " was blocked by CSP.");

+ else

+ console.log("FAIL: Style attribute assignment in test " + tests + " was not blocked by CSP.");

+ } else {

+ if (success)

+ console.log("FAIL: Style attribute assignment in test " + tests + " was blocked by CSP.");

+ else

+ console.log("PASS: Style attribute assignment in test " + tests + " was not blocked by CSP.");

+ }

+ window.postMessage("next", "*");

+ }

switch (tests) {

case 4:

@@ -41,11 +61,13 @@ function test() {

case 3:

console.log("Injecting into isolated world without bypass: this should fail.");

testRunner.evaluateScriptInIsolatedWorld(1, String(eval("injectInlineStyle")) + "\ninjectInlineStyle(false," + tests + ");");

+ testRunner.evaluateScriptInIsolatedWorld(1, String(eval("injectInlineStyleAttribute")) + "\ninjectInlineStyleAttribute(false," + tests + ");");

break;

case 2:

console.log("Starting to bypass main world's CSP: this should pass!");

testRunner.setIsolatedWorldContentSecurityPolicy(1, 'style-src \'unsafe-inline\' *');

testRunner.evaluateScriptInIsolatedWorld(1, String(eval("injectInlineStyle")) + "\ninjectInlineStyle(true," + tests + ");");

+ testRunner.evaluateScriptInIsolatedWorld(1, String(eval("injectInlineStyleAttribute")) + "\ninjectInlineStyleAttribute(true," + tests + ");");

break;

case 1:

console.log("Injecting into main world again: this should fail.");