Unified Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-original-url.php

Issue 2002943002: CSP violation reports should report the pre-redirect URL. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Rebase. Created 4 years, 7 months ago
Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-original-url.php
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-original-url.php b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-original-url.php
new file mode 100644
index 0000000000000000000000000000000000000000..321f56449ea0ea660ae4ed8b2e39547598a52f87
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-original-url.php
@@ -0,0 +1,45 @@
+<?php
+ header("Content-Security-Policy-Report-Only: img-src http://allowed.test");
+?>
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+function createListener(expectedURL, test) {
+ var listener = test.step_func(e => {
+ if (e.blockedURI == expectedURL) {
+ document.removeEventListener('securitypolicyviolation', listener);
+ test.done();
+ }
+ });
+ document.addEventListener('securitypolicyviolation', listener);
+}
+
+async_test(t => {
+ var i = document.createElement('img');
+ createListener("http://127.0.0.1:8000/security/resources/compass.jpg?t=1", t);
+ i.src = "http://127.0.0.1:8000/security/resources/compass.jpg?t=1";
+}, "Direct block, same-origin = full URL in report");
+
+async_test(t => {
+ var i = document.createElement('img');
+ createListener("http://blocked.test:8000/security/resources/compass.jpg?t=2", t);
+ i.src = "http://blocked.test:8000/security/resources/compass.jpg?t=2";
+}, "Direct block, cross-origin = full URL in report");
+
+async_test(t => {
+ var i = document.createElement('img');
+ // TODO(mkwst): This should be `http://allowed.test:8000/security/resources/redir.php?url=...`
+ // rather than the redirect target: https://crbug.com/613960
+ createListener("http://127.0.0.1:8000/security/resources/compass.jpg?t=3", t);
+ i.src = "http://allowed.test:8000/security/resources/redir.php?url=" + encodeURIComponent("http://127.0.0.1:8000/security/resources/compass.jpg?t=3");
+}, "Block after redirect, same-origin = original URL in report");
+
+async_test(t => {
+ var i = document.createElement('img');
+ // TODO(mkwst): This should be `http://allowed.test:8000/security/resources/redir.php?url=...`
+ // rather than the redirect target: https://crbug.com/613960
+ createListener("http://blocked.test:8000", t);
+ i.src = "http://allowed.test:8000/security/resources/redir.php?url=" + encodeURIComponent("http://blocked.test:8000/security/resources/compass.jpg?t=4");
+}, "Block after redirect, cross-origin = original URL in report");
+</script>
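Review bot: The expected values on the redirect cases (lines 53 and 61) pin the post-redirect URL — the compass.jpg target, or just the `http://blocked.test:8000` origin — while the test names on lines 55 and 63 say "original URL in report", so a passing run asserts the opposite of its own title; until https://crbug.com/613960 is fixed the names should describe what is actually pinned, e.g. `"Block after redirect, same-origin = redirect target in report (crbug.com/613960)"`. Because createListener only ever matches on `blockedURI` and otherwise ignores the event, a report with an unexpected URI leaves the test pending until the harness timeout with no record of what was reported; a comment on line 28 such as `// Four tests share one event stream, so an unmatched event is ignored rather than failed; a timeout here means the reported blockedURI differed.` would save the next reader that investigation, and `===` on line 29 is the idiomatic comparison. The policy on line 21 is `img-src http://allowed.test` with no port while the redirecting request on lines 54 and 62 goes to `allowed.test:8000`; if port-less source expressions are matched against the scheme's default port, the first hop could itself be blocked, so it is worth confirming that the redirect really occurs rather than relying on the current expectations alone.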
