| OLD | NEW |
|---|
| 1 <!DOCTYPE html> | 1 <!DOCTYPE html> |
| 2 <head> | 2 <head> |
| 3 <title>Upgrade Insecure Requests: IFrames.</title> | 3 <title>Upgrade Insecure Requests: IFrames.</title> |
| 4 <script src="/resources/testharness.js"></script> | 4 <script src="/resources/testharness.js"></script> |
| 5 <script src="/resources/testharnessreport.js"></script> | 5 <script src="/resources/testharnessreport.js"></script> |
| 6 <script src="./resources/testharness-helper.js"></script> |
| 6 | 7 |
| 7 <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> | 8 <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> |
| 8 </head> | 9 </head> |
| 9 <body> | 10 <body> |
| 10 <script> | 11 <script> |
| 11 async_test(t => { | 12 var tests = [ |
| 12 var i = document.createElement('iframe'); | 13 generateURL(Host.SAME_ORIGIN, Protocol.INSECURE, ResourceType.FRAME), |
| 14 generateURL(Host.SAME_ORIGIN, Protocol.SECURE, ResourceType.FRAME), |
| 15 generateURL(Host.CROSS_ORIGIN, Protocol.INSECURE, ResourceType.FRAME), |
| 16 generateURL(Host.CROSS_ORIGIN, Protocol.SECURE, ResourceType.FRAME), |
| 17 ]; |
| 13 | 18 |
| 14 // This is a bit of a hack. UPGRADE doesn't upgrade the port number, so we | 19 tests.forEach(test => { |
| 15 // specify this non-existent URL ('http' over port 8443). If UPGRADE doesn't | 20 async_test(t => assert_frame_loads(t, test.url), test.name); |
| 16 // work, it won't load. | 21 }); |
| 17 i.src = "http://127.0.0.1:8443/security/resources/post-origin-to-parent.html
"; | |
| 18 | |
| 19 window.addEventListener('message', t.step_func(e => { | |
| 20 if (e.source == i.contentWindow) { | |
| 21 assert_equals("https://127.0.0.1:8443", e.data.origin); | |
| 22 t.done(); | |
| 23 } | |
| 24 })); | |
| 25 document.body.appendChild(i); | |
| 26 }, "Same-host frames are upgraded."); | |
| 27 | |
| 28 async_test(t => { | |
| 29 var i = document.createElement('iframe'); | |
| 30 | |
| 31 // This is a bit of a hack. UPGRADE doesn't upgrade the port number, so we | |
| 32 // specify this non-existent URL ('http' over port 8443). If UPGRADE doesn't | |
| 33 // work, it won't load. | |
| 34 i.src = "http://example.test:8443/security/resources/post-origin-to-parent.h
tml"; | |
| 35 | |
| 36 window.addEventListener('message', t.step_func(e => { | |
| 37 if (e.source == i.contentWindow) { | |
| 38 assert_equals("https://example.test:8443", e.data.origin); | |
| 39 t.done(); | |
| 40 } | |
| 41 })); | |
| 42 document.body.appendChild(i); | |
| 43 }, "Cross-host frames are upgraded."); | |
| 44 | |
| 45 async_test(t => { | |
| 46 var i = document.createElement('iframe'); | |
| 47 i.srcdoc = "<a href='http://127.0.0.1:8443/security/resources/post-origin-to
-parent.html'>Navigate!</a>" + | |
| 48 "<script>document.querySelector('a').click()</scr" + "ipt>"; | |
| 49 | |
| 50 window.addEventListener('message', t.step_func(e => { | |
| 51 if (e.source == i.contentWindow) { | |
| 52 assert_equals("https://127.0.0.1:8443", e.data.origin); | |
| 53 t.done(); | |
| 54 } | |
| 55 })); | |
| 56 | |
| 57 document.body.appendChild(i); | |
| 58 }, "Upgrade policy cascades to nested, same-host frames."); | |
| 59 | |
| 60 async_test(t => { | |
| 61 var i = document.createElement('iframe'); | |
| 62 i.srcdoc = "<a href='http://example.test:8443/security/resources/post-origin
-to-parent.html'>Navigate!</a>" + | |
| 63 "<script>document.querySelector('a').click()</scr" + "ipt>"; | |
| 64 | |
| 65 window.addEventListener('message', t.step_func(e => { | |
| 66 if (e.source == i.contentWindow) { | |
| 67 assert_equals("https://example.test:8443", e.data.origin); | |
| 68 t.done(); | |
| 69 } | |
| 70 })); | |
| 71 | |
| 72 document.body.appendChild(i); | |
| 73 }, "Upgrade policy cascades to nested, cross-host frames."); | |
| 74 </script> | 22 </script> |
| 75 </body> | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2053693002:
WIP: Move 'Upgrade-Insecure-Requests' to the browser process.
Base URL: https://chromium.googlesource.com/chromium/src.git@replicate