third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-child-frame-navigates-to-blocked-origin.html - Issue 2255103002: CSP: Strip reported URLs for 'frame-src' and 'object-src'.

Unified Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-child-frame-navigates-to-blocked-origin.html

Issue 2255103002: CSP: Strip reported URLs for 'frame-src' and 'object-src'. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: estark Created 4 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-blocked-expected.txt ('k') | third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-child-frame-navigates-to-blocked-origin-expected.txt » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-child-frame-navigates-to-blocked-origin.html

diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-child-frame-navigates-to-blocked-origin.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-child-frame-navigates-to-blocked-origin.html

index 235d5a7f5f0244c14aabbd08277c921d5dde522f..143b753cfee1ff6db21eb8cbf38add235e6b30df 100644

--- a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-child-frame-navigates-to-blocked-origin.html

+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-child-frame-navigates-to-blocked-origin.html

@@ -1,17 +1,28 @@

-<!DOCTYPE html>

-<html>

-<head>

- <meta http-equiv="Content-Security-Policy" content="frame-src https://localhost:8443">

- <script>

- testRunner.dumpAsText();

- testRunner.dumpChildFramesAsText();

- </script>

-</head>

-<body>

- The test verifies that Content-Security-Policy from the main frame

- restricts child frame's location even when the location is changed

- as a result of a navigation trigerred from within the child frame

- (which might reside in another renderer process due to --site-per-process).

- <iframe src="https://localhost:8443/security/contentSecurityPolicy/resources/frame-that-navigates-itself.html"></iframe>

-</body>

-</html>

+<!doctype html>

+<script src="/resources/testharness.js"></script>

+<script src="/resources/testharnessreport.js"></script>

+<meta http-equiv="Content-Security-Policy" content="frame-src https://localhost:8443">

+<script>

+ async_test(t => {

+ var watcher = new EventWatcher(t, document, ['securitypolicyviolation']);

+ watcher

+ .wait_for('securitypolicyviolation')

+ .then(t.step_func(e => {

+ assert_equals(e.blockedURI, "http://localhost:8000", "The reported URL should be stripped.");

+ assert_equals(e.lineNumber, 7, "This shouldn't actually be 7, since it happens in a cross-origin frame. :/");

+ t.done();

+ }));

+ window.onmessage = t.unreached_func('No message should be sent from the frame.');

+ window.onload = _ => {

+ // The test verifies that Content-Security-Policy from the main frame

+ // restricts child frame's location even when the location is changed

+ // as a result of a navigation trigerred from within the child frame

+ // (which might reside in another renderer process due to --site-per-process).

+ var url = "https://localhost:8443/security/contentSecurityPolicy/resources/frame-that-navigates-itself.html";

+ var i = document.createElement('iframe');

+ i.src = url;

+ document.body.appendChild(i);

+ };

+ }, "The frame's navigation is blocked.");

+</script>