(Empty) | |
| 1 <!DOCTYPE html> |
| 2 <html> |
| 3 <head> |
| 4 <script src="/resources/testharness.js"></script> |
| 5 <script src="/resources/testharnessreport.js"></script> |
| 6 <script src="/security/contentSecurityPolicy/resources/child-csp-test.js"></
script> |
| 7 </head> |
| 8 <body> |
| 9 <script> |
| 10 var imgLineNumber = 20; |
| 11 var scriptAbcLineNumber = 21; |
| 12 |
| 13 async_test(t => { |
| 14 csp = "img-src 'none'; script-src 'unsafe-inline';"; |
| 15 url = generateUrlWithAllowCSPFrom(SAME_ORIGIN, ""); |
| 16 injectIframeWithCSP(url, EXPECT_LOAD, csp, t, "0"); |
| 17 }, "Same origin iframes are always allowed."); |
| 18 |
| 19 async_test(t => { |
| 20 csp = "script-src 'unsafe-inline'; img-src 'none'"; |
| 21 url = generateUrlWithAllowCSPFrom(CROSS_ORIGIN, ""); |
| 22 injectIframeWithCSP(url, EXPECT_BLOCK, csp, t, "1"); |
| 23 }, "Cross origin iframe with requiredCSP but without Allow-CSP-From header
gets blocked.") |
| 24 |
| 25 async_test(t => { |
| 26 csp = "script-src 'unsafe-inline'"; |
| 27 url = generateUrlWithAllowCSPFrom(CROSS_ORIGIN, "http://127.0.0.1:8000")
; |
| 28 injectIframeWithCSP(url, EXPECT_LOAD, csp, t, "2"); |
| 29 }, "iframe from cross origin does not load without Allow-CSP-From header."
); |
| 30 |
| 31 async_test(t => { |
| 32 csp = "script-src 'unsafe-inline'; img-src 'none'"; |
| 33 url = generateUrlWithAllowCSPFrom(CROSS_ORIGIN, "* ¢¥§"); |
| 34 injectIframeWithCSP(url, EXPECT_BLOCK, csp, t, "3"); |
| 35 }, "Iframe with improper Allow-CSP-From header gets blocked."); |
| 36 |
| 37 async_test(t => { |
| 38 csp = "script-src 'unsafe-inline'; img-src 'none'"; |
| 39 url = generateUrlWithAllowCSPFrom(CROSS_ORIGIN, "*") + "&csp=img-src *"; |
| 40 injectIframeWithCSP(url, EXPECT_LOAD, csp, t, "4"); |
| 41 }, "Star Allow-CSP-From header can be returned."); |
| 42 |
| 43 async_test(t => { |
| 44 csp = "script-src 'nonce-123';"; |
| 45 url = generateUrlWithAllowCSPFrom(CROSS_ORIGIN, "http://127.0.0.1:8000")
; |
| 46 var i = document.createElement('iframe'); |
| 47 i.csp = csp; |
| 48 i.src = url + "&id=5"; |
| 49 |
| 50 window.addEventListener('message', t.step_func(e => { |
| 51 if (e.source != i.contentWindow || e.data["securitypolicyviolation"] !
= true) |
| 52 return; |
| 53 assert_equals(e.data["blockedURI"], "inline"); |
| 54 assert_equals(e.data["lineNumber"], scriptAbcLineNumber); |
| 55 t.done(); |
| 56 })); |
| 57 |
| 58 document.body.appendChild(i); |
| 59 }, "Allow-CSP-From header enforces EmbeddingCSP."); |
| 60 |
| 61 async_test(t => { |
| 62 csp = "script-src 'unsafe-inline'; img-src 'none'"; |
| 63 url = generateUrlWithAllowCSPFrom(CROSS_ORIGIN, "*") + "&csp=img-src *"; |
| 64 var i = document.createElement('iframe'); |
| 65 i.csp = csp; |
| 66 i.src = url + "&id=6"; |
| 67 |
| 68 window.addEventListener('message', t.step_func(e => { |
| 69 if (e.source != i.contentWindow || e.data["securitypolicyviolation"] !
= true) |
| 70 return; |
| 71 assert_equals(e.data["blockedURI"], |
| 72 "http://localhost:8000/security/contentSecurityPolicy/resources/gree
n250x50.png"); |
| 73 assert_equals(e.data["lineNumber"], imgLineNumber); |
| 74 t.done(); |
| 75 })); |
| 76 |
| 77 document.body.appendChild(i); |
| 78 }, "Star Allow-CSP-From header allows the parent to enforce its Embedding
CSP."); |
| 79 |
| 80 async_test(t => { |
| 81 csp = "script-src 'unsafe-inline'; img-src 'none'"; |
| 82 url = "http://localhost:8000/security/contentSecurityPolicy/resources/re
spond-with-allow-csp-from-multiple-headers.php?allow_csp_from="; |
| 83 var i = document.createElement('iframe'); |
| 84 i.csp = csp; |
| 85 i.src = url + "http://localhost:8000" + "&allow_csp_from_2=*"; |
| 86 |
| 87 injectIframeWithCSP(url, EXPECT_BLOCK, csp, t, "7"); |
| 88 }, "Only first Allow-CSP-From header is considered."); |
| 89 </script> |
| 90 </body> |
| 91 </html> |
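Review bot: The last test ("Only first Allow-CSP-From header is considered", file lines 80–88) never exercises the two-header response it builds: the iframe `i` that carries the full URL is never appended to the document, and `injectIframeWithCSP` is handed the bare `url`, whose `allow_csp_from=` value is empty, so EXPECT_BLOCK is satisfied even by a browser that honours the trailing `allow_csp_from_2=*` header. Drop the unused element and pass the complete URL instead, e.g. `injectIframeWithCSP(url + "http://localhost:8000&allow_csp_from_2=*", EXPECT_BLOCK, csp, t, "7");`, so the block actually depends on the second header being ignored. Separately, the description on file line 29 says the frame "does not load without Allow-CSP-From header" while that test sends `Allow-CSP-From: http://127.0.0.1:8000` and expects a load; a wording that matches the assertion is `"Cross origin iframe loads when Allow-CSP-From matches the embedding origin."`. `csp` and `url` are assigned without a declaration in every callback and therefore become shared globals across the async tests; `const` inside each callback keeps them local. Whether `injectIframeWithCSP` appends the `id` parameter itself is not visible here, so the final URL shape should be checked against child-csp-test.js.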