(Empty) | |
1 <!DOCTYPE html> | |
2 <html> | |
3 <head> | |
4 <script src="/resources/testharness.js"></script> | |
5 <script src="/resources/testharnessreport.js"></script> | |
6 <script src="/security/contentSecurityPolicy/resources/child-csp-test.js"></ script> | |
7 </head> | |
8 <body> | |
9 <script> | |
10 var imgLineNumber = 19; | |
11 var scriptAbcLineNumber = 20; | |
12 | |
13 async_test(t => { | |
14 csp = "img-src 'none'; script-src 'unsafe-inline';"; | |
15 url = urlWithAlloCspFrom(SAME_ORIGIN, ""); | |
Mike West
2016/10/17 14:54:28
s/Allo/Allow/g
| |
16 injectIframeWithCSP(url, EXPECT_LOAD, csp, t, "0"); | |
17 }, "Same origin iframes are always allowed."); | |
18 | |
19 async_test(t => { | |
20 csp = "script-src 'unsafe-inline'; img-src 'none'"; | |
21 url = urlWithAlloCspFrom(CROSS_ORIGIN, ""); | |
22 injectIframeWithCSP(url, EXPECT_BLOCK, csp, t, "1"); | |
23 }, "Cross origin iframe with requiredCSP but without Allow-CSP-From header gets blocked.") | |
24 | |
25 async_test(t => { | |
26 csp = "script-src 'unsafe-inline'"; | |
27 url = urlWithAlloCspFrom(CROSS_ORIGIN, "http://127.0.0.1:8000"); | |
28 injectIframeWithCSP(url, EXPECT_LOAD, csp, t, "2"); | |
29 }, "iframe from cross origin does not load without Allow-CSP-From header." ); | |
30 | |
31 async_test(t => { | |
32 csp = "script-src 'unsafe-inline'; img-src 'none'"; | |
33 url = urlWithAlloCspFrom(CROSS_ORIGIN, "* ¢¥§"); | |
34 injectIframeWithCSP(url, EXPECT_BLOCK, csp, t, "3"); | |
35 }, "Iframe with improper Allow-CSP-From header gets blocked."); | |
36 | |
37 async_test(t => { | |
38 csp = "script-src 'unsafe-inline'; img-src 'none'"; | |
39 url = urlWithAlloCspFrom(CROSS_ORIGIN, "*") + "&csp=img-src *"; | |
40 injectIframeWithCSP(url, EXPECT_LOAD, csp, t, "4"); | |
41 }, "Star Allow-CSP-From header can be returned."); | |
42 | |
43 async_test(t => { | |
44 csp = "script-src 'nonce-123';"; | |
45 url = urlWithAlloCspFrom(CROSS_ORIGIN, "http://127.0.0.1:8000"); | |
46 var i = document.createElement('iframe'); | |
47 i.csp = csp; | |
48 i.src = url + "&id=5"; | |
49 | |
50 window.addEventListener('message', t.step_func(e => { | |
51 if (e.source != i.contentWindow || e.data["securitypolicyviolation"] ! = true) | |
52 return; | |
53 assert_equals(e.data["blockedURI"], "inline"); | |
54 assert_equals(e.data["lineNumber"], scriptAbcLineNumber); | |
55 t.done(); | |
56 })); | |
57 | |
58 document.body.appendChild(i); | |
59 }, "Allow-CSP-From header enforces EmbeddingCSP."); | |
60 | |
61 async_test(t => { | |
62 csp = "script-src 'unsafe-inline'; img-src 'none'"; | |
63 url = urlWithAlloCspFrom(CROSS_ORIGIN, "*") + "&csp=img-src *"; | |
64 var i = document.createElement('iframe'); | |
65 i.csp = csp; | |
66 i.src = url + "&id=6"; | |
67 | |
68 window.addEventListener('message', t.step_func(e => { | |
69 if (e.source != i.contentWindow || e.data["securitypolicyviolation"] ! = true) | |
70 return; | |
71 assert_equals(e.data["blockedURI"], | |
72 "http://localhost:8000/security/contentSecurityPolicy/resources/gree n250x50.png"); | |
73 assert_equals(e.data["lineNumber"], imgLineNumber); | |
74 t.done(); | |
75 })); | |
76 | |
77 document.body.appendChild(i); | |
78 }, "Star Allow-CSP-From header allows the parent to enforce its Embedding CSP."); | |
79 | |
80 async_test(t => { | |
81 csp = "script-src 'unsafe-inline'; img-src 'none'"; | |
82 url = "http://localhost:8000/security/contentSecurityPolicy/resources/re spond-with-allow-csp-from-multiple-headers.php?allow_csp_from="; | |
83 var i = document.createElement('iframe'); | |
84 i.csp = csp; | |
85 i.src = url + "http://localhost:8000" + "&allow_csp_from_2=*"; | |
86 | |
87 injectIframeWithCSP(url, EXPECT_BLOCK, csp, t, "7"); | |
88 }, "Only first Allow-CSP-From header is considered."); | |
89 </script> | |
90 </body> | |
91 </html> | |
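Review bot: The last test ("Only first Allow-CSP-From header is considered.", file lines 80–88) builds an iframe `i` with the two-header URL but never appends it, and then calls `injectIframeWithCSP(url, …)` with the bare `url`, whose `allow_csp_from=` value is empty and which carries no `allow_csp_from_2=*`, so the injected frame is blocked for lack of any Allow-CSP-From header rather than because a second header is ignored — the case the description names is not exercised. Either drop the unused element and pass the helper the full URL, `injectIframeWithCSP(url + "http://localhost:8000" + "&allow_csp_from_2=*", EXPECT_BLOCK, csp, t, "7");`, or append `i` and assert on its message as tests 5 and 6 do; injectIframeWithCSP is defined in child-csp-test.js outside this page, so confirm whether it appends `&id=` itself before reusing the URL that way. The description of the third test, "iframe from cross origin does not load without Allow-CSP-From header.", contradicts that test's `EXPECT_LOAD` with a matching header and reads as copied from the second test; "Cross origin iframe with matching Allow-CSP-From header loads." would describe what is asserted. `csp` and `url` are assigned without `var` in every callback and so become shared globals across the concurrently running async tests; declaring them `var csp = …; var url = …;` inside each callback keeps the tests independent of execution order.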