Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(108)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/allow_csp_from-header.html

Issue 2404373003: Experimental Feature: Allow-CSP-From header (Closed)
Patch Set: Better format of ContentSecurityPolicyTest.ShouldEnforceEmbeddersPolicy Created 4 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/embedding_csp-header.html » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/allow_csp_from-header.html
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/allow_csp_from-header.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/allow_csp_from-header.html
new file mode 100644
index 0000000000000000000000000000000000000000..6c5d8c67c2998c5b278e36a23c36c60ec1ec5530
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/allow_csp_from-header.html
@@ -0,0 +1,91 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/security/contentSecurityPolicy/resources/child-csp-test.js"></script>
+</head>
+<body>
+ <script>
+ var imgLineNumber = 20;
+ var scriptAbcLineNumber = 21;
+
+ async_test(t => {
+ csp = "img-src 'none'; script-src 'unsafe-inline';";
+ url = generateUrlWithAllowCSPFrom(SAME_ORIGIN, "");
+ injectIframeWithCSP(url, EXPECT_LOAD, csp, t, "0");
+ }, "Same origin iframes are always allowed.");
+
+ async_test(t => {
+ csp = "script-src 'unsafe-inline'; img-src 'none'";
+ url = generateUrlWithAllowCSPFrom(CROSS_ORIGIN, "");
+ injectIframeWithCSP(url, EXPECT_BLOCK, csp, t, "1");
+ }, "Cross origin iframe with requiredCSP but without Allow-CSP-From header gets blocked.")
+
+ async_test(t => {
+ csp = "script-src 'unsafe-inline'";
+ url = generateUrlWithAllowCSPFrom(CROSS_ORIGIN, "http://127.0.0.1:8000");
+ injectIframeWithCSP(url, EXPECT_LOAD, csp, t, "2");
+ }, "iframe from cross origin does not load without Allow-CSP-From header.");
+
+ async_test(t => {
+ csp = "script-src 'unsafe-inline'; img-src 'none'";
+ url = generateUrlWithAllowCSPFrom(CROSS_ORIGIN, "* ¢¥§");
+ injectIframeWithCSP(url, EXPECT_BLOCK, csp, t, "3");
+ }, "Iframe with improper Allow-CSP-From header gets blocked.");
+
+ async_test(t => {
+ csp = "script-src 'unsafe-inline'; img-src 'none'";
+ url = generateUrlWithAllowCSPFrom(CROSS_ORIGIN, "*") + "&csp=img-src *";
+ injectIframeWithCSP(url, EXPECT_LOAD, csp, t, "4");
+ }, "Star Allow-CSP-From header can be returned.");
+
+ async_test(t => {
+ csp = "script-src 'nonce-123';";
+ url = generateUrlWithAllowCSPFrom(CROSS_ORIGIN, "http://127.0.0.1:8000");
+ var i = document.createElement('iframe');
+ i.csp = csp;
+ i.src = url + "&id=5";
+
+ window.addEventListener('message', t.step_func(e => {
+ if (e.source != i.contentWindow || e.data["securitypolicyviolation"] != true)
+ return;
+ assert_equals(e.data["blockedURI"], "inline");
+ assert_equals(e.data["lineNumber"], scriptAbcLineNumber);
+ t.done();
+ }));
+
+ document.body.appendChild(i);
+ }, "Allow-CSP-From header enforces EmbeddingCSP.");
+
+ async_test(t => {
+ csp = "script-src 'unsafe-inline'; img-src 'none'";
+ url = generateUrlWithAllowCSPFrom(CROSS_ORIGIN, "*") + "&csp=img-src *";
+ var i = document.createElement('iframe');
+ i.csp = csp;
+ i.src = url + "&id=6";
+
+ window.addEventListener('message', t.step_func(e => {
+ if (e.source != i.contentWindow || e.data["securitypolicyviolation"] != true)
+ return;
+ assert_equals(e.data["blockedURI"],
+ "http://localhost:8000/security/contentSecurityPolicy/resources/green250x50.png");
+ assert_equals(e.data["lineNumber"], imgLineNumber);
+ t.done();
+ }));
+
+ document.body.appendChild(i);
+ }, "Star Allow-CSP-From header allows the parent to enforce its Embedding CSP.");
+
+ async_test(t => {
+ csp = "script-src 'unsafe-inline'; img-src 'none'";
+ url = "http://localhost:8000/security/contentSecurityPolicy/resources/respond-with-allow-csp-from-multiple-headers.php?allow_csp_from=";
+ var i = document.createElement('iframe');
+ i.csp = csp;
+ i.src = url + "http://localhost:8000" + "&allow_csp_from_2=*";
+
+ injectIframeWithCSP(url, EXPECT_BLOCK, csp, t, "7");
+ }, "Only first Allow-CSP-From header is considered.");
+ </script>
+</body>
+</html>
« no previous file with comments | « no previous file | third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/embedding_csp-header.html » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698