third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/allow_csp_from-header.html - Issue 2404373003: Experimental Feature: Allow-CSP-From header

Unified Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/allow_csp_from-header.html

Issue 2404373003: Experimental Feature: Allow-CSP-From header (Closed)

Patch Set: Adding console message, moving to testharness tests, adding CSPTest Created 4 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

« no previous file with comments | « no previous file | third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/embedding_csp-header.html » ('j') | third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-csp-test.js » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/allow_csp_from-header.html

diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/allow_csp_from-header.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/allow_csp_from-header.html

new file mode 100644

index 0000000000000000000000000000000000000000..5029ad5abf8f1de5eb15b2cf90342ae1baf0c78d

--- /dev/null

+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/allow_csp_from-header.html

@@ -0,0 +1,91 @@

+<!DOCTYPE html>

+<html>

+<head>

+ <script src="/resources/testharness.js"></script>

+ <script src="/resources/testharnessreport.js"></script>

+ <script src="/security/contentSecurityPolicy/resources/child-csp-test.js"></script>

+</head>

+<body>

+ <script>

+ var imgLineNumber = 19;

+ var scriptAbcLineNumber = 20;

+ async_test(t => {

+ csp = "img-src 'none'; script-src 'unsafe-inline';";

+ url = urlWithAlloCspFrom(SAME_ORIGIN, "");

Mike West 2016/10/17 14:54:28 s/Allo/Allow/g

+ injectIframeWithCSP(url, EXPECT_LOAD, csp, t, "0");

+ }, "Same origin iframes are always allowed.");

+ async_test(t => {

+ csp = "script-src 'unsafe-inline'; img-src 'none'";

+ url = urlWithAlloCspFrom(CROSS_ORIGIN, "");

+ injectIframeWithCSP(url, EXPECT_BLOCK, csp, t, "1");

+ }, "Cross origin iframe with requiredCSP but without Allow-CSP-From header gets blocked.")

+ async_test(t => {

+ csp = "script-src 'unsafe-inline'";

+ url = urlWithAlloCspFrom(CROSS_ORIGIN, "http://127.0.0.1:8000");

+ injectIframeWithCSP(url, EXPECT_LOAD, csp, t, "2");

+ }, "iframe from cross origin does not load without Allow-CSP-From header.");

+ async_test(t => {

+ csp = "script-src 'unsafe-inline'; img-src 'none'";

+ url = urlWithAlloCspFrom(CROSS_ORIGIN, "* ¢¥§");

+ injectIframeWithCSP(url, EXPECT_BLOCK, csp, t, "3");

+ }, "Iframe with improper Allow-CSP-From header gets blocked.");

+ async_test(t => {

+ csp = "script-src 'unsafe-inline'; img-src 'none'";

+ url = urlWithAlloCspFrom(CROSS_ORIGIN, "*") + "&csp=img-src *";

+ injectIframeWithCSP(url, EXPECT_LOAD, csp, t, "4");

+ }, "Star Allow-CSP-From header can be returned.");

+ async_test(t => {

+ csp = "script-src 'nonce-123';";

+ url = urlWithAlloCspFrom(CROSS_ORIGIN, "http://127.0.0.1:8000");

+ var i = document.createElement('iframe');

+ i.csp = csp;

+ i.src = url + "&id=5";

+ window.addEventListener('message', t.step_func(e => {

+ if (e.source != i.contentWindow || e.data["securitypolicyviolation"] != true)

+ return;

+ assert_equals(e.data["blockedURI"], "inline");

+ assert_equals(e.data["lineNumber"], scriptAbcLineNumber);

+ t.done();

+ }));

+ document.body.appendChild(i);

+ }, "Allow-CSP-From header enforces EmbeddingCSP.");

+ async_test(t => {

+ csp = "script-src 'unsafe-inline'; img-src 'none'";

+ url = urlWithAlloCspFrom(CROSS_ORIGIN, "*") + "&csp=img-src *";

+ var i = document.createElement('iframe');

+ i.csp = csp;

+ i.src = url + "&id=6";

+ window.addEventListener('message', t.step_func(e => {

+ if (e.source != i.contentWindow || e.data["securitypolicyviolation"] != true)

+ return;

+ assert_equals(e.data["blockedURI"],

+ "http://localhost:8000/security/contentSecurityPolicy/resources/green250x50.png");

+ assert_equals(e.data["lineNumber"], imgLineNumber);

+ t.done();

+ }));

+ document.body.appendChild(i);

+ }, "Star Allow-CSP-From header allows the parent to enforce its Embedding CSP.");

+ async_test(t => {

+ csp = "script-src 'unsafe-inline'; img-src 'none'";

+ url = "http://localhost:8000/security/contentSecurityPolicy/resources/respond-with-allow-csp-from-multiple-headers.php?allow_csp_from=";

+ var i = document.createElement('iframe');

+ i.csp = csp;

+ i.src = url + "http://localhost:8000" + "&allow_csp_from_2=*";

+ injectIframeWithCSP(url, EXPECT_BLOCK, csp, t, "7");

+ }, "Only first Allow-CSP-From header is considered.");

+ </script>

+</body>

+</html>