Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(32)

Unified Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/allow_csp_from-header.html

Issue 2404373003: Experimental Feature: Allow-CSP-From header (Closed)
Patch Set: Adding console message, moving to testharness tests, adding CSPTest Created 4 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/allow_csp_from-header.html
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/allow_csp_from-header.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/allow_csp_from-header.html
new file mode 100644
index 0000000000000000000000000000000000000000..5029ad5abf8f1de5eb15b2cf90342ae1baf0c78d
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/allow_csp_from-header.html
@@ -0,0 +1,91 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/security/contentSecurityPolicy/resources/child-csp-test.js"></script>
+</head>
+<body>
+ <script>
+ var imgLineNumber = 19;
+ var scriptAbcLineNumber = 20;
+
+ async_test(t => {
+ csp = "img-src 'none'; script-src 'unsafe-inline';";
+ url = urlWithAlloCspFrom(SAME_ORIGIN, "");
Mike West 2016/10/17 14:54:28 s/Allo/Allow/g
+ injectIframeWithCSP(url, EXPECT_LOAD, csp, t, "0");
+ }, "Same origin iframes are always allowed.");
+
+ async_test(t => {
+ csp = "script-src 'unsafe-inline'; img-src 'none'";
+ url = urlWithAlloCspFrom(CROSS_ORIGIN, "");
+ injectIframeWithCSP(url, EXPECT_BLOCK, csp, t, "1");
+ }, "Cross origin iframe with requiredCSP but without Allow-CSP-From header gets blocked.")
+
+ async_test(t => {
+ csp = "script-src 'unsafe-inline'";
+ url = urlWithAlloCspFrom(CROSS_ORIGIN, "http://127.0.0.1:8000");
+ injectIframeWithCSP(url, EXPECT_LOAD, csp, t, "2");
+ }, "iframe from cross origin does not load without Allow-CSP-From header.");
+
+ async_test(t => {
+ csp = "script-src 'unsafe-inline'; img-src 'none'";
+ url = urlWithAlloCspFrom(CROSS_ORIGIN, "* ¢¥§");
+ injectIframeWithCSP(url, EXPECT_BLOCK, csp, t, "3");
+ }, "Iframe with improper Allow-CSP-From header gets blocked.");
+
+ async_test(t => {
+ csp = "script-src 'unsafe-inline'; img-src 'none'";
+ url = urlWithAlloCspFrom(CROSS_ORIGIN, "*") + "&csp=img-src *";
+ injectIframeWithCSP(url, EXPECT_LOAD, csp, t, "4");
+ }, "Star Allow-CSP-From header can be returned.");
+
+ async_test(t => {
+ csp = "script-src 'nonce-123';";
+ url = urlWithAlloCspFrom(CROSS_ORIGIN, "http://127.0.0.1:8000");
+ var i = document.createElement('iframe');
+ i.csp = csp;
+ i.src = url + "&id=5";
+
+ window.addEventListener('message', t.step_func(e => {
+ if (e.source != i.contentWindow || e.data["securitypolicyviolation"] != true)
+ return;
+ assert_equals(e.data["blockedURI"], "inline");
+ assert_equals(e.data["lineNumber"], scriptAbcLineNumber);
+ t.done();
+ }));
+
+ document.body.appendChild(i);
+ }, "Allow-CSP-From header enforces EmbeddingCSP.");
+
+ async_test(t => {
+ csp = "script-src 'unsafe-inline'; img-src 'none'";
+ url = urlWithAlloCspFrom(CROSS_ORIGIN, "*") + "&csp=img-src *";
+ var i = document.createElement('iframe');
+ i.csp = csp;
+ i.src = url + "&id=6";
+
+ window.addEventListener('message', t.step_func(e => {
+ if (e.source != i.contentWindow || e.data["securitypolicyviolation"] != true)
+ return;
+ assert_equals(e.data["blockedURI"],
+ "http://localhost:8000/security/contentSecurityPolicy/resources/green250x50.png");
+ assert_equals(e.data["lineNumber"], imgLineNumber);
+ t.done();
+ }));
+
+ document.body.appendChild(i);
+ }, "Star Allow-CSP-From header allows the parent to enforce its Embedding CSP.");
+
+ async_test(t => {
+ csp = "script-src 'unsafe-inline'; img-src 'none'";
+ url = "http://localhost:8000/security/contentSecurityPolicy/resources/respond-with-allow-csp-from-multiple-headers.php?allow_csp_from=";
+ var i = document.createElement('iframe');
+ i.csp = csp;
+ i.src = url + "http://localhost:8000" + "&allow_csp_from_2=*";
+
+ injectIframeWithCSP(url, EXPECT_BLOCK, csp, t, "7");
+ }, "Only first Allow-CSP-From header is considered.");
+ </script>
+</body>
+</html>

Powered by Google App Engine
This is Rietveld 408576698