Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(514)

Unified Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-csp-test.js

Issue 2404373003: Experimental Feature: Allow-CSP-From header (Closed)
Patch Set: Adding console message, moving to testharness tests, adding CSPTest Created 4 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-csp-test.js
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-csp-test.js b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-csp-test.js
new file mode 100644
index 0000000000000000000000000000000000000000..bc7caf81fd6a2a5f658125a4c89d73e343017462
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-csp-test.js
@@ -0,0 +1,49 @@
+var CROSS_ORIGIN_URL = "http://localhost:8000/security/contentSecurityPolicy/resources/respond-with-allow-csp-from-header.php";
+var SAME_ORIGIN_URL = "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/respond-with-allow-csp-from-header.php";
+
+var EXPECT_BLOCK = true;
+var EXPECT_LOAD = false;
+
+var CROSS_ORIGIN = true;
+var SAME_ORIGIN = false;
+
+function injectIframeWithCSP(url, shouldBlock, csp, t, urlId) {
+ var i = document.createElement('iframe');
+ i.src = url + "&id=" + urlId;
+ i.csp = csp;
+
+ if (shouldBlock) {
+ window.onmessage = t.unreached_func('No message should be sent from the frame.');
+ i.onload = iframeLoaded(shouldBlock, t);
+ } else {
+ document.addEventListener("securitypolicyviolation",
+ t.unreached_func("There should not be any violations."));
+ window.onerror = t.unreached_func("Error should not be triggered.");
Mike West 2016/10/17 14:54:28 Why `window.onerror`?
+ window.addEventListener('message', t.step_func(e => {
+ if (e.source != i.contentWindow || e.data["loaded"] != true)
+ return;
+ assert_equals(urlId, e.data["id"]);
+ t.done();
+ }));
+ }
+ document.body.appendChild(i);
+}
+
+function iframeLoaded(expectBlock, t) {
+ return function(ev) {
+ var blocked = true;
+ try {
+ console.log("IFrame load event fired: the IFrame's location is '" + ev.target.contentWindow.location.href + "'.");
Mike West 2016/10/17 14:54:28 This is always going to throw for cross-origin fra
+ blocked = false;
+ } catch (ex) {
+ blocked = true;
+ }
+ assert_equals(expectBlock, blocked);
+ t.done();
+ };
+}
+
+function urlWithAlloCspFrom(useCrossOrigin, allowCspFrom) {
Mike West 2016/10/17 14:54:28 Nit: Perhaps `generateUrlWith...` for clarity?
+ var url = useCrossOrigin ? CROSS_ORIGIN_URL : SAME_ORIGIN_URL;
+ return url + "?allow_csp_from=" + allowCspFrom;
+}

Powered by Google App Engine
This is Rietveld 408576698