third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-csp-test.js - Issue 2404373003: Experimental Feature: Allow-CSP-From header

Unified Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-csp-test.js

Issue 2404373003: Experimental Feature: Allow-CSP-From header (Closed)

Patch Set: Adding console message, moving to testharness tests, adding CSPTest Created 4 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

« third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/allow_csp_from-header.html ('K') | « third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/embedding_csp-header.html ('k') | third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/respond-with-allow-csp-from-header.php » ('j') | third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-csp-test.js

diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-csp-test.js b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-csp-test.js

new file mode 100644

index 0000000000000000000000000000000000000000..bc7caf81fd6a2a5f658125a4c89d73e343017462

--- /dev/null

+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-csp-test.js

@@ -0,0 +1,49 @@

+var CROSS_ORIGIN_URL = "http://localhost:8000/security/contentSecurityPolicy/resources/respond-with-allow-csp-from-header.php";

+var SAME_ORIGIN_URL = "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/respond-with-allow-csp-from-header.php";

+var EXPECT_BLOCK = true;

+var EXPECT_LOAD = false;

+var CROSS_ORIGIN = true;

+var SAME_ORIGIN = false;

+function injectIframeWithCSP(url, shouldBlock, csp, t, urlId) {

+ var i = document.createElement('iframe');

+ i.src = url + "&id=" + urlId;

+ i.csp = csp;

+ if (shouldBlock) {

+ window.onmessage = t.unreached_func('No message should be sent from the frame.');

+ i.onload = iframeLoaded(shouldBlock, t);

+ } else {

+ document.addEventListener("securitypolicyviolation",

+ t.unreached_func("There should not be any violations."));

+ window.onerror = t.unreached_func("Error should not be triggered.");

Mike West 2016/10/17 14:54:28 Why `window.onerror`?

+ window.addEventListener('message', t.step_func(e => {

+ if (e.source != i.contentWindow || e.data["loaded"] != true)

+ return;

+ assert_equals(urlId, e.data["id"]);

+ t.done();

+ }));

+ }

+ document.body.appendChild(i);

+function iframeLoaded(expectBlock, t) {

+ return function(ev) {

+ var blocked = true;

+ try {

+ console.log("IFrame load event fired: the IFrame's location is '" + ev.target.contentWindow.location.href + "'.");

Mike West 2016/10/17 14:54:28 This is always going to throw for cross-origin fra

+ blocked = false;

+ } catch (ex) {

+ blocked = true;

+ }

+ assert_equals(expectBlock, blocked);

+ t.done();

+ };

+function urlWithAlloCspFrom(useCrossOrigin, allowCspFrom) {

Mike West 2016/10/17 14:54:28 Nit: Perhaps `generateUrlWith...` for clarity?

+ var url = useCrossOrigin ? CROSS_ORIGIN_URL : SAME_ORIGIN_URL;

+ return url + "?allow_csp_from=" + allowCspFrom;