
Unified Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-blocked-when-target-cross-site-window.html

Issue 2487973004: Enforce form-action CSP even when form.target is present. (Closed)
Patch Set: Created 4 years, 1 month ago
Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-blocked-when-target-cross-site-window.html
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-blocked-when-target-cross-site-window.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-blocked-when-target-cross-site-window.html
new file mode 100644
index 0000000000000000000000000000000000000000..1b2dfe864fc8a1e7c62859fbeb70e6abed963f9e
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-blocked-when-target-cross-site-window.html
@@ -0,0 +1,47 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="form-action 'none'">
+<script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ testRunner.setCanOpenWindows();
+ }
+
+ // Open a new window with the name matching form.target attribute below.
+ window.open(
+ 'http://localhost:8080/security/resources/empty.html',
+ 'namedCrossSiteWindow')
+
+ window.addEventListener('load', function() {
+ document.getElementById('theform').addEventListener('submit', function(e) {
+ console.log('submit event fired.');
+ });
+
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ }, 0);
+ });
+
+ document.addEventListener('securitypolicyviolation', function(e) {
+ console.log('securitypolicyviolation event fired.');
+ console.log('securitypolicyviolation_event.documentURI=' + e.documentURI);
+ console.log('securitypolicyviolation_event.blockedURI=' + e.blockedURI);
+ console.log('securitypolicyviolation_event.violatedDirective=' + e.violatedDirective);
+ setTimeout(function() {
+ testRunner.notifyDone();
+ }, 0);
+ });
+</script>
+</head>
+<body>
+ <form action='/navigation/resources/form-target.pl' id='theform'
+ method='post' target="namedCrossSiteWindow">
+ <input type='text' name='fieldname' value='fieldvalue'>
+ <input type='submit' id='submit' value='submit'>
+ </form>
+
+ <p>Tests that blocking form actions works correctly. If this test passes, you will see a console error, and will not see a page indicating a form was POSTed.</p>
+</body>
+</html>
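Review bot: `testRunner.notifyDone()` inside the securitypolicyviolation handler's setTimeout is called without the `window.testRunner` guard the script applies at the top, so opening the test in a plain browser throws a ReferenceError from that handler after the violation is logged; `if (window.testRunner) testRunner.notifyDone();` keeps the two spots consistent. That handler is also the only path that ends the test, so a regression in which no violation is dispatched would surface as a harness timeout rather than an explicit FAIL line; a comment on the listener making that explicit, such as `// No fallback: a missing violation event is reported as a timeout.`, would help the next reader of the expectations.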
