OLD | NEW |
---|---|
(Empty) | |
1 <!DOCTYPE html> | |
2 <script src="/resources/testharness.js"></script> | |
3 <script src="/resources/testharnessreport.js"></script> | |
4 | |
5 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'"> | |
6 | |
7 <body> | |
8 <iframe src="http://clients1.google.com/generate_204"></iframe> | |
foolip
2016/11/11 09:39:40
Should this really be here? None of the tests seem
| |
9 <iframe src="file:///etc/passwords"></iframe> | |
10 <script nonce="abc"> | |
11 function assert_csp_event_for_element(test, element) { | |
12 assert_equals(typeof SecurityPolicyViolationEvent, "function", "These tests require 'SecurityPolicyViolationEvent'."); | |
13 document.addEventListener("securitypolicyviolation", test.step_func(e => { | |
14 if (e.target != element) | |
15 return; | |
16 assert_equals(e.blockedURI, "inline"); | |
17 assert_equals(e.effectiveDirective, "script-src"); | |
18 assert_equals(element.contentDocument.body.innerText, "", "Ensure that 'Fa il' doesn't appear in the child document."); | |
19 element.remove(); | |
20 test.done(); | |
21 })); | |
22 } | |
23 | |
24 function navigate_to_javascript_onload(test, iframe) { | |
25 iframe.addEventListener("load", test.step_func(e => { | |
26 assert_equals(typeof SecurityPolicyViolationEvent, "function"); | |
27 iframe.contentDocument.addEventListener( | |
28 "securitypolicyviolation", | |
29 test.unreached_func("The CSP event should be fired in the embedding docu ment, not in the embedee.") | |
30 ); | |
31 | |
32 iframe.setAttribute("src", "javascript:'Fail.'"); | |
foolip
2016/11/11 09:39:40
iframe.src?
| |
33 })); | |
34 } | |
35 | |
36 async_test(t => { | |
37 var i = document.createElement("iframe"); | |
38 i.src = "javascript:'Fail.'"; | |
39 i.id = "explicit-src"; | |
foolip
2016/11/11 09:39:40
Are the IDs used anywhere?
| |
40 | |
41 assert_csp_event_for_element(t, i); | |
42 | |
43 document.body.appendChild(i); | |
44 }, "<iframe src='javascript:'> blocked without 'unsafe-inline'."); | |
45 | |
46 async_test(t => { | |
47 var i = document.createElement("iframe"); | |
48 i.id = "no-src"; | |
49 | |
50 assert_csp_event_for_element(t, i); | |
51 navigate_to_javascript_onload(t, i); | |
52 | |
53 document.body.appendChild(i); | |
54 }, "<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'."); | |
55 | |
56 async_test(t => { | |
57 var i = document.createElement("iframe"); | |
58 i.src = "/security/contentSecurityPolicy/resources/csp.php?csp=" + encodeURI Component("script-src 'unsafe-inline'"); | |
59 i.id = "src-with-unsafe-inline"; | |
60 | |
61 assert_csp_event_for_element(t, i); | |
62 navigate_to_javascript_onload(t, i); | |
63 | |
64 document.body.appendChild(i); | |
65 }, "<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document"); | |
66 | |
67 async_test(t => { | |
68 var i = document.createElement("iframe"); | |
69 i.src = "/security/contentSecurityPolicy/resources/csp.php?csp=" + encodeURI Component("script-src 'none'"); | |
70 i.id = "src-without-unsafe-inline"; | |
71 | |
72 assert_csp_event_for_element(t, i); | |
73 navigate_to_javascript_onload(t, i); | |
74 | |
75 document.body.appendChild(i); | |
76 }, "<iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' bloc ked in this document."); | |
77 </script> | |
OLD | NEW |