Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(13)

Side by Side Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html

Issue 2490943002: Block 'javascript:' navigation in the correct document. (Closed)
Patch Set: remove redundant tests Created 4 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
(Empty)
1 <!DOCTYPE html>
2 <script src="/resources/testharness.js"></script>
3 <script src="/resources/testharnessreport.js"></script>
4
5 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'">
6
7 <body>
8 <iframe src="http://clients1.google.com/generate_204"></iframe>
foolip 2016/11/11 09:39:40 Should this really be here? None of the tests seem
9 <iframe src="file:///etc/passwords"></iframe>
10 <script nonce="abc">
11 function assert_csp_event_for_element(test, element) {
12 assert_equals(typeof SecurityPolicyViolationEvent, "function", "These tests require 'SecurityPolicyViolationEvent'.");
13 document.addEventListener("securitypolicyviolation", test.step_func(e => {
14 if (e.target != element)
15 return;
16 assert_equals(e.blockedURI, "inline");
17 assert_equals(e.effectiveDirective, "script-src");
18 assert_equals(element.contentDocument.body.innerText, "", "Ensure that 'Fa il' doesn't appear in the child document.");
19 element.remove();
20 test.done();
21 }));
22 }
23
24 function navigate_to_javascript_onload(test, iframe) {
25 iframe.addEventListener("load", test.step_func(e => {
26 assert_equals(typeof SecurityPolicyViolationEvent, "function");
27 iframe.contentDocument.addEventListener(
28 "securitypolicyviolation",
29 test.unreached_func("The CSP event should be fired in the embedding docu ment, not in the embedee.")
30 );
31
32 iframe.setAttribute("src", "javascript:'Fail.'");
foolip 2016/11/11 09:39:40 iframe.src?
33 }));
34 }
35
36 async_test(t => {
37 var i = document.createElement("iframe");
38 i.src = "javascript:'Fail.'";
39 i.id = "explicit-src";
foolip 2016/11/11 09:39:40 Are the IDs used anywhere?
40
41 assert_csp_event_for_element(t, i);
42
43 document.body.appendChild(i);
44 }, "<iframe src='javascript:'> blocked without 'unsafe-inline'.");
45
46 async_test(t => {
47 var i = document.createElement("iframe");
48 i.id = "no-src";
49
50 assert_csp_event_for_element(t, i);
51 navigate_to_javascript_onload(t, i);
52
53 document.body.appendChild(i);
54 }, "<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'.");
55
56 async_test(t => {
57 var i = document.createElement("iframe");
58 i.src = "/security/contentSecurityPolicy/resources/csp.php?csp=" + encodeURI Component("script-src 'unsafe-inline'");
59 i.id = "src-with-unsafe-inline";
60
61 assert_csp_event_for_element(t, i);
62 navigate_to_javascript_onload(t, i);
63
64 document.body.appendChild(i);
65 }, "<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document");
66
67 async_test(t => {
68 var i = document.createElement("iframe");
69 i.src = "/security/contentSecurityPolicy/resources/csp.php?csp=" + encodeURI Component("script-src 'none'");
70 i.id = "src-without-unsafe-inline";
71
72 assert_csp_event_for_element(t, i);
73 navigate_to_javascript_onload(t, i);
74
75 document.body.appendChild(i);
76 }, "<iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' bloc ked in this document.");
77 </script>
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698