| 1 <!DOCTYPE html> | |
| 2 <script src="/resources/testharness.js"></script> | |
| 3 <script src="/resources/testharnessreport.js"></script> | |
| 4 | |
| 5 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'"> | |
| 6 | |
| 7 <body> | |
| 8 <iframe src="http://clients1.google.com/generate_204"></iframe> | |
|
foolip
2016/11/11 09:39:40
Should this really be here? None of the tests seem
| |
| 9 <iframe src="file:///etc/passwords"></iframe> | |
| 10 <script nonce="abc"> | |
| 11 function assert_csp_event_for_element(test, element) { | |
| 12 assert_equals(typeof SecurityPolicyViolationEvent, "function", "These tests require 'SecurityPolicyViolationEvent'."); | |
| 13 document.addEventListener("securitypolicyviolation", test.step_func(e => { | |
| 14 if (e.target != element) | |
| 15 return; | |
| 16 assert_equals(e.blockedURI, "inline"); | |
| 17 assert_equals(e.effectiveDirective, "script-src"); | |
| 18 assert_equals(element.contentDocument.body.innerText, "", "Ensure that 'Fa il' doesn't appear in the child document."); | |
| 19 element.remove(); | |
| 20 test.done(); | |
| 21 })); | |
| 22 } | |
| 23 | |
| 24 function navigate_to_javascript_onload(test, iframe) { | |
| 25 iframe.addEventListener("load", test.step_func(e => { | |
| 26 assert_equals(typeof SecurityPolicyViolationEvent, "function"); | |
| 27 iframe.contentDocument.addEventListener( | |
| 28 "securitypolicyviolation", | |
| 29 test.unreached_func("The CSP event should be fired in the embedding docu ment, not in the embedee.") | |
| 30 ); | |
| 31 | |
| 32 iframe.setAttribute("src", "javascript:'Fail.'"); | |
|
foolip
2016/11/11 09:39:40
iframe.src?
| |
| 33 })); | |
| 34 } | |
| 35 | |
| 36 async_test(t => { | |
| 37 var i = document.createElement("iframe"); | |
| 38 i.src = "javascript:'Fail.'"; | |
| 39 i.id = "explicit-src"; | |
|
foolip
2016/11/11 09:39:40
Are the IDs used anywhere?
| |
| 40 | |
| 41 assert_csp_event_for_element(t, i); | |
| 42 | |
| 43 document.body.appendChild(i); | |
| 44 }, "<iframe src='javascript:'> blocked without 'unsafe-inline'."); | |
| 45 | |
| 46 async_test(t => { | |
| 47 var i = document.createElement("iframe"); | |
| 48 i.id = "no-src"; | |
| 49 | |
| 50 assert_csp_event_for_element(t, i); | |
| 51 navigate_to_javascript_onload(t, i); | |
| 52 | |
| 53 document.body.appendChild(i); | |
| 54 }, "<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'."); | |
| 55 | |
| 56 async_test(t => { | |
| 57 var i = document.createElement("iframe"); | |
| 58 i.src = "/security/contentSecurityPolicy/resources/csp.php?csp=" + encodeURI Component("script-src 'unsafe-inline'"); | |
| 59 i.id = "src-with-unsafe-inline"; | |
| 60 | |
| 61 assert_csp_event_for_element(t, i); | |
| 62 navigate_to_javascript_onload(t, i); | |
| 63 | |
| 64 document.body.appendChild(i); | |
| 65 }, "<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document"); | |
| 66 | |
| 67 async_test(t => { | |
| 68 var i = document.createElement("iframe"); | |
| 69 i.src = "/security/contentSecurityPolicy/resources/csp.php?csp=" + encodeURI Component("script-src 'none'"); | |
| 70 i.id = "src-without-unsafe-inline"; | |
| 71 | |
| 72 assert_csp_event_for_element(t, i); | |
| 73 navigate_to_javascript_onload(t, i); | |
| 74 | |
| 75 document.body.appendChild(i); | |
| 76 }, "<iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' bloc ked in this document."); | |
| 77 </script> | |
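Review bot: The position of the CSP `<meta>` on line 5, after the two testharness `<script>` tags on lines 2–3, is load-bearing and undocumented: those scripts carry no `nonce="abc"`, so moving the meta above them (the conventional head-first placement a later editor might reach for) would have the `script-src 'nonce-abc'` policy in force before they are parsed and block them. Add a comment before line 5 such as `<!-- Must follow the testharness scripts: they have no nonce and would be blocked once this policy is enforced. -->`. Separately, the `file:///etc/passwords` iframe on line 9 plays no role in the tests below that I can see and presumably belongs with the line-8 leftover already queried; if it is intentional, a one-line comment stating what it exercises would help. The `securitypolicyviolation` listener in `assert_csp_event_for_element` (line 13) is attached to `document` once per test and never removed, which is harmless only because each handler filters on `e.target` — worth a short comment so the next reader does not have to work that out.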