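--- /dev/null
+++ b/PLACEHOLDER_PATH
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'">
+
+<body>
+
+<script nonce="abc">
+function assert_csp_event_for_element(test, element) {
+assert_equals(typeof SecurityPolicyViolationEvent, "function", "These tests require 'SecurityPolicyViolationEvent'.");
+document.addEventListener("securitypolicyviolation", test.step_func(e => {
+if (e.target != element)
+return;
+assert_equals(e.blockedURI, "inline");
+assert_equals(e.effectiveDirective, "script-src");
+assert_equals(element.contentDocument.body.innerText, "", "Ensure that 'Fail' doesn't appear in the child document.");
+element.remove();
+test.done();
+}));
+}
+
+function navigate_to_javascript_onload(test, iframe) {
+iframe.addEventListener("load", test.step_func(e => {
+assert_equals(typeof SecurityPolicyViolationEvent, "function");
+iframe.contentDocument.addEventListener(
+"securitypolicyviolation",
+test.unreached_func("The CSP event should be fired in the embedding document, not in the embedee.")
+);
+
+iframe.src = "javascript:'Fail.'";
+}));
+}
+
+async_test(t => {
+var i = document.createElement("iframe");
+i.src = "javascript:'Fail.'";
+
+assert_csp_event_for_element(t, i);
+
+document.body.appendChild(i);
+}, "<iframe src='javascript:'> blocked without 'unsafe-inline'.");
+
+async_test(t => {
+var i = document.createElement("iframe");
+
+assert_csp_event_for_element(t, i);
+navigate_to_javascript_onload(t, i);
+
+document.body.appendChild(i);
+}, "<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'.");
+
+async_test(t => {
+var i = document.createElement("iframe");
+i.src = "/security/contentSecurityPolicy/resources/csp.php?csp=" + encodeURIComponent("script-src 'unsafe-inline'");
+
+assert_csp_event_for_element(t, i);
+navigate_to_javascript_onload(t, i);
+
+document.body.appendChild(i);
+}, "<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document");
+
+async_test(t => {
+var i = document.createElement("iframe");
+i.src = "/security/contentSecurityPolicy/resources/csp.php?csp=" + encodeURIComponent("script-src 'none'");
+
+assert_csp_event_for_element(t, i);
+navigate_to_javascript_onload(t, i);
+
+document.body.appendChild(i);
+}, "<iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' blocked in this document.");
+</script>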
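Review bot: The `load` handler registered in `navigate_to_javascript_onload` (new lines 24-32) is not one-shot, so if the frame fires `load` a second time — whether a blocked `javascript:` navigation does so is browser-dependent and not established by this test — the handler reassigns `src` and stacks another `unreached_func` listener on the child document, which could re-navigate or mask the single violation the test is meant to observe. Passing the options argument, `iframe.addEventListener("load", test.step_func(e => { ... }), { once: true });`, pins each test to exactly one `javascript:` navigation. The target filter in `assert_csp_event_for_element` (new line 13) uses loose inequality, `if (e.target != element)`; `!==` is the idiom when both operands are objects and avoids coercion surprises. The four tests also declare the frame with `var i`; `const i` would match the arrow-function style used in the rest of the script.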