Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html |
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html |
new file mode 100644 |
index 0000000000000000000000000000000000000000..715e9c2d017c46d053ce0d5f5258b3e71492c64a |
--- /dev/null |
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html |
@@ -0,0 +1,57 @@ |
+<!DOCTYPE html> |
+<script src="/resources/testharness.js"></script> |
+<script src="/resources/testharnessreport.js"></script> |
+ |
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'"> |
+<body> |
+<script nonce="abc"> |
+ function assert_csp_event_for_element(test, element) { |
+ document.addEventListener("securitypolicyviolation", test.step_func(e => { |
+ if (e.target != element) |
+ return; |
+ assert_equals(e.blockedURI, "inline"); |
+ assert_equals(e.effectiveDirective, "script-src"); |
+ assert_equals(element.contentDocument.body.innerText, ""); |
foolip
2016/11/10 09:25:01
What's this checking? That it's still the about:bl
Mike West
2016/11/10 12:44:52
We navigate the document to `javascript:'Fail.'` (
foolip
2016/11/11 09:39:40
OK, thanks for documenting.
|
+ element.parentNode.removeChild(element); |
foolip
2016/11/10 09:25:01
element.remove()
Mike West
2016/11/10 12:44:52
Oh. Huh. :)
|
+ test.done(); |
+ })); |
+ } |
+ |
+ async_test(t => { |
+ var i = document.createElement("iframe"); |
+ |
+ assert_csp_event_for_element(t, i); |
+ |
+ i.src = "javascript:'Fail.'"; |
+ document.body.appendChild(i); |
+ }, "<iframe src='javascript:'> blocked without 'unsafe-inline'."); |
+ |
+ async_test(t => { |
+ var i = document.createElement("iframe"); |
+ |
+ assert_csp_event_for_element(t, i); |
+ |
+ i.onload = _ => { i.src = "javascript:'Fail.'"; } |
+ document.body.appendChild(i); |
+ }, "<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'."); |
+ |
+ async_test(t => { |
+ var i = document.createElement("iframe"); |
+ |
+ assert_csp_event_for_element(t, i); |
+ |
+ i.src = "/security/contentSecurityPolicy/resources/csp.php?csp=" + encodeURIComponent("script-src 'unsafe-inline'"); |
+ i.onload = _ => { i.src = "javascript:'Fail.'"; } |
+ document.body.appendChild(i); |
+ }, "<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document"); |
+ |
+ async_test(t => { |
+ var i = document.createElement("iframe"); |
+ |
+ assert_csp_event_for_element(t, i); |
+ |
+ i.src = "/security/contentSecurityPolicy/resources/csp.php?csp=" + encodeURIComponent("script-src 'none'"); |
+ i.onload = _ => { i.src = "javascript:'Fail.'"; } |
+ document.body.appendChild(i); |
+ }, "<iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' blocked in this document."); |
+</script> |
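Review bot: The `onload` handlers at `i.onload = _ => { i.src = "javascript:'Fail.'"; }` (second, third and fourth tests) stay installed after they trigger the `javascript:` navigation, so if that navigation is ever allowed the resulting load re-runs the handler and re-navigates, and the regression shows up as a harness timeout instead of an assertion failure. Replacing the handler before navigating makes the failure explicit, e.g. `i.onload = t.unreached_func("javascript: URL was executed"); i.src = "javascript:'Fail.'";` — assuming a blocked `javascript:` navigation does not itself fire `load`, which is worth confirming against the implementation. The `innerText === ""` check in `assert_csp_event_for_element` also presumes the csp.php resource loaded by the last two tests has an empty body; if it does not, those tests would fail for the wrong reason, so a comment such as `// csp.php must serve an empty body: innerText is compared against ""` (or an explicit `assert_false(innerText.includes("Fail."))`) would make the intent clearer. Finally, the listener registered on `document` is never removed after `test.done()`, so each test leaves one behind; harmless here because of the `e.target` filter, but worth a one-line comment.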