Block 'javascript:' navigation in the correct document.

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html

Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html
new file mode 100644
index 0000000000000000000000000000000000000000..715e9c2d017c46d053ce0d5f5258b3e71492c64a
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html
@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'">
+<body>
+<script nonce="abc">
+  function assert_csp_event_for_element(test, element) {
+    document.addEventListener("securitypolicyviolation", test.step_func(e => {
+      if (e.target != element)
+        return;
+      assert_equals(e.blockedURI, "inline");
+      assert_equals(e.effectiveDirective, "script-src");
+      assert_equals(element.contentDocument.body.innerText, "");

[foolip, 2016/11/10 09:25:01]

What's this checking? That it's still the about:blank document?

[Mike West, 2016/11/10 12:44:52]

We navigate the document to `javascript:'Fail.'` (see line 25, for instance). If
that navigation succeeds, then `'Fail.'` will be executed, resolved as a string,
and we'll end up navigating to a synthesized response that contains that string
(see
https://html.spec.whatwg.org/multipage/browsers.html#navigating-across-docume...
(yes, this is bonkers and I'd love to burn it to the ground. Yay web.)).

Examining the text content of the document seems like a good way of validating
that that process hasn't happened.

[foolip, 2016/11/11 09:39:40]

OK, thanks for documenting.

+      element.parentNode.removeChild(element);

[foolip, 2016/11/10 09:25:01]

element.remove()

[Mike West, 2016/11/10 12:44:52]

Oh. Huh. :)

+      test.done();
+    }));
+  }
+
+  async_test(t => {
+    var i = document.createElement("iframe");
+
+    assert_csp_event_for_element(t, i); 
+
+    i.src = "javascript:'Fail.'";
+    document.body.appendChild(i);
+  }, "<iframe src='javascript:'> blocked without 'unsafe-inline'.");
+
+  async_test(t => {
+    var i = document.createElement("iframe");
+
+    assert_csp_event_for_element(t, i); 
+
+    i.onload = _ => { i.src = "javascript:'Fail.'"; }
+    document.body.appendChild(i);
+  }, "<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'.");
+
+  async_test(t => {
+    var i = document.createElement("iframe");
+
+    assert_csp_event_for_element(t, i); 
+
+    i.src = "/security/contentSecurityPolicy/resources/csp.php?csp=" + encodeURIComponent("script-src 'unsafe-inline'");
+    i.onload = _ => { i.src = "javascript:'Fail.'"; }
+    document.body.appendChild(i);
+  }, "<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document");
+ 
+  async_test(t => {
+    var i = document.createElement("iframe");
+
+    assert_csp_event_for_element(t, i); 
+
+    i.src = "/security/contentSecurityPolicy/resources/csp.php?csp=" + encodeURIComponent("script-src 'none'");
+    i.onload = _ => { i.src = "javascript:'Fail.'"; }
+    document.body.appendChild(i);
+  }, "<iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' blocked in this document.");
+</script>