Block 'javascript:' navigation in the correct document.

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html

Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html
new file mode 100644
index 0000000000000000000000000000000000000000..e2574584ecf15aac2f66a20f10a0a4ac1a59829e
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html
@@ -0,0 +1,77 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'">
+
+<body>
+  <iframe src="http://clients1.google.com/generate_204"></iframe>

[foolip, 2016/11/11 09:39:40]

Should this really be here? None of the tests seem to poke at it.

+  <iframe src="file:///etc/passwords"></iframe>
+<script nonce="abc">
+  function assert_csp_event_for_element(test, element) {
+    assert_equals(typeof SecurityPolicyViolationEvent, "function", "These tests require 'SecurityPolicyViolationEvent'.");
+    document.addEventListener("securitypolicyviolation", test.step_func(e => {
+      if (e.target != element)
+        return;
+      assert_equals(e.blockedURI, "inline");
+      assert_equals(e.effectiveDirective, "script-src");
+      assert_equals(element.contentDocument.body.innerText, "", "Ensure that 'Fail' doesn't appear in the child document.");
+      element.remove();
+      test.done();
+    }));
+  }
+
+  function navigate_to_javascript_onload(test, iframe) {
+    iframe.addEventListener("load", test.step_func(e => {
+      assert_equals(typeof SecurityPolicyViolationEvent, "function");
+      iframe.contentDocument.addEventListener(
+        "securitypolicyviolation",
+        test.unreached_func("The CSP event should be fired in the embedding document, not in the embedee.")
+      );
+
+      iframe.setAttribute("src", "javascript:'Fail.'");

[foolip, 2016/11/11 09:39:40]

iframe.src?

+    }));
+  }
+  
+  async_test(t => {
+    var i = document.createElement("iframe");
+    i.src = "javascript:'Fail.'";
+    i.id = "explicit-src";

[foolip, 2016/11/11 09:39:40]

Are the IDs used anywhere?

+
+    assert_csp_event_for_element(t, i); 
+
+    document.body.appendChild(i);
+  }, "<iframe src='javascript:'> blocked without 'unsafe-inline'.");
+
+  async_test(t => {
+    var i = document.createElement("iframe");
+    i.id = "no-src";
+
+    assert_csp_event_for_element(t, i); 
+    navigate_to_javascript_onload(t, i);
+
+    document.body.appendChild(i);
+  }, "<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'.");
+
+  async_test(t => {
+    var i = document.createElement("iframe");
+    i.src = "/security/contentSecurityPolicy/resources/csp.php?csp=" + encodeURIComponent("script-src 'unsafe-inline'");
+    i.id = "src-with-unsafe-inline";
+
+    assert_csp_event_for_element(t, i); 
+    navigate_to_javascript_onload(t, i);
+
+    document.body.appendChild(i);
+  }, "<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document");
+ 
+  async_test(t => {
+    var i = document.createElement("iframe");
+    i.src = "/security/contentSecurityPolicy/resources/csp.php?csp=" + encodeURIComponent("script-src 'none'");
+    i.id = "src-without-unsafe-inline";
+
+    assert_csp_event_for_element(t, i); 
+    navigate_to_javascript_onload(t, i);
+
+    document.body.appendChild(i);
+  }, "<iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' blocked in this document.");
+</script>