Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html |
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html |
new file mode 100644 |
index 0000000000000000000000000000000000000000..e2574584ecf15aac2f66a20f10a0a4ac1a59829e |
--- /dev/null |
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html |
@@ -0,0 +1,77 @@ |
+<!DOCTYPE html> |
+<script src="/resources/testharness.js"></script> |
+<script src="/resources/testharnessreport.js"></script> |
+ |
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'"> |
+ |
+<body> |
+ <iframe src="http://clients1.google.com/generate_204"></iframe> |
foolip
2016/11/11 09:39:40
Should this really be here? None of the tests seem
|
+ <iframe src="file:///etc/passwords"></iframe> |
+<script nonce="abc"> |
+ function assert_csp_event_for_element(test, element) { |
+ assert_equals(typeof SecurityPolicyViolationEvent, "function", "These tests require 'SecurityPolicyViolationEvent'."); |
+ document.addEventListener("securitypolicyviolation", test.step_func(e => { |
+ if (e.target != element) |
+ return; |
+ assert_equals(e.blockedURI, "inline"); |
+ assert_equals(e.effectiveDirective, "script-src"); |
+ assert_equals(element.contentDocument.body.innerText, "", "Ensure that 'Fail' doesn't appear in the child document."); |
+ element.remove(); |
+ test.done(); |
+ })); |
+ } |
+ |
+ function navigate_to_javascript_onload(test, iframe) { |
+ iframe.addEventListener("load", test.step_func(e => { |
+ assert_equals(typeof SecurityPolicyViolationEvent, "function"); |
+ iframe.contentDocument.addEventListener( |
+ "securitypolicyviolation", |
+ test.unreached_func("The CSP event should be fired in the embedding document, not in the embedee.") |
+ ); |
+ |
+ iframe.setAttribute("src", "javascript:'Fail.'"); |
foolip
2016/11/11 09:39:40
iframe.src?
|
+ })); |
+ } |
+ |
+ async_test(t => { |
+ var i = document.createElement("iframe"); |
+ i.src = "javascript:'Fail.'"; |
+ i.id = "explicit-src"; |
foolip
2016/11/11 09:39:40
Are the IDs used anywhere?
|
+ |
+ assert_csp_event_for_element(t, i); |
+ |
+ document.body.appendChild(i); |
+ }, "<iframe src='javascript:'> blocked without 'unsafe-inline'."); |
+ |
+ async_test(t => { |
+ var i = document.createElement("iframe"); |
+ i.id = "no-src"; |
+ |
+ assert_csp_event_for_element(t, i); |
+ navigate_to_javascript_onload(t, i); |
+ |
+ document.body.appendChild(i); |
+ }, "<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'."); |
+ |
+ async_test(t => { |
+ var i = document.createElement("iframe"); |
+ i.src = "/security/contentSecurityPolicy/resources/csp.php?csp=" + encodeURIComponent("script-src 'unsafe-inline'"); |
+ i.id = "src-with-unsafe-inline"; |
+ |
+ assert_csp_event_for_element(t, i); |
+ navigate_to_javascript_onload(t, i); |
+ |
+ document.body.appendChild(i); |
+ }, "<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document"); |
+ |
+ async_test(t => { |
+ var i = document.createElement("iframe"); |
+ i.src = "/security/contentSecurityPolicy/resources/csp.php?csp=" + encodeURIComponent("script-src 'none'"); |
+ i.id = "src-without-unsafe-inline"; |
+ |
+ assert_csp_event_for_element(t, i); |
+ navigate_to_javascript_onload(t, i); |
+ |
+ document.body.appendChild(i); |
+ }, "<iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' blocked in this document."); |
+</script> |
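Review bot: The "load" handler in navigate_to_javascript_onload (the addEventListener at the line `iframe.addEventListener("load", test.step_func(e => {`) is registered permanently and re-navigates the frame on every load, so if the javascript: navigation is ever not blocked, the resulting 'Fail.' document fires load again, the handler sets src again, and the test spins until the harness timeout instead of failing on an assertion; the `innerText === ""` check only runs inside the violation handler. Registering the handler once, `iframe.addEventListener("load", test.step_func(e => { ... }), { once: true });`, or clearing it after the navigation is issued, would make a regression surface as a clean failure. Relatedly, the document-level "securitypolicyviolation" listener added in assert_csp_event_for_element is never removed after `test.done()`; it is harmless here because `element.remove()` means later events cannot match `e.target`, but the comparison on the following line would read better as `if (e.target !== element)`. The three checks against `typeof SecurityPolicyViolationEvent` could also be hoisted into a single `setup()` assertion at the top of the script rather than repeated per helper.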