Block 'javascript:' navigation in the correct document.

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html

Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html
new file mode 100644
index 0000000000000000000000000000000000000000..41b80c9c475193163198e47056ac46adb7ba4baf
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/navigation/to-javascript-url.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'">
+
+<body>
+
+<script nonce="abc">
+  function assert_csp_event_for_element(test, element) {
+    assert_equals(typeof SecurityPolicyViolationEvent, "function", "These tests require 'SecurityPolicyViolationEvent'.");
+    document.addEventListener("securitypolicyviolation", test.step_func(e => {
+      if (e.target != element)
+        return;
+      assert_equals(e.blockedURI, "inline");
+      assert_equals(e.effectiveDirective, "script-src");
+      assert_equals(element.contentDocument.body.innerText, "", "Ensure that 'Fail' doesn't appear in the child document.");
+      element.remove();
+      test.done();
+    }));
+  }
+
+  function navigate_to_javascript_onload(test, iframe) {
+    iframe.addEventListener("load", test.step_func(e => {
+      assert_equals(typeof SecurityPolicyViolationEvent, "function");
+      iframe.contentDocument.addEventListener(
+        "securitypolicyviolation",
+        test.unreached_func("The CSP event should be fired in the embedding document, not in the embedee.")
+      );
+
+      iframe.src = "javascript:'Fail.'";
+    }));
+  }
+  
+  async_test(t => {
+    var i = document.createElement("iframe");
+    i.src = "javascript:'Fail.'";
+
+    assert_csp_event_for_element(t, i); 
+
+    document.body.appendChild(i);
+  }, "<iframe src='javascript:'> blocked without 'unsafe-inline'.");
+
+  async_test(t => {
+    var i = document.createElement("iframe");
+
+    assert_csp_event_for_element(t, i); 
+    navigate_to_javascript_onload(t, i);
+
+    document.body.appendChild(i);
+  }, "<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'.");
+
+  async_test(t => {
+    var i = document.createElement("iframe");
+    i.src = "/security/contentSecurityPolicy/resources/csp.php?csp=" + encodeURIComponent("script-src 'unsafe-inline'");
+
+    assert_csp_event_for_element(t, i); 
+    navigate_to_javascript_onload(t, i);
+
+    document.body.appendChild(i);
+  }, "<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document");
+ 
+  async_test(t => {
+    var i = document.createElement("iframe");
+    i.src = "/security/contentSecurityPolicy/resources/csp.php?csp=" + encodeURIComponent("script-src 'none'");
+
+    assert_csp_event_for_element(t, i); 
+    navigate_to_javascript_onload(t, i);
+
+    document.body.appendChild(i);
+  }, "<iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' blocked in this document.");
+</script>