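--- /dev/null
+++ b/PATH-UNKNOWN
@@ -0,0 +1,125 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/security/contentSecurityPolicy/resources/child-csp-test.js"></script>
+</head>
+<body>
+<script>
+//
+// Protocols
+//
+async_test(t => {
+required_csp = "img-src http://c.com:* https://b.com";
+returned_csp = "img-src http://b.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "0");
+}, "https is more restrictive than http.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* http://b.com";
+returned_csp = "img-src https://b.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "1");
+}, "The reverse allows iframe be to be loaded.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* https://b.com";
+returned_csp = "img-src https://b.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "2");
+}, "Matching https protocols.");
+
+//
+// Paths
+//
+async_test(t => {
+required_csp = "img-src http://c.com:* http://b.com/example.com";
+returned_csp = "img-src http://b.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "3");
+}, "Returned CSP has a specific path.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* http://b.com";
+returned_csp = "img-src http://b.com/example.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "4");
+}, "Returned CSP is more specific.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* http://b.com/example.com";
+returned_csp = "img-src http://b.com/example.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "5");
+}, "Matching paths.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* https://b.com/example.com";
+returned_csp = "img-src http://b.com/example.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "6");
+}, "Matching paths but not protocols.");
+
+async_test(t => {
+required_csp = "img-src http://b.com/page1.com http://b.com/page2.com http://b.com/page3.com";
+returned_csp = "img-src http://b.com/";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "7");
+}, "Returned CSP is less restrictive in paths.");
+
+async_test(t => {
+required_csp = "img-src http://b.com/page1.com http://b.com/page2.com http://b.com/page3.com";
+returned_csp = "img-src http://b.com/page2.com http://b.com/page3.com http://b.com/page1.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "8");
+}, "All specific paths match except the order.");
+
+async_test(t => {
+required_csp = "img-src http://b.com/page1.com http://b.com/page2.com http://b.com/page3.com";
+returned_csp = "img-src http://b.com/page2.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "9");
+}, "Returned CSP allows only one path.");
+
+//
+// Mixed
+//
+async_test(t => {
+required_csp = "img-src https://b.com/page1.com http://b.com/page2.com http://b.com/page3.com";
+returned_csp = "img-src https://b.com/page2.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "10");
+}, "Returned CSP allows only one path with stricter protocol.");
+
+async_test(t => {
+required_csp = "img-src http://b.com/page1.com https://b.com/page2.com http://b.com/page3.com";
+returned_csp = "img-src http://b.com/page2.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "11");
+}, "Returned CSP allows only one path with less stricter protocol.");
+
+async_test(t => {
+required_csp = "img-src https://*";
+returned_csp = "img-src https://b.com/page2.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "12");
+}, "Specified protocol should match any domain with that protocol.");
+
+async_test(t => {
+required_csp = "img-src https://*";
+returned_csp = "img-src https://*";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "13");
+}, "Equal policies with protocols and host wildcards.");
+
+async_test(t => {
+required_csp = "img-src https://b.com";
+returned_csp = "img-src https://*";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "14");
+}, "Returned CSP allows any https resources.");
+</script>
+</body>
+</html>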
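Review bot: `required_csp`, `returned_csp` and `url` are assigned without any declaration in every async_test callback (first at new-file lines 14–16), so they become implicit globals shared by all fifteen cases; that appears to work only because each callback runs to completion before the next one starts, and it would throw a ReferenceError if the script were ever placed under strict mode. Declaring them per case, `const required_csp = ...;`, `const returned_csp = ...;`, `const url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);`, keeps each case self-contained. Separately, `http://c.com:*` is carried in the required policy of cases 0–6 but no returned policy ever names a c.com source, so the port-wildcard side of the subsumption check is never exercised; a case with a returned `img-src http://c.com:8080` against that required policy, expecting a load, would cover it. The description of case 11 reads `less stricter protocol`; `less strict protocol` is the intended wording.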