
Side by Side Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-protocols-paths.html

Issue 2526473005: Part 4.1: Is policy list subsumed under subsuming policy? (Closed)
Patch Set: Rebasing on master Created 4 years ago
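--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-protocols-paths.html
@@ -0,0 +1,125 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/security/contentSecurityPolicy/resources/child-csp-test.js"></ script>
+</head>
+<body>
+<script>
+//
+// Protocols
+//
+async_test(t => {
+required_csp = "img-src http://c.com:* https://b.com";
+returned_csp = "img-src http://b.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "0");
+}, "https is more restrictive than http.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* http://b.com";
+returned_csp = "img-src https://b.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "1");
+}, "The reverse allows iframe be to be loaded.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* https://b.com";
+returned_csp = "img-src https://b.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "2");
+}, "Matching https protocols.");
+
+//
+// Paths
+//
+async_test(t => {
+required_csp = "img-src http://c.com:* http://b.com/example.com";
+returned_csp = "img-src http://b.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "3");
+}, "Returned CSP has a specific path.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* http://b.com";
+returned_csp = "img-src http://b.com/example.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "4");
+}, "Returned CSP is more specific.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* http://b.com/example.com";
+returned_csp = "img-src http://b.com/example.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "5");
+}, "Matching paths.");
+
+async_test(t => {
+required_csp = "img-src http://c.com:* https://b.com/example.com";
+returned_csp = "img-src http://b.com/example.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "6");
+}, "Matching paths but not protocols.");
+
+async_test(t => {
+required_csp = "img-src http://b.com/page1.com http://b.com/page2.com http://b.com/page3.com";
+returned_csp = "img-src http://b.com/";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "7");
+}, "Returned CSP is less restrictive in paths.");
+
+async_test(t => {
+required_csp = "img-src http://b.com/page1.com http://b.com/page2.com http://b.com/page3.com";
+returned_csp = "img-src http://b.com/page2.com http://b.com/page3.com http://b.com/page1.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "8");
+}, "All specific paths match except the order.");
+
+async_test(t => {
+required_csp = "img-src http://b.com/page1.com http://b.com/page2.com http://b.com/page3.com";
+returned_csp = "img-src http://b.com/page2.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "9");
+}, "Returned CSP allows only one path.");
+
+//
+// Mixed
+//
+async_test(t => {
+required_csp = "img-src https://b.com/page1.com http://b.com/page2.com http://b.com/page3.com";
+returned_csp = "img-src https://b.com/page2.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "10");
+}, "Returned CSP allows only one path with stricter protocol.");
+
+async_test(t => {
+required_csp = "img-src http://b.com/page1.com https://b.com/page2.com http://b.com/page3.com";
+returned_csp = "img-src http://b.com/page2.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "11");
+}, "Returned CSP allows only one path with less stricter protocol.");
+
+async_test(t => {
+required_csp = "img-src https://*";
+returned_csp = "img-src https://b.com/page2.com";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "12");
+}, "Specified protocol should match any domain with that protocol.");
+
+async_test(t => {
+required_csp = "img-src https://*";
+returned_csp = "img-src https://*";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "13");
+}, "Equal policies with protocols and host wildcards.");
+
+async_test(t => {
+required_csp = "img-src https://b.com";
+returned_csp = "img-src https://*";
+url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "14");
+}, "Returned CSP allows any https resources.");
+</script>
+</body>
+</html>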
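Review bot: Line 6 as rendered closes the child-csp-test.js include with `</ script>`; the HTML tokenizer only recognizes an end tag when `</` is immediately followed by a letter, so if the committed file really contains that space the script element stays open, the inline block from line 9 onward becomes inert script text, and no test runs — please confirm the source reads `</script>`. The test bodies also assign `required_csp`, `returned_csp` and `url` without a declaration, making them implicit globals shared by every callback; `const required_csp = ...` (and likewise for the other two) keeps each case self-contained. The path cases only use exact-file paths, and since a CSP path ending in `/` is matched as a prefix, a pair such as required `img-src http://b.com/dir/` with returned `img-src http://b.com/dir/file` (EXPECT_LOAD) and the reverse (EXPECT_BLOCK) would exercise that branch of the subsumption check. Two description strings could be tidied while here: "allows iframe be to be loaded" and "less stricter protocol".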
