| 1 <!DOCTYPE html> |
| 2 <html> |
| 3 <head> |
| 4 <script src="/resources/testharness.js"></script> |
| 5 <script src="/resources/testharnessreport.js"></script> |
| 6 <script src="/security/contentSecurityPolicy/resources/child-csp-test.js"></
script> |
| 7 </head> |
| 8 <body> |
| 9 <script> |
| 10 // Note that the origin for embedder is "http://127.0.0.1:8000". |
| 11 // The origin for the embedee is "http://localhost:8000". |
| 12 |
| 13 async_test(t => { |
| 14 required_csp = "img-src http://c.com:* http://b.com:*"; |
| 15 returned_csp = "img-src 'self' http://b.com:*"; |
| 16 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 17 injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "0"); |
| 18 }, "'self' is `localhost` in this case so iframe should be blocked."); |
| 19 |
| 20 async_test(t => { |
| 21 required_csp = "img-src http://localhost:8000 http://b.com:*"; |
| 22 returned_csp = "img-src 'self' http://b.com:*"; |
| 23 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 24 injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "2"); |
| 25 }, "'self' is `127.0.0.1` in this case so iframe should be blocked."); |
| 26 |
| 27 async_test(t => { |
| 28 required_csp = "img-src 'self' http://b.com:*"; |
| 29 returned_csp = "img-src 'self' http://b.com:*"; |
| 30 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 31 injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "4"); |
| 32 }, "Exact match of returned csp to required csp should load iframe."); |
| 33 |
| 34 async_test(t => { |
| 35 required_csp = "img-src 'self' http://b.com:*"; |
| 36 returned_csp = "img-src http://127.0.0.1:8000 http://b.com:*"; |
| 37 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 38 injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "4"); |
| 39 }, "'self' refers to `http://localhost:8000`."); |
| 40 |
| 41 async_test(t => { |
| 42 required_csp = "img-src http://localhost:499 http://localhost:8000 ht
tp://b.com:*"; |
| 43 returned_csp = "img-src 'self' http://b.com:*"; |
| 44 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 45 injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "5"); |
| 46 }, "Multiple sources with locahost should still allow iframe to load sin
ce it is more restrictive."); |
| 47 |
| 48 async_test(t => { |
| 49 required_csp = "img-src http://localhost.com:*"; |
| 50 returned_csp = "img-src 'self' http://b.com:*"; |
| 51 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 52 injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "6"); |
| 53 }, "Iframe's returned csp is less restrictive."); |
| 54 |
| 55 async_test(t => { |
| 56 required_csp = "img-src http://b.com:*"; |
| 57 returned_csp = "img-src 'self' http://b.com:*"; |
| 58 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 59 injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "7"); |
| 60 }, "Iframe's returned csp is again less restrictive."); |
| 61 |
| 62 async_test(t => { |
| 63 required_csp = "img-src https://localhost.com:* http://b.com:*"; |
| 64 returned_csp = "img-src 'self' http://b.com:*"; |
| 65 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 66 injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "8"); |
| 67 }, "Protocol of 'self' matches https:// of the required csp"); |
| 68 |
| 69 async_test(t => { |
| 70 required_csp = "img-src http://localhost.com:443 http://b.com:*"; |
| 71 returned_csp = "img-src 'self' http://b.com:*"; |
| 72 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 73 injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "9"); |
| 74 }, "Ports of 'self' have to match."); |
| 75 |
| 76 async_test(t => { |
| 77 required_csp = "img-src http://localhost:8000 http://b.com:*"; |
| 78 returned_csp1 = "img-src http://localhost:8000 http://b.com:8000"; |
| 79 returned_csp2 = "img-src 'self' http://b.com:*"; |
| 80 url = generateUrlWithCSPMultiple(CROSS_ORIGIN, returned_csp, returned_
csp2, null); |
| 81 injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "10"); |
| 82 }, "'self' can be matched to the actual origin."); |
| 83 |
| 84 async_test(t => { |
| 85 required_csp = "img-src http://localhost:8000 http://b.com:*"; |
| 86 returned_csp1 = "img-src https://b.com:8000 'self'"; |
| 87 returned_csp2 = "img-src http://localhost:8000 https://b.com:*"; |
| 88 url = generateUrlWithCSPMultiple(CROSS_ORIGIN, returned_csp, returned_
csp2, null); |
| 89 injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "11"); |
| 90 }, "'self' can be matched to the actual origin despite order."); |
| 91 |
| 92 async_test(t => { |
| 93 required_csp = "img-src http://localhost:8000 http://b.com:*"; |
| 94 returned_csp1 = "img-src https://b.com:8000 'self'"; |
| 95 returned_csp2 = "img-src http://localhost:4343 https://b.com:*"; |
| 96 url = generateUrlWithCSPMultiple(CROSS_ORIGIN, returned_csp, returned_
csp2, null); |
| 97 injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "12"); |
| 98 }, "'self' can be matched to the actual origin with the port."); |
| 99 |
| 100 async_test(t => { |
| 101 required_csp = "img-src http://localhost:8000 http://b.com:*"; |
| 102 returned_csp = "img-src http://localhost:8000 'self' http://b.com:*"; |
| 103 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 104 injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "13"); |
| 105 }, "Repetitions of sources should not influence subsumption ."); |
| 106 </script> |
| 107 </body> |
| 108 </html> |
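Review bot: The three `generateUrlWithCSPMultiple` calls (gutter lines 80, 88 and 96) pass `returned_csp` instead of the `returned_csp1` assigned two lines earlier, so the first policy sent is the stale implicit global left over from the preceding test and the multi-policy cases never exercise the policy they declare; each should read `url = generateUrlWithCSPMultiple(CROSS_ORIGIN, returned_csp1, returned_csp2, null);`. Declaring `required_csp`/`returned_csp*` with `const` inside each callback would have turned this slip into a ReferenceError instead of silently reusing the previous test's value. The description on gutter line 25 says the iframe should be blocked while the test asserts `EXPECT_LOAD` (the embedee's 'self' is `http://localhost:8000`, which the required policy lists), so it should read "'self' is `localhost:8000`, which the required CSP allows, so the iframe should load.". The scheme and port cases on gutter lines 63 and 70 use `localhost.com`, so the block they expect is already explained by the host mismatch and neither isolates the scheme or the port; `https://localhost:8000` and `http://localhost:443` would test what their descriptions claim. Two tests (gutter lines 38 and 45) also pass the same last argument `"4"`, which may collide if child-csp-test.js uses it as an element id — worth confirming.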