OLD | NEW |
(Empty) | |
| 1 <!DOCTYPE html> |
| 2 <html> |
| 3 <head> |
| 4 <script src="/resources/testharness.js"></script> |
| 5 <script src="/resources/testharnessreport.js"></script> |
| 6 <script src="/security/contentSecurityPolicy/resources/child-csp-test.js"></
script> |
| 7 </head> |
| 8 <body> |
| 9 <script> |
| 10 // |
| 11 // Total of one wildcard. |
| 12 // |
| 13 async_test(t => { |
| 14 required_csp = "frame-src http://c.com:* http://b.com:80"; |
| 15 returned_csp = "frame-src http://b.com:*"; |
| 16 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 17 injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "0"); |
| 18 }, "Wildcard in port in returned_csp vs no wildcard in port in required_
csp should be 'Blocked'."); |
| 19 |
| 20 async_test(t => { |
| 21 required_csp = "frame-src http://c.com:* http://b.com:*"; |
| 22 returned_csp = "frame-src http://b.com:80"; |
| 23 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 24 injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "1"); |
| 25 }, "Wildcard in port in returned_csp vs a wildcard in port in required_c
sp should be 'Allowed'."); |
| 26 |
| 27 async_test(t => { |
| 28 required_csp = "frame-src http://c.com:* http://b.com:80"; |
| 29 returned_csp = "frame-src http://*.b.com:80"; |
| 30 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 31 injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "2"); |
| 32 }, "Wildcard in host in returned_csp vs no wildcard in host in required_
csp should be 'Blocked'."); |
| 33 |
| 34 async_test(t => { |
| 35 required_csp = "frame-src http://c.com:* http://*.b.com:80"; |
| 36 returned_csp = "frame-src http://b.com:80"; |
| 37 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 38 injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "3"); |
| 39 }, "Wildcard in host in returned_csp vs a wildcard in port in required_c
sp should be 'Allowed'."); |
| 40 |
| 41 // |
| 42 // Total of two wildcards. |
| 43 // |
| 44 async_test(t => { |
| 45 required_csp = "img-src http://c.com:* http://b.com:80"; |
| 46 returned_csp = "img-src http://*.b.com:*"; |
| 47 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 48 injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "4"); |
| 49 }, "Wildcards in returned_csp are less restrictive."); |
| 50 |
| 51 async_test(t => { |
| 52 required_csp = "img-src http://c.com:* http://*.b.com:*"; |
| 53 returned_csp = "img-src http://b.com:80"; |
| 54 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 55 injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "5"); |
| 56 }, "Returned csp with no wildcards should be 'Allowed'."); |
| 57 |
| 58 async_test(t => { |
| 59 required_csp = "img-src http://c.com:* http://*.b.com:80"; |
| 60 returned_csp = "img-src http://*.b.com:80"; |
| 61 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 62 injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "6"); |
| 63 }, "'Allowed' if exact match of wildcards in hosts."); |
| 64 |
| 65 async_test(t => { |
| 66 required_csp = "img-src http://c.com:* http://b.com:*"; |
| 67 returned_csp = "img-src http://b.com:*"; |
| 68 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 69 injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "7"); |
| 70 }, "'Allowed' if exact match of wildcards in ports."); |
| 71 |
| 72 async_test(t => { |
| 73 required_csp = "img-src http://c.com:* http://d.com:*"; |
| 74 returned_csp = "img-src http://b.com:*"; |
| 75 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 76 injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "8"); |
| 77 }, "'Blocked' if exact match of wildcards in ports but not matching host
s."); |
| 78 |
| 79 async_test(t => { |
| 80 required_csp = "img-src http://c.com:* http://b.com:*"; |
| 81 returned_csp = "img-src http://*.b.com:80"; |
| 82 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 83 injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "9"); |
| 84 }, "Cross wildcards so the iframe should be 'Blocked'."); |
| 85 |
| 86 async_test(t => { |
| 87 required_csp = "img-src http://c.com:* http://*.b.com:80"; |
| 88 returned_csp = "img-src http://b.com:*"; |
| 89 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 90 injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "10"); |
| 91 }, "Cross wildcards again so the iframe should be 'Blocked'."); |
| 92 |
| 93 // |
| 94 // Total of three wildcards. |
| 95 // |
| 96 async_test(t => { |
| 97 required_csp = "img-src http://c.com:* http://*.b.com:*"; |
| 98 returned_csp = "img-src http://b.com:*"; |
| 99 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 100 injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "11"); |
| 101 }, "Two out of three wildcards in required_csp should correspond to ifra
me being 'Allowed'."); |
| 102 |
| 103 async_test(t => { |
| 104 required_csp = "img-src http://c.com:* http://*.b.com:*"; |
| 105 returned_csp = "img-src http://*.b.com:80"; |
| 106 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 107 injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "12"); |
| 108 }, "Two out of three wildcards in required_csp again should correspond t
o iframe being 'Allowed'."); |
| 109 |
| 110 async_test(t => { |
| 111 required_csp = "img-src http://c.com:* http://*.b.com:80"; |
| 112 returned_csp = "img-src http://*.b.com:*"; |
| 113 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 114 injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "13"); |
| 115 }, "Two out of three wildcards in returned_csp should correspond to ifra
me being 'Blocked'."); |
| 116 |
| 117 async_test(t => { |
| 118 required_csp = "img-src http://c.com:* http://b.com:*"; |
| 119 returned_csp = "img-src http://*.b.com:*"; |
| 120 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 121 injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "14"); |
| 122 }, "Two out of three wildcards in returned_csp again should correspond t
o iframe being 'Blocked'."); |
| 123 |
| 124 // |
| 125 // Total of four wildcards. |
| 126 // |
| 127 async_test(t => { |
| 128 required_csp = "img-src http://c.com:* http://*.b.com:*"; |
| 129 returned_csp = "img-src http://*.b.com:*"; |
| 130 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 131 injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "15"); |
| 132 }, "Origins with wildcards in hosts and ports should be matched."); |
| 133 |
| 134 async_test(t => { |
| 135 required_csp = "img-src http://c.com:* https://*.b.com:*"; |
| 136 returned_csp = "img-src http://*.b.com:*"; |
| 137 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 138 injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "16"); |
| 139 }, "Origins with wildcards in hosts and ports should be matched but also
protocols."); |
| 140 |
| 141 async_test(t => { |
| 142 required_csp = "img-src http://c.com:* http://*.d.com:*"; |
| 143 returned_csp = "img-src https://*.b.com:*"; |
| 144 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 145 injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "17"); |
| 146 }, "Not matching four wildcards."); |
| 147 |
| 148 async_test(t => { |
| 149 required_csp = "img-src http://c.com:* http://*.b.com:*"; |
| 150 returned_csp = "img-src https://*.b.com:*"; |
| 151 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 152 injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "18"); |
| 153 }, "Four wildcards and https in returned_csp should be 'Allowed'."); |
| 154 |
| 155 // |
| 156 // Total of zero wildcards. |
| 157 // |
| 158 async_test(t => { |
| 159 required_csp = "img-src http://c.com:* http://b.com"; |
| 160 returned_csp = "img-src http://b.com"; |
| 161 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 162 injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "19"); |
| 163 }, "Exact match."); |
| 164 |
| 165 async_test(t => { |
| 166 required_csp = "img-src http://c.com:* https://b.com"; |
| 167 returned_csp = "img-src https://b.com"; |
| 168 url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp); |
| 169 injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "20"); |
| 170 }, "Exact match in https."); |
| 171 |
| 172 async_test(t => { |
| 173 required_csp = "img-src http://c.com; frame-src http://b.com"; |
| 174 returned_csp1 = "img-src http://c.com; frame-src http://b.com:*"; |
| 175 returned_csp2 = "frame-src http://b.com; img-src http://c.com:*"; |
| 176 url = generateUrlWithCSPMultiple(CROSS_ORIGIN, returned_csp1, returned
_csp2); |
| 177 injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "21"); |
| 178 }, "Exact match in https."); |
| 179 </script> |
| 180 </body> |
| 181 </html> |
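Review bot: The last two tests (ids "20" and "21") are both named `"Exact match in https."`, and that name is wrong for "21", which uses only http sources and passes two returned policies through `generateUrlWithCSPMultiple`. testharness.js reports results by test name, so a regression in this embedded-enforcement check could not be attributed to a single case; a name like `"Two returned policies that together are subsumed by required_csp should be 'Allowed'."` would fit, assuming that is what the helper sets up. The descriptions for ids "1" and "3" also say the wildcard is in returned_csp when it appears only in required_csp, and "3" says "port" where the wildcard is in the host. `required_csp`, `returned_csp` and `url` are assigned without a declaration and so become shared globals; declaring them with `const` inside each callback would keep the cases independent.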
OLD | NEW |