| Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-self.html
|
| diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-self.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-self.html
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..7edb8723a7ee759b937dce20c573b67593ae5624
|
| --- /dev/null
|
| +++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-self.html
|
| @@ -0,0 +1,108 @@
|
| +<!DOCTYPE html>
|
| +<html>
|
| +<head>
|
| + <script src="/resources/testharness.js"></script>
|
| + <script src="/resources/testharnessreport.js"></script>
|
| + <script src="/security/contentSecurityPolicy/resources/child-csp-test.js"></script>
|
| +</head>
|
| +<body>
|
| + <script>
|
| + // Note that the origin for embedder is "http://127.0.0.1:8000".
|
| + // The origin for the embedee is "http://localhost:8000".
|
| +
|
| + async_test(t => {
|
| + required_csp = "img-src http://c.com:* http://b.com:*";
|
| + returned_csp = "img-src 'self' http://b.com:*";
|
| + url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
|
| + injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "0");
|
| + }, "'self' is `localhost` in this case so iframe should be blocked.");
|
| +
|
| + async_test(t => {
|
| + required_csp = "img-src http://localhost:8000 http://b.com:*";
|
| + returned_csp = "img-src 'self' http://b.com:*";
|
| + url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
|
| + injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "2");
|
| + }, "'self' is `127.0.0.1` in this case so iframe should be blocked.");
|
| +
|
| + async_test(t => {
|
| + required_csp = "img-src 'self' http://b.com:*";
|
| + returned_csp = "img-src 'self' http://b.com:*";
|
| + url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
|
| + injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "4");
|
| + }, "Exact match of returned csp to required csp should load iframe.");
|
| +
|
| + async_test(t => {
|
| + required_csp = "img-src 'self' http://b.com:*";
|
| + returned_csp = "img-src http://127.0.0.1:8000 http://b.com:*";
|
| + url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
|
| + injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "4");
|
| + }, "'self' refers to `http://localhost:8000`.");
|
| +
|
| + async_test(t => {
|
| + required_csp = "img-src http://localhost:499 http://localhost:8000 http://b.com:*";
|
| + returned_csp = "img-src 'self' http://b.com:*";
|
| + url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
|
| + injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "5");
|
| + }, "Multiple sources with locahost should still allow iframe to load since it is more restrictive.");
|
| +
|
| + async_test(t => {
|
| + required_csp = "img-src http://localhost.com:*";
|
| + returned_csp = "img-src 'self' http://b.com:*";
|
| + url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
|
| + injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "6");
|
| + }, "Iframe's returned csp is less restrictive.");
|
| +
|
| + async_test(t => {
|
| + required_csp = "img-src http://b.com:*";
|
| + returned_csp = "img-src 'self' http://b.com:*";
|
| + url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
|
| + injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "7");
|
| + }, "Iframe's returned csp is again less restrictive.");
|
| +
|
| + async_test(t => {
|
| + required_csp = "img-src https://localhost.com:* http://b.com:*";
|
| + returned_csp = "img-src 'self' http://b.com:*";
|
| + url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
|
| + injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "8");
|
| + }, "Protocol of 'self' matches https:// of the required csp");
|
| +
|
| + async_test(t => {
|
| + required_csp = "img-src http://localhost.com:443 http://b.com:*";
|
| + returned_csp = "img-src 'self' http://b.com:*";
|
| + url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
|
| + injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "9");
|
| + }, "Ports of 'self' have to match.");
|
| +
|
| + async_test(t => {
|
| + required_csp = "img-src http://localhost:8000 http://b.com:*";
|
| + returned_csp1 = "img-src http://localhost:8000 http://b.com:8000";
|
| + returned_csp2 = "img-src 'self' http://b.com:*";
|
| + url = generateUrlWithCSPMultiple(CROSS_ORIGIN, returned_csp, returned_csp2, null);
|
| + injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "10");
|
| + }, "'self' can be matched to the actual origin.");
|
| +
|
| + async_test(t => {
|
| + required_csp = "img-src http://localhost:8000 http://b.com:*";
|
| + returned_csp1 = "img-src https://b.com:8000 'self'";
|
| + returned_csp2 = "img-src http://localhost:8000 https://b.com:*";
|
| + url = generateUrlWithCSPMultiple(CROSS_ORIGIN, returned_csp, returned_csp2, null);
|
| + injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "11");
|
| + }, "'self' can be matched to the actual origin despite order.");
|
| +
|
| + async_test(t => {
|
| + required_csp = "img-src http://localhost:8000 http://b.com:*";
|
| + returned_csp1 = "img-src https://b.com:8000 'self'";
|
| + returned_csp2 = "img-src http://localhost:4343 https://b.com:*";
|
| + url = generateUrlWithCSPMultiple(CROSS_ORIGIN, returned_csp, returned_csp2, null);
|
| + injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "12");
|
| + }, "'self' can be matched to the actual origin with the port.");
|
| +
|
| + async_test(t => {
|
| + required_csp = "img-src http://localhost:8000 http://b.com:*";
|
| + returned_csp = "img-src http://localhost:8000 'self' http://b.com:*";
|
| + url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
|
| + injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "13");
|
| + }, "Repetitions of sources should not influence subsumption .");
|
| + </script>
|
| +</body>
|
| +</html>
|
|
|
Chromium Code Reviews
Issue 2526473005:
Part 4.1: Is policy list subsumed under subsuming policy? (Closed)
