third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/parserInserted/innerHTML-srcdoc.html - Issue 2657623005: WIP: Give developers an opt-in mechanism to block some parser-inserted scripts.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/parserInserted/innerHTML-srcdoc.html

Issue 2657623005: WIP: Give developers an opt-in mechanism to block some parser-inserted scripts.

Patch Set: Refactor. Created 3 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/parserInserted/innerHTML.html ('k') | third_party/WebKit/Source/core/dom/Document.h » ('j') | third_party/WebKit/Source/core/dom/Document.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/parserInserted/innerHTML-srcdoc.html

diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/parserInserted/innerHTML-srcdoc.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/parserInserted/innerHTML-srcdoc.html

new file mode 100644

index 0000000000000000000000000000000000000000..f63d9c41d10db08299ac752cd8a2b89ff1cb6751

--- /dev/null

+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/parserInserted/innerHTML-srcdoc.html

@@ -0,0 +1,53 @@

+<!DOCTYPE html>

+<meta http-equiv="Content-Security-Policy" content="script-src 'disallow-all-the-parser-inserted-scripts-ever-except-for-the-ones-we-like' 'self' 'unsafe-inline'">

+<script src="/resources/testharness.js"></script>

+<script src="/resources/testharnessreport.js"></script>

+<body>

+<script>

+ var payload = `

+ <script>

+ var current = window;

+ while (current.frameElement) {

+ current.frameElement.executedScript = true;

+ current = current.parent;

+ }

+ </scr` + `ipt>

+ `;

+ function assert_no_execution(name, html) {

+ async_test(t => {

+ var container = document.createElement('div');

+ document.body.appendChild(container);

+ var observer = new MutationObserver(mutations => {

+ for (var mutation of mutations) {

+ for (var node of mutation.addedNodes) {

+ if (node.dataset['test'] == name) {

+ observer.disconnect();

+ node.addEventListener('load', t.step_func(e => {

+ // Give nested scripts a frame or so to execute:

+ requestAnimationFrame(t.step_func_done(_ => {

+ assert_equals(node.executedScript, undefined, "Script should not execute.");

+ container.remove();

+ }));

+ }

+ });

+ observer.observe(container, { childList: true });

+ container.innerHTML = html.replace(/<iframe/, `<iframe data-test="${name}"`);

+ }, name);

+ }

+</script>

+<script>

+ assert_no_execution("script in srcdoc", `<iframe srcdoc="${payload}"></iframe>`);

+</script>

+<script>

+ assert_no_execution("script in nested srcdoc", `<iframe srcdoc="<iframe srcdoc='${payload}'></iframe>"></iframe>`);

+</script>

+<script>

+ assert_no_execution("script in nested srcdoc in nested srcdoc", `<iframe srcdoc="<iframe srcdoc="<iframe srcdoc='${payload}'></iframe>"></iframe>"></iframe>`);

+</script>