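--- /dev/null
+++ b/UNKNOWN_PATH.html
@@ -0,0 +1,88 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Embedded Enforcement: Allow-CSP-From header.</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+<script>
+var tests = [
+{ "name": "Same origin iframes are always allowed.",
+"origin": Host.SAME_ORIGIN,
+"csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
+"allow_csp_from": "¢¥§",
+"expected": IframeLoad.EXPECT_LOAD,
+"blockedURI": null},
+{ "name": "Same origin iframes are allowed even if the Allow-CSP-From is empty.",
+"origin": Host.SAME_ORIGIN,
+"csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
+"allow_csp_from": "",
+"expected": IframeLoad.EXPECT_LOAD,
+"blockedURI": null},
+{ "name": "Same origin iframes are allowed even if the Allow-CSP-From is not present.",
+"origin": Host.SAME_ORIGIN,
+"csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
+"allow_csp_from": null,
+"expected": IframeLoad.EXPECT_LOAD,
+"blockedURI": null},
+{ "name": "Same origin iframes are allowed even if Allow-CSP-From does not match origin.",
+"origin": Host.SAME_ORIGIN,
+"csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
+"allow_csp_from": "http://example.com:888",
+"expected": IframeLoad.EXPECT_LOAD,
+"blockedURI": null},
+{ "name": "Cross origin iframe with an empty Allow-CSP-From header gets blocked.",
+"origin": Host.CROSS_ORIGIN,
+"csp": "script-src 'unsafe-inline'",
+"allow_csp_from": "",
+"expected": IframeLoad.EXPECT_BLOCK,
+"blockedURI": null},
+{ "name": "Cross origin iframe without Allow-CSP-From header gets blocked.",
+"origin": Host.CROSS_ORIGIN,
+"csp": "script-src 'unsafe-inline'",
+"allow_csp_from": null,
+"expected": IframeLoad.EXPECT_BLOCK,
+"blockedURI": null},
+{ "name": "iframe from cross origin does not load without Allow-CSP-From header.",
+"origin": Host.CROSS_ORIGIN,
+"csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
+"allow_csp_from": getOrigin(),
+"expected": IframeLoad.EXPECT_LOAD,
+"blockedURI": null},
+{ "name": "Iframe with improper Allow-CSP-From header gets blocked.",
+"origin": Host.CROSS_ORIGIN,
+"csp": "script-src 'unsafe-inline'",
+"allow_csp_from": "* ¢¥§",
+"expected": IframeLoad.EXPECT_BLOCK,
+"blockedURI": null},
+{ "name": "Allow-CSP-From header with a star value can be returned.",
+"origin": Host.CROSS_ORIGIN,
+"csp": "script-src 'unsafe-inline'",
+"allow_csp_from": "*",
+"expected": IframeLoad.EXPECT_LOAD,
+"blockedURI": null},
+{ "name": "Star Allow-CSP-From header enforces EmbeddingCSP.",
+"origin": Host.CROSS_ORIGIN,
+"csp": "script-src 'nonce-123'",
+"allow_csp_from": "*",
+"expected": IframeLoad.EXPECT_LOAD,
+"blockedURI": "inline"},
+{ "name": "Allow-CSP-From header enforces EmbeddingCSP.",
+"origin": Host.CROSS_ORIGIN,
+"csp": "style-src 'none'; script-src 'nonce-123'",
+"allow_csp_from": getOrigin(),
+"expected": IframeLoad.EXPECT_LOAD,
+"blockedURI": "inline"},
+];
+
+tests.forEach(test => {
+async_test(t => {
+var url = generateUrlWithAllowCSPFrom(test.origin, test.allow_csp_from);
+assert_iframe_with_csp(t, url, test.csp, test.expected, test.name, test.blockedURI);
+}, test.name);
+});
+</script>
+</body>
+</html>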
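Review bot: The test name at new line 48, `iframe from cross origin does not load without Allow-CSP-From header.`, contradicts its own fixture: `allow_csp_from` is `getOrigin()` and `expected` is `IframeLoad.EXPECT_LOAD`, so the case actually checks that a cross-origin frame does load when the header names the embedder's origin. Since `test.name` is also what `async_test` and `assert_iframe_with_csp` report, a failure here would read as the opposite of what was exercised; rename it to `Cross origin iframe loads when Allow-CSP-From matches the embedder origin.`. The "without header" case is already covered by new line 42, so nothing else is lost. As a point of style, `var tests` (line 11) and `var url` (line 82) would be `const` in a file that already uses arrow functions, and `Host`, `IframeLoad`, `getOrigin` and `generateUrlWithAllowCSPFrom` presumably come from `support/testharness-helper.sub.js`; a one-line comment above `var tests` saying so would help a reader who opens only this file.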