| OLD | NEW |
|---|
| (Empty) | |
| 1 <!DOCTYPE html> |
| 2 <html> |
| 3 <head> |
| 4 <title>Embedded Enforcement: Embedding-CSP header.</title> |
| 5 <script src="/resources/testharness.js"></script> |
| 6 <script src="/resources/testharnessreport.js"></script> |
| 7 <script src="support/testharness-helper.sub.js"></script> |
| 8 </head> |
| 9 <body> |
| 10 <script> |
| 11 var tests = [ |
| 12 { "name": "Embedding-CSP is not sent if `csp` attribute is not set on <ifr
ame>.", |
| 13 "csp": null, |
| 14 "expected": null }, |
| 15 { "name": "Send Embedding-CSP when `csp` attribute of <iframe> is not empt
y.", |
| 16 "csp": "script-src 'unsafe-inline'", |
| 17 "expected": "script-src 'unsafe-inline'" }, |
| 18 { "name": "Send Embedding-CSP Header on change of `src` attribute on ifram
e.", |
| 19 "csp": "script-src 'unsafe-inline'", |
| 20 "expected": "script-src 'unsafe-inline'" }, |
| 21 { "name": "Wrong value of `csp` should not trigger sending Embedding-CSP H
eader.", |
| 22 "csp": "completely wrong csp", |
| 23 "expected": null}, |
| 24 ]; |
| 25 |
| 26 tests.forEach(test => { |
| 27 async_test(t => { |
| 28 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.EMBEDDING_CSP
); |
| 29 assert_embedding_csp(t, url, test.csp, test.expected); |
| 30 }, "Test same origin: " + test.name); |
| 31 |
| 32 async_test(t => { |
| 33 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.EMBEDDING_CSP
); |
| 34 var redirect_url = generateRedirect(Host.SAME_ORIGIN, url); |
| 35 assert_embedding_csp(t, redirect_url, test.csp, test.expected); |
| 36 }, "Test same origin redirect: " + test.name); |
| 37 |
| 38 async_test(t => { |
| 39 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.EMBEDDING_CSP
); |
| 40 var redirect_url = generateRedirect(Host.CROSS_ORIGIN, url); |
| 41 assert_embedding_csp(t, redirect_url, test.csp, test.expected); |
| 42 }, "Test cross origin redirect: " + test.name); |
| 43 |
| 44 async_test(t => { |
| 45 var url = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.EMBEDDING_CS
P); |
| 46 var redirect_url = generateRedirect(Host.CROSS_ORIGIN, url); |
| 47 assert_embedding_csp(t, redirect_url, test.csp, test.expected); |
| 48 }, "Test cross origin redirect of cross origin iframe: " + test.name); |
| 49 |
| 50 async_test(t => { |
| 51 var i = document.createElement('iframe'); |
| 52 if (test.csp) |
| 53 i.csp = test.csp; |
| 54 i.src = generateURLString(Host.SAME_ORIGIN, PolicyHeader.EMBEDDING_CSP); |
| 55 var loaded = false; |
| 56 |
| 57 window.addEventListener('message', t.step_func(e => { |
| 58 if (e.source != i.contentWindow || !('embedding_csp' in e.data)) |
| 59 return; |
| 60 if (!loaded) { |
| 61 assert_equals(test.expected, e.data['embedding_csp']); |
| 62 loaded = true; |
| 63 i.csp = "default-src 'unsafe-inline'"; |
| 64 i.src = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.EMBEDDING_
CSP); |
| 65 } else { |
| 66 // Once iframe has loaded, check that on change of `src` attribute |
| 67 // Embedding-CSP value is based on latest `csp` attribute value. |
| 68 assert_equals("default-src 'unsafe-inline'", e.data['embedding_csp']
); |
| 69 t.done(); |
| 70 } |
| 71 })); |
| 72 |
| 73 document.body.appendChild(i); |
| 74 }, "Test Embedding-CSP value on `csp` change: " + test.name); |
| 75 }); |
| 76 </script> |
| 77 </body> |
| 78 </html> |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2695813009:
Import wpt@503f5b5f78ec4e87d144f78609f363f0ed0ea8db (Closed)
