OLD | NEW |
(Empty) | |
| 1 <!DOCTYPE html> |
| 2 <html> |
| 3 <head> |
| 4 <title>Embedded Enforcement: Subsumption Algorithm - 'none' keyword.</title> |
| 5 <script src="/resources/testharness.js"></script> |
| 6 <script src="/resources/testharnessreport.js"></script> |
| 7 <script src="support/testharness-helper.sub.js"></script> |
| 8 </head> |
| 9 <body> |
| 10 <script> |
| 11 var tests = [ |
| 12 { "name": "Empty required csp subsumes empty list of returned policies.", |
| 13 "required_csp": "", |
| 14 "returned_csp_1": "", |
| 15 "returned_csp_2": null, |
| 16 "expected": IframeLoad.EXPECT_LOAD }, |
| 17 { "name": "Empty required csp subsumes any list of policies.", |
| 18 "required_csp": "", |
| 19 "returned_csp_1": "img-src http://example.com", |
| 20 "returned_csp_2": null, |
| 21 "expected": IframeLoad.EXPECT_LOAD }, |
| 22 { "name": "Empty required csp subsumes a policy with `none`.", |
| 23 "required_csp": "", |
| 24 "returned_csp_1": "img-src 'none'", |
| 25 "returned_csp_2": null, |
| 26 "expected": IframeLoad.EXPECT_LOAD }, |
| 27 { "name": "Required policy that allows `none` does not subsume empty list
of policies.", |
| 28 "required_csp": "img-src ", |
| 29 "returned_csp_1": "", |
| 30 "returned_csp_2": null, |
| 31 "expected": IframeLoad.EXPECT_BLOCK }, |
| 32 { "name": "Required csp with effective `none` does not subsume a host sour
ce expression.", |
| 33 "required_csp": "img-src ", |
| 34 "returned_csp_1": "img-src http://example.com", |
| 35 "returned_csp_2": null, |
| 36 "expected": IframeLoad.EXPECT_BLOCK }, |
| 37 { "name": "Required csp with `none` does not subsume a host source express
ion.", |
| 38 "required_csp": "img-src 'none'", |
| 39 "returned_csp_1": "img-src http://example.com", |
| 40 "returned_csp_2": null, |
| 41 "expected": IframeLoad.EXPECT_BLOCK }, |
| 42 { "name": "Required csp with effective `none` does not subsume `none` of a
nother directive.", |
| 43 "required_csp": "img-src ", |
| 44 "returned_csp_1": "frame-src 'none'", |
| 45 "returned_csp_2": null, |
| 46 "expected": IframeLoad.EXPECT_BLOCK }, |
| 47 { "name": "Required csp with `none` does not subsume `none` of another dir
ective.", |
| 48 "required_csp": "img-src 'none'", |
| 49 "returned_csp_1": "frame-src 'none'", |
| 50 "returned_csp_2": null, |
| 51 "expected": IframeLoad.EXPECT_BLOCK }, |
| 52 { "name": "Required csp with `none` does not subsume `none` of different d
irectives.", |
| 53 "required_csp": "img-src ", |
| 54 "returned_csp_1": "img-src http://*.one.com", |
| 55 "returned_csp_2": "frame-src https://two.com", |
| 56 "expected": IframeLoad.EXPECT_BLOCK }, |
| 57 { "name": "Required csp with `none` subsumes effective list of `none`.", |
| 58 "required_csp": "img-src ", |
| 59 "returned_csp_1": "img-src http://*.one.com", |
| 60 "returned_csp_2": "img-src https://two.com", |
| 61 "expected": IframeLoad.EXPECT_LOAD }, |
| 62 { "name": "Required csp with `none` subsumes effective list of `none` desp
ite other keywords.", |
| 63 "required_csp": "img-src 'none'", |
| 64 "returned_csp_1": "img-src http://*.one.com", |
| 65 "returned_csp_2": "img-src 'self'", |
| 66 "expected": IframeLoad.EXPECT_LOAD }, |
| 67 { "name": "Source list with exprssions other than `none` make `none` ineff
ective.", |
| 68 "required_csp": "img-src http://example.com 'none'", |
| 69 "returned_csp_1": "img-src http://example.com", |
| 70 "returned_csp_2": null, |
| 71 "expected": IframeLoad.EXPECT_LOAD }, |
| 72 { "name": "Returned csp with `none` is subsumed by any required csp.", |
| 73 "required_csp": "img-src http://example.com", |
| 74 "returned_csp_1": "img-src 'none'", |
| 75 "returned_csp_2": null, |
| 76 "expected": IframeLoad.EXPECT_LOAD }, |
| 77 { "name": "Returned csp with effective `none` is subsumed by any required
csp.", |
| 78 "required_csp": "img-src http://example.com", |
| 79 "returned_csp_1": "img-src http://example.com", |
| 80 "returned_csp_2": "img-src http://non-example.com", |
| 81 "expected": IframeLoad.EXPECT_LOAD }, |
| 82 { "name": "Both required and returned csp are `none`.", |
| 83 "required_csp": "img-src 'none'", |
| 84 "returned_csp_1": "img-src 'none'", |
| 85 "returned_csp_2": "img-src http://non-example.com", |
| 86 "expected": IframeLoad.EXPECT_LOAD }, |
| 87 { "name": "Both required and returned csp are `none` for only one directiv
e.", |
| 88 "required_csp": "default-src 'none'", |
| 89 "returned_csp_1": "img-src 'none'", |
| 90 "returned_csp_2": "script-src 'unsafe-inline'", |
| 91 "expected": IframeLoad.EXPECT_BLOCK }, |
| 92 { "name": "Both required and returned csp are empty.", |
| 93 "required_csp": "img-src ", |
| 94 "returned_csp_1": "img-src ", |
| 95 "returned_csp_2": null, |
| 96 "expected": IframeLoad.EXPECT_LOAD }, |
| 97 { "name": "Both required and returned csp are effectively 'none'.", |
| 98 "required_csp": "img-src ", |
| 99 "returned_csp_1": "img-src http://a.com", |
| 100 "returned_csp_2": "img-src http://b.com", |
| 101 "expected": IframeLoad.EXPECT_LOAD }, |
| 102 ]; |
| 103 tests.forEach(test => { |
| 104 async_test(t => { |
| 105 var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1
); |
| 106 if (test.returned_csp_2) |
| 107 url.searchParams.append("policy2", test.returned_csp_2); |
| 108 assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.na
me, null); |
| 109 }, test.name); |
| 110 }); |
| 111 </script> |
| 112 </body> |
| 113 </html> |
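Review bot: The only case with an ineffective `'none'` (new line 67, `"required_csp": "img-src http://example.com 'none'"`) puts it on the required side, so the direction where a wrong subsumption answer would weaken the embedder's enforcement is untested. Consider adding an entry with `"required_csp": "img-src 'none'"` and `"returned_csp_1": "img-src http://example.com 'none'"`, which should presumably be `IframeLoad.EXPECT_BLOCK` if `'none'` is ignored next to other source expressions. Some names also do not match their data, which makes a failure harder to triage: the entry at new lines 52–56 says "`none` of different directives" although `required_csp` is the empty list `img-src ` and neither returned policy contains `'none'`. Renaming that entry and fixing "exprssions" at new line 67 would do; a short comment above `tests` saying that the names use "effective `none`" for an empty source list or for host lists that share no source would help readers as well.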
OLD | NEW |