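--- /dev/null
+++ b/content-security-policy/embedded-enforcement/support/testharness-helper.js
@@ -0,0 +1,136 @@
+const Host = {
+SAME_ORIGIN: "same-origin",
+CROSS_ORIGIN: "cross-origin",
+};
+
+const PolicyHeader = {
+CSP: "echo-policy.py?policy=",
+CSP_MULTIPLE: "echo-policy-multiple.py",
+EMBEDDING_CSP: "echo-embedding-csp.py",
+ALLOW_CSP_FROM: "echo-allow-csp-from.py",
+};
+
+const IframeLoad = {
+EXPECT_BLOCK: true,
+EXPECT_LOAD: false,
+};
+
+function getOrigin() {
+var url = new URL("http://{{host}}:{{ports[http][0]}}/");
+return url.toString();
+}
+
+function getCrossOrigin() {
+var url = new URL("http://{{domains[天気の良い日]}}:{{ports[http][0]}}/");
+return url.toString();
+}
+
+function getSecureCrossOrigin() {
+// Since wptserve spins up servers on non-default port, 'self' matches
+// http://[host]:[specified-port] and https://[host]:[specified-port], but not
+// https://[host]:[https-port]. So, we use the http port for this https origin
+// in order to verify that a secure variant of a non-secure URL matches 'self'.
+var url = new URL("https://{{domains[天気の良い日]}}:{{ports[http][0]}}");
+return url.toString();
+}
+
+function generateURL(host, path) {
+var url = new URL("http://{{host}}:{{ports[http][0]}}/content-security-policy/embedded-enforcement/support/");
+url.hostname = host == Host.SAME_ORIGIN ? "{{host}}" : "{{domains[天気の良い日]}}";
+url.pathname += path;
+
+return url;
+}
+
+function generateURLString(host, path) {
+return generateURL(host, path).toString();
+}
+
+function generateRedirect(host, target) {
+var url = new URL("http://{{host}}:{{ports[http][0]}}/common/redirect.py?location=" +
+encodeURIComponent(target));
+url.hostname = host == Host.SAME_ORIGIN ? "{{host}}" : "{{domains[天気の良い日]}}";
+
+return url.toString();
+}
+
+function generateUrlWithPolicies(host, policy) {
+var url = generateURL(host, PolicyHeader.CSP_MULTIPLE);
+if (policy != null)
+url.searchParams.append("policy", policy);
+return url;
+}
+
+function generateUrlWithAllowCSPFrom(host, allowCspFrom) {
+var url = generateURL(host, PolicyHeader.ALLOW_CSP_FROM);
+if (allowCspFrom != null)
+url.searchParams.append("allow_csp_from", allowCspFrom);
+return url;
+}
+
+function assert_embedding_csp(t, url, csp, expected) {
+var i = document.createElement('iframe');
+if(csp)
+i.csp = csp;
+i.src = url;
+
+window.addEventListener('message', t.step_func(e => {
+if (e.source != i.contentWindow || !('embedding_csp' in e.data))
+return;
+assert_equals(expected, e.data['embedding_csp']);
+t.done();
+}));
+
+document.body.appendChild(i);
+}
+
+function assert_iframe_with_csp(t, url, csp, shouldBlock, urlId, blockedURI) {
+var i = document.createElement('iframe');
+url.searchParams.append("id", urlId);
+i.src = url.toString();
+if (csp != null)
+i.csp = csp;
+
+var loaded = {};
+window.addEventListener("message", function (e) {
+if (e.source != i.contentWindow)
+return;
+if (e.data["loaded"])
+loaded[e.data["id"]] = true;
+});
+
+if (shouldBlock) {
+// Assert iframe does not load and is inaccessible.
+window.onmessage = function (e) {
+if (e.source != i.contentWindow)
+return;
+t.unreached_func('No message should be sent from the frame.');
+}
+i.onload = t.step_func(function () {
+// Delay the check until after the postMessage has a chance to execute.
+setTimeout(t.step_func_done(function () {
+assert_equals(loaded[urlId], undefined);
+}), 1);
+assert_throws("SecurityError", () => {
+var x = i.contentWindow.location.href;
+});
+});
+} else if (blockedURI) {
+// Assert iframe loads with an expected violation.
+window.addEventListener('message', t.step_func(e => {
+if (e.source != i.contentWindow)
+return;
+assert_equals(e.data["blockedURI"], blockedURI);
+t.done();
+}));
+} else {
+// Assert iframe loads.
+i.onload = t.step_func(function () {
+// Delay the check until after the postMessage has a chance to execute.
+setTimeout(t.step_func_done(function () {
+assert_true(loaded[urlId]);
+}), 1);
+});
+}
+document.body.appendChild(i);
+}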
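Review bot: In the shouldBlock branch of assert_iframe_with_csp (new line 107) `t.unreached_func('No message should be sent from the frame.')` only constructs the failing function and never calls it, so a message from a supposedly blocked frame that does not carry a `loaded` flag is accepted silently; the handler should be `window.onmessage = t.step_func(e => { if (e.source != i.contentWindow) return; assert_unreached('No message should be sent from the frame.'); });` (or append `()` to the existing call). The `assert_throws("SecurityError", ...)` at line 114 throws for any cross-origin frame whether or not CSP blocked it, so it only distinguishes blocked from loaded when the URL is same-origin; a comment such as `// Only discriminating for same-origin frames: a cross-origin frame throws here regardless of blocking.` would keep a later reader from over-trusting that check. The `message` listeners registered on `window` at lines 77, 95 and 120 are never removed, so handlers from earlier calls in the same document keep firing for later frames; the `e.source` filter limits the damage, but pairing each registration with `t.add_cleanup(() => window.removeEventListener('message', handler))` would make the helpers safe to call repeatedly.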