Index: third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/allow_csp_from-header.html |
diff --git a/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/allow_csp_from-header.html b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/allow_csp_from-header.html |
new file mode 100644 |
index 0000000000000000000000000000000000000000..a806caf456ff894ec14000ab7e0ae9c2a15e3382 |
--- /dev/null |
+++ b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/allow_csp_from-header.html |
@@ -0,0 +1,88 @@ |
+<!DOCTYPE html> |
+<html> |
+<head> |
+<title>Embedded Enforcement: Allow-CSP-From header.</title> |
+ <script src="/resources/testharness.js"></script> |
+ <script src="/resources/testharnessreport.js"></script> |
+ <script src="support/testharness-helper.sub.js"></script> |
+</head> |
+<body> |
+ <script> |
+ var tests = [ |
+ { "name": "Same origin iframes are always allowed.", |
+ "origin": Host.SAME_ORIGIN, |
+ "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'", |
+ "allow_csp_from": "¢¥§", |
+ "expected": IframeLoad.EXPECT_LOAD, |
+ "blockedURI": null}, |
+ { "name": "Same origin iframes are allowed even if the Allow-CSP-From is empty.", |
+ "origin": Host.SAME_ORIGIN, |
+ "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'", |
+ "allow_csp_from": "", |
+ "expected": IframeLoad.EXPECT_LOAD, |
+ "blockedURI": null}, |
+ { "name": "Same origin iframes are allowed even if the Allow-CSP-From is not present.", |
+ "origin": Host.SAME_ORIGIN, |
+ "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'", |
+ "allow_csp_from": null, |
+ "expected": IframeLoad.EXPECT_LOAD, |
+ "blockedURI": null}, |
+ { "name": "Same origin iframes are allowed even if Allow-CSP-From does not match origin.", |
+ "origin": Host.SAME_ORIGIN, |
+ "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'", |
+ "allow_csp_from": "http://example.com:888", |
+ "expected": IframeLoad.EXPECT_LOAD, |
+ "blockedURI": null}, |
+ { "name": "Cross origin iframe with an empty Allow-CSP-From header gets blocked.", |
+ "origin": Host.CROSS_ORIGIN, |
+ "csp": "script-src 'unsafe-inline'", |
+ "allow_csp_from": "", |
+ "expected": IframeLoad.EXPECT_BLOCK, |
+ "blockedURI": null}, |
+ { "name": "Cross origin iframe without Allow-CSP-From header gets blocked.", |
+ "origin": Host.CROSS_ORIGIN, |
+ "csp": "script-src 'unsafe-inline'", |
+ "allow_csp_from": null, |
+ "expected": IframeLoad.EXPECT_BLOCK, |
+ "blockedURI": null}, |
+ { "name": "iframe from cross origin does not load without Allow-CSP-From header.", |
+ "origin": Host.CROSS_ORIGIN, |
+ "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'", |
+ "allow_csp_from": getOrigin(), |
+ "expected": IframeLoad.EXPECT_LOAD, |
+ "blockedURI": null}, |
+ { "name": "Iframe with improper Allow-CSP-From header gets blocked.", |
+ "origin": Host.CROSS_ORIGIN, |
+ "csp": "script-src 'unsafe-inline'", |
+ "allow_csp_from": "* ¢¥§", |
+ "expected": IframeLoad.EXPECT_BLOCK, |
+ "blockedURI": null}, |
+ { "name": "Allow-CSP-From header with a star value can be returned.", |
+ "origin": Host.CROSS_ORIGIN, |
+ "csp": "script-src 'unsafe-inline'", |
+ "allow_csp_from": "*", |
+ "expected": IframeLoad.EXPECT_LOAD, |
+ "blockedURI": null}, |
+ { "name": "Star Allow-CSP-From header enforces EmbeddingCSP.", |
+ "origin": Host.CROSS_ORIGIN, |
+ "csp": "script-src 'nonce-123'", |
+ "allow_csp_from": "*", |
+ "expected": IframeLoad.EXPECT_LOAD, |
+ "blockedURI": "inline"}, |
+ { "name": "Allow-CSP-From header enforces EmbeddingCSP.", |
+ "origin": Host.CROSS_ORIGIN, |
+ "csp": "style-src 'none'; script-src 'nonce-123'", |
+ "allow_csp_from": getOrigin(), |
+ "expected": IframeLoad.EXPECT_LOAD, |
+ "blockedURI": "inline"}, |
+ ]; |
+ |
+ tests.forEach(test => { |
+ async_test(t => { |
+ var url = generateUrlWithAllowCSPFrom(test.origin, test.allow_csp_from); |
+ assert_iframe_with_csp(t, url, test.csp, test.expected, test.name, test.blockedURI); |
+ }, test.name); |
+ }); |
+ </script> |
+</body> |
+</html> |