Import wpt@503f5b5f78ec4e87d144f78609f363f0ed0ea8db

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigation/to-javascript-url.html

Index: third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigation/to-javascript-url.html
diff --git a/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigation/to-javascript-url.html b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigation/to-javascript-url.html
new file mode 100644
index 0000000000000000000000000000000000000000..6c120adac20297ef6b31d52ed9b05049db332473
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigation/to-javascript-url.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'">
+
+<body>
+
+<script nonce="abc">
+  function assert_csp_event_for_element(test, element) {
+    assert_equals(typeof SecurityPolicyViolationEvent, "function", "These tests require 'SecurityPolicyViolationEvent'.");
+    document.addEventListener("securitypolicyviolation", test.step_func(e => {
+      if (e.target != element)
+        return;
+      assert_equals(e.blockedURI, "inline");
+      assert_equals(e.effectiveDirective, "script-src");
+      assert_equals(element.contentDocument.body.innerText, "", "Ensure that 'Fail' doesn't appear in the child document.");
+      element.remove();
+      test.done();
+    }));
+  }
+
+  function navigate_to_javascript_onload(test, iframe) {
+    iframe.addEventListener("load", test.step_func(e => {
+      assert_equals(typeof SecurityPolicyViolationEvent, "function");
+      iframe.contentDocument.addEventListener(
+        "securitypolicyviolation",
+        test.unreached_func("The CSP event should be fired in the embedding document, not in the embedee.")
+      );
+
+      iframe.src = "javascript:'Fail.'";
+    }));
+  }
+
+  async_test(t => {
+    var i = document.createElement("iframe");
+    i.src = "javascript:'Fail.'";
+
+    assert_csp_event_for_element(t, i); 
+
+    document.body.appendChild(i);
+  }, "<iframe src='javascript:'> blocked without 'unsafe-inline'.");
+
+  async_test(t => {
+    var i = document.createElement("iframe");
+
+    assert_csp_event_for_element(t, i); 
+    navigate_to_javascript_onload(t, i);
+
+    document.body.appendChild(i);
+  }, "<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'.");
+
+  async_test(t => {
+    var i = document.createElement("iframe");
+    i.src = "../support/echo-policy.py?policy=" + encodeURIComponent("script-src 'unsafe-inline'");
+
+    assert_csp_event_for_element(t, i); 
+    navigate_to_javascript_onload(t, i);
+
+    document.body.appendChild(i);
+  }, "<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document");
+ 
+  async_test(t => {
+    var i = document.createElement("iframe");
+    i.src = "../support/echo-policy.py?policy=" + encodeURIComponent("script-src 'none'");
+
+    assert_csp_event_for_element(t, i); 
+    navigate_to_javascript_onload(t, i);
+
+    document.body.appendChild(i);
+  }, "<iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' blocked in this document.");
+</script>