Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(94)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/allow_csp_from-header.html

Issue 2704543002: Import wpt@3bd204d7e86fd81e98e63f4ce59b95d98bad1c54 (Closed)
Patch Set: Created 3 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « third_party/WebKit/LayoutTests/external/wpt/content-security-policy/child-src/child-src-worker-blocked.sub.html.sub.headers ('k') | third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/embedding_csp-header.html » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/allow_csp_from-header.html
diff --git a/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/allow_csp_from-header.html b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/allow_csp_from-header.html
new file mode 100644
index 0000000000000000000000000000000000000000..a806caf456ff894ec14000ab7e0ae9c2a15e3382
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/allow_csp_from-header.html
@@ -0,0 +1,88 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Embedded Enforcement: Allow-CSP-From header.</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+ <script>
+ var tests = [
+ { "name": "Same origin iframes are always allowed.",
+ "origin": Host.SAME_ORIGIN,
+ "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
+ "allow_csp_from": "¢¥§",
+ "expected": IframeLoad.EXPECT_LOAD,
+ "blockedURI": null},
+ { "name": "Same origin iframes are allowed even if the Allow-CSP-From is empty.",
+ "origin": Host.SAME_ORIGIN,
+ "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
+ "allow_csp_from": "",
+ "expected": IframeLoad.EXPECT_LOAD,
+ "blockedURI": null},
+ { "name": "Same origin iframes are allowed even if the Allow-CSP-From is not present.",
+ "origin": Host.SAME_ORIGIN,
+ "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
+ "allow_csp_from": null,
+ "expected": IframeLoad.EXPECT_LOAD,
+ "blockedURI": null},
+ { "name": "Same origin iframes are allowed even if Allow-CSP-From does not match origin.",
+ "origin": Host.SAME_ORIGIN,
+ "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
+ "allow_csp_from": "http://example.com:888",
+ "expected": IframeLoad.EXPECT_LOAD,
+ "blockedURI": null},
+ { "name": "Cross origin iframe with an empty Allow-CSP-From header gets blocked.",
+ "origin": Host.CROSS_ORIGIN,
+ "csp": "script-src 'unsafe-inline'",
+ "allow_csp_from": "",
+ "expected": IframeLoad.EXPECT_BLOCK,
+ "blockedURI": null},
+ { "name": "Cross origin iframe without Allow-CSP-From header gets blocked.",
+ "origin": Host.CROSS_ORIGIN,
+ "csp": "script-src 'unsafe-inline'",
+ "allow_csp_from": null,
+ "expected": IframeLoad.EXPECT_BLOCK,
+ "blockedURI": null},
+ { "name": "iframe from cross origin does not load without Allow-CSP-From header.",
+ "origin": Host.CROSS_ORIGIN,
+ "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
+ "allow_csp_from": getOrigin(),
+ "expected": IframeLoad.EXPECT_LOAD,
+ "blockedURI": null},
+ { "name": "Iframe with improper Allow-CSP-From header gets blocked.",
+ "origin": Host.CROSS_ORIGIN,
+ "csp": "script-src 'unsafe-inline'",
+ "allow_csp_from": "* ¢¥§",
+ "expected": IframeLoad.EXPECT_BLOCK,
+ "blockedURI": null},
+ { "name": "Allow-CSP-From header with a star value can be returned.",
+ "origin": Host.CROSS_ORIGIN,
+ "csp": "script-src 'unsafe-inline'",
+ "allow_csp_from": "*",
+ "expected": IframeLoad.EXPECT_LOAD,
+ "blockedURI": null},
+ { "name": "Star Allow-CSP-From header enforces EmbeddingCSP.",
+ "origin": Host.CROSS_ORIGIN,
+ "csp": "script-src 'nonce-123'",
+ "allow_csp_from": "*",
+ "expected": IframeLoad.EXPECT_LOAD,
+ "blockedURI": "inline"},
+ { "name": "Allow-CSP-From header enforces EmbeddingCSP.",
+ "origin": Host.CROSS_ORIGIN,
+ "csp": "style-src 'none'; script-src 'nonce-123'",
+ "allow_csp_from": getOrigin(),
+ "expected": IframeLoad.EXPECT_LOAD,
+ "blockedURI": "inline"},
+ ];
+
+ tests.forEach(test => {
+ async_test(t => {
+ var url = generateUrlWithAllowCSPFrom(test.origin, test.allow_csp_from);
+ assert_iframe_with_csp(t, url, test.csp, test.expected, test.name, test.blockedURI);
+ }, test.name);
+ });
+ </script>
+</body>
+</html>
« no previous file with comments | « third_party/WebKit/LayoutTests/external/wpt/content-security-policy/child-src/child-src-worker-blocked.sub.html.sub.headers ('k') | third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/embedding_csp-header.html » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698