LayoutTests/http/tests/security/suborigins/suborigin-invalid-names.html - Issue 27073003: CSP Suborigins

Side by Side Diff

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Side by Side Diff: LayoutTests/http/tests/security/suborigins/suborigin-invalid-names.html

Issue 27073003: CSP Suborigins Base URL: https://chromium.googlesource.com/chromium/blink.git@master

Patch Set: Test fixes Created 5 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« no previous file with comments | « LayoutTests/http/tests/security/suborigins/suborigin-in-meta-disallowed-expected.txt ('k') | LayoutTests/http/tests/security/suborigins/suborigin-invalid-names-expected.txt » ('j') | Source/core/dom/ExecutionContext.cpp » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
(Empty)
	1 <!DOCTYPE html>

	2 <html>

	3 <head>

	4 <title>Invalid suborigin names</title>

	5 <script src="/resources/testharness.js"></script>

	6 <script src="/resources/testharnessreport.js"></script>

	7 </head>

	8

	9 <script>

	10 var test_suborigin_names = [

	11 "",

	12 "'foobar'",

	13 "'foobar",

	14 "foobar'",

	15 "foo'bar",

	16 "foob@r",

	17 "foo bar",

	18 ];

	19

	20 var iframe;

	21 var i = 0;

	22 function next() {

	23 name = test_suborigin_names[i];

	24 i++;

	25 iframe.src = "resources/childsuborigin.php?suborigin=" + name;

	26 }

	27

	28 window.onmessage = function() {

	29 if (i > test_suborigin_names.length)

	30 done();

	31

	32 var secret = '';

	33 try {

	34 secret = iframe.contentWindow.secret;

	35 assert_equals(secret, "I am a secret", "The parent frame should always b e able to get the secret value from the child iframe.");
	Mike West 2015/03/23 07:32:55 Why is this the correct behavior? Why not lock dow Why is this the correct behavior? Why not lock down the frame (e.g. unique origin) if an invalid suborigin is asserted? jww 2015/04/11 02:52:35 That's certainly up for debate. I think this is a Show quoted text On 2015/03/23 07:32:55, Mike West wrote: > Why is this the correct behavior? Why not lock down the frame (e.g. unique > origin) if an invalid suborigin is asserted? That's certainly up for debate. I think this is a fail open case, like with typing in a bad hash algorithm. In the future, if we change the format for suborigins, we probably will want to fail open.
	36 } catch(e) {

	37 assert_unreached();

	38 };

	39 next();

	40 };

	41

	42 window.onload = function() {;

	43 iframe = document.getElementById('iframe');

	44 next();

	45 };

	46 </script>

	47 <iframe id="iframe"></iframe>

OLD	NEW