third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-in-new-window.html - Issue 2747823002: CSP: New test with form-action and a redirect into a new window.

Unified Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-in-new-window.html

Issue 2747823002: CSP: New test with form-action and a redirect into a new window. (Closed)

Patch Set: CSP: New test with form-action and a redirect into a new window. Created 3 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

« no previous file with comments | « no previous file | third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-in-new-window-expected.txt » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-in-new-window.html

diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-in-new-window.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-in-new-window.html

new file mode 100644

index 0000000000000000000000000000000000000000..be343afafdad45b74e46d946a79956c33a516331

--- /dev/null

+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-in-new-window.html

@@ -0,0 +1,60 @@

+<!DOCTYPE html>

+<!--

+ TODO(mkwst, arthursonzogni). This test fails. See https://crbug.com/700964

+-->

+<html>

+<head>

+ <script src="/resources/testharness.js"></script>

+ <script src="/resources/testharnessreport.js"></script>

+ <meta http-equiv="Content-Security-Policy" content="form-action 127.0.0.1:8000">

+</head>

+<body>

+ <form

+ action="/resources/redirection-response.php?host=localhost:8000&status=302&target=/security/resources/post-done-to-opener.html"

+ target="namedWindow"

+ method="post">

+ <input type='submit' id='submit'>

+ </form>

+ <script>

+ async_test(t => {

+ // #1 Open a new window with the name matching the form.target attribute

+ // above.

+ var namedWindow = window.open('http://localhost:8080/security/resources/empty.html', 'namedWindow')

+ // #2 Wait the window to be loaded. It prevents the document url to still

+ // be about:blank and to have inherited from its opener's CSP.

+ setTimeout(function() {

+ window.addEventListener('message', t.step_func(e => {

+ if (e.source == namedWindow && e.data == "done")

+ assert_unreached("The form submission wasn't blocked.");

+ }));

+ // The navigation should be blocked, either in the current window 1) or

+ // in the new window 2).

+ // 1) The navigation is blocked in the current window.

+ window.addEventListener('securitypolicyviolation', t.step_func(e => {

+ assert_equals(e.effectiveDirective, "form-action");

+ assert_equals(e.blockedURI, "localhost:8000/resources/post-done-to-opener.html");

+ namedWindow.close();

+ t.done();

+ }));

+ // 2) The navigation is blocked in the new window.

+ setTimeout(t.step_func(() => {

+ assert_equals(namedWindow.location.href, "localhost:8000/security/resources/empty.html");

+ namedWindow.close();

+ t.done();

+ }), 500);

+ // #3 Make a form submission with a redirect. It should be blocked by

+ // the form-action directive after the redirect.

+ document.getElementById('submit').click();

+ }, 500);

+ }, "The form resubmission should be blocked after the redirect");

+ </script>

+</body>

+</html>