OLD | NEW |
| (Empty) |
1 <!DOCTYPE html> | |
2 <html> | |
3 <head> | |
4 <title>Embedded Enforcement: Embedding-CSP header.</title> | |
5 <script src="/resources/testharness.js"></script> | |
6 <script src="/resources/testharnessreport.js"></script> | |
7 <script src="support/testharness-helper.sub.js"></script> | |
8 </head> | |
9 <body> | |
10 <script> | |
11 var tests = [ | |
12 { "name": "Embedding-CSP is not sent if `csp` attribute is not set on <ifr
ame>.", | |
13 "csp": null, | |
14 "expected": null }, | |
15 { "name": "Send Embedding-CSP when `csp` attribute of <iframe> is not empt
y.", | |
16 "csp": "script-src 'unsafe-inline'", | |
17 "expected": "script-src 'unsafe-inline'" }, | |
18 { "name": "Send Embedding-CSP Header on change of `src` attribute on ifram
e.", | |
19 "csp": "script-src 'unsafe-inline'", | |
20 "expected": "script-src 'unsafe-inline'" }, | |
21 ]; | |
22 | |
23 tests.forEach(test => { | |
24 async_test(t => { | |
25 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.EMBEDDING_CSP
); | |
26 assert_embedding_csp(t, url, test.csp, test.expected); | |
27 }, "Test same origin: " + test.name); | |
28 | |
29 async_test(t => { | |
30 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.EMBEDDING_CSP
); | |
31 var redirect_url = generateRedirect(Host.SAME_ORIGIN, url); | |
32 assert_embedding_csp(t, redirect_url, test.csp, test.expected); | |
33 }, "Test same origin redirect: " + test.name); | |
34 | |
35 async_test(t => { | |
36 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.EMBEDDING_CSP
); | |
37 var redirect_url = generateRedirect(Host.CROSS_ORIGIN, url); | |
38 assert_embedding_csp(t, redirect_url, test.csp, test.expected); | |
39 }, "Test cross origin redirect: " + test.name); | |
40 | |
41 async_test(t => { | |
42 var url = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.EMBEDDING_CS
P); | |
43 var redirect_url = generateRedirect(Host.CROSS_ORIGIN, url); | |
44 assert_embedding_csp(t, redirect_url, test.csp, test.expected); | |
45 }, "Test cross origin redirect of cross origin iframe: " + test.name); | |
46 | |
47 async_test(t => { | |
48 var i = document.createElement('iframe'); | |
49 if (test.csp) | |
50 i.csp = test.csp; | |
51 i.src = generateURLString(Host.SAME_ORIGIN, PolicyHeader.EMBEDDING_CSP); | |
52 var loaded = false; | |
53 | |
54 window.addEventListener('message', t.step_func(e => { | |
55 if (e.source != i.contentWindow || !('embedding_csp' in e.data)) | |
56 return; | |
57 if (!loaded) { | |
58 assert_equals(test.expected, e.data['embedding_csp']); | |
59 loaded = true; | |
60 i.csp = "default-src 'unsafe-inline'"; | |
61 i.src = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.EMBEDDING_
CSP); | |
62 } else { | |
63 // Once iframe has loaded, check that on change of `src` attribute | |
64 // Embedding-CSP value is based on latest `csp` attribute value. | |
65 assert_equals("default-src 'unsafe-inline'", e.data['embedding_csp']
); | |
66 t.done(); | |
67 } | |
68 })); | |
69 | |
70 document.body.appendChild(i); | |
71 }, "Test Embedding-CSP value on `csp` change: " + test.name); | |
72 }); | |
73 </script> | |
74 </body> | |
75 </html> | |
OLD | NEW |