1 <!DOCTYPE html> | 1 <!DOCTYPE html> |
2 <html> | 2 <html> |
3 <head> | 3 <head> |
4 <title>Embedded Enforcement: Embedding-CSP header.</title> | 4 <title>Embedded Enforcement: Required-CSP header.</title> |
5 <script src="/resources/testharness.js"></script> | 5 <script src="/resources/testharness.js"></script> |
6 <script src="/resources/testharnessreport.js"></script> | 6 <script src="/resources/testharnessreport.js"></script> |
7 <script src="support/testharness-helper.sub.js"></script> | 7 <script src="support/testharness-helper.sub.js"></script> |
8 </head> | 8 </head> |
9 <body> | 9 <body> |
10 <script> | 10 <script> |
11 var tests = [ | 11 var tests = [ |
12 { "name": "Embedding-CSP is not sent if `csp` attribute is not set on <ifr
ame>.", | 12 { "name": "Required-CSP is not sent if `csp` attribute is not set on <ifra
me>.", |
13 "csp": null, | 13 "csp": null, |
14 "expected": null }, | 14 "expected": null }, |
15 { "name": "Send Embedding-CSP when `csp` attribute of <iframe> is not empt
y.", | 15 { "name": "Send Required-CSP when `csp` attribute of <iframe> is not empty
.", |
16 "csp": "script-src 'unsafe-inline'", | 16 "csp": "script-src 'unsafe-inline'", |
17 "expected": "script-src 'unsafe-inline'" }, | 17 "expected": "script-src 'unsafe-inline'" }, |
18 { "name": "Send Embedding-CSP Header on change of `src` attribute on ifram
e.", | 18 { "name": "Send Required-CSP Header on change of `src` attribute on iframe
.", |
19 "csp": "script-src 'unsafe-inline'", | 19 "csp": "script-src 'unsafe-inline'", |
20 "expected": "script-src 'unsafe-inline'" }, | 20 "expected": "script-src 'unsafe-inline'" }, |
21 ]; | 21 ]; |
22 | 22 |
23 tests.forEach(test => { | 23 tests.forEach(test => { |
24 async_test(t => { | 24 async_test(t => { |
25 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.EMBEDDING_CSP
); | 25 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP)
; |
26 assert_embedding_csp(t, url, test.csp, test.expected); | 26 assert_required_csp(t, url, test.csp, test.expected); |
27 }, "Test same origin: " + test.name); | 27 }, "Test same origin: " + test.name); |
28 | 28 |
29 async_test(t => { | 29 async_test(t => { |
30 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.EMBEDDING_CSP
); | 30 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP)
; |
31 var redirect_url = generateRedirect(Host.SAME_ORIGIN, url); | 31 var redirect_url = generateRedirect(Host.SAME_ORIGIN, url); |
32 assert_embedding_csp(t, redirect_url, test.csp, test.expected); | 32 assert_required_csp(t, redirect_url, test.csp, test.expected); |
33 }, "Test same origin redirect: " + test.name); | 33 }, "Test same origin redirect: " + test.name); |
34 | 34 |
35 async_test(t => { | 35 async_test(t => { |
36 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.EMBEDDING_CSP
); | 36 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP)
; |
37 var redirect_url = generateRedirect(Host.CROSS_ORIGIN, url); | 37 var redirect_url = generateRedirect(Host.CROSS_ORIGIN, url); |
38 assert_embedding_csp(t, redirect_url, test.csp, test.expected); | 38 assert_required_csp(t, redirect_url, test.csp, test.expected); |
39 }, "Test cross origin redirect: " + test.name); | 39 }, "Test cross origin redirect: " + test.name); |
40 | 40 |
41 async_test(t => { | 41 async_test(t => { |
42 var url = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.EMBEDDING_CS
P); | 42 var url = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.REQUIRED_CSP
); |
43 var redirect_url = generateRedirect(Host.CROSS_ORIGIN, url); | 43 var redirect_url = generateRedirect(Host.CROSS_ORIGIN, url); |
44 assert_embedding_csp(t, redirect_url, test.csp, test.expected); | 44 assert_required_csp(t, redirect_url, test.csp, test.expected); |
45 }, "Test cross origin redirect of cross origin iframe: " + test.name); | 45 }, "Test cross origin redirect of cross origin iframe: " + test.name); |
46 | 46 |
47 async_test(t => { | 47 async_test(t => { |
48 var i = document.createElement('iframe'); | 48 var i = document.createElement('iframe'); |
49 if (test.csp) | 49 if (test.csp) |
50 i.csp = test.csp; | 50 i.csp = test.csp; |
51 i.src = generateURLString(Host.SAME_ORIGIN, PolicyHeader.EMBEDDING_CSP); | 51 i.src = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP); |
52 var loaded = false; | 52 var loaded = false; |
53 | 53 |
54 window.addEventListener('message', t.step_func(e => { | 54 window.addEventListener('message', t.step_func(e => { |
55 if (e.source != i.contentWindow || !('embedding_csp' in e.data)) | 55 if (e.source != i.contentWindow || !('required_csp' in e.data)) |
56 return; | 56 return; |
57 if (!loaded) { | 57 if (!loaded) { |
58 assert_equals(test.expected, e.data['embedding_csp']); | 58 assert_equals(test.expected, e.data['required_csp']); |
59 loaded = true; | 59 loaded = true; |
60 i.csp = "default-src 'unsafe-inline'"; | 60 i.csp = "default-src 'unsafe-inline'"; |
61 i.src = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.EMBEDDING_
CSP); | 61 i.src = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.REQUIRED_C
SP); |
62 } else { | 62 } else { |
63 // Once iframe has loaded, check that on change of `src` attribute | 63 // Once iframe has loaded, check that on change of `src` attribute |
64 // Embedding-CSP value is based on latest `csp` attribute value. | 64 // Required-CSP value is based on latest `csp` attribute value. |
65 assert_equals("default-src 'unsafe-inline'", e.data['embedding_csp']
); | 65 assert_equals("default-src 'unsafe-inline'", e.data['required_csp'])
; |
66 t.done(); | 66 t.done(); |
67 } | 67 } |
68 })); | 68 })); |
69 | 69 |
70 document.body.appendChild(i); | 70 document.body.appendChild(i); |
71 }, "Test Embedding-CSP value on `csp` change: " + test.name); | 71 }, "Test Required-CSP value on `csp` change: " + test.name); |
72 }); | 72 }); |
73 </script> | 73 </script> |
74 </body> | 74 </body> |
75 </html> | 75 </html> |