OLD | NEW |
1 <!DOCTYPE html> | 1 <!DOCTYPE html> |
2 <html> | 2 <html> |
3 <head> | 3 <head> |
4 <title>Embedded Enforcement: Required-CSP header.</title> | 4 <title>Embedded Enforcement: Required-CSP header.</title> |
5 <script src="/resources/testharness.js"></script> | 5 <script src="/resources/testharness.js"></script> |
6 <script src="/resources/testharnessreport.js"></script> | 6 <script src="/resources/testharnessreport.js"></script> |
7 <script src="support/testharness-helper.sub.js"></script> | 7 <script src="support/testharness-helper.sub.js"></script> |
8 </head> | 8 </head> |
9 <body> | 9 <body> |
10 <script> | 10 <script> |
11 var tests = [ | 11 var tests = [ |
12 { "name": "Required-CSP is not sent if `csp` attribute is not set on <ifra
me>.", | 12 { "name": "Required-CSP is not sent if `csp` attribute is not set on <ifra
me>.", |
13 "csp": null, | 13 "csp": null, |
14 "expected": null }, | 14 "expected": null }, |
15 { "name": "Send Required-CSP when `csp` attribute of <iframe> is not empty
.", | 15 { "name": "Send Required-CSP when `csp` attribute of <iframe> is not empty
.", |
16 "csp": "script-src 'unsafe-inline'", | 16 "csp": "script-src 'unsafe-inline'", |
17 "expected": "script-src 'unsafe-inline'" }, | 17 "expected": "script-src 'unsafe-inline'" }, |
18 { "name": "Send Required-CSP Header on change of `src` attribute on iframe
.", | 18 { "name": "Send Required-CSP Header on change of `src` attribute on iframe
.", |
19 "csp": "script-src 'unsafe-inline'", | 19 "csp": "script-src 'unsafe-inline'", |
20 "expected": "script-src 'unsafe-inline'" }, | 20 "expected": "script-src 'unsafe-inline'" }, |
| 21 { "name": "Wrong value of `csp` should not trigger sending Required-CSP He
ader.", |
| 22 "csp": "completely wrong csp", |
| 23 "expected": null }, |
21 ]; | 24 ]; |
22 | 25 |
23 tests.forEach(test => { | 26 tests.forEach(test => { |
24 async_test(t => { | 27 async_test(t => { |
25 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP)
; | 28 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP)
; |
26 assert_required_csp(t, url, test.csp, test.expected); | 29 assert_required_csp(t, url, test.csp, test.expected); |
27 }, "Test same origin: " + test.name); | 30 }, "Test same origin: " + test.name); |
28 | 31 |
29 async_test(t => { | 32 async_test(t => { |
30 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP)
; | 33 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP)
; |
(...skipping 17 matching lines...) Expand all Loading... |
48 var i = document.createElement('iframe'); | 51 var i = document.createElement('iframe'); |
49 if (test.csp) | 52 if (test.csp) |
50 i.csp = test.csp; | 53 i.csp = test.csp; |
51 i.src = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP); | 54 i.src = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP); |
52 var loaded = false; | 55 var loaded = false; |
53 | 56 |
54 window.addEventListener('message', t.step_func(e => { | 57 window.addEventListener('message', t.step_func(e => { |
55 if (e.source != i.contentWindow || !('required_csp' in e.data)) | 58 if (e.source != i.contentWindow || !('required_csp' in e.data)) |
56 return; | 59 return; |
57 if (!loaded) { | 60 if (!loaded) { |
58 assert_equals(test.expected, e.data['required_csp']); | 61 assert_equals(e.data['required_csp'], test.expected); |
59 loaded = true; | 62 loaded = true; |
60 i.csp = "default-src 'unsafe-inline'"; | 63 i.csp = "default-src 'unsafe-inline'"; |
61 i.src = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.REQUIRED_C
SP); | 64 i.src = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.REQUIRED_C
SP); |
62 } else { | 65 } else { |
63 // Once iframe has loaded, check that on change of `src` attribute | 66 // Once iframe has loaded, check that on change of `src` attribute |
64 // Required-CSP value is based on latest `csp` attribute value. | 67 // Required-CSP value is based on latest `csp` attribute value. |
65 assert_equals("default-src 'unsafe-inline'", e.data['required_csp'])
; | 68 assert_equals(e.data['required_csp'], "default-src 'unsafe-inline'")
; |
66 t.done(); | 69 t.done(); |
67 } | 70 } |
68 })); | 71 })); |
69 | 72 |
70 document.body.appendChild(i); | 73 document.body.appendChild(i); |
71 }, "Test Required-CSP value on `csp` change: " + test.name); | 74 }, "Test Required-CSP value on `csp` change: " + test.name); |
72 }); | 75 }); |
73 </script> | 76 </script> |
74 </body> | 77 </body> |
75 </html> | 78 </html> |
OLD | NEW |