Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(134)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/required_csp-header.html

Issue 2896833002: Added validation of the policy specified in the 'csp' attribute (Closed)
Patch Set: Fixed issue with the renaming of the embedding-csp header Created 3 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « third_party/WebKit/LayoutTests/TestExpectations ('k') | third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/required_csp-header-invalid-format.html » ('j') | third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 <!DOCTYPE html> 1 <!DOCTYPE html>
2 <html> 2 <html>
3 <head> 3 <head>
4 <title>Embedded Enforcement: Required-CSP header.</title> 4 <title>Embedded Enforcement: Required-CSP header.</title>
5 <script src="/resources/testharness.js"></script> 5 <script src="/resources/testharness.js"></script>
6 <script src="/resources/testharnessreport.js"></script> 6 <script src="/resources/testharnessreport.js"></script>
7 <script src="support/testharness-helper.sub.js"></script> 7 <script src="support/testharness-helper.sub.js"></script>
8 </head> 8 </head>
9 <body> 9 <body>
10 <script> 10 <script>
11 var tests = [ 11 var tests = [
12 { "name": "Required-CSP is not sent if `csp` attribute is not set on <ifra me>.", 12 { "name": "Required-CSP is not sent if `csp` attribute is not set on <ifra me>.",
13 "csp": null, 13 "csp": null,
14 "expected": null }, 14 "expected": null },
15 { "name": "Send Required-CSP when `csp` attribute of <iframe> is not empty .", 15 { "name": "Send Required-CSP when `csp` attribute of <iframe> is not empty .",
16 "csp": "script-src 'unsafe-inline'", 16 "csp": "script-src 'unsafe-inline'",
17 "expected": "script-src 'unsafe-inline'" }, 17 "expected": "script-src 'unsafe-inline'" },
18 { "name": "Send Required-CSP Header on change of `src` attribute on iframe .", 18 { "name": "Send Required-CSP Header on change of `src` attribute on iframe .",
19 "csp": "script-src 'unsafe-inline'", 19 "csp": "script-src 'unsafe-inline'",
20 "expected": "script-src 'unsafe-inline'" }, 20 "expected": "script-src 'unsafe-inline'" },
21 { "name": "Wrong value of `csp` should not trigger sending Required-CSP He ader.",
22 "csp": "completely wrong csp",
23 "expected": null },
21 ]; 24 ];
22 25
23 tests.forEach(test => { 26 tests.forEach(test => {
24 async_test(t => { 27 async_test(t => {
25 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP) ; 28 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP) ;
26 assert_required_csp(t, url, test.csp, test.expected); 29 assert_required_csp(t, url, test.csp, test.expected);
27 }, "Test same origin: " + test.name); 30 }, "Test same origin: " + test.name);
28 31
29 async_test(t => { 32 async_test(t => {
30 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP) ; 33 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP) ;
(...skipping 17 matching lines...) Expand all
48 var i = document.createElement('iframe'); 51 var i = document.createElement('iframe');
49 if (test.csp) 52 if (test.csp)
50 i.csp = test.csp; 53 i.csp = test.csp;
51 i.src = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP); 54 i.src = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP);
52 var loaded = false; 55 var loaded = false;
53 56
54 window.addEventListener('message', t.step_func(e => { 57 window.addEventListener('message', t.step_func(e => {
55 if (e.source != i.contentWindow || !('required_csp' in e.data)) 58 if (e.source != i.contentWindow || !('required_csp' in e.data))
56 return; 59 return;
57 if (!loaded) { 60 if (!loaded) {
58 assert_equals(test.expected, e.data['required_csp']); 61 assert_equals(e.data['required_csp'], test.expected);
59 loaded = true; 62 loaded = true;
60 i.csp = "default-src 'unsafe-inline'"; 63 i.csp = "default-src 'unsafe-inline'";
61 i.src = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.REQUIRED_C SP); 64 i.src = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.REQUIRED_C SP);
62 } else { 65 } else {
63 // Once iframe has loaded, check that on change of `src` attribute 66 // Once iframe has loaded, check that on change of `src` attribute
64 // Required-CSP value is based on latest `csp` attribute value. 67 // Required-CSP value is based on latest `csp` attribute value.
65 assert_equals("default-src 'unsafe-inline'", e.data['required_csp']) ; 68 assert_equals(e.data['required_csp'], "default-src 'unsafe-inline'") ;
66 t.done(); 69 t.done();
67 } 70 }
68 })); 71 }));
69 72
70 document.body.appendChild(i); 73 document.body.appendChild(i);
71 }, "Test Required-CSP value on `csp` change: " + test.name); 74 }, "Test Required-CSP value on `csp` change: " + test.name);
72 }); 75 });
73 </script> 76 </script>
74 </body> 77 </body>
75 </html> 78 </html>
OLDNEW
« no previous file with comments | « third_party/WebKit/LayoutTests/TestExpectations ('k') | third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/required_csp-header-invalid-format.html » ('j') | third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp » ('J')

Powered by Google App Engine
This is Rietveld 408576698