diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 01:47:29 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 01:47:29 +0000 |
commit | 0ebf5bdf043a27fd3dfb7f92e0cb63d88954c44d (patch) | |
tree | a31f07c9bcca9d56ce61e9a1ffd30ef350d513aa /testing/web-platform/tests/content-security-policy/navigate-to | |
parent | Initial commit. (diff) | |
download | firefox-esr-0ebf5bdf043a27fd3dfb7f92e0cb63d88954c44d.tar.xz firefox-esr-0ebf5bdf043a27fd3dfb7f92e0cb63d88954c44d.zip |
Adding upstream version 115.8.0esr.upstream/115.8.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/content-security-policy/navigate-to')
61 files changed, 977 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/anchor-navigation-always-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/anchor-navigation-always-allowed.html new file mode 100644 index 0000000000..658897fb1b --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/anchor-navigation-always-allowed.html @@ -0,0 +1,23 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> + +<a name="anchor"></a> + +<script> + var t = async_test("Test that anchor navigation is allowed regardless of the `navigate-to` directive"); + + window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have triggered any violation")); + + try { + window.location.hash = "anchor"; + t.done(); + } catch(ex) {} +</script> + +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/anchor-navigation-always-allowed.html.headers b/testing/web-platform/tests/content-security-policy/navigate-to/anchor-navigation-always-allowed.html.headers new file mode 100644 index 0000000000..739a2ce175 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/anchor-navigation-always-allowed.html.headers @@ -0,0 +1,4 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Security-Policy: navigate-to 'none' diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html new file mode 100644 index 0000000000..7b4b455d8d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html @@ -0,0 +1,18 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child can navigate the parent because the relevant policy belongs to the navigation initiator (in this case the child, which has the policy `navigate-to 'self'`)"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'success'); + }); +</script> + +<iframe srcdoc="<iframe src='support/navigate_parent.sub.html?csp=navigate-to%20%27self%27'>"> + +</body> diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html.headers b/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html.headers new file mode 100644 index 0000000000..aced1c6d05 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-allowed.html.headers @@ -0,0 +1,4 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Security-Policy: navigate-to 'self' support/navigate_parent.sub.html diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html new file mode 100644 index 0000000000..4e50617e3c --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html @@ -0,0 +1,19 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child can't navigate the parent because the relevant policy belongs to the navigation initiator (in this case the child which has the policy `navigate-to 'none'`)"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'fail'); + assert_equals(e.data.violatedDirective, 'navigate-to'); + }); +</script> +<iframe srcdoc="<iframe src='support/navigate_parent.sub.html?csp=navigate-to%20%27none%27&report_id={{$id:uuid()}}'>"></iframe> + +<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27none%27&reportID={{$id}}'></script> +</body> diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html.headers b/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html.headers new file mode 100644 index 0000000000..9cb770bcc1 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html.headers @@ -0,0 +1,4 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Security-Policy: navigate-to 'self' diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-allows.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-allows.sub.html new file mode 100644 index 0000000000..f58407ac6d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-allows.sub.html @@ -0,0 +1,16 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that form-action overrides navigate-to when present."); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'success'); + }); +</script> +<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27%3B%20form-action%20%27self%27%3B&action=post_message_to_frame_owner.html&report_id={{uuid()}}"> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-blocks.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-blocks.sub.html new file mode 100644 index 0000000000..0ddc8820f9 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-blocks.sub.html @@ -0,0 +1,16 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that form-action overrides navigate-to when present."); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'success'); + }); +</script> +<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27none%27%3B%20form-action%20%27self%27%3B&action=post_message_to_frame_owner.html&report_id={{uuid()}}"> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.sub.html new file mode 100644 index 0000000000..927ebb4d36 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.sub.html @@ -0,0 +1,17 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that form-action overrides navigate-to when present."); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'fail'); + assert_equals(e.data.violatedDirective, 'form-action'); + }); +</script> +<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27%3B%20form-action%20%27none%27%3B&action=post_message_to_frame_owner.html&report_id={{uuid()}}""> +</body> diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.sub.html new file mode 100644 index 0000000000..56688fa418 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.sub.html @@ -0,0 +1,17 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that form-action overrides navigate-to when present."); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'fail'); + assert_equals(e.data.violatedDirective, 'form-action'); + }); +</script> +<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27none%27%3B%20form-action%20%27none%27%3B&action=post_message_to_frame_owner.html&report_id={{uuid()}}"> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/form-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/form-allowed.html new file mode 100644 index 0000000000..aa38d898ab --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-allowed.html @@ -0,0 +1,16 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'success'); + }); +</script> +<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27&action=post_message_to_frame_owner.html"></iframe> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/form-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/form-blocked.sub.html new file mode 100644 index 0000000000..72db7b8d1d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-blocked.sub.html @@ -0,0 +1,19 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is not allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'fail'); + assert_equals(e.data.violatedDirective, 'navigate-to'); + }); +</script> +<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27none%27&report_id={{$id:uuid()}}&action=post_message_to_frame_owner.html"></iframe> + +<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27none%27&reportID={{$id}}'></script> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/form-cross-origin-allowed.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/form-cross-origin-allowed.sub.html new file mode 100644 index 0000000000..4d0ddc30f1 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-cross-origin-allowed.sub.html @@ -0,0 +1,16 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'success'); + }); +</script> +<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}&action=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/form-cross-origin-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/form-cross-origin-blocked.sub.html new file mode 100644 index 0000000000..be5f70c8b1 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-cross-origin-blocked.sub.html @@ -0,0 +1,19 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is not allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'fail'); + assert_equals(e.data.violatedDirective, 'navigate-to'); + }); +</script> +<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&action=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe> + +<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/form-redirected-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/form-redirected-allowed.html new file mode 100644 index 0000000000..129b719c22 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-redirected-allowed.html @@ -0,0 +1,16 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'success'); + }); +</script> +<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27&action=redirect_to_post_message_to_frame_owner.py%3Flocation%3Dpost_message_to_frame_owner.html"></iframe> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/form-redirected-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/form-redirected-blocked.sub.html new file mode 100644 index 0000000000..d60b8a7aa8 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/form-redirected-blocked.sub.html @@ -0,0 +1,20 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is not allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'fail'); + assert_equals(e.data.violatedDirective, 'navigate-to'); + }); +</script> + +<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&action=redirect_to_post_message_to_frame_owner.py%3Flocation%3Dhttp%3A%2F%2F{{domains[www1]}}%3A{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe> + +<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/href-location-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-allowed.html new file mode 100644 index 0000000000..16e11e0c65 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-allowed.html @@ -0,0 +1,17 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'success'); + }); + + window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27self%27&target=post_message_to_frame_owner.html", "_blank"); +</script> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/href-location-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-blocked.sub.html new file mode 100644 index 0000000000..721f055c71 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-blocked.sub.html @@ -0,0 +1,20 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is not allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'fail'); + assert_equals(e.data.violatedDirective, 'navigate-to'); + }); + + window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27none%27&report_id={{$id:uuid()}}&target=post_message_to_frame_owner.html", "_blank"); +</script> + +<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27none%27&reportID={{$id}}'></script> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/href-location-cross-origin-allowed.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-cross-origin-allowed.sub.html new file mode 100644 index 0000000000..a9396fc406 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-cross-origin-allowed.sub.html @@ -0,0 +1,17 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'success'); + }); + + window.open("support/href_location_navigation.sub.html?csp=navigate-to%20http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html", "_blank"); +</script> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/href-location-cross-origin-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-cross-origin-blocked.sub.html new file mode 100644 index 0000000000..cd0cd9106d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-cross-origin-blocked.sub.html @@ -0,0 +1,20 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is not allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'fail'); + assert_equals(e.data.violatedDirective, 'navigate-to'); + }); + + window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html", "_blank"); +</script> + +<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/href-location-redirected-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-redirected-allowed.html new file mode 100644 index 0000000000..4dbfa7aef9 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-redirected-allowed.html @@ -0,0 +1,17 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'success'); + }); + + window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27self%27&target=redirect_to_post_message_to_frame_owner.py", "_blank"); +</script> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/href-location-redirected-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-redirected-blocked.sub.html new file mode 100644 index 0000000000..5d8fafb313 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/href-location-redirected-blocked.sub.html @@ -0,0 +1,20 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is not allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'fail'); + assert_equals(e.data.violatedDirective, 'navigate-to'); + }); + + window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=redirect_to_post_message_to_frame_owner.py%3Flocation%3Dhttp%3A%2F%2F{{domains[www1]}}%3A{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html", "_blank"); +</script> + +<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/link-click-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-allowed.html new file mode 100644 index 0000000000..977b85dfb2 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-allowed.html @@ -0,0 +1,16 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'success'); + }); +</script> +<iframe src="support/link_click_navigation.sub.html?csp=navigate-to%20%27self%27&target=post_message_to_frame_owner.html"> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/link-click-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-blocked.sub.html new file mode 100644 index 0000000000..29686fcaef --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-blocked.sub.html @@ -0,0 +1,19 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is not allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'fail'); + assert_equals(e.data.violatedDirective, 'navigate-to'); + }); +</script> +<iframe src="support/link_click_navigation.sub.html?csp=navigate-to%20%27none%27&report_id={{$id:uuid()}}&target=post_message_to_frame_owner.html"></iframe> + +<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/link-click-cross-origin-allowed.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-cross-origin-allowed.sub.html new file mode 100644 index 0000000000..4381bcb08d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-cross-origin-allowed.sub.html @@ -0,0 +1,16 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'success'); + }); +</script> +<iframe src="support/link_click_navigation.sub.html?csp=navigate-to%20http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/link-click-cross-origin-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-cross-origin-blocked.sub.html new file mode 100644 index 0000000000..f2b106c577 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-cross-origin-blocked.sub.html @@ -0,0 +1,20 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is not allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'fail'); + assert_equals(e.data.violatedDirective, 'navigate-to'); + }); +</script> + +<iframe src="support/link_click_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe> + +<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/link-click-redirected-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-redirected-allowed.html new file mode 100644 index 0000000000..87dea95b1d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-redirected-allowed.html @@ -0,0 +1,16 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'success'); + }); +</script> +<iframe src="support/link_click_navigation.sub.html?csp=navigate-to%20%27self%27&target=redirect_to_post_message_to_frame_owner.py"> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/link-click-redirected-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-redirected-blocked.sub.html new file mode 100644 index 0000000000..9b9205a526 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/link-click-redirected-blocked.sub.html @@ -0,0 +1,19 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is not allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'fail'); + assert_equals(e.data.violatedDirective, 'navigate-to'); + }); +</script> +<iframe src="support/link_click_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=redirect_to_post_message_to_frame_owner.py%3Flocation%3Dhttp%3A%2F%2F{{domains[www1]}}%3A{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe> + +<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-allowed.html new file mode 100644 index 0000000000..eeaefc496e --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-allowed.html @@ -0,0 +1,16 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'success'); + }); +</script> +<iframe src="support/meta_refresh_navigation.sub.html?csp=navigate-to%20%27self%27&target=post_message_to_frame_owner.html"> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-blocked.sub.html new file mode 100644 index 0000000000..1292c9ba5f --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-blocked.sub.html @@ -0,0 +1,20 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is not allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'fail'); + assert_equals(e.data.violatedDirective, 'navigate-to'); + }); +</script> + +<iframe src="support/meta_refresh_navigation.sub.html?csp=navigate-to%20%27none%27&report_id={{$id:uuid()}}&target=post_message_to_frame_owner.html"></iframe> + +<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27none%27&reportID={{$id}}'></script> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-cross-origin-allowed.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-cross-origin-allowed.sub.html new file mode 100644 index 0000000000..39e887eaad --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-cross-origin-allowed.sub.html @@ -0,0 +1,16 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'success'); + }); +</script> +<iframe src="support/meta_refresh_navigation.sub.html?csp=navigate-to%20http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub.html new file mode 100644 index 0000000000..d7ccd33620 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub.html @@ -0,0 +1,20 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is not allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'fail'); + assert_equals(e.data.violatedDirective, 'navigate-to'); + }); +</script> + +<iframe src="support/meta_refresh_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe> + +<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-redirected-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-redirected-allowed.html new file mode 100644 index 0000000000..de756bce8b --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-redirected-allowed.html @@ -0,0 +1,16 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'success'); + }); +</script> +<iframe src="support/meta_refresh_navigation.sub.html?csp=navigate-to%20%27self%27&target=redirect_to_post_message_to_frame_owner.py"> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub.html new file mode 100644 index 0000000000..0734473ee6 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub.html @@ -0,0 +1,20 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is not allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'fail'); + assert_equals(e.data.violatedDirective, 'navigate-to'); + }); +</script> + +<iframe src="support/meta_refresh_navigation.sub.html?csp=navigate-to%20%27self%27&report_id={{$id:uuid()}}&target=redirect_to_post_message_to_frame_owner.py%3Flocation%3Dhttp%3A%2F%2F{{domains[www1]}}%3A{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html"></iframe> + +<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20%27self%27&reportID={{$id}}'></script> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html b/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html new file mode 100644 index 0000000000..47a661157c --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html @@ -0,0 +1,26 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the parent can navigate the child because the relevant policy belongs to the navigation initiator (in this case the parent, which has the policy `navigate-to 'self'`)"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'success'); + }); + window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have triggered a policy violation")); + + var i = document.createElement('iframe'); + var src_changed = false; + i.onload = function() { + if (src_changed) return; + src_changed = true; + i.src = "support/post_message_to_frame_owner.html"; + } + i.src = "support/wait_for_navigation.html?csp=navigate-to%20%none%27"; + document.body.appendChild(i); +</script> +</body> diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html.headers b/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html.headers new file mode 100644 index 0000000000..9cb770bcc1 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-allowed.html.headers @@ -0,0 +1,4 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Security-Policy: navigate-to 'self' diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html b/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html new file mode 100644 index 0000000000..c662da95fa --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html @@ -0,0 +1,28 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the parent can't navigate the child because the relevant policy belongs to the navigation initiator (in this case the parent, which has the policy `navigate-to support/wait_for_navigation.html;`)"); + window.onmessage = t.unreached_func("Should not have received a message as the navigation should not have been successful"); + window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { + assert_equals(e.violatedDirective, 'navigate-to'); + })); + + var i = document.createElement('iframe'); + var src_changed = false; + i.onload = function() { + if (src_changed) return; + src_changed = true; + i.src = "support/post_message_to_frame_owner.html"; + } + i.src = "support/wait_for_navigation.html?csp=navigate-to%20%27self%27"; + document.body.appendChild(i); +</script> + +<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=navigate-to%20support%2Fwait_for_navigation.html'></script> +</body> diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html.sub.headers b/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html.sub.headers new file mode 100644 index 0000000000..36238fa78a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/parent-navigates-child-blocked.html.sub.headers @@ -0,0 +1,5 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Set-Cookie: parent-navigates-child-blocked={{$id:uuid()}}; Path=/content-security-policy/navigate-to/ +Content-Security-Policy: navigate-to support/wait_for_navigation.html; report-uri /reporting/resources/report.py?op=put&reportID={{$id}} diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/spv-only-sent-to-initiator.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/spv-only-sent-to-initiator.sub.html new file mode 100644 index 0000000000..a09057e715 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/spv-only-sent-to-initiator.sub.html @@ -0,0 +1,48 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> +<body> +<!-- This tests that a navigation initiator that has been replaced by the time + the navigation it initiates is blocked, will not receive the SPV event. + + An iframe will navigate another iframe and the navigate itself. + The second iframe's navigation response will be delayed by the server but will + eventually be blocked by the CSP of the first iframe. + By the time this happens the first iframe should be an entirely different + document and it should not receive a SPV event --> +<script> + var t = async_test("Test that no spv event is raised"); + window.onmessage = t.step_func(function(e) { + if (e.data == "end_test") t.done(); + else assert_unreached("Should not have raised a spv event"); + }); + + var frames_loaded_count = 0; + var frame_loaded = function() { + if (++frames_loaded_count == 2) { + // both child frame have loaded we can start the + // test now, send a message to iframe1 so it knows to start + document.getElementById('iframe1').contentWindow.postMessage('start_test', '*'); + } + } + var i1 = document.createElement('iframe'); + i1.src = "support/spv-test-iframe1.sub.html?report_id={{$id:uuid()}}"; + i1.id = "iframe1"; + i1.name = "iframe1"; + i1.onload = frame_loaded; + document.body.appendChild(i1); + + var i2 = document.createElement('iframe'); + i2.src = "support/spv-test-iframe2.sub.html"; + i2.id = "iframe2"; + i2.name = "iframe2"; + i2.onload = frame_loaded; + document.body.appendChild(i2); +</script> + +<script async defer src='../support/checkReport.sub.js?reportExists=false&reportID={{$id}}'></script> + +</body> diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/delayed_frame.py b/testing/web-platform/tests/content-security-policy/navigate-to/support/delayed_frame.py new file mode 100644 index 0000000000..06bcb9b680 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/delayed_frame.py @@ -0,0 +1,12 @@ +import time +def main(request, response): + time.sleep(1) + headers = [(b"Content-Type", b"text/html")] + return headers, u''' +<!DOCTYPE html> +<head> +</head> +<body> + DELAYED FRAME +</body +''' diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/form_action_navigation.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/support/form_action_navigation.sub.html new file mode 100644 index 0000000000..a4121944ea --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/form_action_navigation.sub.html @@ -0,0 +1,33 @@ +<!DOCTYPE html> +<head> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + + <script> + window.addEventListener('securitypolicyviolation', function(e) { + top.postMessage({result: 'fail', violatedDirective: e.violatedDirective}, '*'); + }); + </script> +</head> + +<body> +<form action='{{GET[action]}}' target='_self' id='form'> + <input type="text" name="dummy"> + <div id="form-div"></div> +</form> + +<script> + try { + url = new URL("{{GET[action]}}", location.href); + for (var p of url.searchParams) { + var elem = document.createElement('input'); + elem.type = 'text'; + elem.name = p[0]; + elem.value = p[1]; + document.getElementById('form-div').appendChild(elem); + } + } catch(ex) {} + + document.getElementById('form').submit(); +</script> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/form_action_navigation.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/navigate-to/support/form_action_navigation.sub.html.sub.headers new file mode 100644 index 0000000000..a42cfe2d95 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/form_action_navigation.sub.html.sub.headers @@ -0,0 +1,4 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Security-Policy: {{GET[csp]}}; report-uri /reporting/resources/report.py?op=put&reportID={{GET[report_id]}} diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html new file mode 100644 index 0000000000..15b1365cc2 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html @@ -0,0 +1,17 @@ +<!DOCTYPE html> +<head> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + window.addEventListener('securitypolicyviolation', function(e) { + opener.postMessage({result: 'fail', violatedDirective: e.violatedDirective}, '*'); + }); + + try { + location.href = "{{GET[target]}}"; + } catch(ex) {} +</script> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html.sub.headers new file mode 100644 index 0000000000..a42cfe2d95 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/href_location_navigation.sub.html.sub.headers @@ -0,0 +1,4 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Security-Policy: {{GET[csp]}}; report-uri /reporting/resources/report.py?op=put&reportID={{GET[report_id]}} diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html new file mode 100644 index 0000000000..2434271211 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html @@ -0,0 +1,16 @@ +<!DOCTYPE html> +<head> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<a href="{{GET[target]}}" id="link">dummy link</a> +<script> + window.addEventListener('securitypolicyviolation', function(e) { + top.postMessage({result: 'fail', violatedDirective: e.violatedDirective}, '*'); + }); + + document.getElementById('link').click(); +</script> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html.sub.headers new file mode 100644 index 0000000000..a42cfe2d95 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/link_click_navigation.sub.html.sub.headers @@ -0,0 +1,4 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Security-Policy: {{GET[csp]}}; report-uri /reporting/resources/report.py?op=put&reportID={{GET[report_id]}} diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/meta_refresh_navigation.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/support/meta_refresh_navigation.sub.html new file mode 100644 index 0000000000..64bae27fed --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/meta_refresh_navigation.sub.html @@ -0,0 +1,16 @@ +<!DOCTYPE html> +<head> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + + <script> + window.addEventListener('securitypolicyviolation', function(e) { + top.postMessage({result: 'fail', violatedDirective: e.violatedDirective}, '*'); + }); + </script> + + <meta http-equiv="refresh" content="0; url={{GET[target]}}"> +</head> + +<body> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/meta_refresh_navigation.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/navigate-to/support/meta_refresh_navigation.sub.html.sub.headers new file mode 100644 index 0000000000..a42cfe2d95 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/meta_refresh_navigation.sub.html.sub.headers @@ -0,0 +1,4 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Security-Policy: {{GET[csp]}}; report-uri /reporting/resources/report.py?op=put&reportID={{GET[report_id]}} diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/navigate_parent.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/support/navigate_parent.sub.html new file mode 100644 index 0000000000..a84c9c64ca --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/navigate_parent.sub.html @@ -0,0 +1,18 @@ +<!DOCTYPE html> +<head> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + + <script> + window.addEventListener('securitypolicyviolation', function(e) { + top.postMessage({result: 'fail', violatedDirective: e.violatedDirective}, '*'); + }); + </script> +</head> + +<body> +<a href="post_message_to_frame_owner.html" id="link" target="_parent">dummy link</a> +<script> + document.getElementById('link').click(); +</script> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/navigate_parent.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/navigate-to/support/navigate_parent.sub.html.sub.headers new file mode 100644 index 0000000000..a42cfe2d95 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/navigate_parent.sub.html.sub.headers @@ -0,0 +1,4 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Security-Policy: {{GET[csp]}}; report-uri /reporting/resources/report.py?op=put&reportID={{GET[report_id]}} diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/post_message_to_frame_owner.html b/testing/web-platform/tests/content-security-policy/navigate-to/support/post_message_to_frame_owner.html new file mode 100644 index 0000000000..c25e49d146 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/post_message_to_frame_owner.html @@ -0,0 +1,6 @@ +<script> + if (window.opener) + window.opener.postMessage({result: 'success'}, '*'); + else + top.postMessage({result: 'success'}, '*'); +</script>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/redirect_to_post_message_to_frame_owner.py b/testing/web-platform/tests/content-security-policy/navigate-to/support/redirect_to_post_message_to_frame_owner.py new file mode 100644 index 0000000000..0f6f6eca7b --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/redirect_to_post_message_to_frame_owner.py @@ -0,0 +1,6 @@ +def main(request, response): + response.status = 302 + if b"location" in request.GET: + response.headers.set(b"Location", request.GET[b"location"]) + else: + response.headers.set(b"Location", b"post_message_to_frame_owner.html") diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html new file mode 100644 index 0000000000..9e26c02be3 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html @@ -0,0 +1,19 @@ +<!DOCTYPE html> +<head> + <script> + window.onmessage = function(e) { + if (e.data == "start_test") { + document.getElementById('link').click(); + location.href = "{{location[server]}}/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html"; + } + } + window.addEventListener('securitypolicyviolation', function(e) { + top.postMessage({iframe: 'iframe1', violatedDirective: e.violatedDirective}, '*'); + }); + </script> +</head> + +<body> + <a href="{{location[server]}}/content-security-policy/navigate-to/support/delayed_frame.py" id="link" target="iframe2">dummy link</a> + IFRAME 1 +</body> diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html.sub.headers new file mode 100644 index 0000000000..9d83b92d96 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html.sub.headers @@ -0,0 +1,4 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Security-Policy: navigate-to {{location[server]}}/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html 'unsafe-allow-redirects'; report-uri /reporting/resources/report.py?op=put&reportID={{GET[report_id]}} diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe2.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe2.sub.html new file mode 100644 index 0000000000..1329683c88 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe2.sub.html @@ -0,0 +1,14 @@ +<!DOCTYPE html> +<head> +</head> +<body> + <script> + window.addEventListener('securitypolicyviolation', function(e) { + top.postMessage({iframe: 'iframe1', violatedDirective: e.violatedDirective}, '*'); + }); + setTimeout(function() { + top.postMessage("end_test", "*"); + }, 4000); + </script> + IFRAME 2 +</body> diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html new file mode 100644 index 0000000000..09dbf6863d --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html @@ -0,0 +1,12 @@ +<!DOCTYPE html> +<head> + <script> + window.addEventListener('securitypolicyviolation', function(e) { + top.postMessage({iframe: 'iframe3', violatedDirective: e.violatedDirective}, '*'); + }); + </script> +</head> + +<body> + IFRAME 3 +</body> diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/wait_for_navigation.html b/testing/web-platform/tests/content-security-policy/navigate-to/support/wait_for_navigation.html new file mode 100644 index 0000000000..2450ff1c0a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/wait_for_navigation.html @@ -0,0 +1,14 @@ +<!DOCTYPE html> +<head> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + + <script> + window.addEventListener('securitypolicyviolation', function(e) { + top.postMessage({result: 'fail', violatedDirective: e.violatedDirective}, '*'); + }); + </script> +</head> + +<body> +</body>
\ No newline at end of file diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/support/wait_for_navigation.html.sub.headers b/testing/web-platform/tests/content-security-policy/navigate-to/support/wait_for_navigation.html.sub.headers new file mode 100644 index 0000000000..d3c635b9a0 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/support/wait_for_navigation.html.sub.headers @@ -0,0 +1,4 @@ +Expires: Mon, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Security-Policy: {{GET[csp]}} diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain-because-of-same-origin.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain-because-of-same-origin.sub.html new file mode 100644 index 0000000000..192477296b --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain-because-of-same-origin.sub.html @@ -0,0 +1,29 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'success'); + }); + + // the iframe will navigate to: + // [www2]/..../redirect.py (which is not in the navigate-to source list) which will in turn navigate to + // [www1]/..../post_message_to_frame_owner.html which is not exactly in + // the list but the check should be reduced to an origin check since there has been a redirect. + // Because of 'unsafe-allow-redirects' only the second one is checked since the first is a redirect + + var i = document.createElement('iframe'); + i.src = "../support/link_click_navigation.sub.html" + + "?csp=" + encodeURIComponent("navigate-to {{location[scheme]}}://{{domains[www1]}}:{{location[port]}}/some-path/ 'unsafe-allow-redirects'") + + "&target=" + encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/common/redirect.py?location=" + + encodeURIComponent("{{location[scheme]}}://{{domains[www1]}}:{{location[port]}}/content-security-policy/navigate-to/support/post_message_to_frame_owner.html")); + document.body.appendChild(i); +</script> + +</body> diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain.sub.html new file mode 100644 index 0000000000..74fe8f2e7a --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain.sub.html @@ -0,0 +1,28 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is allowed"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'success'); + }); + + // the iframe will navigate to: + // [www2]/..../redirect.py (which is not in the navigate-to source list) which will in turn navigate to + // [www1]/..../post_message_to_frame_owner.html which is in the list + // because of 'unsafe-allow-redirects' only the second one is checked since the first is a redirect + + var i = document.createElement('iframe'); + i.src = "../support/link_click_navigation.sub.html" + + "?csp=" + encodeURIComponent("navigate-to {{location[scheme]}}://{{domains[www1]}}:{{location[port]}} 'unsafe-allow-redirects'") + + "&target=" + encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/common/redirect.py?location=" + + encodeURIComponent("{{location[scheme]}}://{{domains[www1]}}:{{location[port]}}/content-security-policy/navigate-to/support/post_message_to_frame_owner.html")); + document.body.appendChild(i); +</script> + +</body> diff --git a/testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub.html b/testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub.html new file mode 100644 index 0000000000..86e54b3d93 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub.html @@ -0,0 +1,29 @@ +<!DOCTYPE html> + +<head> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> + +<body> +<script> + var t = async_test("Test that the child iframe navigation is blocked"); + window.onmessage = t.step_func_done(function(e) { + assert_equals(e.data.result, 'fail'); + assert_equals(e.data.violatedDirective, 'navigate-to'); + }); + + // the iframe will navigate to: + // [www2]/..../redirect.py (which is not in the navigate-to source list) which will in turn navigate to + // [www2]/..../post_message_to_frame_owner.html which is also not in the list + // because of 'unsafe-allow-redirects' only the second one is checked since the first is a redirect + + var i = document.createElement('iframe'); + i.src = "../support/link_click_navigation.sub.html" + + "?csp=" + encodeURIComponent("navigate-to {{location[scheme]}}://{{domains[www1]}}:{{location[port]}} 'unsafe-allow-redirects'") + + "&target=" + encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/common/redirect.py?location=" + + encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/content-security-policy/navigate-to/support/post_message_to_frame_owner.html")); + document.body.appendChild(i); +</script> + +</body> |