diff options
Diffstat (limited to 'testing/web-platform/tests/content-security-policy/inheritance/location-reload.html')
-rw-r--r-- | testing/web-platform/tests/content-security-policy/inheritance/location-reload.html | 120 |
1 files changed, 120 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/location-reload.html b/testing/web-platform/tests/content-security-policy/inheritance/location-reload.html new file mode 100644 index 0000000000..5d68e381bc --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/inheritance/location-reload.html @@ -0,0 +1,120 @@ +<!DOCTYPE html> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> + +<meta http-equiv="Content-Security-Policy" content="img-src 'none'"> +<body> +<script> + let message_from = (w, starts_with) => { + return new Promise(resolve => { + window.addEventListener('message', msg => { + if (msg.source == w) { + if (!starts_with || msg.data.startsWith(starts_with)) + resolve(msg.data); + } + }); + }); + }; + + const img_url = window.origin + "/content-security-policy/support/fail.png"; + const img_tag_string = ` + <img src="${img_url}" + onload="top.postMessage('img loaded', '*');" + onerror="top.postMessage('img blocked', '*');" + > + `; + + const html_test_payload = ` + <!doctype html> + <div>${img_tag_string}</div> + `; + let blob_url = URL.createObjectURL( + new Blob([html_test_payload], { type: 'text/html' })); + + let write_img_to_iframe = (iframe) => { + let div = iframe.contentDocument.createElement('div'); + div.innerHTML = img_tag_string; + iframe.contentDocument.body.appendChild(div); + }; + + + // Test location.reload() for "about:blank". + promise_test(async t => { + // Create an empty iframe. + window.iframe = document.createElement('iframe'); + document.body.appendChild(iframe); + + // Add an img. + let message = message_from(iframe.contentWindow); + write_img_to_iframe(iframe); + + // Check that the empty document inherits CSP from the initiator. + assert_equals(await message, "img blocked", + "Image should be blocked by CSP inherited from the parent."); + + // Now perform a reload. + let message_2 = message_from(iframe.contentWindow); + let loaded = new Promise(resolve => iframe.onload = resolve); + iframe.contentWindow.location.reload(); + await loaded; + + // Add an img. + write_img_to_iframe(iframe); + + // Check that the empty document still has the right CSP after reload. + assert_equals(await message_2, "img blocked", + "Image should be blocked by CSP after reload."); + }, "location.reload() of empty iframe."); + + + // Test location.reload() for a blob URL. + promise_test(async t => { + // Create an iframe. + window.iframe = document.createElement('iframe'); + document.body.appendChild(iframe); + + // Navigate to the blob URL. + let message = message_from(iframe.contentWindow); + iframe.contentWindow.location = blob_url; + + // Check that the blob URL inherits CSP from the initiator. + assert_equals(await message, "img blocked", + "Image should be blocked by CSP inherited from navigation initiator."); + + // Now perform a reload. + let message_2 = message_from(iframe.contentWindow); + let loaded = new Promise(resolve => iframe.onload = resolve); + iframe.contentWindow.location.reload(); + await loaded; + + // Check that the blob URL document still has the right CSP after reload. + assert_equals(await message_2, "img blocked", + "Image should be blocked by CSP after reload."); + }, "location.reload() of blob URL iframe."); + + + // Test location.reload() for a srcdoc iframe. + promise_test(async t => { + // Create a srcdoc iframe. + window.iframe = document.createElement('iframe'); + document.body.appendChild(iframe); + + let message = message_from(iframe.contentWindow); + iframe.srcdoc = `${html_test_payload}`; + + // Check that the srcdoc iframe inherits from the parent. + assert_equals(await message, "img blocked", + "Image should be blocked by CSP inherited from navigation initiator."); + + // Now perform a reload. + let message_2 = message_from(iframe.contentWindow); + let loaded = new Promise(resolve => iframe.onload = resolve); + iframe.contentWindow.location.reload(); + await loaded; + + // Check that the srcdoc iframe still has the right CSP after reload. + assert_equals(await message_2, "img blocked", + "Image should be blocked by CSP after reload."); + }, "location.reload() of srcdoc iframe."); +</script> +</body> |