diff options
Diffstat (limited to 'testing/web-platform/tests/html/browsers/browsing-the-web/navigating-across-documents/failure-check-sequence.https.html')
| -rw-r--r-- | testing/web-platform/tests/html/browsers/browsing-the-web/navigating-across-documents/failure-check-sequence.https.html | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/testing/web-platform/tests/html/browsers/browsing-the-web/navigating-across-documents/failure-check-sequence.https.html b/testing/web-platform/tests/html/browsers/browsing-the-web/navigating-across-documents/failure-check-sequence.https.html new file mode 100644 index 0000000000..5d7aa2b9cb --- /dev/null +++ b/testing/web-platform/tests/html/browsers/browsing-the-web/navigating-across-documents/failure-check-sequence.https.html @@ -0,0 +1,76 @@ +<!DOCTYPE html> +<html> +<head> +<meta charset="utf-8"> +<title>Sequence of the checks performed against a navigation response</title> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +</head> +<body> +<script> +'use strict'; +const collect = (win) => { + const report = new Promise((resolve) => { + if (!win.ReportingObserver) { + return; + } + + const observer = new win.ReportingObserver(resolve); + observer.observe(); + }).then((reports) => reports[0].type); + // Although CSP also makes use of ReportingObserver, monitoring this event + // allows the test to provide value to implementations that have not yet + // integrated CSP and Reporting (as of the time of this writing, Firefox and + // Safari). + const cspViolation = new Promise((resolve) => { + win.document.addEventListener('securitypolicyviolation', () => resolve('csp-violation')); + }); + const halfASecond = new Promise((resolve) => setTimeout(() => resolve(null), 500)); + + return Promise.race([report, cspViolation, halfASecond]); +}; + +const createWindow = (t, url) => { + const win = open(url); + t.add_cleanup(() => win.close()); + return new Promise((resolve) => win.onload = () => resolve(win)); +}; + +promise_test(async (t) => { + const win = await createWindow(t, '/common/blank.html?pipe=header(content-security-policy, frame-src none)'); + const iframe = win.document.createElement('iframe'); + iframe.src = '/common/blank.html?pipe=header(x-frame-options, deny)'; + win.document.body.appendChild(iframe); + + assert_equals(await collect(win), 'csp-violation'); +}, 'CSP check precedes X-Frame-Options check'); + +promise_test(async (t) => { + const win = await createWindow(t, '/common/blank.html?pipe=header(content-security-policy, frame-src none)|header(cross-origin-embedder-policy, require-corp)'); + const iframe = win.document.createElement('iframe'); + iframe.src = '/common/blank.html'; + win.document.body.appendChild(iframe); + + assert_equals(await collect(win), 'csp-violation'); +}, 'CSP check precedes COEP check - CSP header first'); + +promise_test(async (t) => { + const win = await createWindow(t, '/common/blank.html?pipe=header(cross-origin-embedder-policy, require-corp)|header(content-security-policy, frame-src none)'); + const iframe = win.document.createElement('iframe'); + iframe.src = '/common/blank.html'; + win.document.body.appendChild(iframe); + + assert_equals(await collect(win), 'csp-violation'); +}, 'CSP check precedes COEP check - COEP header first'); + +promise_test(async (t) => { + const win = await createWindow(t, '/common/blank.html?pipe=header(cross-origin-embedder-policy, require-corp)'); + const iframe = win.document.createElement('iframe'); + iframe.src = '/common/blank.html?pipe=header(x-frame-options, deny)'; + win.document.body.appendChild(iframe); + + assert_equals(await collect(win), 'coep'); +}, 'COEP check precedes X-Frame-Options check'); +</script> +</body> +</html> |