1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
<!DOCTYPE html>
<html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<body>
<script>
let message_from = (w, starts_with) => {
return new Promise(resolve => {
window.addEventListener('message', msg => {
if (msg.source == w) {
if (!starts_with ||
(msg.data.startsWith && msg.data.startsWith(starts_with)))
resolve(msg.data);
}
});
});
};
const img_url = window.origin + "/content-security-policy/support/pass.png";
const function_addImage_string = `
function addImage() {
let img = document.createElement('img');
img.onload = () => top.postMessage('img loaded', '*');
img.onerror = () => top.postMessage('img blocked', '*');
img.src = '${img_url}';
document.body.appendChild(img);
}
`;
const html_test_payload = `
<!doctype html>
<script>${function_addImage_string}</scr`+`ipt>
<body onpageshow="addImage();"></body>
`;
let blob_url = URL.createObjectURL(
new Blob([html_test_payload], { type: 'text/html' }));
// A local-scheme document is loaded in an iframe with CSPEE. Then the csp
// attribute is changed and the iframe is navigated away and back. Since the
// policies are reloaded from history, the fact that the csp attribute changed
// is irrelevant.
promise_test(async t => {
// Create an iframe.
let iframe = document.createElement('iframe');
iframe.csp = "img-src 'none'; style-src 'none'";
document.body.appendChild(iframe);
let message_1 = message_from(iframe.contentWindow, "img");
iframe.src = blob_url;
assert_equals(await message_1, "img blocked",
"Img should be blocked by CSP enforced via CSPEE.");
iframe.csp = "style-src 'none'";
let message_2 = message_from(iframe.contentWindow, "img");
iframe.src = "../inheritance/support/message-top-and-navigate-back.html";
assert_equals(await message_2, "img blocked",
"Img should be blocked by CSP reloaded from history.");
let message_3 = message_from(iframe.contentWindow, "img");
iframe.src = "about:blank";
iframe.src = blob_url;
assert_equals(await message_3, "img loaded",
"Img should be allowed by CSP enforced by new csp attribute.");
}, "Iframe csp attribute changed before history navigation of local scheme.");
// A network-scheme document is loaded in an iframe with CSPEE. Then the csp
// attribute is changed and the iframe is navigated away and back. Since the
// policies are calculated again, the new csp attribute should be enforced
// after the history navigation.
promise_test(async t => {
// Create an iframe.
let iframe = document.createElement('iframe');
iframe.csp = "img-src 'none'; style-src 'none'";
document.body.appendChild(iframe);
let message_1 = message_from(iframe.contentWindow, "img");
iframe.src = "./support/embed-img-and-message-top.html";
assert_equals(await message_1, "img blocked",
"Img should be blocked by CSP enforced via CSPEE.");
iframe.csp = "style-src 'none'";
let message_2 = message_from(iframe.contentWindow, "img");
iframe.src = "../inheritance/support/message-top-and-navigate-back.html";
assert_equals(await message_2, "img loaded",
"Img should be allowed by CSP enforced by new csp attribute.");
}, "Iframe csp attribute changed before history navigation of network scheme.");
</script>
</body>
</html>
|