1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
|
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Sequence of the checks performed against a navigation response</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>
<body>
<script>
'use strict';
const collect = (win) => {
const report = new Promise((resolve) => {
if (!win.ReportingObserver) {
return;
}
const observer = new win.ReportingObserver(resolve);
observer.observe();
}).then((reports) => reports[0].type);
// Although CSP also makes use of ReportingObserver, monitoring this event
// allows the test to provide value to implementations that have not yet
// integrated CSP and Reporting (as of the time of this writing, Firefox and
// Safari).
const cspViolation = new Promise((resolve) => {
win.document.addEventListener('securitypolicyviolation', () => resolve('csp-violation'));
});
const halfASecond = new Promise((resolve) => setTimeout(() => resolve(null), 500));
return Promise.race([report, cspViolation, halfASecond]);
};
const createWindow = (t, url) => {
const win = open(url);
t.add_cleanup(() => win.close());
return new Promise((resolve) => win.onload = () => resolve(win));
};
promise_test(async (t) => {
const win = await createWindow(t, '/common/blank.html?pipe=header(content-security-policy, frame-src none)');
const iframe = win.document.createElement('iframe');
iframe.src = '/common/blank.html?pipe=header(x-frame-options, deny)';
win.document.body.appendChild(iframe);
assert_equals(await collect(win), 'csp-violation');
}, 'CSP check precedes X-Frame-Options check');
promise_test(async (t) => {
const win = await createWindow(t, '/common/blank.html?pipe=header(content-security-policy, frame-src none)|header(cross-origin-embedder-policy, require-corp)');
const iframe = win.document.createElement('iframe');
iframe.src = '/common/blank.html';
win.document.body.appendChild(iframe);
assert_equals(await collect(win), 'csp-violation');
}, 'CSP check precedes COEP check - CSP header first');
promise_test(async (t) => {
const win = await createWindow(t, '/common/blank.html?pipe=header(cross-origin-embedder-policy, require-corp)|header(content-security-policy, frame-src none)');
const iframe = win.document.createElement('iframe');
iframe.src = '/common/blank.html';
win.document.body.appendChild(iframe);
assert_equals(await collect(win), 'csp-violation');
}, 'CSP check precedes COEP check - COEP header first');
promise_test(async (t) => {
const win = await createWindow(t, '/common/blank.html?pipe=header(cross-origin-embedder-policy, require-corp)');
const iframe = win.document.createElement('iframe');
iframe.src = '/common/blank.html?pipe=header(x-frame-options, deny)';
win.document.body.appendChild(iframe);
assert_equals(await collect(win), 'coep');
}, 'COEP check precedes X-Frame-Options check');
</script>
</body>
</html>
|
