1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
|
function xfo_simple_tests({ headerValue, headerValue2, cspValue, sameOriginAllowed, crossOriginAllowed }) {
simpleXFOTestsInner({
urlPrefix: "",
allowed: sameOriginAllowed,
headerValue,
headerValue2,
cspValue,
sameOrCross: "same-origin"
});
simpleXFOTestsInner({
urlPrefix: "http://{{domains[www]}}:{{ports[http][0]}}",
allowed: crossOriginAllowed,
headerValue,
headerValue2,
cspValue,
sameOrCross: "cross-origin"
});
}
function simpleXFOTestsInner({ urlPrefix, allowed, headerValue, headerValue2, cspValue, sameOrCross }) {
const value2QueryString = headerValue2 !== undefined ? `&value2=${headerValue2}` : ``;
const cspQueryString = cspValue !== undefined ? `&csp_value=${cspValue}` : ``;
const valueMessageString = headerValue === "" ? "(the empty string)" : headerValue;
const value2MessageString = headerValue2 === "" ? "(the empty string)" : headerValue2;
const value2MaybeMessageString = headerValue2 !== undefined ? `;${headerValue2}` : ``;
const cspMessageString = cspValue !== undefined ? ` with CSP ${cspValue}` : ``;
// This will test the multi-header variant, if headerValue2 is not undefined.
xfo_test({
url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue}${value2QueryString}${cspQueryString}`,
check: allowed ? "loaded message" : "no message",
message: `\`${valueMessageString}${value2MaybeMessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}`
});
if (headerValue2 !== undefined && headerValue2 !== headerValue) {
// Reversed variant
xfo_test({
url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue2}&value2=${headerValue}${cspQueryString}`,
check: allowed ? "loaded message" : "no message",
message: `\`${value2MessageString};${valueMessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}`
});
// Comma variant
xfo_test({
url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue},${headerValue2}${cspQueryString}`,
check: allowed ? "loaded message" : "no message",
message: `\`${valueMessageString},${value2MessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}`
});
// Comma + reversed variant
xfo_test({
url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue2},${headerValue}${cspQueryString}`,
check: allowed ? "loaded message" : "no message",
message: `\`${value2MessageString},${valueMessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}`
});
}
}
function xfo_test({ url, check, message }) {
async_test(t => {
const i = document.createElement("iframe");
i.src = url;
switch (check) {
case "loaded message": {
waitForMessageFrom(i, t).then(t.step_func_done(e => {
assert_equals(e.data, "Loaded");
}));
break;
}
case "failed message": {
waitForMessageFrom(i, t).then(t.step_func_done(e => {
assert_equals(e.data, "Failed");
}));
break;
}
case "no message": {
waitForMessageFrom(i, t).then(t.unreached_func("Frame should not have sent a message."));
i.onload = t.step_func_done(() => {
assert_equals(i.contentDocument, null);
});
break;
}
default: {
throw new Error("Bad test");
}
}
document.body.append(i);
t.add_cleanup(() => i.remove());
}, message);
}
function waitForMessageFrom(frame, test) {
return new Promise(resolve => {
window.addEventListener("message", test.step_func(e => {
if (e.source == frame.contentWindow) {
resolve(e);
}
}));
});
}
|
