summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/content-security-policy/inheritance/iframe-all-local-schemes.sub.html
diff options
context:
space:
mode:
Diffstat (limited to 'testing/web-platform/tests/content-security-policy/inheritance/iframe-all-local-schemes.sub.html')
-rw-r--r--testing/web-platform/tests/content-security-policy/inheritance/iframe-all-local-schemes.sub.html180
1 files changed, 180 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/iframe-all-local-schemes.sub.html b/testing/web-platform/tests/content-security-policy/inheritance/iframe-all-local-schemes.sub.html
new file mode 100644
index 0000000000..4b787e0c18
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/iframe-all-local-schemes.sub.html
@@ -0,0 +1,180 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+
+<body>
+
+<script>
+ function wait_for_error_from_frame(frame, test) {
+ window.addEventListener('message', test.step_func(e => {
+ if (e.source != frame.contentWindow)
+ return;
+ assert_equals(e.data, "error");
+ frame.remove();
+ test.done();
+ }));
+ }
+
+ function wait_for_error_from_window(opened_window, test) {
+ window.addEventListener('message', test.step_func(e => {
+ if (e.source != opened_window)
+ return;
+ assert_equals(e.data, "error");
+ opened_window.close();
+ test.done();
+ }));
+ }
+
+ async_test(t => {
+ var i = document.createElement('iframe');
+ document.body.appendChild(i);
+
+ var img = document.createElement('img');
+ img.onerror = t.step_func_done(_ => i.remove());
+ img.onload = t.unreached_func();
+ i.contentDocument.body.appendChild(img);
+ img.src = "{{location[server]}}/images/red-16x16.png";
+ }, "<iframe>'s about:blank inherits policy.");
+
+ async_test(t => {
+ var w = window.open("about:blank");
+
+ let then = t.step_func(() => {
+ then = () => {};
+ var img = w.document.createElement('img');
+ img.onerror = t.step_func_done(_ => w.close());
+ img.onload = t.unreached_func();
+ w.document.body.appendChild(img);
+ img.src = "{{location[server]}}/images/red-16x16.png";
+ });
+
+ // There are now interoperable way to wait for the initial about:blank
+ // document to load. Chrome loads it synchronously, hence we can't wait for
+ // w.onload. On the other side Firefox loads the initial empty document
+ // later and we can wait for the onload event.
+ w.onload = then;
+ setTimeout(then, 200);
+
+ // Navigations to about:blank happens synchronously. There is no need to
+ // wait for the document to load.
+ }, "window about:blank inherits policy.");
+
+ async_test(t => {
+ var i = document.createElement('iframe');
+ i.srcdoc = `
+ <img src='{{location[server]}}/images/red-16x16.png'
+ onload='window.top.postMessage("load", "*");'
+ onerror='window.top.postMessage("error", "*");'
+ >
+ `;
+
+ wait_for_error_from_frame(i, t);
+
+ document.body.appendChild(i);
+ }, "<iframe srcdoc>'s inherits policy.");
+
+ async_test(t => {
+ var i = document.createElement('iframe');
+ var b = new Blob(
+ [`
+ <img src='{{location[server]}}/images/red-16x16.png'
+ onload='window.top.postMessage("load", "*");'
+ onerror='window.top.postMessage("error", "*");'
+ >
+ `], {type:"text/html"});
+ i.src = URL.createObjectURL(b);
+
+ wait_for_error_from_frame(i, t);
+
+ document.body.appendChild(i);
+ }, "<iframe src='blob:...'>'s inherits policy.");
+
+ async_test(t => {
+ var b = new Blob(
+ [`
+ <img src='{{location[server]}}/images/red-16x16.png'
+ onload='window.opener.postMessage("load", "*");'
+ onerror='window.opener.postMessage("error", "*");'
+ >
+ `], {type:"text/html"});
+ let url = URL.createObjectURL(b);
+ var w = window.open(url);
+ wait_for_error_from_window(w, t);
+ }, "window url='blob:...' inherits policy.");
+
+ async_test(t => {
+ var i = document.createElement('iframe');
+ i.src = `data:text/html,<img src='{{location[server]}}/images/red-16x16.png'
+ onload='window.top.postMessage("load", "*");'
+ onerror='window.top.postMessage("error", "*");'
+ >`;
+
+ wait_for_error_from_frame(i, t);
+
+ document.body.appendChild(i);
+ }, "<iframe src='data:...'>'s inherits policy.");
+
+ // Opening a window toward a data-url isn't allowed anymore. Hence, it can't
+ // be tested.
+
+ async_test(t => {
+ var i = document.createElement('iframe');
+ i.src = `javascript:"<img src='{{location[server]}}/images/red-16x16.png'
+ onload='window.top.postMessage(\\"load\\", \\"*\\");'
+ onerror='window.top.postMessage(\\"error\\", \\"*\\");'
+ >"`;
+
+ wait_for_error_from_frame(i, t);
+
+ document.body.appendChild(i);
+ }, "<iframe src='javascript:...'>'s inherits policy (static <img> is blocked)");
+
+ async_test(t => {
+ let url = `javascript:"<img src='{{location[server]}}/images/red-16x16.png'
+ onload='window.opener.postMessage(\\"load\\", \\"*\\");'
+ onerror='window.opener.postMessage(\\"error\\", \\"*\\");'
+ >"`;
+
+ let w = window.open(url);
+ wait_for_error_from_window(w, t);
+ }, "window url='javascript:...'>'s inherits policy (static <img> is blocked)");
+
+ // Same as the previous javascript-URL test, but instead of loading the <img>
+ // from the new document, this one is created from the initial empty document,
+ // while evaluating the javascript-url.
+ // See https://crbug.com/1064676
+ async_test(t => {
+ let url = `javascript:
+ let img = document.createElement('img');
+ img.onload = () => window.top.postMessage('load', '*');
+ img.onerror = () => window.top.postMessage('error', '*');
+ img.src = '{{location[server]}}/images/red-16x16.png';
+ document.body.appendChild(img);
+ `;
+ var i = document.createElement('iframe');
+ i.src = encodeURI(url.replace(/\n/g, ""));
+ wait_for_error_from_frame(i, t);
+
+ document.body.appendChild(i);
+ }, "<iframe src='javascript:...'>'s inherits policy (dynamically inserted <img> is blocked)");
+
+ async_test(t => {
+ var i = document.createElement('iframe');
+ var b = new Blob(
+ [`
+ <img src='{{location[server]}}/images/red-16x16.png'
+ onload='window.top.postMessage("load", "*");'
+ onerror='window.top.postMessage("error", "*");'
+ >
+ `], {type:"text/html"});
+ i.src = URL.createObjectURL(b);
+ i.sandbox = 'allow-scripts';
+
+ wait_for_error_from_frame(i, t);
+
+ document.body.appendChild(i);
+ }, "<iframe sandbox src='blob:...'>'s inherits policy. (opaque origin sandbox)");
+
+</script>