Diffstat (limited to 'testing/web-platform/tests/content-security-policy/navigation')
9 files changed, 189 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp.html b/testing/web-platform/tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp.html
new file mode 100644
index 0000000000..21c4fb33ce
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<script>
+ var window_url = encodeURIComponent("javascript:'<iframe src=/content-security-policy/support/fail.js />'");
+ var report_cookie_name = encodeURIComponent("javascript-url-navigation-inherits-csp");
+ window.open("support/test_csp_self_window.sub.html?window_url=" + window_url + "&report_cookie_name=" + report_cookie_name);
+ setTimeout(function() {
+ var s = document.createElement('script');
+ s.async = true;
+ s.defer = true;
+ s.src = "../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-src%20%27none%27";
+ document.body.appendChild(s);
+ }, 2000);
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/support/frame-with-csp.sub.html b/testing/web-platform/tests/content-security-policy/navigation/support/frame-with-csp.sub.html
new file mode 100644
index 0000000000..b4d5b82e46
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/support/frame-with-csp.sub.html
@@ -0,0 +1,2 @@
+<meta http-equiv="Content-Security-Policy" content="{{GET[csp]}}">
+CHILD FRAME
diff --git a/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html b/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html
new file mode 100644
index 0000000000..2f7b685a75
--- /dev/null
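Review bot: The result check in javascript-url-navigation-inherits-csp.html is scheduled on a fixed `setTimeout(..., 2000)` with no completion signal from the opened window, so on a slow runner the report may not yet be stored when checkReport.sub.js polls for it, while on a fast one the test idles for two seconds. The handle returned by `window.open(...)` is also discarded, so the popup is never closed after the check. Keeping it, `var w = window.open(...)`, and calling `w.close()` after appending the checker script would tidy that up; the delay itself cannot be removed without a message from the support page, so at least a comment such as `// Give the opened window time to navigate and post the CSP report before polling for it.` should say why 2000 ms is there.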
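Review bot: frame-with-csp.sub.html interpolates `{{GET[csp]}}` straight into a quoted attribute, and test_csp_self_window.sub.html (next file) interpolates `{{GET[window_url]}}` as element content; unless the `.sub` pipeline HTML-escapes GET values, both reflect the query string into markup unescaped. For the second file this affects the test itself: the caller passes `javascript:'<iframe src=... />'`, which the parser will treat as a real `<iframe>` start tag inside the span rather than as text, so `textContent` is unlikely to equal the original parameter and the frame may be created by the support page directly instead of by the `javascript:` navigation under test. Reading the value from the URL in script avoids the markup round-trip entirely, `var window_url = new URLSearchParams(location.search).get("window_url");`, and the `<span id="escape">` can then be dropped. For the `csp` parameter the callers are the sibling tests, so a comment such as `<!-- csp is inserted unescaped: callers must not pass quotes or '>' -->` is enough.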
+++ b/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<span id="escape">{{GET[window_url]}}</span>
+
+<script>
+ var window_url = document.getElementById("escape").textContent;
+ window.open(window_url, "_self");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html.sub.headers
new file mode 100644
index 0000000000..5024a99bc9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: {{GET[report_cookie_name]}}={{$id:uuid()}}; Path=/content-security-policy/navigation/
+Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html
new file mode 100644
index 0000000000..e95e71c59b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<iframe src="support/frame-with-csp.sub.html?csp=script-src%20%27unsafe-inline%27"></iframe>
+<div onclick="frames[0].location.href = 'javascript:parent.postMessage(\'executed\', \'*\')'" id="special_div"></div>
+<script>
+ var t = async_test("Should have executed the javascript url");
+ frames[0].addEventListener('load', () => {
+ window.onmessage = t.step_func(function(e) {
+ if (e.data == "executed")
+ t.done();
+ });
+ window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have raised a violation event"));
+ document.getElementById('special_div').click();
+ });
+</script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-disallow.html b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-disallow.html
new file mode 100644
index 0000000000..3a0641170e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-disallow.html
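Review bot: The `load` listener in to-javascript-parent-initiated-child-csp.html is attached to `frames[0]`, the child Window that exists while the iframe still holds its initial about:blank document, so the test relies on that Window object being reused once `support/frame-with-csp.sub.html` finishes loading; the spec requires reuse for same-origin documents, but implementations have not always agreed, and if the Window is replaced the listener never fires and the test times out rather than failing with a message. The sibling to-javascript-parent-initiated-parent-csp-disallow.html attaches to the iframe element instead, which has no such dependency; `document.querySelector("iframe").addEventListener('load', ...)` would make this file, and to-javascript-parent-initiated-parent-csp.html which uses the same `frames[0]` pattern, consistent with it. The `e.data == "executed"` comparison should also be `===`.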
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<head>
+<meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-abc'">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<iframe src="support/frame-with-csp.sub.html?csp=script-src%20'self'%20'unsafe-inline'"></iframe>
+<script nonce='abc'>
+ var t = async_test("Should not have executed the javascript url");
+ const iframe = document.querySelector("iframe");
+ iframe.addEventListener('load', () => {
+ window.onmessage = t.step_func(function(e) {
+ if (e.data == "executed")
+ assert_true(false, "Javascript url executed");
+ });
+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+ assert_equals(e.blockedURI, 'inline');
+ }));
+ iframe.contentWindow.location.href = 'javascript:parent.postMessage(\'executed\', \'*\')'
+ });
+</script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html
new file mode 100644
index 0000000000..8aa8884914
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html
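Review bot: The navigation statement in to-javascript-parent-initiated-parent-csp-disallow.html, `iframe.contentWindow.location.href = 'javascript:...'`, has no terminating semicolon, and the violation handler pins only `e.blockedURI`; the sibling tests also assert the directive (`violatedDirective` of `script-src-attr` in to-javascript-parent-initiated-parent-csp.html, `effectiveDirective` of `script-src-elem` in to-javascript-url-script-src.html), so this file leaves open which directive a script-initiated `javascript:` navigation is expected to report. If the expected value is known, a second `assert_equals(e.effectiveDirective, ...)` would make the three files agree on what they check. The `e.data == "executed"` comparison should be `===` here as well.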
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<head>
+<meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-abc'">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<iframe src="support/frame-with-csp.sub.html"></iframe>
+<div onclick="frames[0].location.href = 'javascript:parent.postMessage(\'executed\', \'*\')'" id="special_div"></div>
+<script nonce='abc'>
+ var t = async_test("Should not have executed the javascript url");
+ frames[0].addEventListener('load', () => {
+ window.onmessage = t.step_func(function(e) {
+ if (e.data == "executed")
+ assert_true(false, "Javascript url executed");
+ });
+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+ assert_equals(e.blockedURI, 'inline');
+ assert_equals(e.violatedDirective, 'script-src-attr');
+ }));
+ document.getElementById('special_div').click();
+ });
+</script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-frame-src.html b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-frame-src.html
new file mode 100644
index 0000000000..0475856f53
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-frame-src.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="frame-src 'none'">
+
+<body>
+
+<script>
+ var t = async_test("<iframe src='javascript:...'> not blocked by 'frame-src'");
+
+ var i = document.createElement('iframe');
+ i.src = "javascript:window.top.t.done();";
+
+ document.body.appendChild(i);
+</script>
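Review bot: In to-javascript-parent-initiated-parent-csp.html the expected `violatedDirective` is `script-src-attr`, the directive that governs inline event handlers, so the violation this test observes appears to be the blocked `onclick` attribute on `special_div` rather than a blocked `javascript:` navigation: the parent policy `script-src 'self' 'nonce-abc'` does not allow the handler, so `frames[0].location.href = ...` most likely never runs. If the intent is to cover the navigation itself, issue it from the nonced script as to-javascript-parent-initiated-parent-csp-disallow.html does, `frames[0].location.href = 'javascript:parent.postMessage(\'executed\', \'*\')';`, and drop the `<div onclick=...>`; if the intent really is the handler, a comment saying so would keep the next reader from taking `Should not have executed the javascript url` literally.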
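Review bot: In to-javascript-url-frame-src.html the `<meta http-equiv="Content-Security-Policy">` comes after the two harness `<script src>` elements and outside any explicit `<head>`; it lands in the parser-created head, so the policy does apply, but a meta CSP is ignored when it is not a child of `<head>`, and the ordering after the harness scripts is what exempts them from the policy. The same layout appears in to-javascript-url-script-src.html. Making the head explicit, as the three to-javascript-parent-initiated-*.html files do, and adding `<!-- CSP meta is placed after the harness scripts so they are not subject to it -->` would make that intent visible rather than incidental.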
diff --git a/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-script-src.html b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-script-src.html
new file mode 100644
index 0000000000..70dea1f985
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-script-src.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'">
+
+<body>
+
+<script nonce="abc">
+ function assert_csp_event_for_element(test, element) {
+ assert_equals(typeof SecurityPolicyViolationEvent, "function", "These tests require 'SecurityPolicyViolationEvent'.");
+ document.addEventListener("securitypolicyviolation", test.step_func(e => {
+ if (e.target != element)
+ return;
+ assert_equals(e.blockedURI, "inline");
+ assert_equals(e.effectiveDirective, "script-src-elem");
+ assert_equals(element.contentDocument.body.innerText, "", "Ensure that 'Fail' doesn't appear in the child document.");
+ element.remove();
+ test.done();
+ }));
+ }
+
+ function navigate_to_javascript_onload(test, iframe) {
+ iframe.addEventListener("load", test.step_func(e => {
+ assert_equals(typeof SecurityPolicyViolationEvent, "function");
+ iframe.contentDocument.addEventListener(
+ "securitypolicyviolation",
+ test.unreached_func("The CSP event should be fired in the embedding document, not in the embedee.")
+ );
+
+ iframe.src = "javascript:'Fail.'";
+ }));
+ }
+
+ async_test(t => {
+ var i = document.createElement("iframe");
+ i.src = "javascript:'Fail.'";
+
+ assert_csp_event_for_element(t, i);
+
+ document.body.appendChild(i);
+ }, "<iframe src='javascript:'> blocked without 'unsafe-inline'.");
+
+ async_test(t => {
+ var i = document.createElement("iframe");
+
+ assert_csp_event_for_element(t, i);
+ navigate_to_javascript_onload(t, i);
+
+ document.body.appendChild(i);
+ }, "<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'.");
+
+ async_test(t => {
+ var i = document.createElement("iframe");
+ i.src = "../support/echo-policy.py?policy=" + encodeURIComponent("script-src 'unsafe-inline'");
+
+ assert_csp_event_for_element(t, i);
+ navigate_to_javascript_onload(t, i);
+
+ document.body.appendChild(i);
+ }, "<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document");
+
+ async_test(t => {
+ var i = document.createElement("iframe");
+ i.src = "../support/echo-policy.py?policy=" + encodeURIComponent("script-src 'none'");
+
+ assert_csp_event_for_element(t, i);
+ navigate_to_javascript_onload(t, i);
+
+ document.body.appendChild(i);
+ }, "<iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' blocked in this document.");
+</script> |
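Review bot: `assert_csp_event_for_element` in to-javascript-url-script-src.html registers a document-level `securitypolicyviolation` listener for every test and never removes it, so after `element.remove()` and `test.done()` all four listeners stay attached and keep running their `e.target != element` filter on every later violation. Holding the handler in a variable and removing it in the done path, or via `test.add_cleanup(() => document.removeEventListener("securitypolicyviolation", handler))`, would scope each listener to its own test. The `e.target != element` comparison should be `!==`, and `navigate_to_javascript_onload` also leaves its `load` listener attached, so if the navigation were ever allowed the handler would assign the same `javascript:` URL to `iframe.src` again on each subsequent load.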