summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/content-security-policy/navigation
diff options
context:
space:
mode:
Diffstat (limited to 'testing/web-platform/tests/content-security-policy/navigation')
-rw-r--r--testing/web-platform/tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp.html16
-rw-r--r--testing/web-platform/tests/content-security-policy/navigation/support/frame-with-csp.sub.html2
-rw-r--r--testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html10
-rw-r--r--testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html20
-rw-r--r--testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-disallow.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html24
-rw-r--r--testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-frame-src.html16
-rw-r--r--testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-script-src.html72
9 files changed, 189 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp.html b/testing/web-platform/tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp.html
new file mode 100644
index 0000000000..21c4fb33ce
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<script>
+ var window_url = encodeURIComponent("javascript:'<iframe src=/content-security-policy/support/fail.js />'");
+ var report_cookie_name = encodeURIComponent("javascript-url-navigation-inherits-csp");
+ window.open("support/test_csp_self_window.sub.html?window_url=" + window_url + "&report_cookie_name=" + report_cookie_name);
+ setTimeout(function() {
+ var s = document.createElement('script');
+ s.async = true;
+ s.defer = true;
+ s.src = "../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-src%20%27none%27";
+ document.body.appendChild(s);
+ }, 2000);
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/support/frame-with-csp.sub.html b/testing/web-platform/tests/content-security-policy/navigation/support/frame-with-csp.sub.html
new file mode 100644
index 0000000000..b4d5b82e46
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/support/frame-with-csp.sub.html
@@ -0,0 +1,2 @@
+<meta http-equiv="Content-Security-Policy" content="{{GET[csp]}}">
+CHILD FRAME
diff --git a/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html b/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html
new file mode 100644
index 0000000000..2f7b685a75
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<span id="escape">{{GET[window_url]}}</span>
+
+<script>
+ var window_url = document.getElementById("escape").textContent;
+ window.open(window_url, "_self");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html.sub.headers
new file mode 100644
index 0000000000..5024a99bc9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: {{GET[report_cookie_name]}}={{$id:uuid()}}; Path=/content-security-policy/navigation/
+Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html
new file mode 100644
index 0000000000..e95e71c59b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<iframe src="support/frame-with-csp.sub.html?csp=script-src%20%27unsafe-inline%27"></iframe>
+<div onclick="frames[0].location.href = 'javascript:parent.postMessage(\'executed\', \'*\')'" id="special_div"></div>
+<script>
+ var t = async_test("Should have executed the javascript url");
+ frames[0].addEventListener('load', () => {
+ window.onmessage = t.step_func(function(e) {
+ if (e.data == "executed")
+ t.done();
+ });
+ window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have raised a violation event"));
+ document.getElementById('special_div').click();
+ });
+</script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-disallow.html b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-disallow.html
new file mode 100644
index 0000000000..3a0641170e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-disallow.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<head>
+<meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-abc'">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<iframe src="support/frame-with-csp.sub.html?csp=script-src%20'self'%20'unsafe-inline'"></iframe>
+<script nonce='abc'>
+ var t = async_test("Should not have executed the javascript url");
+ const iframe = document.querySelector("iframe");
+ iframe.addEventListener('load', () => {
+ window.onmessage = t.step_func(function(e) {
+ if (e.data == "executed")
+ assert_true(false, "Javascript url executed");
+ });
+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+ assert_equals(e.blockedURI, 'inline');
+ }));
+ iframe.contentWindow.location.href = 'javascript:parent.postMessage(\'executed\', \'*\')'
+ });
+</script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html
new file mode 100644
index 0000000000..8aa8884914
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<head>
+<meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-abc'">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<iframe src="support/frame-with-csp.sub.html"></iframe>
+<div onclick="frames[0].location.href = 'javascript:parent.postMessage(\'executed\', \'*\')'" id="special_div"></div>
+<script nonce='abc'>
+ var t = async_test("Should not have executed the javascript url");
+ frames[0].addEventListener('load', () => {
+ window.onmessage = t.step_func(function(e) {
+ if (e.data == "executed")
+ assert_true(false, "Javascript url executed");
+ });
+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+ assert_equals(e.blockedURI, 'inline');
+ assert_equals(e.violatedDirective, 'script-src-attr');
+ }));
+ document.getElementById('special_div').click();
+ });
+</script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-frame-src.html b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-frame-src.html
new file mode 100644
index 0000000000..0475856f53
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-frame-src.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="frame-src 'none'">
+
+<body>
+
+<script>
+ var t = async_test("<iframe src='javascript:...'> not blocked by 'frame-src'");
+
+ var i = document.createElement('iframe');
+ i.src = "javascript:window.top.t.done();";
+
+ document.body.appendChild(i);
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-script-src.html b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-script-src.html
new file mode 100644
index 0000000000..70dea1f985
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-script-src.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'">
+
+<body>
+
+<script nonce="abc">
+ function assert_csp_event_for_element(test, element) {
+ assert_equals(typeof SecurityPolicyViolationEvent, "function", "These tests require 'SecurityPolicyViolationEvent'.");
+ document.addEventListener("securitypolicyviolation", test.step_func(e => {
+ if (e.target != element)
+ return;
+ assert_equals(e.blockedURI, "inline");
+ assert_equals(e.effectiveDirective, "script-src-elem");
+ assert_equals(element.contentDocument.body.innerText, "", "Ensure that 'Fail' doesn't appear in the child document.");
+ element.remove();
+ test.done();
+ }));
+ }
+
+ function navigate_to_javascript_onload(test, iframe) {
+ iframe.addEventListener("load", test.step_func(e => {
+ assert_equals(typeof SecurityPolicyViolationEvent, "function");
+ iframe.contentDocument.addEventListener(
+ "securitypolicyviolation",
+ test.unreached_func("The CSP event should be fired in the embedding document, not in the embedee.")
+ );
+
+ iframe.src = "javascript:'Fail.'";
+ }));
+ }
+
+ async_test(t => {
+ var i = document.createElement("iframe");
+ i.src = "javascript:'Fail.'";
+
+ assert_csp_event_for_element(t, i);
+
+ document.body.appendChild(i);
+ }, "<iframe src='javascript:'> blocked without 'unsafe-inline'.");
+
+ async_test(t => {
+ var i = document.createElement("iframe");
+
+ assert_csp_event_for_element(t, i);
+ navigate_to_javascript_onload(t, i);
+
+ document.body.appendChild(i);
+ }, "<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'.");
+
+ async_test(t => {
+ var i = document.createElement("iframe");
+ i.src = "../support/echo-policy.py?policy=" + encodeURIComponent("script-src 'unsafe-inline'");
+
+ assert_csp_event_for_element(t, i);
+ navigate_to_javascript_onload(t, i);
+
+ document.body.appendChild(i);
+ }, "<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document");
+
+ async_test(t => {
+ var i = document.createElement("iframe");
+ i.src = "../support/echo-policy.py?policy=" + encodeURIComponent("script-src 'none'");
+
+ assert_csp_event_for_element(t, i);
+ navigate_to_javascript_onload(t, i);
+
+ document.body.appendChild(i);
+ }, "<iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' blocked in this document.");
+</script>