Diffstat (limited to 'testing/web-platform/tests/content-security-policy/prefetch-src')
-rw-r--r--testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-allowed.html30
-rw-r--r--testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-blocked-by-default.html25
-rw-r--r--testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-blocked.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-allowed.html25
-rw-r--r--testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-allowed.html.headers2
-rw-r--r--testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-blocked-by-default.html37
-rw-r--r--testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-blocked-by-default.html.headers2
-rw-r--r--testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-blocked.html37
-rw-r--r--testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-blocked.html.headers2
9 files changed, 183 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-allowed.html b/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-allowed.html
new file mode 100644
index 0000000000..b738823c4c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-allowed.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='/content-security-policy/support/testharness-helper.js'></script>
+ <script src='/content-security-policy/support/prefetch-helper.js'></script>
+ <script>
+ async_test(t => {
+ var win = window.open('/content-security-policy/support/' +
+ 'file-prefetch-allowed.html');
+ win.addEventListener('load', function () {
+ // Cache control headers are added,since they are needed
+ // to enable prefetching.
+ let url = '/content-security-policy/support/pass.png' +
+ '?pipe=header(Cache-Control, max-age=604800)';
+
+ // Link element is created on the new opened window.
+ let link = win.document.createElement('link');
+ link.rel = 'prefetch';
+ link.href = url;
+ assert_link_prefetches(t, link);
+ win.close();
+ }, false);
+ }, 'Prefetch succeeds when allowed by prefetch-src');
+ </script>
+</head>
+<body>
+</body>
+</html>
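Review bot: `win.close()` runs synchronously right after `assert_link_prefetches(t, link)` inside the load listener, and the listener itself is not wrapped in `t.step_func`. The helper lives in prefetch-helper.js, which this hunk does not show, but if it completes asynchronously the popup may already be closing while the prefetch is still in flight. An exception thrown in the listener would also surface as a harness error or timeout rather than as a failure of this test. Consider `win.addEventListener('load', t.step_func(() => { … }))` and moving the close to `t.add_cleanup(() => win.close());`, which also closes the window when the test fails.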
diff --git a/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-blocked-by-default.html b/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-blocked-by-default.html
new file mode 100644
index 0000000000..0e54de66de
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-blocked-by-default.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <!-- Block everything by default, but allow the page's scripts to execute. -->
+ <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'unsafe-inline' 'self'">
+
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='/content-security-policy/support/testharness-helper.js'></script>
+ <script src='/content-security-policy/support/prefetch-helper.js'></script>
+ <script>
+ async_test(t => {
+ let url = window.origin + '/content-security-policy/support/fail.png';
+
+ let link = document.createElement('link');
+ link.rel = 'prefetch';
+ link.href = url;
+
+ assert_link_does_not_prefetch(t, link);
+ }, "`default-src`-blocked prefetch generates report.");
+ </script>
+</head>
+<body>
+</body>
+</html>
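Review bot: The test name promises that the blocked prefetch "generates report", but the only check visible here is `assert_link_does_not_prefetch(t, link)`; whether that helper (in prefetch-helper.js, not shown) inspects the violation event cannot be confirmed from this hunk. The header-based tests in this commit assert `e.violatedDirective` explicitly, so a regression where the request is blocked without a `securitypolicyviolation` event, or is attributed to the wrong directive, may go unnoticed here. Either assert the directive in this test as well or rename it to say only that the prefetch is blocked; the same applies to "Blocked prefetch generates report." in prefetch-blocked.html. A short comment stating that this case exercises the fallback from `prefetch-src` to `default-src` would also help readers of the policy.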
diff --git a/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-blocked.html b/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-blocked.html
new file mode 100644
index 0000000000..890a65f82c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-blocked.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="prefetch-src 'none';">
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='/content-security-policy/support/testharness-helper.js'></script>
+ <script src='/content-security-policy/support/prefetch-helper.js'></script>
+ <script>
+ async_test(t => {
+ let url = window.origin + '/content-security-policy/support/fail.png';
+
+ let link = document.createElement('link');
+ link.rel = 'prefetch';
+ link.href = url;
+
+ assert_link_does_not_prefetch(t, link);
+ }, "Blocked prefetch generates report.");
+ </script>
+</head>
+<body>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-allowed.html b/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-allowed.html
new file mode 100644
index 0000000000..45f6289e34
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-allowed.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <!-- Headers:
+ Content-Security-Policy: prefetch-src 'self'
+ Link: </content-security-policy/support/pass.png>;rel=prefetch
+ -->
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='/content-security-policy/support/testharness-helper.js'></script>
+ <script src='/content-security-policy/support/prefetch-helper.js'></script>
+ <script>
+ async_test(t => {
+ let url = window.origin + '/content-security-policy/support/pass.png';
+ assert_no_csp_event_for_url(t, url);
+
+ waitUntilResourceDownloaded(url)
+ .then(t.step_func_done());
+ }, 'Prefetch via `Link` header succeeds when allowed by prefetch-src');
+ </script>
+</head>
+<body>
+</body>
+</html>
+
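Review bot: `waitUntilResourceDownloaded(url).then(t.step_func_done());` has no rejection handler, so if the helper's promise rejects, the test ends as a timeout with no diagnostic. Appending `.catch(t.unreached_func('pass.png was not downloaded'))` would turn that into an explicit failure. Because the prefetch is triggered by the response's `Link` header rather than by this script, a violation event dispatched before `assert_no_csp_event_for_url` attaches its listener would presumably be missed; a one-line comment stating that assumption would help.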
diff --git a/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-allowed.html.headers b/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-allowed.html.headers
new file mode 100644
index 0000000000..2b1d42a8d1
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-allowed.html.headers
@@ -0,0 +1,2 @@
+Content-Security-Policy: prefetch-src 'self'
+Link: </content-security-policy/support/pass.png>;rel=prefetch
diff --git a/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-blocked-by-default.html b/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-blocked-by-default.html
new file mode 100644
index 0000000000..e43dca7659
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-blocked-by-default.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <!-- Headers:
+ Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline' 'self'; img-src 'self'; style-src 'self'
+ Link: </content-security-policy/support/fail.png>;rel=prefetch
+ -->
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='/content-security-policy/support/testharness-helper.js'></script>
+ <script src='/content-security-policy/support/prefetch-helper.js'></script>
+ <script>
+ async_test(t => {
+ let url = window.origin + '/content-security-policy/support/fail.png';
+ waitUntilCSPEventForURL(t, url)
+ .then(t.step_func_done(e => {
+ assert_equals(e.violatedDirective, 'prefetch-src');
+
+ // This assert verifies both that the resource wasn't downloaded
+ // when prefetched via `Link` on both this document itself, and
+ // on the stylesheet subresource below.
+ assert_resource_not_downloaded(t, url);
+ }));
+
+ // Load a stylesheet that tries to trigger a prefetch:
+ let link = document.createElement('link');
+ link.rel = 'stylesheet';
+ link.href = '/content-security-policy/support/prefetch-subresource.css';
+ document.head.appendChild(link);
+ }, 'Prefetch via `Link` header blocked when allowed by default-src');
+ </script>
+</head>
+<body>
+</body>
+</html>
+
+
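Review bot: The test title says the prefetch is blocked "when allowed by default-src", but the delivered policy is `default-src 'none'`, so the name contradicts what is being tested; wording such as `blocked by default-src fallback` would match. `t.step_func_done` finishes the test on the first violation event for fail.png, while the comment says the assertion covers both the document's `Link` header and the stylesheet subresource; if the first event comes from the document header, the stylesheet path may never be exercised before the test completes. Waiting for two events, or splitting the stylesheet case into its own test, would make that coverage real. prefetch-header-blocked.html has the same title problem ("when allowed by prefetch-src" with `prefetch-src 'none'`) and the same single-event completion.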
diff --git a/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-blocked-by-default.html.headers b/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-blocked-by-default.html.headers
new file mode 100644
index 0000000000..6d19ed181e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-blocked-by-default.html.headers
@@ -0,0 +1,2 @@
+Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline' 'self'; img-src 'self'; style-src 'self'
+Link: </content-security-policy/support/fail.png>;rel=prefetch
diff --git a/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-blocked.html b/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-blocked.html
new file mode 100644
index 0000000000..a2abef3c17
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-blocked.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <!-- Headers:
+ Content-Security-Policy: prefetch-src 'none'
+ Link: </content-security-policy/support/fail.png>;rel=prefetch
+ -->
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='/content-security-policy/support/testharness-helper.js'></script>
+ <script src='/content-security-policy/support/prefetch-helper.js'></script>
+ <script>
+ async_test(t => {
+ let url = window.origin + '/content-security-policy/support/fail.png';
+ waitUntilCSPEventForURL(t, url)
+ .then(t.step_func_done(e => {
+ assert_equals(e.violatedDirective, 'prefetch-src');
+
+ // This assert verifies both that the resource wasn't downloaded
+ // when prefetched via `Link` on both this document itself, and
+ // on the stylesheet subresource below.
+ assert_resource_not_downloaded(t, url);
+ }));
+
+ // Load a stylesheet that tries to trigger a prefetch:
+ let link = document.createElement('link');
+ link.rel = 'stylesheet';
+ link.href = '/content-security-policy/support/prefetch-subresource.css';
+ document.head.appendChild(link);
+ }, 'Prefetch via `Link` header blocked when allowed by prefetch-src');
+ </script>
+</head>
+<body>
+</body>
+</html>
+
+
diff --git a/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-blocked.html.headers b/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-blocked.html.headers
new file mode 100644
index 0000000000..732f62d58a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-blocked.html.headers
@@ -0,0 +1,2 @@
+Content-Security-Policy: prefetch-src 'none'
+Link: </content-security-policy/support/fail.png>;rel=prefetch