diff options
Diffstat (limited to 'testing/web-platform/tests/portals/csp')
4 files changed, 68 insertions, 0 deletions
diff --git a/testing/web-platform/tests/portals/csp/frame-ancestors.sub.html b/testing/web-platform/tests/portals/csp/frame-ancestors.sub.html new file mode 100644 index 0000000000..096ed00c7a --- /dev/null +++ b/testing/web-platform/tests/portals/csp/frame-ancestors.sub.html @@ -0,0 +1,13 @@ +<!DOCTYPE html> +<html> +<meta name="timeout" content="long"> +<head> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <title>Blocked portals are reported correctly</title> +</head> +<body> + <portal src="/content-security-policy/frame-ancestors/support/content-security-policy.sub.html?policy=report-uri%20/reporting/resources/report.py%3Fop=put%26reportID={{$id:uuid()}}%3B%20frame-ancestors%20'none'"></portal> + <script async defer src="/content-security-policy/support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-ancestors%20'none'&reportID={{$id}}"></script> +</body> +</html> diff --git a/testing/web-platform/tests/portals/csp/frame-src.sub.html b/testing/web-platform/tests/portals/csp/frame-src.sub.html new file mode 100644 index 0000000000..13d9e79667 --- /dev/null +++ b/testing/web-platform/tests/portals/csp/frame-src.sub.html @@ -0,0 +1,49 @@ +<!doctype html> +<title>Tests that portals respect the frame-src</title> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<body> +</body> +<script> + async_test(function(t) { + assert_implements("HTMLPortalElement" in self); + var w = window.open("resources/frame-src.sub.html?frame_src_policy=%27none%27"); + w.onload = function() { + w.document.addEventListener("securitypolicyviolation", + t.step_func_done(function(e) { + assert_equals("frame-src", e.violatedDirective); + })); + var portal = w.document.createElement("portal"); + portal.src = new URL("/portals/resources/simple-portal.html", location.href); + portal.onmessage = t.unreached_func("Portal should not load."); + w.document.body.appendChild(portal); + } + }, "Tests that a portal can't be loaded when it violates frame-src"); + + async_test(function(t) { + assert_implements("HTMLPortalElement" in self); + var w = window.open(`resources/frame-src.sub.html?frame_src_policy=http://{{hosts[][www]}}:{{ports[http][0]}}`); + w.onload = function() { + w.document.onsecuritypolicyviolation = t.unreached_func("Portal should load."); + var portal = w.document.createElement("portal"); + portal.src = new URL("http://{{hosts[][www]}}:{{ports[http][0]}}/portals/resources/simple-portal.html", location.href); + portal.onmessage = t.step_func_done(); + w.document.body.appendChild(portal); + } + }, "Tests that a portal can be loaded when the origin matches the frame-src CSP header."); + async_test(function(t) { + assert_implements("HTMLPortalElement" in self); + var w = window.open(`resources/frame-src.sub.html?frame_src_policy=http://{{hosts[][www]}}:{{ports[http][0]}}`); + w.onload = function() { + var portal = w.document.createElement("portal"); + portal.src = new URL("http://{{hosts[alt][www]}}:{{ports[http][0]}}/portals/resources/simple-portal.html", location.href); + w.document.onsecuritypolicyviolation = t.step_func(function(e) { + w.document.onsecuritypolicyviolation = null; + assert_equals("frame-src", e.violatedDirective); + portal.src = new URL("http://{{hosts[][www]}}:{{ports[http][0]}}/portals/resources/simple-portal.html", location.href); + portal.onmessage = t.step_func_done(); + }); + w.document.body.appendChild(portal); + } + }, "Tests that a portal will fail to load on an origin different than the one specified in the frame-src CSP, but that it can be loaded when the origin matches the frame-src CSP."); +</script> diff --git a/testing/web-platform/tests/portals/csp/resources/frame-src.sub.html b/testing/web-platform/tests/portals/csp/resources/frame-src.sub.html new file mode 100644 index 0000000000..c4f742a643 --- /dev/null +++ b/testing/web-platform/tests/portals/csp/resources/frame-src.sub.html @@ -0,0 +1,4 @@ +<!doctype html> +<body> + <h1>Content Security Policy header containing "frame-src {{GET[frame_src_policy]}}"</h1> +</body> diff --git a/testing/web-platform/tests/portals/csp/resources/frame-src.sub.html.sub.headers b/testing/web-platform/tests/portals/csp/resources/frame-src.sub.html.sub.headers new file mode 100644 index 0000000000..d50520cd39 --- /dev/null +++ b/testing/web-platform/tests/portals/csp/resources/frame-src.sub.html.sub.headers @@ -0,0 +1,2 @@ +Content-Type: text/html; charset=UTF-8 +Content-Security-Policy: frame-src {{GET[frame_src_policy]}} |