From 43a97878ce14b72f0981164f87f2e35e14151312 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 7 Apr 2024 11:22:09 +0200
Subject: Adding upstream version 110.0.1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 .../tests/x-frame-options/support/helper.sub.js    | 104 +++++++++++++++++++++
 .../tests/x-frame-options/support/nested.py        |  39 ++++++++
 .../tests/x-frame-options/support/redirect.py      |   4 +
 .../tests/x-frame-options/support/xfo.py           |  21 +++++
 4 files changed, 168 insertions(+)
 create mode 100644 testing/web-platform/tests/x-frame-options/support/helper.sub.js
 create mode 100644 testing/web-platform/tests/x-frame-options/support/nested.py
 create mode 100644 testing/web-platform/tests/x-frame-options/support/redirect.py
 create mode 100644 testing/web-platform/tests/x-frame-options/support/xfo.py

(limited to 'testing/web-platform/tests/x-frame-options/support')

diff --git a/testing/web-platform/tests/x-frame-options/support/helper.sub.js b/testing/web-platform/tests/x-frame-options/support/helper.sub.js
new file mode 100644
index 0000000000..23663dd2d0
--- /dev/null
+++ b/testing/web-platform/tests/x-frame-options/support/helper.sub.js
@@ -0,0 +1,104 @@
+function xfo_simple_tests({ headerValue, headerValue2, cspValue, sameOriginAllowed, crossOriginAllowed }) {
+  simpleXFOTestsInner({
+    urlPrefix: "",
+    allowed: sameOriginAllowed,
+    headerValue,
+    headerValue2,
+    cspValue,
+    sameOrCross: "same-origin"
+  });
+
+  simpleXFOTestsInner({
+    urlPrefix: "http://{{domains[www]}}:{{ports[http][0]}}",
+    allowed: crossOriginAllowed,
+    headerValue,
+    headerValue2,
+    cspValue,
+    sameOrCross: "cross-origin"
+  });
+}
+
+function simpleXFOTestsInner({ urlPrefix, allowed, headerValue, headerValue2, cspValue, sameOrCross }) {
+  const value2QueryString = headerValue2 !== undefined ? `&value2=${headerValue2}` : ``;
+  const cspQueryString = cspValue !== undefined ? `&csp_value=${cspValue}` : ``;
+
+  const valueMessageString = headerValue === "" ? "(the empty string)" : headerValue;
+  const value2MessageString = headerValue2 === "" ? "(the empty string)" : headerValue2;
+  const value2MaybeMessageString = headerValue2 !== undefined ? `;${headerValue2}` : ``;
+  const cspMessageString = cspValue !== undefined ? ` with CSP ${cspValue}` : ``;
+
+  // This will test the multi-header variant, if headerValue2 is not undefined.
+  xfo_test({
+    url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue}${value2QueryString}${cspQueryString}`,
+    check: allowed ? "loaded message" : "no message",
+    message: `\`${valueMessageString}${value2MaybeMessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}`
+  });
+
+  if (headerValue2 !== undefined && headerValue2 !== headerValue) {
+    // Reversed variant
+    xfo_test({
+      url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue2}&value2=${headerValue}${cspQueryString}`,
+      check: allowed ? "loaded message" : "no message",
+      message: `\`${value2MessageString};${valueMessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}`
+    });
+
+    // Comma variant
+    xfo_test({
+      url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue},${headerValue2}${cspQueryString}`,
+      check: allowed ? "loaded message" : "no message",
+      message: `\`${valueMessageString},${value2MessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}`
+    });
+
+    // Comma + reversed variant
+    xfo_test({
+      url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue2},${headerValue}${cspQueryString}`,
+      check: allowed ? "loaded message" : "no message",
+      message: `\`${value2MessageString},${valueMessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}`
+    });
+  }
+}
+
+function xfo_test({ url, check, message }) {
+  async_test(t => {
+    const i = document.createElement("iframe");
+    i.src = url;
+
+    switch (check) {
+      case "loaded message": {
+        waitForMessageFrom(i, t).then(t.step_func_done(e => {
+          assert_equals(e.data, "Loaded");
+        }));
+        break;
+      }
+      case "failed message": {
+        waitForMessageFrom(i, t).then(t.step_func_done(e => {
+          assert_equals(e.data, "Failed");
+        }));
+        break;
+      }
+      case "no message": {
+        waitForMessageFrom(i, t).then(t.unreached_func("Frame should not have sent a message."));
+        i.onload = t.step_func_done(() => {
+          assert_equals(i.contentDocument, null);
+        });
+        break;
+      }
+      default: {
+        throw new Error("Bad test");
+      }
+    }
+
+    document.body.append(i);
+    t.add_cleanup(() => i.remove());
+  }, message);
+}
+
+function waitForMessageFrom(frame, test) {
+  return new Promise(resolve => {
+    window.addEventListener("message", test.step_func(e => {
+      if (e.source == frame.contentWindow) {
+        resolve(e);
+      }
+    }));
+  });
+}
diff --git a/testing/web-platform/tests/x-frame-options/support/nested.py b/testing/web-platform/tests/x-frame-options/support/nested.py
new file mode 100644
index 0000000000..78c8c18466
--- /dev/null
+++ b/testing/web-platform/tests/x-frame-options/support/nested.py
@@ -0,0 +1,39 @@
+def main(request, response):
+    origin = request.GET.first(b"origin");
+    value = request.GET.first(b"value");
+    # This is used to solve the race condition we have for postMessages
+    shouldSucceed = request.GET.first(b"loadShouldSucceed", b"false");
+    return ([(b"Content-Type", b"text/html")],
+            b"""<!DOCTYPE html>
+<title>XFO.</title>
+<body>
+<script>
+  var gotMessage = false;
+  window.addEventListener("message", e => {
+    gotMessage = true;
+    window.parent.postMessage(e.data, "*");
+  });
+
+  var i = document.createElement("iframe");
+  i.src = "%s/x-frame-options/support/xfo.py?value=%s";
+  i.onload = _ => {
+    // Why two rAFs? Because that seems to be enough to stop the
+    // load event from racing with the onmessage event.
+    requestAnimationFrame(_ => {
+      requestAnimationFrame(_ => {
+        // The race condition problem we have is it is possible
+        // that the sub iframe is loaded before the postMessage is
+        // dispatched, as a result, the "Failed" message is sent
+        // out. So the way we fixed is we simply let the timeout
+        // to happen if we expect the "Loaded" postMessage to be
+        // sent
+        if (!gotMessage && %s != true) {
+          window.parent.postMessage("Failed", "*");
+        }
+      });
+    });
+  };
+  document.body.appendChild(i);
+</script>
+            """ % (origin, value, shouldSucceed))
+
diff --git a/testing/web-platform/tests/x-frame-options/support/redirect.py b/testing/web-platform/tests/x-frame-options/support/redirect.py
new file mode 100644
index 0000000000..c6459eb871
--- /dev/null
+++ b/testing/web-platform/tests/x-frame-options/support/redirect.py
@@ -0,0 +1,4 @@
+def main(request, response):
+    response.status = 302
+    response.headers.set(b"X-Frame-Options", request.GET.first(b"value"))
+    response.headers.set(b"Location", request.GET.first(b"url"))
diff --git a/testing/web-platform/tests/x-frame-options/support/xfo.py b/testing/web-platform/tests/x-frame-options/support/xfo.py
new file mode 100644
index 0000000000..a4762ee58a
--- /dev/null
+++ b/testing/web-platform/tests/x-frame-options/support/xfo.py
@@ -0,0 +1,21 @@
+def main(request, response):
+    headers = [(b"Content-Type", b"text/html"), (b"X-Frame-Options", request.GET.first(b"value"))]
+
+    if b"value2" in request.GET:
+        headers.append((b"X-Frame-Options", request.GET.first(b"value2")))
+
+    if b"csp_value" in request.GET:
+        headers.append((b"Content-Security-Policy", request.GET.first(b"csp_value")))
+
+    body = u"""<!DOCTYPE html>
+        <html>
+        <head>
+          <title>XFO.</title>
+          <script>window.parent.postMessage('Loaded', '*');</script>
+        </head>
+        <body>
+          Loaded
+        </body>
+        </html>
+    """
+    return (headers, body)
-- 
cgit v1.2.3