<!DOCTYPE html>
<html>
<meta charset="utf-8">
<meta name="timeout" content="long">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<body>
<script>
'use strict';
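/**
 * Loads a parent iframe from `resources/empty-coep.py` and then nests a child
 * iframe pointing at `/common/blank.html` inside it.
 *
 * Each entry of `values` becomes one `value=` query parameter on the parent
 * URL. Plain strings are percent-encoded with `encodeURIComponent`; an object
 * entry supplies its own already-encoded text via `percentEncoded`, which is
 * how raw bytes such as `%FF` reach the server unmodified.
 * NOTE(review): the server script presumably echoes each `value` as a
 * Cross-Origin-Embedder-Policy header on the parent response; confirm against
 * resources/empty-coep.py.
 *
 * @param {object} t - testharness test object; used to remove the parent
 *     frame when the test finishes.
 * @param {Array<string|{percentEncoded: string}>} values - header values to
 *     request for the parent document.
 * @returns {Promise<HTMLIFrameElement>} resolves with the child iframe once
 *     both frames have fired `load`; rejects if either fires `error`.
 */
function createIframe(t, values) {
  const parent = document.createElement('iframe');
  const child = document.createElement('iframe');
  const params = values.map((value) => {
    const percentEncodedValue =
      typeof value === "object" ? value.percentEncoded : encodeURIComponent(value);
    return `value=${percentEncodedValue}`;
  });
  parent.setAttribute('src', `resources/empty-coep.py?${params.join("&")}`);
  document.body.appendChild(parent);
  t.add_cleanup(() => parent.remove());
  return new Promise((resolve, reject) => {
    parent.onload = resolve;
    parent.onerror = () =>
      reject(new Error(`failed to load from ${parent.src}`));
  })
    .then(() => {
      child.setAttribute('src', '/common/blank.html');
      parent.contentDocument.body.appendChild(child);
      // `reject` must be a parameter of this executor: without it the error
      // handler throws a ReferenceError and the promise never settles, so a
      // failed child load shows up as a timeout instead of a test failure.
      return new Promise((resolve, reject) => {
        child.onload = resolve;
        child.onerror = () =>
          reject(new Error(`failed to load from ${child.src}`));
      });
    })
    .then(() => child);
}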
// Header values that must leave the embedder policy switched off. Each entry
// is the list of `value` parameters handed to createIframe; the case passes
// when the nested frame's document is reachable, i.e. the child navigation
// was not blocked. Defensive reading: a value that does not parse as the bare
// `require-corp` token (wrong case, quoting, stray separators, repeated
// values, non-OWS control characters) is not reported as an error; the policy
// is simply not enforced, so deployments should verify the exact header they
// emit.
for (const headerValues of [
  [],
  [''],
  ['jibberish'],
  [{ percentEncoded: 'require%FFcorp' }], // non-ASCII byte
  ['require-corp;'],
  ['\u000brequire-corp\u000b'], // vertical tab
  ['\u000crequire-corp\u000c'], // form feed
  ['\u000drequire-corp\u000d'], // carriage return
  ['Require-corp'],
  ['"require-corp"'], // HTTP structured header "string" item
  [':cmVxdWlyZS1jb3Jw:'], // HTTP structured header "byte sequence" item
  ['require-corp;\tfoo=bar'],
  ['require-corp require-corp'],
  ['require-corp,require-corp'],
  ['require-corp', 'require-corp'],
  ['', 'require-corp'],
  ['require-corp', ''],
]) {
  promise_test(async (t) => {
    const nestedFrame = await createIframe(t, headerValues);
    assert_not_equals(nestedFrame.contentDocument, null);
  }, `navigation allowed for ${JSON.stringify(headerValues)}`);
}
// Header values that must switch the embedder policy on. The case passes when
// the nested frame's contentDocument is null, i.e. the parent refused to
// expose /common/blank.html (which is loaded without any such header of its
// own). Surrounding spaces/tabs and trailing parameters are tolerated; the
// last entry checks that two separately supplied values are joined before
// parsing.
for (const headerValues of [
  ['require-corp'],
  [' require-corp '],
  ['\trequire-corp\t'], // leading and trailing OWS is not part of the field-value per HTTP
  [' \trequire-corp'],
  ['require-corp\t '],
  ['require-corp; foo=bar'],
  ['require-corp;require-corp'],
  ['require-corp; report-to="data:', '"'], // `require-corp; report-to="data:, "`
]) {
  promise_test(async (t) => {
    const nestedFrame = await createIframe(t, headerValues);
    assert_equals(nestedFrame.contentDocument, null);
  }, `navigation blocked for ${JSON.stringify(headerValues)}`);
}
</script>
</body>
</html>