diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 17:32:43 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 17:32:43 +0000 |
commit | 6bf0a5cb5034a7e684dcc3500e841785237ce2dd (patch) | |
tree | a68f146d7fa01f0134297619fbe7e33db084e0aa /testing/web-platform/tests/content-security-policy/frame-src/frame-src-redirect.html | |
parent | Initial commit. (diff) | |
download | thunderbird-upstream.tar.xz thunderbird-upstream.zip |
Adding upstream version 1:115.7.0.upstream/1%115.7.0upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
2 files changed, 37 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/frame-src/frame-src-redirect.html b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-redirect.html new file mode 100644 index 0000000000..f5ac88b052 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-redirect.html @@ -0,0 +1,35 @@ +<!doctype html> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script src="./support/testharness-helper.sub.js"></script> +<body></body> +<script> + function waitForViolation(el, policy, blocked_origin) { + return new Promise(resolve => { + el.addEventListener('securitypolicyviolation', e => { + if (e.originalPolicy == policy && (new URL(e.blockedURI)).origin == blocked_origin) + resolve(e); + }); + }); + } + + async_test(t => { + var i = document.createElement("iframe"); + var redirect = generateCrossOriginRedirectFrame(); + i.src = redirect.url; + + // Report-only policy should trigger a violation on the original request. + var original_report_only = waitForViolation(window, "frame-src http://foo.test", (new URL(i.src)).origin) + // Report-only policy should trigger a violation on the redirected request. + var redirect_report_only = waitForViolation(window, "frame-src http://foo.test", (new URL(redirect.target)).origin) + // Enforced policy should trigger a violation on the redirected request. + var redirect_enforced = waitForViolation(window, "frame-src 'self'", (new URL(redirect.target)).origin) + + Promise.all([original_report_only, redirect_report_only, redirect_enforced]).then(t.step_func(_ => { + t.done(); + })); + + document.body.appendChild(i); + }, "Redirected iframe src should evaluate both enforced and report-only policies on both original request and when following redirect"); +</script> +</html> diff --git a/testing/web-platform/tests/content-security-policy/frame-src/frame-src-redirect.html.headers b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-redirect.html.headers new file mode 100644 index 0000000000..338bea13b8 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-redirect.html.headers @@ -0,0 +1,2 @@ +Content-Security-Policy: frame-src 'self' +Content-Security-Policy-Report-Only: frame-src http://foo.test |