diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 17:32:43 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 17:32:43 +0000 |
| commit | 6bf0a5cb5034a7e684dcc3500e841785237ce2dd (patch) | |
| tree | a68f146d7fa01f0134297619fbe7e33db084e0aa /testing/web-platform/tests/content-security-policy/frame-src/frame-src-self-unique-origin.html | |
| parent | Initial commit. (diff) | |
| download | thunderbird-6bf0a5cb5034a7e684dcc3500e841785237ce2dd.tar.xz thunderbird-6bf0a5cb5034a7e684dcc3500e841785237ce2dd.zip | |
Adding upstream version 1:115.7.0.upstream/1%115.7.0upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/content-security-policy/frame-src/frame-src-self-unique-origin.html')
| -rw-r--r-- | testing/web-platform/tests/content-security-policy/frame-src/frame-src-self-unique-origin.html | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/frame-src/frame-src-self-unique-origin.html b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-self-unique-origin.html new file mode 100644 index 0000000000..3d04a08ad7 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-self-unique-origin.html @@ -0,0 +1,49 @@ +<!DOCTYPE html> +<html> + +<head> + <title>frame-src-self-unique-origin</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> +</head> + +<body> + <p> + The origin of an URL is called "unique" when it is considered to be + different from every origin, including itself. The origin of a + data-url is unique. When the current origin is unique, the CSP source + 'self' must not match any URL. + </p> + <script> + var iframe = document.createElement("iframe"); + iframe.src = encodeURI(`data:text/html, + <script> + /* Add the CSP: frame-src: 'self'. */ + var meta = document.createElement('meta'); + meta.httpEquiv = 'Content-Security-Policy'; + meta.content = "frame-src 'self'"; + document.getElementsByTagName('head')[0].appendChild(meta); + + /* Notify the parent the iframe has been blocked. */ + window.addEventListener('securitypolicyviolation', e => { + if (e.originalPolicy == "frame-src 'self'") + window.parent.postMessage('Test PASS', '*'); + }); + </scr`+`ipt> + + This iframe should be blocked by CSP: + <iframe src='data:text/html,blocked_iframe'></iframe> + `); + if (window.async_test) { + async_test(t => { + window.addEventListener("message", e => { + if (e.data == "Test PASS") + t.done(); + }); + }, "Iframe's url must not match with 'self'. It must be blocked."); + } + document.body.appendChild(iframe); + </script> +</body> + +</html> |