Adding upstream version 1:115.7.0.upstream/1%115.7.0upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

9 files changed, 189 insertions, 0 deletions

diff --git a/testing/web-platform/tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp.html b/testing/web-platform/tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp.html
new file mode 100644
index 0000000000..21c4fb33ce
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<script>
+  var window_url = encodeURIComponent("javascript:'<iframe src=/content-security-policy/support/fail.js />'");
+  var report_cookie_name = encodeURIComponent("javascript-url-navigation-inherits-csp");
+  window.open("support/test_csp_self_window.sub.html?window_url=" + window_url + "&report_cookie_name=" + report_cookie_name);
+  setTimeout(function() {
+    var s = document.createElement('script');
+    s.async = true;
+    s.defer = true;
+    s.src = "../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-src%20%27none%27";
+    document.body.appendChild(s);
+  }, 2000);
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/support/frame-with-csp.sub.html b/testing/web-platform/tests/content-security-policy/navigation/support/frame-with-csp.sub.html
new file mode 100644
index 0000000000..b4d5b82e46
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/support/frame-with-csp.sub.html
@@ -0,0 +1,2 @@
+<meta http-equiv="Content-Security-Policy" content="{{GET[csp]}}">
+CHILD FRAME
diff --git a/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html b/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html
new file mode 100644
index 0000000000..2f7b685a75
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<span id="escape">{{GET[window_url]}}</span>
+
+<script>
+  var window_url = document.getElementById("escape").textContent;
+  window.open(window_url, "_self");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html.sub.headers
new file mode 100644
index 0000000000..5024a99bc9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/support/test_csp_self_window.sub.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: {{GET[report_cookie_name]}}={{$id:uuid()}}; Path=/content-security-policy/navigation/
+Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline'; report-uri  /reporting/resources/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html
new file mode 100644
index 0000000000..e95e71c59b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<iframe src="support/frame-with-csp.sub.html?csp=script-src%20%27unsafe-inline%27"></iframe>
+<div onclick="frames[0].location.href = 'javascript:parent.postMessage(\'executed\', \'*\')'" id="special_div"></div>
+<script>
+  var t = async_test("Should have executed the javascript url");
+  frames[0].addEventListener('load', () => {
+    window.onmessage = t.step_func(function(e) {
+      if (e.data == "executed")
+        t.done();
+    });
+    window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have raised a violation event"));
+    document.getElementById('special_div').click();
+  });
+</script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-disallow.html b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-disallow.html
new file mode 100644
index 0000000000..3a0641170e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-disallow.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<head>
+<meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-abc'">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<iframe src="support/frame-with-csp.sub.html?csp=script-src%20'self'%20'unsafe-inline'"></iframe>
+<script nonce='abc'>
+  var t = async_test("Should not have executed the javascript url");
+  const iframe = document.querySelector("iframe");
+  iframe.addEventListener('load', () => {
+    window.onmessage = t.step_func(function(e) {
+      if (e.data == "executed")
+        assert_true(false, "Javascript url executed");
+    });
+    window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+      assert_equals(e.blockedURI, 'inline');
+    }));
+    iframe.contentWindow.location.href = 'javascript:parent.postMessage(\'executed\', \'*\')'
+  });
+</script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html
new file mode 100644
index 0000000000..8aa8884914
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<head>
+<meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-abc'">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<iframe src="support/frame-with-csp.sub.html"></iframe>
+<div onclick="frames[0].location.href = 'javascript:parent.postMessage(\'executed\', \'*\')'" id="special_div"></div>
+<script nonce='abc'>
+  var t = async_test("Should not have executed the javascript url");
+  frames[0].addEventListener('load', () => {
+    window.onmessage = t.step_func(function(e) {
+      if (e.data == "executed")
+        assert_true(false, "Javascript url executed");
+    });
+    window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+      assert_equals(e.blockedURI, 'inline');
+      assert_equals(e.violatedDirective, 'script-src-attr');
+    }));
+    document.getElementById('special_div').click();
+  });
+</script>
+</body>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-frame-src.html b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-frame-src.html
new file mode 100644
index 0000000000..0475856f53
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-frame-src.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="frame-src 'none'">
+
+<body>
+
+<script>
+  var t = async_test("<iframe src='javascript:...'> not blocked by 'frame-src'");
+
+  var i = document.createElement('iframe');
+  i.src = "javascript:window.top.t.done();";
+
+  document.body.appendChild(i);
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-script-src.html b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-script-src.html
new file mode 100644
index 0000000000..70dea1f985
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-script-src.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'">
+
+<body>
+
+<script nonce="abc">
+  function assert_csp_event_for_element(test, element) {
+    assert_equals(typeof SecurityPolicyViolationEvent, "function", "These tests require 'SecurityPolicyViolationEvent'.");
+    document.addEventListener("securitypolicyviolation", test.step_func(e => {
+      if (e.target != element)
+        return;
+      assert_equals(e.blockedURI, "inline");
+      assert_equals(e.effectiveDirective, "script-src-elem");
+      assert_equals(element.contentDocument.body.innerText, "", "Ensure that 'Fail' doesn't appear in the child document.");
+      element.remove();
+      test.done();
+    }));
+  }
+
+  function navigate_to_javascript_onload(test, iframe) {
+    iframe.addEventListener("load", test.step_func(e => {
+      assert_equals(typeof SecurityPolicyViolationEvent, "function");
+      iframe.contentDocument.addEventListener(
+        "securitypolicyviolation",
+        test.unreached_func("The CSP event should be fired in the embedding document, not in the embedee.")
+      );
+
+      iframe.src = "javascript:'Fail.'";
+    }));
+  }
+
+  async_test(t => {
+    var i = document.createElement("iframe");
+    i.src = "javascript:'Fail.'";
+
+    assert_csp_event_for_element(t, i);
+
+    document.body.appendChild(i);
+  }, "<iframe src='javascript:'> blocked without 'unsafe-inline'.");
+
+  async_test(t => {
+    var i = document.createElement("iframe");
+
+    assert_csp_event_for_element(t, i);
+    navigate_to_javascript_onload(t, i);
+
+    document.body.appendChild(i);
+  }, "<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'.");
+
+  async_test(t => {
+    var i = document.createElement("iframe");
+    i.src = "../support/echo-policy.py?policy=" + encodeURIComponent("script-src 'unsafe-inline'");
+
+    assert_csp_event_for_element(t, i);
+    navigate_to_javascript_onload(t, i);
+
+    document.body.appendChild(i);
+  }, "<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document");
+
+  async_test(t => {
+    var i = document.createElement("iframe");
+    i.src = "../support/echo-policy.py?policy=" + encodeURIComponent("script-src 'none'");
+
+    assert_csp_event_for_element(t, i);
+    navigate_to_javascript_onload(t, i);
+
+    document.body.appendChild(i);
+  }, "<iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' blocked in this document.");
+</script>