Diffstat (limited to 'testing/web-platform/tests/content-security-policy/frame-ancestors/support')
12 files changed, 211 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html
new file mode 100644
index 0000000000..c8317b91cf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html
@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<html>
+<body>
+ <p>This is an IFrame sending a Content-Security-Policy-Report-Only header containing "{{GET[policy]}}".</p>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html.sub.headers
new file mode 100644
index 0000000000..ccb142e569
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy-report-only.sub.html.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy-Report-Only: {{GET[policy]}}
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html
new file mode 100644
index 0000000000..2182f4a3d2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html
@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<html>
+<body>
+ <p>This is an IFrame sending a Content Security Policy header containing "{{GET[policy]}}".</p>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html.sub.headers
new file mode 100644
index 0000000000..322c99d518
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/content-security-policy.sub.html.sub.headers
@@ -0,0 +1 @@
+Content-Security-Policy: {{GET[policy]}}
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html
new file mode 100644
index 0000000000..e22fea3ccd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+<body>
+ <p>This is an IFrame sending a Content Security Policy header containing "frame-ancestors {{GET[policy]}}" and "X-Frame-Options: {{GET[xfo]}}".</p>
+ <script>
+ // This is an IFrame sending a Content Security Policy header containing "frame-ancestors {{GET[policy]}}" and "X-Frame-Options: {{GET[xfo]}}".
+ </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html.sub.headers
new file mode 100644
index 0000000000..636e0facde
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors-and-x-frame-options.sub.html.sub.headers
@@ -0,0 +1,3 @@
+Content-Type: text/html; charset=UTF-8
+Content-Security-Policy: frame-ancestors {{GET[policy]}}
+X-Frame-Options: {{GET[xfo]}}
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors-test.sub.js b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors-test.sub.js
new file mode 100644
index 0000000000..6e816e89b3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors-test.sub.js
@@ -0,0 +1,147 @@
+var SAME_ORIGIN = true;
+var CROSS_ORIGIN = false;
+
+var EXPECT_BLOCK = true;
+var EXPECT_LOAD = false;
+
+var SAMEORIGIN_ORIGIN = "{{location[scheme]}}://{{location[host]}}";
+var CROSSORIGIN_ORIGIN = "http://{{domains[www1]}}:{{ports[http][1]}}";
+
+var test;
+
+function endTest(failed, message) {
+ if (typeof test === 'undefined') return;
+
+ if (failed) {
+ test.step(function() {
+ assert_unreached(message);
+ test.done();
+ });
+ }
+ else test.done({message: message});
+}
+
+window.addEventListener("message", function (e) {
+ if (window.parent != window)
+ window.parent.postMessage(e.data, "*");
+ else
+ if (e.data.type === 'test_result')
+ endTest(e.data.failed, "Inner IFrame msg: " + e.data.message);
+});
+
+function injectNestedIframe(policy, parent, child, expectation, isSandboxed) {
+ var iframe = document.createElement("iframe");
+
+ var url = "/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html"
+ + "?policy=" + policy
+ + "&parent=" + parent
+ + "&child=" + child
+ + "&expectation=" + expectation;
+ url = (parent == "same" ?
SAMEORIGIN_ORIGIN : CROSSORIGIN_ORIGIN) + url;
+
+ iframe.src = url;
+
+ if (isSandboxed)
+ iframe.sandbox = 'allow-scripts';
+
+ document.body.appendChild(iframe);
+}
+
+let timer;
+function pollForLoadCompletion({iframe, expectBlock}) {
+ let fn = iframeLoaded({expectBlock, isPoll: true});
+ timer = test.step_timeout(() => fn({target: iframe}), 10);
+}
+
+function injectIFrame(policy, sameOrigin, expectBlock) {
+ var iframe = document.createElement("iframe");
+ iframe.addEventListener("load", iframeLoaded({expectBlock, isPoll: false}));
+ iframe.addEventListener("error", iframeLoaded({expectBlock, isPoll: false}));
+
+ var url = "/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html?policy=" + policy;
+ if (sameOrigin)
+ url = SAMEORIGIN_ORIGIN + url;
+ else
+ url = CROSSORIGIN_ORIGIN + url;
+
+ iframe.src = url;
+ document.body.appendChild(iframe);
+ pollForLoadCompletion({iframe, expectBlock});
+}
+
+function iframeLoaded({isPoll, expectBlock}) {
+ return function(ev) {
+ clearTimeout(timer);
+ var failed = true;
+ var message = "";
+ try {
+ let url = ev.target.contentWindow.location.href;
+ if (isPoll && (url === "about:blank" || ev.target.contentDocument.readyState !== "complete")) {
+ pollForLoadCompletion({iframe: ev.target, expectBlock});
+ return;
+ }
+ if (expectBlock) {
+ message = "The IFrame should have been blocked (or cross-origin). It wasn't.";
+ failed = true;
+ } else {
+ message = "The IFrame should not have been blocked. It wasn't.";
+ failed = false;
+ }
+ } catch (ex) {
+ if (expectBlock) {
+ message = "The IFrame should have been blocked (or cross-origin). It was.";
+ failed = false;
+ } else {
+ message = "The IFrame should not have been blocked.
It was.";
+ failed = true;
+ }
+ }
+ if (window.parent != window)
+ window.parent.postMessage({type: 'test_result', failed: failed, message: message}, '*');
+ else
+ endTest(failed, message);
+ };
+}
+
+function originFrameShouldBe(child, expectation, policy) {
+ if (child == "cross" && expectation == "blocked") crossOriginFrameShouldBeBlocked(policy);
+ if (child == "same" && expectation == "blocked") sameOriginFrameShouldBeBlocked(policy);
+ if (child == "cross" && expectation == "allowed") crossOriginFrameShouldBeAllowed(policy);
+ if (child == "same" && expectation == "allowed") sameOriginFrameShouldBeAllowed(policy);
+}
+
+function crossOriginFrameShouldBeBlocked(policy) {
+ window.onload = function () {
+ injectIFrame(policy, CROSS_ORIGIN, EXPECT_BLOCK);
+ };
+}
+
+function crossOriginFrameShouldBeAllowed(policy) {
+ window.onload = function () {
+ injectIFrame(policy, CROSS_ORIGIN, EXPECT_LOAD);
+ };
+}
+
+function sameOriginFrameShouldBeBlocked(policy) {
+ window.onload = function () {
+ injectIFrame(policy, SAME_ORIGIN, EXPECT_BLOCK);
+ };
+}
+
+function sameOriginFrameShouldBeAllowed(policy) {
+ window.onload = function () {
+ injectIFrame(policy, SAME_ORIGIN, EXPECT_LOAD);
+ };
+}
+
+function testNestedIFrame(policy, parent, child, expectation) {
+ window.onload = function () {
+ injectNestedIframe(policy, parent == SAME_ORIGIN ? "same" : "cross", child == SAME_ORIGIN ? "same" : "cross", expectation == EXPECT_LOAD ? "allowed" : "blocked", false /* isSandboxed */);
+ };
+}
+
+function testNestedSandboxedIFrame(policy, parent, child, expectation) {
+ window.onload = function () {
+ injectNestedIframe(policy, parent == SAME_ORIGIN ? "same" : "cross", child == SAME_ORIGIN ? "same" : "cross", expectation == EXPECT_LOAD ? "allowed" : "blocked", true /* isSandboxed */);
+ };
+}
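Review bot: The cross-origin EXPECT_BLOCK path in `iframeLoaded` cannot fail: an allowed cross-origin frame throws on `ev.target.contentWindow.location.href` exactly as a blocked one does, so `crossOriginFrameShouldBeBlocked` reports success whether or not the policy was enforced, which the message text "(or cross-origin)" itself concedes. To make that assertion real, the loaded support page (`frame-ancestors.sub.html`) could `postMessage` a "loaded" marker to its parent, and the EXPECT_BLOCK branch could fail when that message arrives rather than treating the `catch` as proof of blocking. Separately, `injectIFrame` and `injectNestedIframe` splice `policy` into the query string by plain concatenation, so a policy token containing `&` or `#` would be misparsed by the receiving page; building the URL with the URL API would be safer, e.g. `var url = new URL("/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html", sameOrigin ? SAMEORIGIN_ORIGIN : CROSSORIGIN_ORIGIN); url.searchParams.set("policy", policy); iframe.src = url.href;`.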
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html
new file mode 100644
index 0000000000..de65277343
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+<body>
+ <p>This is an IFrame sending a Content Security Policy header containing "frame-ancestors {{GET[policy]}}".</p>
+ <script>
+ // This is an IFrame sending a Content Security Policy header containing "frame-ancestors {{GET[policy]}}"
+ </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html.sub.headers
new file mode 100644
index 0000000000..9369a4101f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-ancestors.sub.html.sub.headers
@@ -0,0 +1,2 @@
+Content-Type: text/html; charset=UTF-8
+Content-Security-Policy: frame-ancestors {{GET[policy]}}
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html
new file mode 100644
index 0000000000..993b6bfd4b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<body>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='/content-security-policy/frame-ancestors/support/frame-ancestors-test.sub.js'></script>
+
+ <span id="escape">{{GET[policy]}}</span>
+
+ <script>
+ test = async_test("Testing a {{GET[child]}}-origin child with a policy of {{GET[policy]}} nested in a {{GET[parent]}}-origin parent");
+ const policy = document.getElementById("escape").textContent;
+ originFrameShouldBe("{{GET[child]}}", "{{GET[expectation]}}", policy);
+ </script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html.sub.headers
new file mode 100644
index 0000000000..e853d6cee5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/frame-in-frame.sub.html.sub.headers
@@ -0,0 +1 @@
+Content-Type: text/html; charset=UTF-8
diff --git a/testing/web-platform/tests/content-security-policy/frame-ancestors/support/service-worker.js b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/service-worker.js
new file mode 100644
index 0000000000..ebced90f50
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-ancestors/support/service-worker.js
@@ -0,0 +1,10 @@
+self.onfetch = e => {
+ e.respondWith(function() {
+ return new Promise((resolve) => {
+ var headers = new Headers;
+ headers.append("Content-Security-Policy", "frame-ancestors 'none'");
+ var response = new Response("", { "headers" : headers, "status": 200, "statusText" : "OK" });
+ resolve(response);
+ });
+ }());
+}; |
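Review bot: In `service-worker.js` the argument to `respondWith` wraps a synchronously built `Response` in an immediately invoked function and a hand-rolled `new Promise`, which is the explicit-construction anti-pattern; `respondWith` accepts a `Response` directly, so the whole handler body reduces to `e.respondWith(new Response("", { headers: { "Content-Security-Policy": "frame-ancestors 'none'" }, status: 200, statusText: "OK" }));`. `new Headers` without parentheses also reads as an omission; if the `Headers` object is kept, write `new Headers()`.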