Diffstat (limited to '')
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-src/frame-src-redirect.html35
-rw-r--r--testing/web-platform/tests/content-security-policy/frame-src/frame-src-redirect.html.headers2
2 files changed, 37 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/frame-src/frame-src-redirect.html b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-redirect.html
new file mode 100644
index 0000000000..f5ac88b052
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-redirect.html
@@ -0,0 +1,35 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="./support/testharness-helper.sub.js"></script>
+<body></body>
+<script>
+ function waitForViolation(el, policy, blocked_origin) {
+ return new Promise(resolve => {
+ el.addEventListener('securitypolicyviolation', e => {
+ if (e.originalPolicy == policy && (new URL(e.blockedURI)).origin == blocked_origin)
+ resolve(e);
+ });
+ });
+ }
+
+ async_test(t => {
+ var i = document.createElement("iframe");
+ var redirect = generateCrossOriginRedirectFrame();
+ i.src = redirect.url;
+
+ // Report-only policy should trigger a violation on the original request.
+ var original_report_only = waitForViolation(window, "frame-src http://foo.test", (new URL(i.src)).origin)
+ // Report-only policy should trigger a violation on the redirected request.
+ var redirect_report_only = waitForViolation(window, "frame-src http://foo.test", (new URL(redirect.target)).origin)
+ // Enforced policy should trigger a violation on the redirected request.
+ var redirect_enforced = waitForViolation(window, "frame-src 'self'", (new URL(redirect.target)).origin)
+
+ Promise.all([original_report_only, redirect_report_only, redirect_enforced]).then(t.step_func(_ => {
+ t.done();
+ }));
+
+ document.body.appendChild(i);
+ }, "Redirected iframe src should evaluate both enforced and report-only policies on both original request and when following redirect");
+</script>
+</html>
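Review bot: The test only waits for the three expected violations (lines with `waitForViolation`) and never fails on an unexpected one, so an implementation that also raised an enforced `frame-src 'self'` violation for the original request — which the test's comments imply must not happen, presumably because `redirect.url` is same-origin, though `generateCrossOriginRedirectFrame` is not visible here — would still pass. Consider a fourth listener that fails the test in that case, e.g. `window.addEventListener('securitypolicyviolation', t.step_func(e => { if (e.originalPolicy == "frame-src 'self'" && new URL(e.blockedURI).origin == new URL(i.src).origin) assert_unreached('enforced policy fired on the original request'); }));`. Separately, `new URL(e.blockedURI)` in `waitForViolation` throws for non-URL `blockedURI` values such as `inline` or `eval`, which would surface an unrelated violation as a harness error rather than a test failure; guarding the parse (try/catch, or checking `e.blockedURI.startsWith('http')`) and adding the missing semicolons on the three `var ... = waitForViolation(...)` lines would make the test more robust.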
diff --git a/testing/web-platform/tests/content-security-policy/frame-src/frame-src-redirect.html.headers b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-redirect.html.headers
new file mode 100644
index 0000000000..338bea13b8
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/frame-src/frame-src-redirect.html.headers
@@ -0,0 +1,2 @@
+Content-Security-Policy: frame-src 'self'
+Content-Security-Policy-Report-Only: frame-src http://foo.test