Diffstat (limited to 'testing/web-platform/tests/content-security-policy/inheritance/support')
-rw-r--r--testing/web-platform/tests/content-security-policy/inheritance/support/empty.html0
-rw-r--r--testing/web-platform/tests/content-security-policy/inheritance/support/iframe-do.sub.html8
-rw-r--r--testing/web-platform/tests/content-security-policy/inheritance/support/javascript-url-srcdoc-cross-origin-iframe-inheritance-helper.sub.html24
-rw-r--r--testing/web-platform/tests/content-security-policy/inheritance/support/message-opener-and-navigate-back.html5
-rw-r--r--testing/web-platform/tests/content-security-policy/inheritance/support/message-top-and-navigate-back.html5
-rw-r--r--testing/web-platform/tests/content-security-policy/inheritance/support/navigate-parent-to-blob.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-blob.html6
-rw-r--r--testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-blob.html.sub.headers4
-rw-r--r--testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-javascript.html12
-rw-r--r--testing/web-platform/tests/content-security-policy/inheritance/support/postmessage-opener.html4
-rw-r--r--testing/web-platform/tests/content-security-policy/inheritance/support/postmessage-top.html5
-rw-r--r--testing/web-platform/tests/content-security-policy/inheritance/support/srcdoc-child-frame.html19
12 files changed, 115 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/empty.html b/testing/web-platform/tests/content-security-policy/inheritance/support/empty.html
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/empty.html
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/iframe-do.sub.html b/testing/web-platform/tests/content-security-policy/inheritance/support/iframe-do.sub.html
new file mode 100644
index 0000000000..effc1adcdd
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/iframe-do.sub.html
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<meta http-equiv="Content-Security-Policy" content="img-src {{GET[img-src]}}">
+<script>
+ window.addEventListener('message', function(e) {
+ eval(e.data);
+ });
+ top.postMessage('ready', '*');
+</script>
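Review bot: The message listener passes `e.data` straight to `eval()` without checking who sent it, so any window that holds a reference to this frame can run script in it. For a test helper that is presumably intended, but the handler should say so and accept only the expected sender, e.g. `if (e.source !== top) return;` as its first line (assuming the driving test is always the top-level window, as the `top.postMessage('ready', '*')` line suggests). A comment such as `// Test-only: runs script sent by the top-level test page.` above the listener would make the intent explicit.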
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/javascript-url-srcdoc-cross-origin-iframe-inheritance-helper.sub.html b/testing/web-platform/tests/content-security-policy/inheritance/support/javascript-url-srcdoc-cross-origin-iframe-inheritance-helper.sub.html
new file mode 100644
index 0000000000..afe4753cf9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/javascript-url-srcdoc-cross-origin-iframe-inheritance-helper.sub.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<head>
+ <meta charset="utf-8">
+ <meta http-equiv="Content-Security-Policy" content="frame-src 'self'">
+ <script>
+ // The following is the content of a srcdoc iframe. It contains:
+ // - a script that catches the frame-src securitypolicyviolation event and
+ // forwards the information to the parent,
+ // - a cross-origin iframe.
+ let doc = `
+ <script>
+ window.addEventListener("securitypolicyviolation", e => {
+ if (e.violatedDirective === "frame-src") {
+ window.top.postMessage("frame blocked", "*");
+ }
+ });
+ </scr` + `ipt>
+ <iframe src="http://{{hosts[alt][]}}:{{ports[http][0]}}/content-security-policy/inheritance/support/postmessage-top.html"></iframe>`;
+ doc = doc.replaceAll('"', "\\\'");
+
+ const js_url = "javascript:'<iframe srcdoc=\""+ doc +"\">'";
+ window.open(js_url, "_self");
+ </script>
+</head>
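Review bot: The line `doc = doc.replaceAll('"', "\\\'");` has no explanation, and it is the part of this helper most likely to break when someone edits the template. I would add a comment above it along the lines of `// srcdoc is delimited by double quotes, so every " in doc becomes \' and is unescaped again by the single-quoted javascript: URL string.` The template also appears to rely on the newlines in `doc` being stripped when the URL is parsed; if that is the case it should be stated too, because a `//` comment added inside the template would then swallow the rest of the inlined script.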
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/message-opener-and-navigate-back.html b/testing/web-platform/tests/content-security-policy/inheritance/support/message-opener-and-navigate-back.html
new file mode 100644
index 0000000000..75ee5bee7c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/message-opener-and-navigate-back.html
@@ -0,0 +1,5 @@
+<script>
+ const params = new URLSearchParams(window.location.search);
+ opener.postMessage({msg: "ready", token: params.get("token")}, "*");
+ window.history.back();
+</script>
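Review bot: `opener.postMessage({msg: "ready", token: params.get("token")}, "*")` hands the query-string token to whatever window is the opener, with no target-origin restriction. If the token is only a correlation id for the test that is fine, but a one-line comment should say so, e.g. `// token only matches this message to a test case; it is not a secret, hence "*".` The same applies to message-top-and-navigate-back.html, postmessage-opener.html and postmessage-top.html. Note also that if `opener` is null the call throws and `window.history.back()` is never reached, and that only postmessage-top.html of the four starts with `<!DOCTYPE html>`.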
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/message-top-and-navigate-back.html b/testing/web-platform/tests/content-security-policy/inheritance/support/message-top-and-navigate-back.html
new file mode 100644
index 0000000000..53d5a18cb3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/message-top-and-navigate-back.html
@@ -0,0 +1,5 @@
+<script>
+ const params = new URLSearchParams(window.location.search);
+ top.postMessage({msg: "ready", token: params.get("token")}, "*");
+ window.history.back();
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-parent-to-blob.html b/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-parent-to-blob.html
new file mode 100644
index 0000000000..df4a443893
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-parent-to-blob.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
+ </head>
+ <body>
+ <script>
+ const blob_payload = `
+ <!doctype html>
+ <script>
+ var i = false;
+ try {
+ eval('i = true');
+ } catch {}
+ opener.postMessage(i ? "eval allowed" : "eval blocked", '*');
+ </scr` + `ipt>
+ `;
+ var blob_url = URL.createObjectURL(
+ new Blob([blob_payload], { type: 'text/html' }));
+ parent.location = blob_url;
+ </script>
+ </body>
+</html>
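Review bot: Nothing in this file says which policy the blob document is expected to run under, which is the point of the helper. The frame's own policy is `script-src 'unsafe-inline'` (no `'unsafe-eval'`) and the blob is loaded into `parent`, so a comment above `blob_payload` such as `// The blob is created here but navigated into the parent; the test checks which document's CSP governs eval() there.` would help. Separately, the empty `catch {}` reports every exception as "eval blocked"; `catch (e) { if (!(e instanceof EvalError)) throw e; }` would keep unrelated failures from passing as a block, assuming a CSP-blocked eval throws EvalError in the engines under test.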
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-blob.html b/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-blob.html
new file mode 100644
index 0000000000..9ea069969c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-blob.html
@@ -0,0 +1,6 @@
+<script nonce="abc">
+ var blob_string = "<script>alert(document.domain)<\/script>";
+ var blob = new Blob([blob_string], {type : 'text/html'});
+ var url = URL.createObjectURL(blob);
+ location.href=url;
+</script>
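Review bot: The script carries a fixed `nonce="abc"`, while the policy comes from the `csp` query parameter in navigate-self-to-blob.html.sub.headers, so this page only runs when the caller passes a policy that allows `'nonce-abc'` or does not restrict scripts. That coupling is not written down anywhere in the hunk; add a comment at the top such as `<!-- Callers must allow 'nonce-abc' in the csp parameter; the blob's inline script carries no nonce. -->`. Which outcome the test expects for the blob document is not visible here, so the comment should state it once confirmed against the test file.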
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-blob.html.sub.headers b/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-blob.html.sub.headers
new file mode 100644
index 0000000000..2642b0fa06
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-blob.html.sub.headers
@@ -0,0 +1,4 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Security-Policy: {{GET[csp]}}; report-uri http://{{host}}:{{ports[http][0]}}/reporting/resources/report.py?op=put&reportID={{GET[report_id]}}
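Review bot: `{{GET[csp]}}` and `{{GET[report_id]}}` are copied from the query string into the response header with no encoding. Whether the test server rejects line breaks in substituted values is not visible here; if it does not, the response headers are controlled by whoever builds the URL, and a `report_id` containing `&` would change the report URL. That is acceptable only on a test-only host, so the calling test should percent-encode `report_id` and pass policies from a fixed set. The same raw substitution is used for `img-src {{GET[img-src]}}` inside the meta tag in iframe-do.sub.html.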
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-javascript.html b/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-javascript.html
new file mode 100644
index 0000000000..86ea60c283
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-javascript.html
@@ -0,0 +1,12 @@
+<meta http-equiv="Content-Security-Policy" content="img-src 'none'"/>
+<script>
+ const js_payload = `
+ <div>
+ <img src="${window.origin}/content-security-policy/support/fail.png"
+ onload="opener.postMessage(\\\'img loaded\\\', \\\'*\\\');"
+ onerror="opener.postMessage(\\\'img blocked\\\', \\\'*\\\');"
+ >
+ </div>
+ `;
+ open(`javascript:'${js_payload}'`,"_self");
+</script>
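Review bot: `onerror` reports "img blocked" for any load failure, not only a CSP block, so a missing or unreachable `fail.png` would be indistinguishable from enforcement of `img-src 'none'`. srcdoc-child-frame.html in this same commit listens for `securitypolicyviolation` and checks `violatedDirective` instead; doing the same here would tie the message to the policy rather than to the load result. The `\\\'` sequences also deserve a comment: they produce `\'` so that the quotes survive inside the single-quoted `javascript:` string.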
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/postmessage-opener.html b/testing/web-platform/tests/content-security-policy/inheritance/support/postmessage-opener.html
new file mode 100644
index 0000000000..7ee11bc78d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/postmessage-opener.html
@@ -0,0 +1,4 @@
+<script>
+ const params = new URLSearchParams(window.location.search);
+ opener.postMessage({msg: "ready", token: params.get("token")}, "*");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/postmessage-top.html b/testing/web-platform/tests/content-security-policy/inheritance/support/postmessage-top.html
new file mode 100644
index 0000000000..242063a80e
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/postmessage-top.html
@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<script>
+ const params = new URLSearchParams(window.location.search);
+ top.postMessage({msg: "ready", token: params.get("token")}, "*");
+</script>
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/support/srcdoc-child-frame.html b/testing/web-platform/tests/content-security-policy/inheritance/support/srcdoc-child-frame.html
new file mode 100644
index 0000000000..9148be203d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/srcdoc-child-frame.html
@@ -0,0 +1,19 @@
+<head>
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+</head>
+<body>
+ <script>
+ var i = document.createElement('iframe');
+ i.srcdoc=`<script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ if (e.violatedDirective == 'img-src') {
+ top.postMessage('img blocked', '*');
+ }
+ })
+ </scr` + `ipt>
+ <img src='/content-security-policy/support/fail.png'
+ onload='top.postMessage("img loaded", "*")'/>`;
+ i.id = "srcdoc-frame";
+ document.body.appendChild(i);
+ </script>
+</body>
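Review bot: `e.violatedDirective == 'img-src'` uses loose equality, while the equivalent check in javascript-url-srcdoc-cross-origin-iframe-inheritance-helper.sub.html uses `===`; use `if (e.violatedDirective === 'img-src') {` here as well. The listener's closing `})` is also missing its semicolon, and the file has no `<!DOCTYPE html>`, unlike several other helpers in this commit.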