diff options
Diffstat (limited to '')
| -rw-r--r-- | testing/web-platform/tests/content-security-policy/resource-hints/prefetch-generate-directives.html | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-generate-directives.html b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-generate-directives.html new file mode 100644 index 0000000000..b08d885c1e --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/resource-hints/prefetch-generate-directives.html @@ -0,0 +1,90 @@ +<!DOCTYPE html> +<html> +<head> +<script src='/resources/testharness.js'></script> +<script src='/resources/testharnessreport.js'></script> +<script src='/common/utils.js'></script> +<script src='/content-security-policy/support/testharness-helper.js'></script> +<script> + +const directives = { + 'script-src': true, + 'img-src': true, + 'connect-src': true, + 'object-src': true, + 'font-src': true, + 'manifest-src': true, + 'media-src': true, + 'style-src': true, + 'child-src': true, + 'frame-src': true, + 'worker-src': true, + 'base-uri': false, +}; + +function prefetch_with_csp_in_a_popup(byDirective, t) { + // Allow inline scripts so that we can run the postMessage script... + if (byDirective["script-src"] === "*") + byDirective["script-src"] = "* 'unsafe-inline'"; + else + byDirective["script-src"] = "'unsafe-inline'"; + + const url = new URL('/content-security-policy/support/prefetch-with-csp.html', location.href); + const csp = Object.entries(byDirective).map(([key, value]) => `${key} ${value}`).join(";"); + url.searchParams.set("pipe", `header(Content-Security-Policy, ${csp})`); + const uid = token(); + url.searchParams.set("uid", uid); + const bc = new BroadcastChannel(uid); + const popup = window.open(url.href); + t.add_cleanup(() => popup.close()); + return new Promise(resolve => { + bc.addEventListener("message", ({data}) => { + resolve(data); + }); + }); +} + +for (const directive in directives) { + promise_test(async t => { + const byDirective = Object.fromEntries(Object.keys(directives).map(d => [d, "'none'"])); + byDirective[directive] = "*"; + byDirective["default-src"] = "'none'"; + const prefetch_ok = await prefetch_with_csp_in_a_popup(byDirective, t); + assert_equals(prefetch_ok, directives[directive], directive); + }, `Test that ${directive} enabled with everything else disabled allows prefetching`); + + promise_test(async t => { + const byDirective = { + "default-src": "'none'", + [directive]: "*", + }; + const prefetch_ok = await prefetch_with_csp_in_a_popup(byDirective, t); + assert_equals(prefetch_ok, directives[directive], directive); + }, `Test that ${directive} enabled with default-src disabled allows prefetching`); +} + +promise_test(async t => { + const byDirective = { + "default-src": "'none'", + "script-src-elem": "* 'unsafe-inline'", + "script-src": "'none'", + }; + const prefetch_ok = await prefetch_with_csp_in_a_popup(byDirective, t); + assert_true(prefetch_ok); + }, `Test that permissive script-src-elem supersedes script-src`); + +promise_test(async t => { + const byDirective = { + "default-src": "'none'", + "script-src-elem": "'unsafe-inline'", + "script-src": "*", + }; + const prefetch_ok = await prefetch_with_csp_in_a_popup(byDirective, t); + assert_true(prefetch_ok); +}, `Test that permissive script-src supersedes script-src-elem`); + +</script> +</head> +<body> +</body> +</html> |