diff options
Diffstat (limited to '')
-rw-r--r-- | testing/web-platform/tests/content-security-policy/securitypolicyviolation/targeting.html | 169 |
1 files changed, 169 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/targeting.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/targeting.html new file mode 100644 index 0000000000..b21273ca55 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/targeting.html @@ -0,0 +1,169 @@ +<!doctype html> +<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'; style-src 'self'"> +<script nonce="abc" src="/resources/testharness.js"></script> +<script nonce="abc" src="/resources/testharnessreport.js"></script> +<script nonce="abc"> + var unexecuted_test = async_test("These tests should not fail."); + + async_test(t => { + var watcher = new EventWatcher(t, document, ['securitypolicyviolation']) + watcher.wait_for('securitypolicyviolation') + .then(t.step_func(e => { + assert_equals(e.blockedURI, "inline"); + assert_equals(e.target, document.querySelector('#block1')); + return watcher.wait_for('securitypolicyviolation'); + })) + .then(t.step_func(e => { + assert_equals(e.blockedURI, "inline"); + assert_equals(e.target, document.querySelector('#block2')); + return watcher.wait_for('securitypolicyviolation'); + })) + .then(t.step_func(e => { + assert_equals(e.blockedURI, "inline"); + assert_equals(e.target, document.querySelector('#block3')); + return watcher.wait_for('securitypolicyviolation'); + })) + .then(t.step_func(e => { + assert_equals(e.blockedURI, "inline"); + assert_equals(e.target, document.querySelector('#block4')); + return watcher.wait_for('securitypolicyviolation'); + })) + .then(t.step_func(e => { + assert_equals(e.blockedURI, "inline"); + assert_equals(e.target, document.querySelector('#block5')); + return watcher.wait_for('securitypolicyviolation'); + })) + .then(t.step_func(e => { + assert_equals(e.blockedURI, "inline"); + assert_equals(e.lineNumber, 118); + assert_in_array(e.columnNumber, [4, 6]); + assert_equals(e.target, document, "Elements created in this document, but pushed into a same-origin frame trigger on that frame's document, not on this frame's document."); + return watcher.wait_for('securitypolicyviolation'); + })) + .then(t.step_func(e => { + assert_equals(e.blockedURI, "inline"); + assert_equals(e.lineNumber, 131); + assert_in_array(e.columnNumber, [4, 59]); + assert_equals(e.target, document, "Elements created in this document, but pushed into a same-origin frame trigger on that frame's document, not on this frame's document."); + return watcher.wait_for('securitypolicyviolation'); + })) + .then(t.step_func(e => { + assert_equals(e.blockedURI, "inline"); + assert_equals(e.lineNumber, 139); + assert_in_array(e.columnNumber, [4, 6]); + assert_equals(e.target, document, "Inline event handlers for disconnected elements target the document."); + return watcher.wait_for('securitypolicyviolation'); + })) + .then(t.step_func(e => { + assert_equals(e.blockedURI, "inline"); + assert_equals(e.lineNumber, 0); + assert_equals(e.columnNumber, 0); + assert_equals(e.target, document, "Inline event handlers for elements disconnected after triggering target the document."); + })) + .then(t.step_func_done(_ => { + unexecuted_test.done(); + })); + }, "Inline violations target the right element."); + +</script> +<!-- Inline block with no nonce. --> +<script id="block1"> + unexecuted_test.assert_unreached("This code block should not execute."); +</script> + +<!-- Inline event handler. --> +<a id="block2" onclick="void(0)">Click me!</a> +<script nonce='abc'>document.querySelector('#block2').click();</script> + +<!-- Style block. --> +<style id="block3"> + p { color: red !important; } +</style> + +<!-- Inline event handler inside Shadow DOM --> +<div id="block4"></div> +<script nonce='abc'> + async_test(t => { + var shadow = document.querySelector('#block4').attachShadow({"mode":"closed"}); + shadow.innerHTML = "<a id='block4a' onclick='void(0)'>Click!</a>"; + var a = shadow.querySelector('#block4a'); + a.addEventListener('securitypolicyviolation', t.step_func_done(e => { + assert_equals(e.blockedURI, "inline"); + assert_equals(e.target, a); + })); + a.click(); + }, "Correct targeting inside shadow tree (inline handler)."); +</script> + +<!-- Inline event handler inside Shadow DOM --> +<div id="block5"></div> +<script nonce='abc'> + async_test(t => { + var shadow = document.querySelector('#block5').attachShadow({"mode":"closed"}); + var style = document.createElement('style'); + style.innerText = 'p { color: red; }'; + style.addEventListener('securitypolicyviolation', t.step_func_done(e => { + assert_equals(e.blockedURI, "inline"); + assert_equals(e.target, style); + })); + shadow.appendChild(style); + }, "Correct targeting inside shadow tree (style)."); +</script> + +<!-- Pushed into a same-origin Document that isn't this Document --> +<iframe id="block6"></iframe> +<script nonce="abc"> + async_test(t => { + var d = document.createElement("div"); + d.setAttribute("onclick", "void(0);"); + var events = 0; + d.addEventListener('securitypolicyviolation', t.step_func(e => { + events++; + assert_equals(e.blockedURI, "inline"); + assert_equals(e.target, d); + })); + document.querySelector('#block6').contentDocument.addEventListener('securitypolicyviolation', t.step_func_done(e => { + events++; + assert_equals(e.blockedURI, "inline"); + assert_equals(e.target, d); + assert_equals(events, 2); + })); + document.querySelector('#block6').contentDocument.body.appendChild(d); + }, "Elements created in this document, but pushed into a same-origin frame trigger on that frame's document, not on this frame's document."); +</script> + +<!-- Disconnected inline event handler --> +<script nonce="abc"> + async_test(t => { + var d = document.createElement("div"); + d.setAttribute("onclick", "void(0);"); + d.addEventListener('securitypolicyviolation', t.unreached_func()); + d.click(); + t.done(); + }, "Inline event handlers for disconnected elements target the document."); +</script> + +<!-- Inline event handler, disconnected after click. --> +<a id="block8" onclick="void(0)">Click me also!</a> +<script nonce="abc"> + async_test(t => { + var a = document.querySelector('#block8'); + a.addEventListener('securitypolicyviolation', t.unreached_func()); + a.click(); + a.parentNode.removeChild(a); + t.done(); + }, "Inline event handlers for elements disconnected after triggering target the document."); +</script> + +<!-- Disconnected in a DocumentFragment --> +<script nonce="abc"> + async_test(t => { + var f = new DocumentFragment(); + var d = document.createElement('div'); + d.setAttribute('onclick', 'void(0)'); + d.addEventListener('securitypolicyviolation', t.unreached_func()); + f.appendChild(d); + d.click(); + t.done(); + }, "Inline event handlers for elements in a DocumentFragment target the document."); +</script> |