diff options
Diffstat (limited to '')
2 files changed, 102 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html new file mode 100644 index 0000000000..a6617a9590 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html @@ -0,0 +1,100 @@ +<!doctype html> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script src="/common/security-features/resources/common.sub.js"></script> +<body></body> +<script> + function waitForViolation(el, effective_directive) { + return new Promise(resolve => { + el.addEventListener('securitypolicyviolation', e => { + if (e.effectiveDirective == effective_directive) + resolve(e); + }); + }); + } + + async_test(t => { + var url = getRequestURLs("img-tag", + "same-http-downgrade", + "no-redirect").testUrl; + var i = document.createElement('img'); + var loaded = false; + var reported = false; + waitForViolation(window, "img-src") + .then(t.step_func(e => { + reported = true; + if (loaded) + t.done(); + })); + i.onload = t.step_func(_ => { + loaded = true; + if (reported) + t.done(); + }); + i.onerror = t.unreached_func(url + " should load successfully."); + i.src = url; + document.body.appendChild(i); + }, "Upgraded image is reported"); + + async_test(t => { + var url = getRequestURLs("iframe-tag", + "same-http-downgrade", + "no-redirect").testUrl; + var i = document.createElement('iframe'); + var loaded = false; + var reported = false; + waitForViolation(window, "frame-src") + .then(t.step_func(e => { + reported = true; + if (loaded) + t.done(); + })); + window.addEventListener("message", t.step_func(e => { + if (e.source == i.contentWindow) { + i.remove(); + loaded = true; + if (reported) + t.done(); + } + })); + i.src = url; + document.body.appendChild(i); + }, "Upgraded iframe is reported"); + + async_test(t => { + // Load an HTTPS iframe, then navigate it to an HTTP URL and check that the HTTP URL is both upgraded and reported. + var url = getRequestURLs("iframe-tag", + "same-https", + "no-redirect").testUrl; + var navigate_to = getRequestURLs("iframe-tag", + "cross-http-downgrade", + "no-redirect").testUrl; + var upgraded = new URL(navigate_to); + upgraded.protocol = "https"; + + var i = document.createElement('iframe'); + var loaded = false; + var reported = false; + + window.addEventListener("message", t.step_func(e => { + if (e.source == i.contentWindow) { + if (e.data.location == url) { + waitForViolation(window, "frame-src") + .then(t.step_func(e => { + reported = true; + if (loaded) + t.done(); + })); + i.contentWindow.location.href = navigate_to; + } else if (e.data.location == upgraded) { + loaded = true; + if (reported) + t.done(); + } + } + })); + i.src = url; + document.body.appendChild(i); + }, "Navigated iframe is upgraded and reported"); +</script> +</html> diff --git a/testing/web-platform/tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html.headers b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html.headers new file mode 100644 index 0000000000..b8bec0b95e --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html.headers @@ -0,0 +1,2 @@ +Content-Security-Policy-Report-Only: frame-src https:; img-src https: +Content-Security-Policy: upgrade-insecure-requests |