Diffstat (limited to 'testing/web-platform/tests/content-security-policy/unsafe-hashes/support')
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html21
-rw-r--r--testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js40
2 files changed, 61 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html
new file mode 100644
index 0000000000..3068822f37
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html
@@ -0,0 +1,21 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+ <meta http-equiv="Content-Security-Policy" content="{{GET[csp]}}">
+</head>
+
+<body>
+
+ <span id="escape">{{GET[url]}}</span>
+
+ <script nonce='abc'>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ opener.postMessage('fail', '*');
+ });
+
+ window.location.href = document.getElementById("escape").textContent;
+ </script>
+</body>
+
+</html>
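Review bot: The inline script carries a fixed `nonce='abc'`, so every policy passed in through `{{GET[csp]}}` has to allow `'nonce-abc'`. If it does not, the script is blocked before the `securitypolicyviolation` listener is registered, and the opener would presumably see a timeout instead of a 'fail' message. The file does not state that contract, nor why the target URL is round-tripped through the `#escape` span (apparently so an entity-encoded value is decoded by `textContent` before navigation). I would add an HTML comment above the script, e.g. `<!-- csp must allow 'nonce-abc'; url is read back via textContent so the encoded value is decoded before navigating -->`. Both query parameters are substituted into the markup as-is, so the same comment could say this fixture is meant to be served only by the test server.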
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js b/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js
new file mode 100644
index 0000000000..26db3289ea
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-hashes/support/helper.js
@@ -0,0 +1,40 @@
+// Typical CSP hashes are:
+// 'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=' ==> javascript:opener.navigated();
+// 'sha256-l0Wxf12cHMZT6UQ2zsQ7AcFSb6Y198d37Ki8zWITecM=' ==> javascript:navigated();
+
+function runTest(navigationShouldAllowed, navigationMethod, description) {
+ const t1 = async_test(
+ 'javascript: navigation using ' + navigationMethod + ' should be ' +
+ (navigationShouldAllowed ? 'allowed' : 'refused') + description);
+
+ if (navigationShouldAllowed) {
+ window.navigated = () => t1.done();
+ window.addEventListener('securitypolicyviolation',
+ t1.unreached_func('Should have not raised any event'));
+ } else {
+ window.navigated =
+ t1.unreached_func('Should not have run javascript: URL');
+ window.addEventListener('securitypolicyviolation',
+ t1.step_func_done(function(e) {
+ assert_equals(e.violatedDirective, 'script-src-elem');
+ assert_equals(e.blockedURI, 'inline');
+ }));
+ }
+
+ if (navigationMethod === '<a href target=_blank>') {
+ const a = document.createElement('a');
+ a.setAttribute('target', '_blank');
+ a.setAttribute('rel', 'opener');
+ a.setAttribute('href', 'javascript:opener.navigated();');
+ document.body.appendChild(a);
+ a.click();
+ }
+ else if (navigationMethod === '<a href>') {
+ const a = document.createElement('a');
+ a.setAttribute('href', 'javascript:navigated();');
+ document.body.appendChild(a);
+ a.click();
+ } else {
+ t1.unreached_func('Invalid navigationMethod: ' + navigationMethod)();
+ }
+}
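Review bot: `runTest` installs `window.navigated` and a window-level `securitypolicyviolation` listener that are never removed, so it looks safe to call only once per document. A second call would overwrite `navigated`, and its violation event would still reach the first test's listener. I would either document that above the function, e.g. `// Call at most once per page: installs window.navigated and a window-level securitypolicyviolation listener.`, or register the listener through a named function and drop it in `t1.add_cleanup(...)`. The header comment should also say that the two hashes match the exact `href` strings set in the `<a href target=_blank>` and `<a href>` branches, so editing either string means regenerating its hash. As a style point, `description` is appended directly after 'allowed'/'refused', so callers must pass a leading space; a `' ' +` in the title expression would remove that requirement.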