Diffstat (limited to 'testing/web-platform/tests/portals/csp')
-rw-r--r--testing/web-platform/tests/portals/csp/frame-ancestors.sub.html13
-rw-r--r--testing/web-platform/tests/portals/csp/frame-src.sub.html49
-rw-r--r--testing/web-platform/tests/portals/csp/resources/frame-src.sub.html4
-rw-r--r--testing/web-platform/tests/portals/csp/resources/frame-src.sub.html.sub.headers2
4 files changed, 68 insertions, 0 deletions
diff --git a/testing/web-platform/tests/portals/csp/frame-ancestors.sub.html b/testing/web-platform/tests/portals/csp/frame-ancestors.sub.html
new file mode 100644
index 0000000000..096ed00c7a
--- /dev/null
+++ b/testing/web-platform/tests/portals/csp/frame-ancestors.sub.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<meta name="timeout" content="long">
+<head>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <title>Blocked portals are reported correctly</title>
+</head>
+<body>
+ <portal src="/content-security-policy/frame-ancestors/support/content-security-policy.sub.html?policy=report-uri%20/reporting/resources/report.py%3Fop=put%26reportID={{$id:uuid()}}%3B%20frame-ancestors%20'none'"></portal>
+ <script async defer src="/content-security-policy/support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-ancestors%20'none'&reportID={{$id}}"></script>
+</body>
+</html>
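Review bot: Nothing in this file checks that `<portal>` is implemented, unlike the `assert_implements("HTMLPortalElement" in self)` calls in frame-src.sub.html. On a browser without portals the element is presumably inert and no report is stored, so the report check would fail or time out as if CSP reporting were broken. The test also asserts only the stored report (`violated-directive` equal to `frame-ancestors 'none'`), not that the portal content stayed unloaded, so it covers reporting rather than enforcement. A comment stating that scope would help, e.g. `<!-- Covers the violation report only; blocking of the load is not asserted here. -->`. `<meta name="timeout" content="long">` also sits between `<html>` and `<head>`; placing it inside `<head>` matches the usual layout.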
diff --git a/testing/web-platform/tests/portals/csp/frame-src.sub.html b/testing/web-platform/tests/portals/csp/frame-src.sub.html
new file mode 100644
index 0000000000..13d9e79667
--- /dev/null
+++ b/testing/web-platform/tests/portals/csp/frame-src.sub.html
@@ -0,0 +1,49 @@
+<!doctype html>
+<title>Tests that portals respect the frame-src</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+</body>
+<script>
+ async_test(function(t) {
+ assert_implements("HTMLPortalElement" in self);
+ var w = window.open("resources/frame-src.sub.html?frame_src_policy=%27none%27");
+ w.onload = function() {
+ w.document.addEventListener("securitypolicyviolation",
+ t.step_func_done(function(e) {
+ assert_equals("frame-src", e.violatedDirective);
+ }));
+ var portal = w.document.createElement("portal");
+ portal.src = new URL("/portals/resources/simple-portal.html", location.href);
+ portal.onmessage = t.unreached_func("Portal should not load.");
+ w.document.body.appendChild(portal);
+ }
+ }, "Tests that a portal can't be loaded when it violates frame-src");
+
+ async_test(function(t) {
+ assert_implements("HTMLPortalElement" in self);
+ var w = window.open(`resources/frame-src.sub.html?frame_src_policy=http://{{hosts[][www]}}:{{ports[http][0]}}`);
+ w.onload = function() {
+ w.document.onsecuritypolicyviolation = t.unreached_func("Portal should load.");
+ var portal = w.document.createElement("portal");
+ portal.src = new URL("http://{{hosts[][www]}}:{{ports[http][0]}}/portals/resources/simple-portal.html", location.href);
+ portal.onmessage = t.step_func_done();
+ w.document.body.appendChild(portal);
+ }
+ }, "Tests that a portal can be loaded when the origin matches the frame-src CSP header.");
+ async_test(function(t) {
+ assert_implements("HTMLPortalElement" in self);
+ var w = window.open(`resources/frame-src.sub.html?frame_src_policy=http://{{hosts[][www]}}:{{ports[http][0]}}`);
+ w.onload = function() {
+ var portal = w.document.createElement("portal");
+ portal.src = new URL("http://{{hosts[alt][www]}}:{{ports[http][0]}}/portals/resources/simple-portal.html", location.href);
+ w.document.onsecuritypolicyviolation = t.step_func(function(e) {
+ w.document.onsecuritypolicyviolation = null;
+ assert_equals("frame-src", e.violatedDirective);
+ portal.src = new URL("http://{{hosts[][www]}}:{{ports[http][0]}}/portals/resources/simple-portal.html", location.href);
+ portal.onmessage = t.step_func_done();
+ });
+ w.document.body.appendChild(portal);
+ }
+ }, "Tests that a portal will fail to load on an origin different than the one specified in the frame-src CSP, but that it can be loaded when the origin matches the frame-src CSP.");
+</script>
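Review bot: The first test completes as soon as `securitypolicyviolation` fires (the `t.step_func_done` listener), so the `portal.onmessage = t.unreached_func("Portal should not load.")` guard can only trip if a message arrives before that event. A policy that is reported but not actually enforced would therefore still pass. Consider asserting `assert_equals(e.disposition, "enforce");` next to the directive check, and note that the existing calls have actual and expected swapped; the harness order is `assert_equals(e.violatedDirective, "frame-src");`. The three `window.open` popups are never closed and the `w.onload` callbacks are not wrapped in `t.step_func`, so an exception inside them surfaces as a timeout. `t.add_cleanup(() => w.close());` after each open and `w.onload = t.step_func(function() { ... });` would address both.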
diff --git a/testing/web-platform/tests/portals/csp/resources/frame-src.sub.html b/testing/web-platform/tests/portals/csp/resources/frame-src.sub.html
new file mode 100644
index 0000000000..c4f742a643
--- /dev/null
+++ b/testing/web-platform/tests/portals/csp/resources/frame-src.sub.html
@@ -0,0 +1,4 @@
+<!doctype html>
+<body>
+ <h1>Content Security Policy header containing "frame-src {{GET[frame_src_policy]}}"</h1>
+</body>
diff --git a/testing/web-platform/tests/portals/csp/resources/frame-src.sub.html.sub.headers b/testing/web-platform/tests/portals/csp/resources/frame-src.sub.html.sub.headers
new file mode 100644
index 0000000000..d50520cd39
--- /dev/null
+++ b/testing/web-platform/tests/portals/csp/resources/frame-src.sub.html.sub.headers
@@ -0,0 +1,2 @@
+Content-Type: text/html; charset=UTF-8
+Content-Security-Policy: frame-src {{GET[frame_src_policy]}}
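Review bot: The `frame_src_policy` query parameter is substituted into the `Content-Security-Policy` header value with no constraint visible here, so a value containing `;` would append further directives to the policy. Depending on how the server escapes substitutions in header files, a value containing line breaks might also add header lines. That is acceptable only because this is a test-server resource. It would help to say so in the accompanying resources/frame-src.sub.html (the headers format may not allow comments), and to keep callers passing a single source expression, as the three tests in frame-src.sub.html do.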