summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/x-frame-options/support
diff options
context:
space:
mode:
Diffstat (limited to 'testing/web-platform/tests/x-frame-options/support')
-rw-r--r--testing/web-platform/tests/x-frame-options/support/helper.sub.js104
-rw-r--r--testing/web-platform/tests/x-frame-options/support/nested.py39
-rw-r--r--testing/web-platform/tests/x-frame-options/support/redirect.py4
-rw-r--r--testing/web-platform/tests/x-frame-options/support/xfo.py21
4 files changed, 168 insertions, 0 deletions
diff --git a/testing/web-platform/tests/x-frame-options/support/helper.sub.js b/testing/web-platform/tests/x-frame-options/support/helper.sub.js
new file mode 100644
index 0000000000..23663dd2d0
--- /dev/null
+++ b/testing/web-platform/tests/x-frame-options/support/helper.sub.js
@@ -0,0 +1,104 @@
+function xfo_simple_tests({ headerValue, headerValue2, cspValue, sameOriginAllowed, crossOriginAllowed }) {
+ simpleXFOTestsInner({
+ urlPrefix: "",
+ allowed: sameOriginAllowed,
+ headerValue,
+ headerValue2,
+ cspValue,
+ sameOrCross: "same-origin"
+ });
+
+ simpleXFOTestsInner({
+ urlPrefix: "http://{{domains[www]}}:{{ports[http][0]}}",
+ allowed: crossOriginAllowed,
+ headerValue,
+ headerValue2,
+ cspValue,
+ sameOrCross: "cross-origin"
+ });
+}
+
+function simpleXFOTestsInner({ urlPrefix, allowed, headerValue, headerValue2, cspValue, sameOrCross }) {
+ const value2QueryString = headerValue2 !== undefined ? `&value2=${headerValue2}` : ``;
+ const cspQueryString = cspValue !== undefined ? `&csp_value=${cspValue}` : ``;
+
+ const valueMessageString = headerValue === "" ? "(the empty string)" : headerValue;
+ const value2MessageString = headerValue2 === "" ? "(the empty string)" : headerValue2;
+ const value2MaybeMessageString = headerValue2 !== undefined ? `;${headerValue2}` : ``;
+ const cspMessageString = cspValue !== undefined ? ` with CSP ${cspValue}` : ``;
+
+ // This will test the multi-header variant, if headerValue2 is not undefined.
+ xfo_test({
+ url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue}${value2QueryString}${cspQueryString}`,
+ check: allowed ? "loaded message" : "no message",
+ message: `\`${valueMessageString}${value2MaybeMessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}`
+ });
+
+ if (headerValue2 !== undefined && headerValue2 !== headerValue) {
+ // Reversed variant
+ xfo_test({
+ url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue2}&value2=${headerValue}${cspQueryString}`,
+ check: allowed ? "loaded message" : "no message",
+ message: `\`${value2MessageString};${valueMessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}`
+ });
+
+ // Comma variant
+ xfo_test({
+ url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue},${headerValue2}${cspQueryString}`,
+ check: allowed ? "loaded message" : "no message",
+ message: `\`${valueMessageString},${value2MessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}`
+ });
+
+ // Comma + reversed variant
+ xfo_test({
+ url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue2},${headerValue}${cspQueryString}`,
+ check: allowed ? "loaded message" : "no message",
+ message: `\`${value2MessageString},${valueMessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}`
+ });
+ }
+}
+
+function xfo_test({ url, check, message }) {
+ async_test(t => {
+ const i = document.createElement("iframe");
+ i.src = url;
+
+ switch (check) {
+ case "loaded message": {
+ waitForMessageFrom(i, t).then(t.step_func_done(e => {
+ assert_equals(e.data, "Loaded");
+ }));
+ break;
+ }
+ case "failed message": {
+ waitForMessageFrom(i, t).then(t.step_func_done(e => {
+ assert_equals(e.data, "Failed");
+ }));
+ break;
+ }
+ case "no message": {
+ waitForMessageFrom(i, t).then(t.unreached_func("Frame should not have sent a message."));
+ i.onload = t.step_func_done(() => {
+ assert_equals(i.contentDocument, null);
+ });
+ break;
+ }
+ default: {
+ throw new Error("Bad test");
+ }
+ }
+
+ document.body.append(i);
+ t.add_cleanup(() => i.remove());
+ }, message);
+}
+
+function waitForMessageFrom(frame, test) {
+ return new Promise(resolve => {
+ window.addEventListener("message", test.step_func(e => {
+ if (e.source == frame.contentWindow) {
+ resolve(e);
+ }
+ }));
+ });
+}
diff --git a/testing/web-platform/tests/x-frame-options/support/nested.py b/testing/web-platform/tests/x-frame-options/support/nested.py
new file mode 100644
index 0000000000..78c8c18466
--- /dev/null
+++ b/testing/web-platform/tests/x-frame-options/support/nested.py
@@ -0,0 +1,39 @@
+def main(request, response):
+ origin = request.GET.first(b"origin");
+ value = request.GET.first(b"value");
+ # This is used to solve the race condition we have for postMessages
+ shouldSucceed = request.GET.first(b"loadShouldSucceed", b"false");
+ return ([(b"Content-Type", b"text/html")],
+ b"""<!DOCTYPE html>
+<title>XFO.</title>
+<body>
+<script>
+ var gotMessage = false;
+ window.addEventListener("message", e => {
+ gotMessage = true;
+ window.parent.postMessage(e.data, "*");
+ });
+
+ var i = document.createElement("iframe");
+ i.src = "%s/x-frame-options/support/xfo.py?value=%s";
+ i.onload = _ => {
+ // Why two rAFs? Because that seems to be enough to stop the
+ // load event from racing with the onmessage event.
+ requestAnimationFrame(_ => {
+ requestAnimationFrame(_ => {
+ // The race condition problem we have is it is possible
+ // that the sub iframe is loaded before the postMessage is
+ // dispatched, as a result, the "Failed" message is sent
+ // out. So the way we fixed is we simply let the timeout
+ // to happen if we expect the "Loaded" postMessage to be
+ // sent
+ if (!gotMessage && %s != true) {
+ window.parent.postMessage("Failed", "*");
+ }
+ });
+ });
+ };
+ document.body.appendChild(i);
+</script>
+ """ % (origin, value, shouldSucceed))
+
diff --git a/testing/web-platform/tests/x-frame-options/support/redirect.py b/testing/web-platform/tests/x-frame-options/support/redirect.py
new file mode 100644
index 0000000000..c6459eb871
--- /dev/null
+++ b/testing/web-platform/tests/x-frame-options/support/redirect.py
@@ -0,0 +1,4 @@
+def main(request, response):
+ response.status = 302
+ response.headers.set(b"X-Frame-Options", request.GET.first(b"value"))
+ response.headers.set(b"Location", request.GET.first(b"url"))
diff --git a/testing/web-platform/tests/x-frame-options/support/xfo.py b/testing/web-platform/tests/x-frame-options/support/xfo.py
new file mode 100644
index 0000000000..a4762ee58a
--- /dev/null
+++ b/testing/web-platform/tests/x-frame-options/support/xfo.py
@@ -0,0 +1,21 @@
+def main(request, response):
+ headers = [(b"Content-Type", b"text/html"), (b"X-Frame-Options", request.GET.first(b"value"))]
+
+ if b"value2" in request.GET:
+ headers.append((b"X-Frame-Options", request.GET.first(b"value2")))
+
+ if b"csp_value" in request.GET:
+ headers.append((b"Content-Security-Policy", request.GET.first(b"csp_value")))
+
+ body = u"""<!DOCTYPE html>
+ <html>
+ <head>
+ <title>XFO.</title>
+ <script>window.parent.postMessage('Loaded', '*');</script>
+ </head>
+ <body>
+ Loaded
+ </body>
+ </html>
+ """
+ return (headers, body)
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-03 08:57:39 +0000