diff options
Diffstat (limited to 'testing/web-platform/tests/x-frame-options')
12 files changed, 502 insertions, 0 deletions
diff --git a/testing/web-platform/tests/x-frame-options/META.yml b/testing/web-platform/tests/x-frame-options/META.yml new file mode 100644 index 0000000000..622213edad --- /dev/null +++ b/testing/web-platform/tests/x-frame-options/META.yml @@ -0,0 +1,5 @@ +spec: https://html.spec.whatwg.org/multipage/browsing-the-web.html#the-x-frame-options-header +suggested_reviewers: + - annevk + - mikewest + - domenic diff --git a/testing/web-platform/tests/x-frame-options/README.md b/testing/web-platform/tests/x-frame-options/README.md new file mode 100644 index 0000000000..2fad3599d5 --- /dev/null +++ b/testing/web-platform/tests/x-frame-options/README.md @@ -0,0 +1,3 @@ +This directory contains tests for [`X-Frame-Options`](https://html.spec.whatwg.org/#the-x-frame-options-header). + +Currently it only tests `<iframe>`. It would be nice to test `<embed>` and `<object>` as well. diff --git a/testing/web-platform/tests/x-frame-options/deny.html b/testing/web-platform/tests/x-frame-options/deny.html new file mode 100644 index 0000000000..90f65d3f43 --- /dev/null +++ b/testing/web-platform/tests/x-frame-options/deny.html @@ -0,0 +1,43 @@ +<!DOCTYPE html> +<meta charset="utf-8"> +<title>X-Frame-Options variations of DENY</title> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script src="./support/helper.sub.js"></script> + +<body> +<script> +"use strict"; + +xfo_simple_tests({ + headerValue: `DENY`, + sameOriginAllowed: false, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `denY`, + sameOriginAllowed: false, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: ` DENY `, + sameOriginAllowed: false, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `DENY`, + cspValue: `default-src 'self'`, + sameOriginAllowed: false, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `DENY`, + cspValue: `frame-ancestors 'self'`, + sameOriginAllowed: true, + crossOriginAllowed: false +}); +</script> diff --git a/testing/web-platform/tests/x-frame-options/get-decode-split.html b/testing/web-platform/tests/x-frame-options/get-decode-split.html new file mode 100644 index 0000000000..9f5101d610 --- /dev/null +++ b/testing/web-platform/tests/x-frame-options/get-decode-split.html @@ -0,0 +1,23 @@ +<!DOCTYPE html> +<meta charset="utf-8"> +<title>X-Frame-Options headers use the get, decode, and split algorithm</title> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script src="support/helper.sub.js"></script> + +<body> +<script> +"use strict"; + +xfo_simple_tests({ + headerValue: `,SAMEORIGIN,,DENY,`, + sameOriginAllowed: false, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: ` SAMEORIGIN, DENY`, + sameOriginAllowed: false, + crossOriginAllowed: false +}); +</script> diff --git a/testing/web-platform/tests/x-frame-options/invalid.html b/testing/web-platform/tests/x-frame-options/invalid.html new file mode 100644 index 0000000000..26b2905e4d --- /dev/null +++ b/testing/web-platform/tests/x-frame-options/invalid.html @@ -0,0 +1,59 @@ +<!DOCTYPE html> +<meta charset="utf-8"> +<title>X-Frame-Options invalid values</title> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script src="./support/helper.sub.js"></script> + +<body> +<script> +"use strict"; + +xfo_simple_tests({ + headerValue: `INVALID`, + sameOriginAllowed: true, + crossOriginAllowed: true +}); + +xfo_simple_tests({ + headerValue: `ALLOW-FROM https://example.com/`, + sameOriginAllowed: true, + crossOriginAllowed: true +}); + +xfo_simple_tests({ + headerValue: `ALLOW-FROM=https://example.com/`, + sameOriginAllowed: true, + crossOriginAllowed: true +}); + +xfo_simple_tests({ + headerValue: `ALLOWALL`, + sameOriginAllowed: true, + crossOriginAllowed: true +}); + +xfo_simple_tests({ + headerValue: `"DENY"`, + sameOriginAllowed: true, + crossOriginAllowed: true +}); + +xfo_simple_tests({ + headerValue: `"SAMEORIGIN"`, + sameOriginAllowed: true, + crossOriginAllowed: true +}); + +xfo_simple_tests({ + headerValue: `"SAMEORIGIN,DENY"`, + sameOriginAllowed: true, + crossOriginAllowed: true +}); + +xfo_simple_tests({ + headerValue: ``, + sameOriginAllowed: true, + crossOriginAllowed: true +}); +</script> diff --git a/testing/web-platform/tests/x-frame-options/multiple.html b/testing/web-platform/tests/x-frame-options/multiple.html new file mode 100644 index 0000000000..13c9cf3a37 --- /dev/null +++ b/testing/web-platform/tests/x-frame-options/multiple.html @@ -0,0 +1,131 @@ +<!DOCTYPE html> +<meta charset="utf-8"> +<title>X-Frame-Options headers sent multiple times</title> + +<!-- + This test is creating and navigating >90 iframes. This can exceed the + "short" timeout". +--> +<meta name="timeout" content="long"> + +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script src="support/helper.sub.js"></script> + +<body> +<script> +"use strict"; + +xfo_simple_tests({ + headerValue: `SAMEORIGIN`, + headerValue2: `SAMEORIGIN`, + sameOriginAllowed: true, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `SAMEORIGIN`, + headerValue2: `sameOrigin`, + sameOriginAllowed: true, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `SAMEORIGIN`, + headerValue2: `DENY`, + sameOriginAllowed: false, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `SAMEORIGIN`, + headerValue2: `INVALID`, + sameOriginAllowed: false, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `SAMEORIGIN`, + headerValue2: `ALLOWALL`, // same as INVALID + sameOriginAllowed: false, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `SAMEORIGIN`, + headerValue2: `"DENY"`, // same as INVALID + sameOriginAllowed: false, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `SAMEORIGIN`, + headerValue2: ``, // same as INVALID + sameOriginAllowed: false, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `DENY`, + headerValue2: `DENY`, + sameOriginAllowed: false, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `DENY`, + headerValue2: `INVALID`, + sameOriginAllowed: false, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `DENY`, + headerValue2: `ALLOWALL`, // same as INVALID + sameOriginAllowed: false, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `DENY`, + headerValue2: `"SAMEORIGIN"`, // same as INVALID + sameOriginAllowed: false, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `ALLOWALL`, + headerValue2: `INVALID`, + sameOriginAllowed: false, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `ALLOWALL`, + headerValue2: ``, + sameOriginAllowed: false, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `allowAll`, + headerValue2: `INVALID`, + sameOriginAllowed: false, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `INVALID`, + headerValue2: `INVALID`, + sameOriginAllowed: true, + crossOriginAllowed: true +}); + +xfo_simple_tests({ + headerValue: `INVALID`, + headerValue2: ``, + sameOriginAllowed: true, + crossOriginAllowed: true +}); + +</script> diff --git a/testing/web-platform/tests/x-frame-options/redirect.html b/testing/web-platform/tests/x-frame-options/redirect.html new file mode 100644 index 0000000000..65fd0d5dd1 --- /dev/null +++ b/testing/web-platform/tests/x-frame-options/redirect.html @@ -0,0 +1,17 @@ +<!DOCTYPE html> +<meta charset="utf-8"> +<title>X-Frame-Options headers sent along with a redirect</title> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script src="support/helper.sub.js"></script> + +<body> +<script> +"use strict"; + +xfo_test({ + url: `./support/redirect.py?value=DENY&url=/x-frame-options/support/xfo.py%3Fvalue%3DALLOWALL`, + check: "loaded message", + message: `XFO on redirect responses is ignored` +}); +</script> diff --git a/testing/web-platform/tests/x-frame-options/sameorigin.sub.html b/testing/web-platform/tests/x-frame-options/sameorigin.sub.html new file mode 100644 index 0000000000..45f9b01bf1 --- /dev/null +++ b/testing/web-platform/tests/x-frame-options/sameorigin.sub.html @@ -0,0 +1,53 @@ +<!DOCTYPE html> +<meta charset="utf-8"> +<title>X-Frame-Options variations of SAMEORIGIN</title> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script src="./support/helper.sub.js"></script> + +<body> +<script> +"use strict"; + +xfo_simple_tests({ + headerValue: `SAMEORIGIN`, + sameOriginAllowed: true, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `sameOriGin`, + sameOriginAllowed: true, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: ` SAMEORIGIN `, + sameOriginAllowed: true, + crossOriginAllowed: false +}); + +xfo_test({ + url: `./support/nested.py?origin=http://{{host}}:{{ports[http][0]}}&value=SAMEORIGIN&loadShouldSucceed=true`, + check: "loaded message", + message: `SAMEORIGIN allows same-origin nested in same-origin framing` +}); + +xfo_test({ + url: `./support/nested.py?origin=http://{{domains[www]}}:{{ports[http][0]}}&value=SAMEORIGIN`, + check: "failed message", + message: `SAMEORIGIN blocks cross-origin nested in same-origin framing` +}); + +xfo_test({ + url: `http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/nested.py?origin=http://{{host}}:{{ports[http][0]}}&value=SAMEORIGIN`, + check: "failed message", + message: `SAMEORIGIN blocks same-origin nested in cross-origin framing` +}); + +xfo_test({ + url: `http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/nested.py?origin=http://{{domains[www]}}:{{ports[http][0]}}&value=SAMEORIGIN`, + check: "failed message", + message: `SAMEORIGIN blocks cross-origin nested in cross-origin framing` +}); +</script> diff --git a/testing/web-platform/tests/x-frame-options/support/helper.sub.js b/testing/web-platform/tests/x-frame-options/support/helper.sub.js new file mode 100644 index 0000000000..23663dd2d0 --- /dev/null +++ b/testing/web-platform/tests/x-frame-options/support/helper.sub.js @@ -0,0 +1,104 @@ +function xfo_simple_tests({ headerValue, headerValue2, cspValue, sameOriginAllowed, crossOriginAllowed }) { + simpleXFOTestsInner({ + urlPrefix: "", + allowed: sameOriginAllowed, + headerValue, + headerValue2, + cspValue, + sameOrCross: "same-origin" + }); + + simpleXFOTestsInner({ + urlPrefix: "http://{{domains[www]}}:{{ports[http][0]}}", + allowed: crossOriginAllowed, + headerValue, + headerValue2, + cspValue, + sameOrCross: "cross-origin" + }); +} + +function simpleXFOTestsInner({ urlPrefix, allowed, headerValue, headerValue2, cspValue, sameOrCross }) { + const value2QueryString = headerValue2 !== undefined ? `&value2=${headerValue2}` : ``; + const cspQueryString = cspValue !== undefined ? `&csp_value=${cspValue}` : ``; + + const valueMessageString = headerValue === "" ? "(the empty string)" : headerValue; + const value2MessageString = headerValue2 === "" ? "(the empty string)" : headerValue2; + const value2MaybeMessageString = headerValue2 !== undefined ? `;${headerValue2}` : ``; + const cspMessageString = cspValue !== undefined ? ` with CSP ${cspValue}` : ``; + + // This will test the multi-header variant, if headerValue2 is not undefined. + xfo_test({ + url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue}${value2QueryString}${cspQueryString}`, + check: allowed ? "loaded message" : "no message", + message: `\`${valueMessageString}${value2MaybeMessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}` + }); + + if (headerValue2 !== undefined && headerValue2 !== headerValue) { + // Reversed variant + xfo_test({ + url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue2}&value2=${headerValue}${cspQueryString}`, + check: allowed ? "loaded message" : "no message", + message: `\`${value2MessageString};${valueMessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}` + }); + + // Comma variant + xfo_test({ + url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue},${headerValue2}${cspQueryString}`, + check: allowed ? "loaded message" : "no message", + message: `\`${valueMessageString},${value2MessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}` + }); + + // Comma + reversed variant + xfo_test({ + url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue2},${headerValue}${cspQueryString}`, + check: allowed ? "loaded message" : "no message", + message: `\`${value2MessageString},${valueMessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}` + }); + } +} + +function xfo_test({ url, check, message }) { + async_test(t => { + const i = document.createElement("iframe"); + i.src = url; + + switch (check) { + case "loaded message": { + waitForMessageFrom(i, t).then(t.step_func_done(e => { + assert_equals(e.data, "Loaded"); + })); + break; + } + case "failed message": { + waitForMessageFrom(i, t).then(t.step_func_done(e => { + assert_equals(e.data, "Failed"); + })); + break; + } + case "no message": { + waitForMessageFrom(i, t).then(t.unreached_func("Frame should not have sent a message.")); + i.onload = t.step_func_done(() => { + assert_equals(i.contentDocument, null); + }); + break; + } + default: { + throw new Error("Bad test"); + } + } + + document.body.append(i); + t.add_cleanup(() => i.remove()); + }, message); +} + +function waitForMessageFrom(frame, test) { + return new Promise(resolve => { + window.addEventListener("message", test.step_func(e => { + if (e.source == frame.contentWindow) { + resolve(e); + } + })); + }); +} diff --git a/testing/web-platform/tests/x-frame-options/support/nested.py b/testing/web-platform/tests/x-frame-options/support/nested.py new file mode 100644 index 0000000000..78c8c18466 --- /dev/null +++ b/testing/web-platform/tests/x-frame-options/support/nested.py @@ -0,0 +1,39 @@ +def main(request, response): + origin = request.GET.first(b"origin"); + value = request.GET.first(b"value"); + # This is used to solve the race condition we have for postMessages + shouldSucceed = request.GET.first(b"loadShouldSucceed", b"false"); + return ([(b"Content-Type", b"text/html")], + b"""<!DOCTYPE html> +<title>XFO.</title> +<body> +<script> + var gotMessage = false; + window.addEventListener("message", e => { + gotMessage = true; + window.parent.postMessage(e.data, "*"); + }); + + var i = document.createElement("iframe"); + i.src = "%s/x-frame-options/support/xfo.py?value=%s"; + i.onload = _ => { + // Why two rAFs? Because that seems to be enough to stop the + // load event from racing with the onmessage event. + requestAnimationFrame(_ => { + requestAnimationFrame(_ => { + // The race condition problem we have is it is possible + // that the sub iframe is loaded before the postMessage is + // dispatched, as a result, the "Failed" message is sent + // out. So the way we fixed is we simply let the timeout + // to happen if we expect the "Loaded" postMessage to be + // sent + if (!gotMessage && %s != true) { + window.parent.postMessage("Failed", "*"); + } + }); + }); + }; + document.body.appendChild(i); +</script> + """ % (origin, value, shouldSucceed)) + diff --git a/testing/web-platform/tests/x-frame-options/support/redirect.py b/testing/web-platform/tests/x-frame-options/support/redirect.py new file mode 100644 index 0000000000..c6459eb871 --- /dev/null +++ b/testing/web-platform/tests/x-frame-options/support/redirect.py @@ -0,0 +1,4 @@ +def main(request, response): + response.status = 302 + response.headers.set(b"X-Frame-Options", request.GET.first(b"value")) + response.headers.set(b"Location", request.GET.first(b"url")) diff --git a/testing/web-platform/tests/x-frame-options/support/xfo.py b/testing/web-platform/tests/x-frame-options/support/xfo.py new file mode 100644 index 0000000000..a4762ee58a --- /dev/null +++ b/testing/web-platform/tests/x-frame-options/support/xfo.py @@ -0,0 +1,21 @@ +def main(request, response): + headers = [(b"Content-Type", b"text/html"), (b"X-Frame-Options", request.GET.first(b"value"))] + + if b"value2" in request.GET: + headers.append((b"X-Frame-Options", request.GET.first(b"value2"))) + + if b"csp_value" in request.GET: + headers.append((b"Content-Security-Policy", request.GET.first(b"csp_value"))) + + body = u"""<!DOCTYPE html> + <html> + <head> + <title>XFO.</title> + <script>window.parent.postMessage('Loaded', '*');</script> + </head> + <body> + Loaded + </body> + </html> + """ + return (headers, body) |