<!DOCTYPE html>
<html>
<head>
<title>Embedded Enforcement: Allow-CSP-From header.</title>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <script src="support/testharness-helper.sub.js"></script>
</head>
<body>
  <script>
    // Table of iframe scenarios exercised below. Every entry carries:
    //   name           - test title passed to async_test.
    //   origin         - which host serves the frame (Host.SAME_ORIGIN /
    //                    Host.CROSS_ORIGIN), fed to generateUrlWithAllowCSPFrom.
    //   csp            - policy string handed to assert_iframe_with_csp.
    //   allow_csp_from - value used when building the frame URL; null means
    //                    the Allow-CSP-From header is not sent at all (see the
    //                    corresponding test names).
    //   expected       - IframeLoad.EXPECT_LOAD or IframeLoad.EXPECT_BLOCK.
    //   blockedURI     - URI the enforced policy is expected to report, or
    //                    null when no violation report is expected.
    var tests = (() => {
      // Builds one scenario record; keeps the property layout in one place.
      const makeCase = (name, origin, csp, allowCspFrom, expected, blockedURI) => ({
        name,
        origin,
        csp,
        allow_csp_from: allowCspFrom,
        expected,
        blockedURI,
      });

      // Two policies are shared by most scenarios; the remaining policies are
      // spelled out inline where they differ.
      const inlineStyleAndScript = "style-src 'unsafe-inline'; script-src 'unsafe-inline'";
      const inlineScriptOnly = "script-src 'unsafe-inline'";

      return [
        // Same-origin frames: the Allow-CSP-From value never matters.
        makeCase("Same origin iframes are always allowed.",
                 Host.SAME_ORIGIN, inlineStyleAndScript, "¢¥§",
                 IframeLoad.EXPECT_LOAD, null),
        makeCase("Same origin iframes are allowed even if the Allow-CSP-From is empty.",
                 Host.SAME_ORIGIN, inlineStyleAndScript, "",
                 IframeLoad.EXPECT_LOAD, null),
        makeCase("Same origin iframes are allowed even if the Allow-CSP-From is not present.",
                 Host.SAME_ORIGIN, inlineStyleAndScript, null,
                 IframeLoad.EXPECT_LOAD, null),
        makeCase("Same origin iframes are allowed even if Allow-CSP-From does not match origin.",
                 Host.SAME_ORIGIN, inlineStyleAndScript, "http://example.com:888",
                 IframeLoad.EXPECT_LOAD, null),

        // Cross-origin frames: blocked unless Allow-CSP-From opts in.
        makeCase("Cross origin iframe with an empty Allow-CSP-From header gets blocked.",
                 Host.CROSS_ORIGIN, inlineScriptOnly, "",
                 IframeLoad.EXPECT_BLOCK, null),
        makeCase("Cross origin iframe without Allow-CSP-From header gets blocked.",
                 Host.CROSS_ORIGIN, inlineScriptOnly, null,
                 IframeLoad.EXPECT_BLOCK, null),
        makeCase("Cross origin iframe with correct Allow-CSP-From header is allowed.",
                 Host.CROSS_ORIGIN, inlineStyleAndScript, getOrigin(),
                 IframeLoad.EXPECT_LOAD, null),
        makeCase("Iframe with improper Allow-CSP-From header gets blocked.",
                 Host.CROSS_ORIGIN, inlineScriptOnly, "* ¢¥§",
                 IframeLoad.EXPECT_BLOCK, null),
        makeCase("Allow-CSP-From header with a star value allows cross origin frame.",
                 Host.CROSS_ORIGIN, inlineScriptOnly, "*",
                 IframeLoad.EXPECT_LOAD, null),

        // Once the frame opts in, the embedder's policy is actually enforced:
        // a nonce-only script-src must report the inline script as blocked.
        makeCase("Star Allow-CSP-From header enforces EmbeddingCSP.",
                 Host.CROSS_ORIGIN, "script-src 'nonce-123'", "*",
                 IframeLoad.EXPECT_LOAD, "inline"),
        makeCase("Allow-CSP-From header enforces EmbeddingCSP.",
                 Host.CROSS_ORIGIN, "style-src 'none'; script-src 'nonce-123'", getOrigin(),
                 IframeLoad.EXPECT_LOAD, "inline"),
        makeCase("'self' in blanket enforced EmbeddingCSP matches the target response origin.",
                 Host.CROSS_ORIGIN, "img-src 'self'", "*",
                 IframeLoad.EXPECT_LOAD, null),
      ];
    })();

    // Register one async test per scenario. The frame URL is derived from the
    // scenario's host and Allow-CSP-From value; the helper then loads the
    // frame with the given policy and checks the load/block outcome and the
    // reported blocked URI. checkImageLoaded is always true here, which only
    // has an effect on the img-src scenario.
    for (const scenario of tests) {
      const { name, origin, csp, allow_csp_from, expected, blockedURI } = scenario;
      async_test(t => {
        const frameUrl = generateUrlWithAllowCSPFrom(origin, allow_csp_from);
        assert_iframe_with_csp(t, frameUrl, csp, expected, name,
                               blockedURI, /*checkImageLoaded=*/true);
      }, name);
    }
  </script>
</body>
</html>