1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
|
<!DOCTYPE html>
<html>
<head>
<title>Embedded Enforcement: Sec-Required-CSP header.</title>
<!--
This test is creating and navigating >=70 iframes. This can exceed the
"short" timeout". See https://crbug.com/818324
-->
<meta name="timeout" content="long">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/testharness-helper.sub.js"></script>
</head>
<body>
<script>
var tests = [
{ "name": "Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>.",
"csp": null,
"expected": null },
{ "name": "Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.",
"csp": "script-src 'unsafe-inline'",
"expected": "script-src 'unsafe-inline'" },
{ "name": "Send Sec-Required-CSP Header on change of `src` attribute on iframe.",
"csp": "script-src 'unsafe-inline'",
"expected": "script-src 'unsafe-inline'" },
{ "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp",
"csp": "completely wrong csp",
"expected": "completely wrong csp" },
{ "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name",
"csp": "invalid-policy-name http://example.com",
"expected": "invalid-policy-name http://example.com" },
{ "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives",
"csp": "media-src http://example.com; invalid-policy-name http://example.com",
"expected": "media-src http://example.com; invalid-policy-name http://example.com" },
{ "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none'",
"csp": "media-src 'non'",
"expected": "media-src 'non'" },
{ "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path",
"csp": "script-src 'unsafe-inline' 127.0.0.1:8000/path?query=string",
"expected": "script-src 'unsafe-inline' 127.0.0.1:8000/path?query=string" },
{ "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon",
"csp": "script-src 'unsafe-inline' 'self' object-src 'self' style-src *",
"expected": "script-src 'unsafe-inline' 'self' object-src 'self' style-src *" },
{ "name": "Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - comma separated",
"csp": "script-src 'unsafe-inline' 'self', object-src 'none'",
"expected": null },
{ "name": "Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - invalid characters in directive names",
// script-src 127.0.0.1:8000
"csp": "script-src 'unsafe-inline' 127.0.0.1:8000",
"expected": null },
{ "name": "Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - invalid character in directive name",
// script-src 127.0.0.1:8000
"csp": "media-src%20127.0.0.1%3A8000",
"expected": null },
{ "name": "Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri present",
"csp": "script-src 'unsafe-inline'; report-uri resources/dummy-report.php",
"expected": null },
{ "name": "Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - report-to present",
"csp": "script-src 'unsafe-inline'; report-to resources/dummy-report.php",
"expected": null },
{ "name": "Sec-Required-CSP is not sent if `csp` attribute is longer than 4096 bytes",
"csp": "style-src " + Array.from(Array(2044).keys()).map(i => 'a').join(' '),
"expected": null },
];
tests.forEach(test => {
async_test(t => {
var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP);
assert_required_csp(t, url, test.csp, [test.expected]);
}, "Test same origin: " + test.name);
async_test(t => {
var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP);
var redirect_url = generateRedirect(Host.SAME_ORIGIN, url);
assert_required_csp(t, redirect_url, test.csp, [test.expected]);
}, "Test same origin redirect: " + test.name);
async_test(t => {
var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP);
var redirect_url = generateRedirect(Host.CROSS_ORIGIN, url);
assert_required_csp(t, redirect_url, test.csp, [test.expected]);
}, "Test cross origin redirect: " + test.name);
async_test(t => {
var url = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.REQUIRED_CSP);
var redirect_url = generateRedirect(Host.CROSS_ORIGIN, url);
assert_required_csp(t, redirect_url, test.csp, [test.expected]);
}, "Test cross origin redirect of cross origin iframe: " + test.name);
async_test(t => {
var i = document.createElement('iframe');
if (test.csp)
i.csp = test.csp;
i.src = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP);
var loaded = false;
window.addEventListener('message', t.step_func(e => {
if (e.source != i.contentWindow || !('required_csp' in e.data))
return;
if (!loaded) {
assert_equals(e.data['required_csp'], test.expected);
loaded = true;
i.csp = "default-src 'unsafe-inline'";
i.src = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.REQUIRED_CSP);
} else {
// Once iframe has loaded, check that on change of `src` attribute
// Required-CSP value is based on latest `csp` attribute value.
assert_equals(e.data['required_csp'], "default-src 'unsafe-inline'");
t.done();
}
}));
document.body.appendChild(i);
}, "Test Required-CSP value on `csp` change: " + test.name);
});
</script>
</body>
</html>
|
