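<!DOCTYPE html>
<html lang="en">
<head>
  <!-- Explicit charset: one test case below sends a non-ASCII
       Allow-CSP-From value ("* ¢¥§"), so the document must not depend on
       the server's default encoding to deliver those bytes intact. -->
  <meta charset="utf-8">
  <title>Embedded Enforcement: Allow-CSP-From header.</title>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <script src="support/testharness-helper.sub.js"></script>
</head>
<body>
<script>
  // Embedded Enforcement: an embedder may only impose its own policy
  // ("EmbeddingCSP", the `csp` value below) on a framed document that opts
  // in via an Allow-CSP-From response header naming the embedder's origin
  // or "*". Each entry describes one iframe load:
  //   origin         - where the framed document is served from
  //                    (Host.* from support/testharness-helper.sub.js)
  //   csp            - the policy the embedder asks to enforce in the frame
  //   allow_csp_from - the Allow-CSP-From header value the framed response
  //                    sends back; null means the header is omitted
  //   expected       - whether the frame is expected to load or be blocked
  //   blockedURI     - the blocked-uri expected from a violation raised by
  //                    the enforced policy inside the frame; null when the
  //                    frame is expected to raise no violation
  // Cases with "unsafe-inline" policies only probe the opt-in handshake;
  // the 'nonce-123' cases additionally confirm the embedder's policy is
  // really enforced (the frame's inline script is reported as "inline").
  const tests = [
    { "name": "Same origin iframes with correct Allow-CSP-From header are allowed.",
      "origin": Host.SAME_ORIGIN,
      "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
      "allow_csp_from": getOrigin(),
      "expected": IframeLoad.EXPECT_LOAD,
      "blockedURI": null},
    { "name": "Same origin iframes with an empty Allow-CSP-From header get blocked.",
      "origin": Host.SAME_ORIGIN,
      "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
      "allow_csp_from": "",
      "expected": IframeLoad.EXPECT_BLOCK,
      "blockedURI": null},
    { "name": "Same origin iframes without Allow-CSP-From header gets blocked.",
      "origin": Host.SAME_ORIGIN,
      "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
      "allow_csp_from": null,
      "expected": IframeLoad.EXPECT_BLOCK,
      "blockedURI": null},
    // Same-origin is not an implicit opt-in: the header must still match.
    { "name": "Same origin iframes are blocked if Allow-CSP-From does not match origin.",
      "origin": Host.SAME_ORIGIN,
      "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
      "allow_csp_from": "http://example.com:888",
      "expected": IframeLoad.EXPECT_BLOCK,
      "blockedURI": null},
    { "name": "Cross origin iframe with an empty Allow-CSP-From header gets blocked.",
      "origin": Host.CROSS_ORIGIN,
      "csp": "script-src 'unsafe-inline'",
      "allow_csp_from": "",
      "expected": IframeLoad.EXPECT_BLOCK,
      "blockedURI": null},
    { "name": "Cross origin iframe without Allow-CSP-From header gets blocked.",
      "origin": Host.CROSS_ORIGIN,
      "csp": "script-src 'unsafe-inline'",
      "allow_csp_from": null,
      "expected": IframeLoad.EXPECT_BLOCK,
      "blockedURI": null},
    { "name": "Cross origin iframe with correct Allow-CSP-From header is allowed.",
      "origin": Host.CROSS_ORIGIN,
      "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
      "allow_csp_from": getOrigin(),
      "expected": IframeLoad.EXPECT_LOAD,
      "blockedURI": null},
    // A syntactically invalid header value must be treated as no opt-in,
    // never as a permissive one.
    { "name": "Iframe with improper Allow-CSP-From header gets blocked.",
      "origin": Host.CROSS_ORIGIN,
      "csp": "script-src 'unsafe-inline'",
      "allow_csp_from": "* ¢¥§",
      "expected": IframeLoad.EXPECT_BLOCK,
      "blockedURI": null},
    { "name": "Allow-CSP-From header with a star value allows cross origin frame.",
      "origin": Host.CROSS_ORIGIN,
      "csp": "script-src 'unsafe-inline'",
      "allow_csp_from": "*",
      "expected": IframeLoad.EXPECT_LOAD,
      "blockedURI": null},
    // Opting in is not enough on its own: the embedder's nonce-only policy
    // must actually be enforced in the frame, so the frame's inline script
    // is expected to be reported as blocked.
    { "name": "Star Allow-CSP-From header enforces EmbeddingCSP.",
      "origin": Host.CROSS_ORIGIN,
      "csp": "script-src 'nonce-123'",
      "allow_csp_from": "*",
      "expected": IframeLoad.EXPECT_LOAD,
      "blockedURI": "inline"},
    { "name": "Allow-CSP-From header enforces EmbeddingCSP.",
      "origin": Host.CROSS_ORIGIN,
      "csp": "style-src 'none'; script-src 'nonce-123'",
      "allow_csp_from": getOrigin(),
      "expected": IframeLoad.EXPECT_LOAD,
      "blockedURI": "inline"},
    // 'self' in the enforced policy must resolve against the framed
    // document's own origin, not the embedder's; the helper is asked to
    // confirm the frame's image loads (checkImageLoaded below).
    { "name": "'self' in blanket enforced EmbeddingCSP matches the target response origin.",
      "origin": Host.CROSS_ORIGIN,
      "csp": "img-src 'self'",
      "allow_csp_from": "*",
      "expected": IframeLoad.EXPECT_LOAD,
      "blockedURI": null},
  ];

  // One async_test per entry. generateUrlWithAllowCSPFrom and
  // assert_iframe_with_csp come from support/testharness-helper.sub.js;
  // the helper presumably attaches `csp` to the iframe and resolves the
  // test once the load / block outcome and any violation are observed.
  for (const test of tests) {
    async_test(t => {
      const url = generateUrlWithAllowCSPFrom(
          test.origin, test.allow_csp_from);
      assert_iframe_with_csp(t, url, test.csp, test.expected, test.name,
                             test.blockedURI, /*checkImageLoaded=*/true);
    }, test.name);
  }
</script>
</body>
</html>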