change-csp-attribute-and-history-navigation.html (3557B)
1 <!DOCTYPE html> 2 <html> 3 <script src="/resources/testharness.js"></script> 4 <script src="/resources/testharnessreport.js"></script> 5 <body> 6 <script> 7 let message_from = (w, starts_with) => { 8 return new Promise(resolve => { 9 window.addEventListener('message', msg => { 10 if (msg.source == w) { 11 if (!starts_with || 12 (msg.data.startsWith && msg.data.startsWith(starts_with))) 13 resolve(msg.data); 14 } 15 }); 16 }); 17 }; 18 19 const img_url = window.origin + "/content-security-policy/support/pass.png"; 20 21 const function_addImage_string = ` 22 function addImage() { 23 let img = document.createElement('img'); 24 img.onload = () => top.postMessage('img loaded', '*'); 25 img.onerror = () => top.postMessage('img blocked', '*'); 26 img.src = '${img_url}'; 27 document.body.appendChild(img); 28 } 29 `; 30 31 const html_test_payload = ` 32 <!doctype html> 33 <script>${function_addImage_string}</scr`+`ipt> 34 <body onpageshow="addImage();"></body> 35 `; 36 let blob_url = URL.createObjectURL( 37 new Blob([html_test_payload], { type: 'text/html' })); 38 39 // A local-scheme document is loaded in an iframe with CSPEE. Then the csp 40 // attribute is changed and the iframe is navigated away and back. Since the 41 // policies are reloaded from history, the fact that the csp attribute changed 42 // is irrelevant. 43 promise_test(async t => { 44 // Create an iframe. 45 let iframe = document.createElement('iframe'); 46 iframe.csp = "img-src 'none'; style-src 'none'"; 47 document.body.appendChild(iframe); 48 49 let message_1 = message_from(iframe.contentWindow, "img"); 50 iframe.src = blob_url; 51 assert_equals(await message_1, "img blocked", 52 "Img should be blocked by CSP enforced via CSPEE."); 53 54 iframe.csp = "style-src 'none'"; 55 let message_2 = message_from(iframe.contentWindow, "img"); 56 iframe.src = "../inheritance/support/message-top-and-navigate-back.html"; 57 assert_equals(await message_2, "img blocked", 58 "Img should be blocked by CSP reloaded from history."); 59 60 let message_3 = message_from(iframe.contentWindow, "img"); 61 iframe.src = "about:blank"; 62 iframe.src = blob_url; 63 assert_equals(await message_3, "img loaded", 64 "Img should be allowed by CSP enforced by new csp attribute."); 65 66 }, "Iframe csp attribute changed before history navigation of local scheme."); 67 68 // A network-scheme document is loaded in an iframe with CSPEE. Then the csp 69 // attribute is changed and the iframe is navigated away and back. Since the 70 // policies are calculated again, the new csp attribute should be enforced 71 // after the history navigation. 72 promise_test(async t => { 73 // Create an iframe. 74 let iframe = document.createElement('iframe'); 75 iframe.csp = "img-src 'none'; style-src 'none'"; 76 document.body.appendChild(iframe); 77 78 let message_1 = message_from(iframe.contentWindow, "img"); 79 iframe.src = "./support/embed-img-and-message-top.html"; 80 assert_equals(await message_1, "img blocked", 81 "Img should be blocked by CSP enforced via CSPEE."); 82 83 iframe.csp = "style-src 'none'"; 84 let message_2 = message_from(iframe.contentWindow, "img"); 85 iframe.src = "../inheritance/support/message-top-and-navigate-back.html"; 86 assert_equals(await message_2, "img loaded", 87 "Img should be allowed by CSP enforced by new csp attribute."); 88 89 }, "Iframe csp attribute changed before history navigation of network scheme."); 90 91 </script> 92 </body> 93 </html>