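<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Embedded Enforcement: Sec-Required-CSP header.</title>
<!--
This test is creating and navigating several iframes. This can exceed the
"short" timeout. See https://crbug.com/1091896
-->
<meta name="timeout" content="long">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/testharness-helper.sub.js"></script>
</head>
<body>
<script>
// Each case sets an iframe `csp` attribute to a value containing CR and/or LF
// characters. `expected` is the Sec-Required-CSP request header the embedded
// document should observe; `null` presumably means the header must not be sent
// at all (the malformed value is rejected rather than serialized) — confirm
// against assert_required_csp in support/testharness-helper.sub.js.
const tests = [
  // CRLF characters
  { "name": "\\r\\n character after directive name",
    "csp": "style-src\r\n'unsafe-inline'",
    "expected": null },
  { "name": "\\r\\n character in directive value",
    "csp": "style-src 'unsafe-inline'\r\n'unsafe-eval'",
    "expected": null },
  { "name": "\\n character after directive name",
    "csp": "style-src\n'unsafe-inline'",
    "expected": null },
  { "name": "\\n character in directive value",
    "csp": "style-src 'unsafe-inline'\n'unsafe-eval'",
    "expected": null },
  { "name": "\\r character after directive name",
    "csp": "style-src\r'unsafe-inline'",
    "expected": null },
  { "name": "\\r character in directive value",
    "csp": "style-src 'unsafe-inline'\r'unsafe-eval'",
    "expected": null },

  // Attempt HTTP Header injection: a CR/LF inside the attribute value must not
  // terminate the Sec-Required-CSP header and let a further header line
  // ("Test-Header-Injection: dummy") be smuggled onto the request. Every
  // position where a line break could plausibly end the header value is
  // covered: after the directive name, after its value, after a semicolon,
  // and after the separating space.
  { "name": "Attempt injecting after directive name using \\r\\n",
    "csp": "style-src\r\nTest-Header-Injection: dummy",
    "expected": null },
  { "name": "Attempt injecting after directive name using \\r",
    "csp": "style-src\rTest-Header-Injection: dummy",
    "expected": null },
  { "name": "Attempt injecting after directive name using \\n",
    "csp": "style-src\nTest-Header-Injection: dummy",
    "expected": null },

  { "name": "Attempt injecting after directive value using \\r\\n",
    "csp": "style-src example.com\r\nTest-Header-Injection: dummy",
    "expected": null },
  { "name": "Attempt injecting after directive value using \\r",
    "csp": "style-src example.com\rTest-Header-Injection: dummy",
    "expected": null },
  { "name": "Attempt injecting after directive value using \\n",
    "csp": "style-src example.com\nTest-Header-Injection: dummy",
    "expected": null },

  { "name": "Attempt injecting after semicolon using \\r\\n",
    "csp": "style-src example.com;\r\nTest-Header-Injection: dummy",
    "expected": null },
  { "name": "Attempt injecting after semicolon using \\r",
    "csp": "style-src example.com;\rTest-Header-Injection: dummy",
    "expected": null },
  { "name": "Attempt injecting after semicolon using \\n",
    "csp": "style-src example.com;\nTest-Header-Injection: dummy",
    "expected": null },

  { "name": "Attempt injecting after space between name and value using \\r\\n",
    "csp": "style-src \r\nTest-Header-Injection: dummy",
    "expected": null },
  { "name": "Attempt injecting after space between name and value using \\r",
    "csp": "style-src \rTest-Header-Injection: dummy",
    "expected": null },
  { "name": "Attempt injecting after space between name and value using \\n",
    "csp": "style-src \nTest-Header-Injection: dummy",
    "expected": null },
];

// One async test per case: load a same-origin document that reports the
// Sec-Required-CSP header it received, and compare it with `expected`.
// The helper is responsible for finishing the test (`t`).
tests.forEach(test => {
  async_test(t => {
    const url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP);
    assert_required_csp(t, url, test.csp, [test.expected]);
  }, "Test CRLF: " + test.name);
});
</script>
</body>
</html>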