required_csp-header.html (6343B)
1 <!DOCTYPE html> 2 <html> 3 <head> 4 <title>Embedded Enforcement: Sec-Required-CSP header.</title> 5 <!-- 6 This test is creating and navigating >=70 iframes. This can exceed the 7 "short" timeout". See https://crbug.com/818324 8 --> 9 <meta name="timeout" content="long"> 10 11 <script src="/resources/testharness.js"></script> 12 <script src="/resources/testharnessreport.js"></script> 13 <script src="support/testharness-helper.sub.js"></script> 14 </head> 15 <body> 16 <script> 17 var tests = [ 18 { "name": "Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>.", 19 "csp": null, 20 "expected": null }, 21 { "name": "Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.", 22 "csp": "script-src 'unsafe-inline'", 23 "expected": "script-src 'unsafe-inline'" }, 24 { "name": "Send Sec-Required-CSP Header on change of `src` attribute on iframe.", 25 "csp": "script-src 'unsafe-inline'", 26 "expected": "script-src 'unsafe-inline'" }, 27 { "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp", 28 "csp": "completely wrong csp", 29 "expected": "completely wrong csp" }, 30 { "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name", 31 "csp": "invalid-policy-name http://example.com", 32 "expected": "invalid-policy-name http://example.com" }, 33 { "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives", 34 "csp": "media-src http://example.com; invalid-policy-name http://example.com", 35 "expected": "media-src http://example.com; invalid-policy-name http://example.com" }, 36 { "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none'", 37 "csp": "media-src 'non'", 38 "expected": "media-src 'non'" }, 39 { "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path", 40 "csp": "script-src 'unsafe-inline' 127.0.0.1:8000/path?query=string", 41 "expected": "script-src 'unsafe-inline' 127.0.0.1:8000/path?query=string" }, 42 { "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon", 43 "csp": "script-src 'unsafe-inline' 'self' object-src 'self' style-src *", 44 "expected": "script-src 'unsafe-inline' 'self' object-src 'self' style-src *" }, 45 { "name": "Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - comma separated", 46 "csp": "script-src 'unsafe-inline' 'self', object-src 'none'", 47 "expected": null }, 48 { "name": "Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - invalid characters in directive names", 49 // script-src 127.0.0.1:8000 50 "csp": "script-src 'unsafe-inline' 127.0.0.1:8000", 51 "expected": null }, 52 { "name": "Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - invalid character in directive name", 53 // script-src 127.0.0.1:8000 54 "csp": "media-src%20127.0.0.1%3A8000", 55 "expected": null }, 56 { "name": "Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri present", 57 "csp": "script-src 'unsafe-inline'; report-uri resources/dummy-report.php", 58 "expected": null }, 59 { "name": "Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - report-to present", 60 "csp": "script-src 'unsafe-inline'; report-to resources/dummy-report.php", 61 "expected": null }, 62 { "name": "Sec-Required-CSP is not sent if `csp` attribute is longer than 4096 bytes", 63 "csp": "style-src " + Array.from(Array(2044).keys()).map(i => 'a').join(' '), 64 "expected": null }, 65 ]; 66 67 tests.forEach(test => { 68 async_test(t => { 69 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP); 70 assert_required_csp(t, url, test.csp, [test.expected]); 71 }, "Test same origin: " + test.name); 72 73 async_test(t => { 74 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP); 75 var redirect_url = generateRedirect(Host.SAME_ORIGIN, url); 76 assert_required_csp(t, redirect_url, test.csp, [test.expected]); 77 }, "Test same origin redirect: " + test.name); 78 79 async_test(t => { 80 var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP); 81 var redirect_url = generateRedirect(Host.CROSS_ORIGIN, url); 82 assert_required_csp(t, redirect_url, test.csp, [test.expected]); 83 }, "Test cross origin redirect: " + test.name); 84 85 async_test(t => { 86 var url = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.REQUIRED_CSP); 87 var redirect_url = generateRedirect(Host.CROSS_ORIGIN, url); 88 assert_required_csp(t, redirect_url, test.csp, [test.expected]); 89 }, "Test cross origin redirect of cross origin iframe: " + test.name); 90 91 async_test(t => { 92 var i = document.createElement('iframe'); 93 if (test.csp) 94 i.csp = test.csp; 95 i.src = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP); 96 var loaded = false; 97 98 window.addEventListener('message', t.step_func(e => { 99 if (e.source != i.contentWindow || !('required_csp' in e.data)) 100 return; 101 if (!loaded) { 102 assert_equals(e.data['required_csp'], test.expected); 103 loaded = true; 104 i.csp = "default-src 'unsafe-inline'"; 105 i.src = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.REQUIRED_CSP); 106 } else { 107 // Once iframe has loaded, check that on change of `src` attribute 108 // Required-CSP value is based on latest `csp` attribute value. 109 assert_equals(e.data['required_csp'], "default-src 'unsafe-inline'"); 110 t.done(); 111 } 112 })); 113 114 document.body.appendChild(i); 115 }, "Test Required-CSP value on `csp` change: " + test.name); 116 }); 117 </script> 118 </body> 119 </html>