subsumption_algorithm-none.html (5350B)
<!DOCTYPE html>
<!--
  CSP Embedded Enforcement: subsumption checks around the 'none' keyword.

  Each table entry pairs a policy the embedder requires ("required_csp") with
  up to two policies the framed response returns ("returned_csp_1" and
  "returned_csp_2"), and states whether the frame is expected to load or be
  blocked. The security property under test is that a frame only loads when
  what it returns is at least as restrictive as what the embedder required.

  The helpers IframeLoad, Host, generateUrlWithPolicies and
  assert_iframe_with_csp are not defined on this page; presumably they come
  from support/testharness-helper.sub.js.
-->
<html>
<head>
  <title>Embedded Enforcement: Subsumption Algorithm - 'none' keyword.</title>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <script src="support/testharness-helper.sub.js"></script>
</head>
<body>
  <script>
    // Case table. Field meanings, as used by the loop at the bottom:
    //   name           - subtest identifier passed to async_test
    //   required_csp   - policy the embedder demands of the frame
    //   returned_csp_1 - first policy returned by the framed response
    //   returned_csp_2 - optional second policy; null means only one is returned
    //   expected       - IframeLoad.EXPECT_LOAD or IframeLoad.EXPECT_BLOCK
    //
    // Note that "img-src " (directive with an empty source list, trailing
    // space kept on purpose) is treated by these cases the same way as
    // "img-src 'none'": the names call it an "effective `none`".
    var tests = [
      // An empty requirement places no constraint, so anything returned loads.
      { name: "Empty required csp subsumes empty list of returned policies.",
        required_csp: "",
        returned_csp_1: "",
        returned_csp_2: null,
        expected: IframeLoad.EXPECT_LOAD },
      { name: "Empty required csp subsumes any list of policies.",
        required_csp: "",
        returned_csp_1: "img-src http://example.com",
        returned_csp_2: null,
        expected: IframeLoad.EXPECT_LOAD },
      { name: "Empty required csp subsumes a policy with `none`.",
        required_csp: "",
        returned_csp_1: "img-src 'none'",
        returned_csp_2: null,
        expected: IframeLoad.EXPECT_LOAD },

      // A requirement of "no image sources" must block a frame that returns
      // nothing at all, a looser img-src, or a restriction on some other
      // directive only.
      { name: "Required policy that allows `none` does not subsume empty list of policies.",
        required_csp: "img-src ",
        returned_csp_1: "",
        returned_csp_2: null,
        expected: IframeLoad.EXPECT_BLOCK },
      { name: "Required csp with effective `none` does not subsume a host source expression.",
        required_csp: "img-src ",
        returned_csp_1: "img-src http://example.com",
        returned_csp_2: null,
        expected: IframeLoad.EXPECT_BLOCK },
      { name: "Required csp with `none` does not subsume a host source expression.",
        required_csp: "img-src 'none'",
        returned_csp_1: "img-src http://example.com",
        returned_csp_2: null,
        expected: IframeLoad.EXPECT_BLOCK },
      { name: "Required csp with effective `none` does not subsume `none` of another directive.",
        required_csp: "img-src ",
        returned_csp_1: "frame-src 'none'",
        returned_csp_2: null,
        expected: IframeLoad.EXPECT_BLOCK },
      { name: "Required csp with `none` does not subsume `none` of another directive.",
        required_csp: "img-src 'none'",
        returned_csp_1: "frame-src 'none'",
        returned_csp_2: null,
        expected: IframeLoad.EXPECT_BLOCK },
      // Only the first returned policy has an img-src directive here, so the
      // second one presumably does not narrow the img-src list any further.
      { name: "Required csp with `none` does not subsume `none` of different directives.",
        required_csp: "img-src ",
        returned_csp_1: "img-src http://*.one.com",
        returned_csp_2: "frame-src https://two.com",
        expected: IframeLoad.EXPECT_BLOCK },

      // Two returned img-src lists with nothing in common: the names describe
      // the combined result as an effective `none`, which satisfies a
      // required `none`.
      { name: "Required csp with `none` subsumes effective list of `none`.",
        required_csp: "img-src ",
        returned_csp_1: "img-src http://*.one.com",
        returned_csp_2: "img-src https://two.com",
        expected: IframeLoad.EXPECT_LOAD },
      { name: "Required csp with `none` subsumes effective list of `none` despite other keywords.",
        required_csp: "img-src 'none'",
        returned_csp_1: "img-src http://*.one.com",
        returned_csp_2: "img-src 'self'",
        expected: IframeLoad.EXPECT_LOAD },

      // 'none' listed next to another source expression is expected to have
      // no effect. The spelling "exprssions" is left as is: the string is the
      // subtest name handed to async_test, not a comment.
      { name: "Source list with exprssions other than `none` make `none` ineffective.",
        required_csp: "img-src http://example.com 'none'",
        returned_csp_1: "img-src http://example.com",
        returned_csp_2: null,
        expected: IframeLoad.EXPECT_LOAD },

      // A returned `none` (explicit or effective) is never looser than the
      // requirement for the same directive.
      { name: "Returned csp with `none` is subsumed by any required csp.",
        required_csp: "img-src http://example.com",
        returned_csp_1: "img-src 'none'",
        returned_csp_2: null,
        expected: IframeLoad.EXPECT_LOAD },
      { name: "Returned csp with effective `none` is subsumed by any required csp.",
        required_csp: "img-src http://example.com",
        returned_csp_1: "img-src http://example.com",
        returned_csp_2: "img-src http://non-example.com",
        expected: IframeLoad.EXPECT_LOAD },
      { name: "Both required and returned csp are `none`.",
        required_csp: "img-src 'none'",
        returned_csp_1: "img-src 'none'",
        returned_csp_2: "img-src http://non-example.com",
        expected: IframeLoad.EXPECT_LOAD },
      // default-src 'none' is required, but the returned policies only set
      // img-src to 'none' and still permit inline script, so the frame is
      // expected to be blocked.
      { name: "Both required and returned csp are `none` for only one directive.",
        required_csp: "default-src 'none'",
        returned_csp_1: "img-src 'none'",
        returned_csp_2: "script-src 'unsafe-inline'",
        expected: IframeLoad.EXPECT_BLOCK },
      { name: "Both required and returned csp are empty.",
        required_csp: "img-src ",
        returned_csp_1: "img-src ",
        returned_csp_2: null,
        expected: IframeLoad.EXPECT_LOAD },
      { name: "Both required and returned csp are effectively 'none'.",
        required_csp: "img-src ",
        returned_csp_1: "img-src http://a.com",
        returned_csp_2: "img-src http://b.com",
        expected: IframeLoad.EXPECT_LOAD },
    ];

    // Register one async subtest per table entry.
    for (const testCase of tests) {
      async_test(t => {
        // URL for a cross-origin frame carrying the first returned policy.
        const frameUrl = generateUrlWithPolicies(Host.CROSS_ORIGIN, testCase.returned_csp_1);

        // A second policy is attached only when one is given; null (or an
        // empty string) leaves the response with a single policy.
        if (testCase.returned_csp_2) {
          frameUrl.searchParams.append("policy2", testCase.returned_csp_2);
        }

        // Presumably loads frameUrl in an iframe that requires
        // testCase.required_csp and checks the load/block outcome; confirm
        // against the helper.
        assert_iframe_with_csp(t, frameUrl, testCase.required_csp, testCase.expected, testCase.name, null);
      }, testCase.name);
    }
  </script>
</body>
</html>