
subsumption_algorithm-strict_dynamic.html (4037B)


      1 <!DOCTYPE html>
      2 <html>
      3 <head>
      4 <title>Embedded Enforcement: Subsumption Algorithm - 'strict-dynamic' keyword.</title>
      5  <script src="/resources/testharness.js"></script>
      6  <script src="/resources/testharnessreport.js"></script>
      7  <script src="support/testharness-helper.sub.js"></script>
      8 </head>
      9 <body>
     10  <script>
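    // Test matrix for CSP Embedded Enforcement subsumption of the
    // 'strict-dynamic' keyword. Each case gives the policy the embedder
    // requires (`required_csp`, presumably applied via the iframe's `csp`
    // attribute — see assert_iframe_with_csp in the helper) and one or two
    // policies the embedded document returns; `expected` says whether the
    // subsumption check must let the frame load or block it.
    //
    // Note that the returned csp should always allow execution of an
    // inline script with nonce "abc" (as returned by
    // support/echo-policy-multiple.py), otherwise the test might
    // return false negatives.
    const tests = [
      // 'strict-dynamic' carries no meaning outside script-src, so the
      // returned policy is judged on its remaining source expressions,
      // which the required host source covers.
      { name: "'strict-dynamic' is ineffective for `style-src`.",
        required_csp: "style-src http://example1.com/foo/ 'self'",
        returned_csp_1: "style-src 'strict-dynamic' http://example1.com/foo/bar.html",
        expected: IframeLoad.EXPECT_LOAD },
      { name: "'strict-dynamic' is ineffective for `img-src`.",
        required_csp: "img-src http://example1.com/foo/ 'self'",
        returned_csp_1: "img-src 'strict-dynamic' http://example1.com/foo/bar.html",
        expected: IframeLoad.EXPECT_LOAD },
      { name: "'strict-dynamic' is ineffective for `frame-src`.",
        required_csp: "frame-src http://example1.com/foo/ 'self'",
        returned_csp_1: "frame-src 'strict-dynamic' http://example1.com/foo/bar.html",
        expected: IframeLoad.EXPECT_LOAD },
      { name: "'strict-dynamic' is ineffective for `child-src`.",
        required_csp: "child-src http://example1.com/foo/ 'self'",
        returned_csp_1: "child-src 'strict-dynamic' http://example1.com/foo/bar.html",
        expected: IframeLoad.EXPECT_LOAD },
      // In script-src the keyword is live: a returned policy that relies
      // on 'strict-dynamic' is not subsumed by a host-based required policy.
      { name: "'strict-dynamic' is effective only for `script-src`.",
        required_csp: "script-src http://example1.com/foo/ 'self'",
        returned_csp_1: "script-src 'strict-dynamic' http://example1.com/foo/bar.html 'nonce-abc'",
        expected: IframeLoad.EXPECT_BLOCK },
      // Two returned policies: the effective policy must be computed
      // across both before subsumption is decided.
      { name: "'strict-dynamic' is properly handled for finding effective policy.",
        required_csp: "script-src http://example1.com/foo/ 'self'",
        returned_csp_1: "script-src 'strict-dynamic' http://example1.com/foo/bar.html 'nonce-abc'",
        returned_csp_2: "script-src 'strict-dynamic' 'nonce-abc'",
        expected: IframeLoad.EXPECT_BLOCK },
      // When both sides use 'strict-dynamic', host, scheme, 'self' and
      // 'unsafe-inline' sources in the returned policy are ignored, so the
      // extra expression does not widen the policy and the frame loads.
      { name: "'strict-dynamic' makes host source expressions ineffective.",
        required_csp: "script-src 'strict-dynamic' 'nonce-abc'",
        returned_csp_1: "script-src http://example.com 'strict-dynamic' 'nonce-abc'",
        expected: IframeLoad.EXPECT_LOAD },
      { name: "'strict-dynamic' makes scheme source expressions ineffective.",
        required_csp: "script-src 'strict-dynamic' 'nonce-abc'",
        returned_csp_1: "script-src http: 'strict-dynamic' 'nonce-abc'",
        expected: IframeLoad.EXPECT_LOAD },
      { name: "'strict-dynamic' makes 'self' ineffective.",
        required_csp: "script-src 'strict-dynamic' 'nonce-abc'",
        returned_csp_1: "script-src 'self' 'strict-dynamic' 'nonce-abc'",
        expected: IframeLoad.EXPECT_LOAD },
      { name: "'strict-dynamic' makes 'unsafe-inline' ineffective.",
        required_csp: "script-src 'strict-dynamic' 'nonce-abc'",
        returned_csp_1: "script-src 'unsafe-inline' 'strict-dynamic' 'nonce-abc'",
        expected: IframeLoad.EXPECT_LOAD },
      // The returned policy may not introduce 'strict-dynamic' on its own;
      // the required policy has to permit it.
      { name: "'strict-dynamic' has to be allowed by required csp if it is present in returned csp.",
        required_csp: "script-src 'nonce-abc'",
        returned_csp_1: "script-src 'strict-dynamic' 'nonce-abc'",
        expected: IframeLoad.EXPECT_BLOCK },
    ];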
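    // Register one async_test per case. The returned policies travel as
    // query parameters on a cross-origin URL: generateUrlWithPolicies
    // carries the first one, and a second policy (when the case has one)
    // is appended as `policy2` — presumably read by
    // support/echo-policy-multiple.py, which is not visible here. The helper
    // then asserts that the iframe loads or is blocked as `expected`.
    for (const test of tests) {
      async_test((t) => {
        const url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1);
        if (test.returned_csp_2) {
          url.searchParams.append("policy2", test.returned_csp_2);
        }
        assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
      }, test.name);
    }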
     70  </script>
     71 </body>
     72 </html>