to-javascript-parent-initiated-check-csp-order.html (3891B)
1 <!DOCTYPE html> 2 <html> 3 <head> 4 <meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-abc'"> 5 <meta charset="utf-8"> 6 <script src="/resources/testharness.js"></script> 7 <script src="/resources/testharnessreport.js"></script> 8 <script src="support/utils.js"></script> 9 </head> 10 <body> 11 <iframe id="iframeWithScriptSrcNone"></iframe> 12 <a id="anchorWithTargetScriptSrcNone" target="iframeWithScriptSrcNone">a</a> 13 <a id="anchorWithTargetOtherTabWithScriptSrcNone" target="otherTabWithScriptSrcNone">a2</a> 14 <map name="m"> 15 <area target="iframeWithScriptScrcNone" id="areaWithTargetIframeWithScriptSrcNone" shape="default"> 16 <area target="otherTabWithScriptSrcNone" id="areaWithTargetOtherTabWithScriptSrcNone" shape="default"> 17 </map> 18 <img usemap="#m" alt="i"> 19 20 <script nonce="abc"> 21 // Since another tab is opened, this test suite needs to explicitly signal 22 // when it's done. Otherwise, the tests which wait for the tab to finish 23 // loading aren't executed. See, 24 // https://web-platform-tests.org/writing-tests/testharness-api.html#determining-when-all-tests-are-complete. 25 setup({explicit_done: true}); 26 27 const kEncodedURLOfPageWithScriptSrcNone = encodeURIWithApostrophes( 28 "support/frame-with-csp.sub.html" + "?csp=script-src 'none'"); 29 30 document.getElementById("iframeWithScriptSrcNone").src = 31 kEncodedURLOfPageWithScriptSrcNone; 32 33 window.addEventListener("load", () => { 34 const otherTabWithScriptSrcNone = window.open( 35 kEncodedURLOfPageWithScriptSrcNone, "otherTabWithScriptSrcNone"); 36 37 otherTabWithScriptSrcNone.addEventListener("load", () => { 38 const kTestCases = [ 39 { elementId: "iframeWithScriptSrcNone", 40 propertySequence: ["contentWindow", "location", "href"], 41 }, 42 { elementId: "iframeWithScriptSrcNone", 43 propertySequence: ["src"], 44 }, 45 { elementId: "anchorWithTargetScriptSrcNone", 46 propertySequence: ["href"], 47 navigationFunction: "click", 48 }, 49 { elementId: "anchorWithTargetOtherTabWithScriptSrcNone", 50 propertySequence: ["href"], 51 navigationFunction: "click", 52 }, 53 { elementId: "areaWithTargetIframeWithScriptSrcNone", 54 propertySequence: ["href"], 55 navigationFunction: "click", 56 }, 57 { elementId: "areaWithTargetOtherTabWithScriptSrcNone", 58 propertySequence: ["href"], 59 navigationFunction: "click", 60 }, 61 { targetWindow: otherTabWithScriptSrcNone, 62 propertySequence: ["location", "href"], 63 }, 64 ]; 65 66 for (testCase of kTestCases) { 67 const injectionSinkDescription = determineInjectionSinkDescription(testCase); 68 69 promise_test(t => new Promise(resolve => { 70 window.addEventListener("securitypolicyviolation", resolve, 71 { once: true }); 72 73 window.addEventListener("message", 74 t.unreached_func("Should not have received a message"), 75 { once: true } 76 ); 77 assignJavascriptURLToInjectionSink(testCase); 78 }).then(e => { 79 assert_equals(e.blockedURI, "inline"); 80 assert_equals(e.effectiveDirective, "script-src-elem"); 81 82 // Chrome and Firefox currently check the parent's CSP first, hence 83 // asserting it below. A comparison with WebKit was impossible due to 84 // https://github.com/web-platform-tests/wpt/issues/49262. 85 // The behavior should be specified; see 86 // https://github.com/whatwg/html/issues/4651#issuecomment-495060149 and 87 // the encompassing ticket. 88 assert_equals(e.originalPolicy, "script-src 'self' 'nonce-abc'", 89 "Parent's policy is checked first"); 90 }), `Executing the javascript URL should violate the parent's CSP for 91 ${injectionSinkDescription}`); 92 } 93 94 done(); 95 }); 96 }); 97 </script> 98 </body> 99 </html>