to-javascript-parent-initiated-child-csp.html (5230B)
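<!DOCTYPE html>
<!--
  Checks which Content Security Policy decides whether a javascript: URL runs
  when the parent document assigns it to a sink that navigates a child
  browsing context (an iframe, or a tab opened by this page).

  Expectations encoded below:
    * child loaded with "script-src 'unsafe-inline'": the URL runs, the parent
      receives the message "executed", and no securitypolicyviolation event is
      raised on the parent window;
    * child loaded with "script-src 'none'": the URL does not run, and the
      target window reports a violation with violatedDirective
      "script-src-elem" and blockedURI "inline".

  This file declares no policy of its own in markup. The helpers
  encodeURIWithApostrophes, determineInjectionSinkDescription and
  assignJavascriptURLToInjectionSink are not defined here; presumably they
  come from support/utils.js.
-->
<head>
<meta charset="utf-8">
<title>javascript: URL navigation initiated by the parent is checked against the child's CSP</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/utils.js"></script>
</head>
<body>
<!-- Navigation targets: one child per policy under test. -->
<iframe id="iframeWithScriptSrcUnsafeInline" name="iframeWithScriptSrcUnsafeInline"></iframe>
<iframe id="iframeWithScriptSrcNone" name="iframeWithScriptSrcNone"></iframe>
<!-- Sinks: the test-case tables below name these ids together with "href". -->
<a target="iframeWithScriptSrcUnsafeInline" id="anchorWithTargetScriptSrcUnsafeInline">a</a>
<a target="iframeWithScriptSrcNone" id="anchorWithTargetScriptSrcNone">a2</a>
<map name="m">
  <area target="iframeWithScriptSrcNone" id="areaWithTargetIframeWithScriptSrcNone" shape="default">
  <!-- The id spelling ("are...") is kept: the test-case table refers to it verbatim. -->
  <area target="otherTabWithScriptSrcNone" id="areWithTargetOtherTabWithScriptSrcNone" shape="default">
</map>
<img usemap="#m" alt="i">

<script>
  // Since another tab is opened, this test suite needs to explicitly signal
  // when it's done. Otherwise, the tests which wait for the tab to finish
  // loading aren't executed. See,
  // https://web-platform-tests.org/writing-tests/testharness-api.html#determining-when-all-tests-are-complete.
  setup({explicit_done: true});

  const kIframeURLPath = "support/frame-with-csp.sub.html";

  // The policy for each child is passed in the "csp" query parameter;
  // presumably the support file applies it to itself (not visible here).
  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy#unsafe-inline
  document.getElementById("iframeWithScriptSrcUnsafeInline").src =
    encodeURIWithApostrophes(kIframeURLPath + "?csp=script-src 'unsafe-inline'");
  document.getElementById("iframeWithScriptSrcNone").src =
    encodeURIWithApostrophes(kIframeURLPath + "?csp=script-src 'none'");

  window.addEventListener('load', () => {
    // Group 1: the child's policy allows inline script, so every sink is
    // expected to execute the javascript: URL.
    const kTestCasesWithoutCSPViolation = [
      { elementId: "iframeWithScriptSrcUnsafeInline",
        propertySequence: ["contentWindow", "location", "href"],
      },
      { elementId: "iframeWithScriptSrcUnsafeInline",
        propertySequence: ["src"],
      },
      { elementId: "anchorWithTargetScriptSrcUnsafeInline",
        propertySequence: ["href"],
        navigationFunction: "click",
      },
    ];

    for (const testCase of kTestCasesWithoutCSPViolation) {
      const injectionSinkDescription = determineInjectionSinkDescription(testCase);

      // The template literal used as the title spans two lines, so the test
      // name contains that line break; it is left as written because results
      // are keyed by test name.
      promise_test(t => { return new Promise(resolve => {
        // NOTE(review): with `once: true` this listener is consumed by the
        // first message whatever its data; a message other than "executed"
        // arriving first would leave the test to time out.
        window.addEventListener("message", t.step_func(function(e) {
          if (e.data == "executed") {
            resolve();
          }
        }), { once: true });

        // Only the parent window is watched here: allowing the script must
        // not be reported as a violation against this document.
        window.addEventListener('securitypolicyviolation',
          t.unreached_func("Should not have raised a violation event"),
          { once: true }
        );

        assignJavascriptURLToInjectionSink(testCase);
      })}, `Should have executed the javascript url for
      ${injectionSinkDescription} with child's CSP "script-src 'unsafe-inline'"`);
    }

    // Group 2 also targets a separate tab whose policy forbids all script.
    const otherTabWithScriptSrcNone = window.open(
      encodeURIWithApostrophes(kIframeURLPath + "?csp=script-src 'none'"),
      "otherTabWithScriptSrcNone");

    // Close the tab once every test has reported, so the run does not leave
    // a stray window behind.
    add_completion_callback(() => {
      otherTabWithScriptSrcNone.close();
    });

    const iframeWithScriptSrcNoneContentWindow =
      document.getElementById("iframeWithScriptSrcNone").contentWindow;

    otherTabWithScriptSrcNone.addEventListener("load", () => {
      // Each case names the window in which the violation is expected:
      // the "script-src 'none'" iframe or the "script-src 'none'" tab.
      const kTestCasesWithCSPViolation = [
        { elementId: "iframeWithScriptSrcNone",
          propertySequence: ["contentWindow", "location", "href"],
          targetWindow: iframeWithScriptSrcNoneContentWindow,
        },
        { elementId: "iframeWithScriptSrcNone",
          propertySequence: ["src"],
          targetWindow: iframeWithScriptSrcNoneContentWindow,
        },
        { targetWindow: otherTabWithScriptSrcNone,
          propertySequence: ["location", "href"],
        },
        { elementId: "anchorWithTargetScriptSrcNone",
          propertySequence: ["href"],
          targetWindow: iframeWithScriptSrcNoneContentWindow,
          navigationFunction: "click",
        },
        { elementId: "areaWithTargetIframeWithScriptSrcNone",
          propertySequence: ["href"],
          targetWindow: iframeWithScriptSrcNoneContentWindow,
          navigationFunction: "click",
        },
        { elementId: "areWithTargetOtherTabWithScriptSrcNone",
          propertySequence: ["href"],
          targetWindow: otherTabWithScriptSrcNone,
          navigationFunction: "click",
        },
      ];

      for (const testCase of kTestCasesWithCSPViolation) {
        const injectionSinkDescription = determineInjectionSinkDescription(testCase);

        promise_test(t => { return new Promise(resolve => {
          const targetWindow = ("targetWindow" in testCase) ?
            testCase.targetWindow : window;

          targetWindow.addEventListener("message",
            t.unreached_func("Should not have received a message"),
            { once: true }
          );

          // The assertions run inside t.step_func so that a wrong directive
          // or blocked URI fails this test with its message. In a bare
          // listener the exception would not be attributed to the test and
          // the promise would never settle.
          targetWindow.addEventListener("securitypolicyviolation", t.step_func(e => {
            assert_equals(e.violatedDirective, "script-src-elem");
            assert_equals(e.blockedURI, "inline");
            resolve();
          }), { once: true });

          assignJavascriptURLToInjectionSink(testCase);
        })}, `Should not have executed the javascript URL for
      ${injectionSinkDescription} with child's CSP "script-src 'none'"`);
      }

      // All tests are queued at this point; required by explicit_done above.
      done();
    });
  });
</script>
</body>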