csp-ancestors.https.sub.html (1741B)
<!DOCTYPE html>
<title>Test Content-Security-Policy frame-ancestors</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/utils.js"></script>
<script src="/common/dispatcher/dispatcher.js"></script>
<script src="resources/utils.js"></script>
<script src="/common/get-host-info.sub.js"></script>
<body>
<script>
// Both tests serve the fenced frame document with a CSP `frame-ancestors`
// directive that lists a single host:port taken from the {{hosts[alt][www1]}}
// and {{ports[https][0]}} template substitutions. Per the second test's
// premise, the embedding page's origin is not part of that policy.
// They differ only in how the frame is created: a default fenced frame versus
// one requested with generator_api 'fledge' (Protected Audience).
// attachFencedFrameContext is not defined in this file.

promise_test(async (t) => {
  // Default fenced frame: frame-ancestors is expected to be enforced against
  // the embedder even though it sits on the other side of the fenced frame
  // boundary, so the document must be blocked.
  const headers = [[
    'Content-Security-Policy',
    'frame-ancestors {{hosts[alt][www1]}}:{{ports[https][0]}}'
  ]];
  const frame = await attachFencedFrameContext({headers});

  // A blocked frame never answers the remote call, so "blocked" is observed
  // as the 1000 ms timer winning the race. NOTE(review): this cannot tell a
  // CSP block apart from any other reason the frame fails to respond.
  const timedOut = new Promise((resolve) => {
    t.step_timeout(() => resolve('timeout'), 1000);
  });
  const executed = frame.execute(() => {});
  const winner = await Promise.race([timedOut, executed]);
  assert_equals(winner, 'timeout', 'The fenced frame should not load');
}, 'Fenced frames check beyond fenced boundary for CSP frame-ancestors');

promise_test(async () => {
  // Protected Audience fenced frame: the same frame-ancestors policy is sent,
  // but the ancestor check is expected to stop at the fenced frame boundary.
  // The frame therefore loads although the embedder's origin is not in the
  // policy; under this expectation the directive does not restrict which page
  // embeds such a frame.
  const options = {
    generator_api: 'fledge',
    headers: [[
      'Content-Security-Policy',
      'frame-ancestors {{hosts[alt][www1]}}:{{ports[https][0]}}'
    ]]
  };
  const frame = await attachFencedFrameContext(options);

  // Resolves only if the frame's document loaded and ran the (empty) callback.
  await frame.execute(() => {});
}, 'Protected Audience fenced frames do not check beyond fenced boundary for ' +
   'CSP frame-ancestors');
</script>
</body>