-
Notifications
You must be signed in to change notification settings - Fork 54
/
required-csp-header-cascade.html
67 lines (66 loc) · 3.32 KB
/
required-csp-header-cascade.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
<!DOCTYPE html>
<html>
<head>
<title>Embedded Enforcement: Sec-Required-CSP header.</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/testharness-helper.sub.js"></script>
</head>
<body>
<script>
var tests = [
{ "name": "Test same policy for both iframes",
"csp1": "script-src 'unsafe-inline';",
"csp2": "script-src 'unsafe-inline';",
"expected1": "script-src 'unsafe-inline';",
"expected2": "script-src 'unsafe-inline';"},
{ "name": "Test more restrictive policy on second iframe",
"csp1": "script-src 'unsafe-inline';",
"csp2": "script-src 'unsafe-inline'; style-src 'self';",
"expected1": "script-src 'unsafe-inline';",
"expected2": "script-src 'unsafe-inline'; style-src 'self';"},
{ "name": "Test less restrictive policy on second iframe",
"csp1": "script-src 'unsafe-inline'; style-src 'self';",
"csp2": "script-src 'unsafe-inline';",
"expected1": "script-src 'unsafe-inline'; style-src 'self';",
"expected2": "script-src 'unsafe-inline'; style-src 'self';"},
{ "name": "Test no policy on second iframe",
"csp1": "script-src 'unsafe-inline'; style-src 'self';",
"csp2": "",
"expected1": "script-src 'unsafe-inline'; style-src 'self';",
"expected2": "script-src 'unsafe-inline'; style-src 'self';"},
{ "name": "Test no policy on first iframe",
"csp1": "",
"csp2": "script-src 'unsafe-inline'; style-src 'self';",
"expected1": null,
"expected2": "script-src 'unsafe-inline'; style-src 'self';"},
{ "name": "Test invalid policy on first iframe (bad directive)",
"csp1": "default-src http://example.com; invalid-policy-name http://example.com",
"csp2": "script-src 'unsafe-inline'; style-src 'self';",
"expected1": null,
"expected2": "script-src 'unsafe-inline'; style-src 'self';"},
{ "name": "Test invalid policy on first iframe (report directive)",
"csp1": "script-src 'unsafe-inline'; report-uri resources/dummy-report.php",
"csp2": "script-src 'unsafe-inline'; style-src 'self';",
"expected1": null,
"expected2": "script-src 'unsafe-inline'; style-src 'self';"},
{ "name": "Test invalid policy on second iframe (bad directive)",
"csp1": "script-src 'unsafe-inline'; style-src 'self';",
"csp2": "default-src http://example.com; invalid-policy-name http://example.com",
"expected1": "script-src 'unsafe-inline'; style-src 'self';",
"expected2": "script-src 'unsafe-inline'; style-src 'self';"},
{ "name": "Test invalid policy on second iframe (report directive)",
"csp1": "script-src 'unsafe-inline'; style-src 'self';",
"csp2": "script-src 'unsafe-inline'; report-uri resources/dummy-report.php",
"expected1": "script-src 'unsafe-inline'; style-src 'self';",
"expected2": "script-src 'unsafe-inline'; style-src 'self';"},
];
tests.forEach(test => {
async_test(t => {
var url = generateURLStringWithSecondIframeParams(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP, test.csp2);
assert_required_csp(t, url, test.csp1, [test.expected1, test.expected2]);
}, "Test same origin: " + test.name);
});
</script>
</body>
</html>