Implemented cascading of the RequiredCSP through nested contexts
An iframe that is inside another iframe that has a RequiredCSP should respect that RequiredCSP. Spec: https://w3c.github.io/webappsec-csp/embedded/#required-csp Bug: 779031 Change-Id: I9042d63a6d14f48fd3cf1caaccf22c5cd1aa6d7a Reviewed-on: https://chromium-review.googlesource.com/924064 Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Andy Paicu <andypaicu@chromium.org> Cr-Commit-Position: refs/heads/master@{#538760}
1 parent
db1a703
commit 7b5ab0e
Showing
4 changed files
with
114 additions
and
9 deletions.
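--- a/content-security-policy/embedded-enforcement/required-csp-header-cascade.html
+++ b/content-security-policy/embedded-enforcement/required-csp-header-cascade.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Embedded Enforcement: Sec-Required-CSP header.</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/testharness-helper.sub.js"></script>
+</head>
+<body>
+<script>
+var tests = [
+{ "name": "Test same policy for both iframes",
+"csp1": "script-src 'unsafe-inline';",
+"csp2": "script-src 'unsafe-inline';",
+"expected1": "script-src 'unsafe-inline';",
+"expected2": "script-src 'unsafe-inline';"},
+{ "name": "Test more restrictive policy on second iframe",
+"csp1": "script-src 'unsafe-inline';",
+"csp2": "script-src 'unsafe-inline'; style-src 'self';",
+"expected1": "script-src 'unsafe-inline';",
+"expected2": "script-src 'unsafe-inline'; style-src 'self';"},
+{ "name": "Test less restrictive policy on second iframe",
+"csp1": "script-src 'unsafe-inline'; style-src 'self';",
+"csp2": "script-src 'unsafe-inline';",
+"expected1": "script-src 'unsafe-inline'; style-src 'self';",
+"expected2": "script-src 'unsafe-inline'; style-src 'self';"},
+{ "name": "Test no policy on second iframe",
+"csp1": "script-src 'unsafe-inline'; style-src 'self';",
+"csp2": "",
+"expected1": "script-src 'unsafe-inline'; style-src 'self';",
+"expected2": "script-src 'unsafe-inline'; style-src 'self';"},
+{ "name": "Test no policy on first iframe",
+"csp1": "",
+"csp2": "script-src 'unsafe-inline'; style-src 'self';",
+"expected1": null,
+"expected2": "script-src 'unsafe-inline'; style-src 'self';"},
+{ "name": "Test invalid policy on first iframe (bad directive)",
+"csp1": "default-src http://example.com; invalid-policy-name http://example.com",
+"csp2": "script-src 'unsafe-inline'; style-src 'self';",
+"expected1": null,
+"expected2": "script-src 'unsafe-inline'; style-src 'self';"},
+{ "name": "Test invalid policy on first iframe (report directive)",
+"csp1": "script-src 'unsafe-inline'; report-uri resources/dummy-report.php",
+"csp2": "script-src 'unsafe-inline'; style-src 'self';",
+"expected1": null,
+"expected2": "script-src 'unsafe-inline'; style-src 'self';"},
+{ "name": "Test invalid policy on second iframe (bad directive)",
+"csp1": "script-src 'unsafe-inline'; style-src 'self';",
+"csp2": "default-src http://example.com; invalid-policy-name http://example.com",
+"expected1": "script-src 'unsafe-inline'; style-src 'self';",
+"expected2": "script-src 'unsafe-inline'; style-src 'self';"},
+{ "name": "Test invalid policy on second iframe (report directive)",
+"csp1": "script-src 'unsafe-inline'; style-src 'self';",
+"csp2": "script-src 'unsafe-inline'; report-uri resources/dummy-report.php",
+"expected1": "script-src 'unsafe-inline'; style-src 'self';",
+"expected2": "script-src 'unsafe-inline'; style-src 'self';"},
+];
+
+tests.forEach(test => {
+async_test(t => {
+var url = generateURLStringWithSecondIframeParams(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP, test.csp2);
+assert_required_csp(t, url, test.csp1, [test.expected1, test.expected2]);
+}, "Test same origin: " + test.name);
+});
+</script>
+</body>
+</html>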
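Review bot: The test matrix has no baseline row where neither iframe carries a policy, so a regression in which a required CSP from an unrelated context leaks into the nested frame would go unnoticed; following the pattern of the "Test no policy on first iframe" row, adding `{ "name": "Test no policy on either iframe", "csp1": "", "csp2": "", "expected1": null, "expected2": null},` to `tests` would close that gap (both expectations presumably `null`, by analogy with the existing empty-policy rows). Every case also runs with `Host.SAME_ORIGIN` only, while the cascade is most security-relevant when the inner frame is cross-origin, since Sec-Required-CSP is the embedder's lever over content it does not control; if the helper exposes a cross-origin host, a second loop over it would be worth adding. As a point of style, `var tests` and `var url` could be `const`, and the test name could be a template literal `` `Test same origin: ${test.name}` ``.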