Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[WPT] CSP: sandbox directive in <meta> should be ignored
Bug: 1073364 Change-Id: Ie90054f7805301ea1789c731d1e559094b5987cd Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2143411 Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org> Reviewed-by: Kenichi Ishibashi <bashi@chromium.org> Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org> Cr-Commit-Position: refs/heads/master@{#794481}
- Loading branch information
1 parent
983d351
commit a9506f1
Showing
2 changed files
with
47 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
<!DOCTYPE html> | ||
<meta charset="utf-8"> | ||
<script src="/resources/testharness.js"></script> | ||
<script src="/resources/testharnessreport.js"></script> | ||
<meta content="sandbox allow-scripts" http-equiv="Content-Security-Policy"> | ||
<body> | ||
<iframe id="iframe"></iframe> | ||
<script> | ||
// According to | ||
// https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv-content-security-policy | ||
// `sandbox` directives must be ignored when delivered via `<meta>`. | ||
test(() => { | ||
assert_equals(location.origin, "{{location[scheme]}}://{{location[host]}}"); | ||
}, "Document shouldn't be sandboxed by <meta>"); | ||
|
||
// Note: sandbox directive for workers are not yet specified. | ||
// https://github.com/w3c/webappsec-csp/issues/279 | ||
// Anyway workers shouldn't be affected by sandbox directives in `<meta>`. | ||
async_test(t => { | ||
const worker = new Worker("support/post-origin-on-load-worker.js"); | ||
worker.onerror = t.unreached_func("Worker construction failed"); | ||
worker.onmessage = t.step_func_done(e => { | ||
assert_equals(e.data, "{{location[scheme]}}://{{location[host]}}"); | ||
}); | ||
}, "Worker shouldn't be sandboxed by inheriting <meta>"); | ||
|
||
parent.async_test(t => { | ||
// Although <iframe about:blank> should inherit parent's CSP, | ||
// sandbox directives in <meta> should be ignored in the first place, | ||
// so workers created from such <iframe>s shouldn't also be sandboxed. | ||
const iframeDocument = document.querySelector("#iframe").contentDocument; | ||
const script = iframeDocument.createElement("script"); | ||
script.innerText = ` | ||
const worker = new Worker("support/post-origin-on-load-worker.js"); | ||
worker.onerror = () => parent.postMessage("onerror", "*"); | ||
worker.onmessage = (e) => parent.postMessage(e.data, "*"); | ||
`; | ||
iframeDocument.body.appendChild(script); | ||
|
||
// Receive message from <iframe>. | ||
onmessage = t.step_func_done(e => { | ||
assert_equals(e.data, "{{location[scheme]}}://{{location[host]}}"); | ||
}); | ||
}, "Worker shouldn't be sandboxed when created <iframe> inheriting parent's CSP with sandbox <meta>"); | ||
</script> | ||
</body> |
1 change: 1 addition & 0 deletions
1
content-security-policy/sandbox/support/post-origin-on-load-worker.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
postMessage(self.origin); |