[WPT] CSP: sandbox directive in <meta> should be ignored

Bug: 1073364 Change-Id: Ie90054f7805301ea1789c731d1e559094b5987cd Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2143411 Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org> Reviewed-by: Kenichi Ishibashi <bashi@chromium.org> Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org> Cr-Commit-Position: refs/heads/master@{#794481}
web-platform-tests · Aug 4, 2020 · a9506f1 · a9506f1
1 parent 983d351
commit a9506f1
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 0 deletions.
diff --git a/content-security-policy/sandbox/meta-element.sub.html b/content-security-policy/sandbox/meta-element.sub.html
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta content="sandbox allow-scripts" http-equiv="Content-Security-Policy">
+<body>
+<iframe id="iframe"></iframe>
+<script>
+// According to
+// https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv-content-security-policy
+// `sandbox` directives must be ignored when delivered via `<meta>`.
+test(() => {
+  assert_equals(location.origin, "{{location[scheme]}}://{{location[host]}}");
+}, "Document shouldn't be sandboxed by <meta>");
+
+// Note: sandbox directive for workers are not yet specified.
+// https://github.com/w3c/webappsec-csp/issues/279
+// Anyway workers shouldn't be affected by sandbox directives in `<meta>`.
+async_test(t => {
+  const worker = new Worker("support/post-origin-on-load-worker.js");
+  worker.onerror = t.unreached_func("Worker construction failed");
+  worker.onmessage = t.step_func_done(e => {
+    assert_equals(e.data, "{{location[scheme]}}://{{location[host]}}");
+  });
+}, "Worker shouldn't be sandboxed by inheriting <meta>");
+
+parent.async_test(t => {
+  // Although <iframe about:blank> should inherit parent's CSP,
+  // sandbox directives in <meta> should be ignored in the first place,
+  // so workers created from such <iframe>s shouldn't also be sandboxed.
+  const iframeDocument = document.querySelector("#iframe").contentDocument;
+  const script = iframeDocument.createElement("script");
+  script.innerText = `
+    const worker = new Worker("support/post-origin-on-load-worker.js");
+    worker.onerror = () => parent.postMessage("onerror", "*");
+    worker.onmessage = (e) => parent.postMessage(e.data, "*");
+  `;
+  iframeDocument.body.appendChild(script);
+
+  // Receive message from <iframe>.
+  onmessage = t.step_func_done(e => {
+    assert_equals(e.data, "{{location[scheme]}}://{{location[host]}}");
+  });
+}, "Worker shouldn't be sandboxed when created <iframe> inheriting parent's CSP with sandbox <meta>");
+</script>
+</body>
diff --git a/content-security-policy/sandbox/support/post-origin-on-load-worker.js b/content-security-policy/sandbox/support/post-origin-on-load-worker.js
@@ -0,0 +1 @@
+postMessage(self.origin);