'navigate-to' directive tests
PR: w3c/webappsec-csp#290

Bug: 805886
Change-Id: I5bdda65c7e70e729b33a3647135fee6453e97e66
Reviewed-on: https://chromium-review.googlesource.com/934181
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#541769}
andypaicu authored and chromium-wpt-export-bot committed Mar 8, 2018
1 parent 38aab7a commit c36f238
Showing 52 changed files with 745 additions and 0 deletions.
@@ -0,0 +1,23 @@
<!DOCTYPE html>

<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>

<body>

<a name="anchor"></a>

<script>
var t = async_test("Test that anchor navigation is allowed regardless of the `navigate-to` directive");

window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have triggered any violation"));

try {
window.location.hash = "anchor";
t.done();
} catch(ex) {}
</script>

</body>
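Review bot: `t.done()` runs synchronously right after `window.location.hash = "anchor"`, so the test completes before a `securitypolicyviolation` event, which is queued as a task, could reach the `unreached_func` listener. As written the test would still pass if the fragment navigation were reported as a violation. Completing on the navigation instead, `window.addEventListener('hashchange', t.step_func_done());`, gives a queued violation event a chance to be delivered first. The empty `catch(ex) {}` also turns a thrown exception into a bare timeout; dropping the `try` lets the harness report the error.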
@@ -0,0 +1,4 @@
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: navigate-to 'none'
@@ -0,0 +1,18 @@
<!DOCTYPE html>

<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>

<body>
<script>
var t = async_test("Test that the child can navigate the parent because the relevant policy belongs to the navigation initiator (in this case the child)");
window.onmessage = t.step_func_done(function(e) {
assert_equals(e.data.result, 'success');
});
</script>

<iframe srcdoc="<iframe src='support/navigate_parent.sub.html?csp=navigate-to%20%27self%27'>">

</body>
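Review bot: The outer `<iframe srcdoc=...>` is never closed, so the parser treats everything up to the end of the file as the iframe's text content; it works only because nothing meaningful follows it. Adding `</iframe>` before `</body>` keeps the markup valid and stops anything added to the file later from being swallowed silently. The same applies to the `<iframe>` line in the other iframe-based tests of this commit (the blocked child-navigates-parent test, the four form-action tests and the form tests).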
@@ -0,0 +1,4 @@
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: navigate-to support/navigate_parent.sub.html
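Review bot: `navigate-to support/navigate_parent.sub.html` is not read as a relative URL; a CSP source expression without a scheme is parsed as a host-source, so this means host `support` with path `/navigate_parent.sub.html` and matches no same-origin URL. If the value is only meant to be a parent policy that must not influence the child's navigation, `'none'` would say that more plainly; if it is meant to allow the support file, it needs `'self'` or a full URL. Which test this headers file pairs with is not visible in the section, so the intent is inferred.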
@@ -0,0 +1,19 @@
<!DOCTYPE html>

<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>

<body>
<script>
var t = async_test("Test that the child can't navigate the parent because the relevant policy belongs to the navigation initiator (in this case the child)");
window.onmessage = t.step_func_done(function(e) {
assert_equals(e.data.result, 'fail');
assert_equals(e.data.violatedDirective, 'navigate-to');
});
</script>

<iframe srcdoc="<iframe src='support/navigate_parent.sub.html?csp=navigate-to%20%27none%27'>">

</body>
@@ -0,0 +1,4 @@
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: navigate-to 'self'
@@ -0,0 +1,16 @@
<!DOCTYPE html>

<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>

<body>
<script>
var t = async_test("Test that form-action overrides navigate-to when present.");
window.onmessage = t.step_func_done(function(e) {
assert_equals(e.data.result, 'success');
});
</script>
<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27%3B%20form-action%20%27self%27%3B&action=post_message_to_frame_owner.html">
</body>
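Review bot: The description "Test that form-action overrides navigate-to when present." is reused word for word in the next three files, so a failure report does not say which policy combination broke. Put the combination and the expectation in each title, for example `async_test("form-action 'self' allows the submission when navigate-to is 'self'")`. In this file both directives are `'self'`, so a `success` result does not by itself show that `form-action` took precedence; the `navigate-to 'none'` variant that follows is the one that demonstrates the override.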
@@ -0,0 +1,16 @@
<!DOCTYPE html>

<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>

<body>
<script>
var t = async_test("Test that form-action overrides navigate-to when present.");
window.onmessage = t.step_func_done(function(e) {
assert_equals(e.data.result, 'success');
});
</script>
<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27none%27%3B%20form-action%20%27self%27%3B&action=post_message_to_frame_owner.html">
</body>
@@ -0,0 +1,17 @@
<!DOCTYPE html>

<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>

<body>
<script>
var t = async_test("Test that form-action overrides navigate-to when present.");
window.onmessage = t.step_func_done(function(e) {
assert_equals(e.data.result, 'fail');
assert_equals(e.data.violatedDirective, 'form-action');
});
</script>
<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27%3B%20form-action%20%27none%27%3B&action=post_message_to_frame_owner.html">
</body>
@@ -0,0 +1,17 @@
<!DOCTYPE html>

<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>

<body>
<script>
var t = async_test("Test that form-action overrides navigate-to when present.");
window.onmessage = t.step_func_done(function(e) {
assert_equals(e.data.result, 'fail');
assert_equals(e.data.violatedDirective, 'form-action');
});
</script>
<iframe src="../support/form_action_navigation.sub.html?csp=navigate-to%20%27none%27%3B%20form-action%20%27none%27%3B&action=post_message_to_frame_owner.html">
</body>
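--- a/content-security-policy/navigate-to/form-allowed.html
+++ b/content-security-policy/navigate-to/form-allowed.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+var t = async_test("Test that the child iframe navigation is allowed");
+window.onmessage = t.step_func_done(function(e) {
+assert_equals(e.data.result, 'success');
+});
+</script>
+<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27&action=post_message_to_frame_owner.html">
+</body>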
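--- a/content-security-policy/navigate-to/form-blocked.html
+++ b/content-security-policy/navigate-to/form-blocked.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+var t = async_test("Test that the child iframe navigation is blocked");
+window.onmessage = t.step_func_done(function(e) {
+assert_equals(e.data.result, 'fail');
+assert_equals(e.data.violatedDirective, 'navigate-to');
+});
+</script>
+<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27none%27&action=post_message_to_frame_owner.html">
+</body>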
@@ -0,0 +1,16 @@
<!DOCTYPE html>

<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>

<body>
<script>
var t = async_test("Test that the child iframe navigation is allowed");
window.onmessage = t.step_func_done(function(e) {
assert_equals(e.data.result, 'success');
});
</script>
<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}&action=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html">
</body>
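Review bot: The handler asserts only `e.data.result`, so the test passes the same way whether the message came from the `{{domains[www1]}}` target or from any other window that posts `{result: 'success'}`. Adding `assert_equals(e.origin, 'http://{{domains[www1]}}:{{ports[http][0]}}');` would confirm that the form submission actually landed on the allowed cross-origin host, assuming the support page posts from there. The `{{...}}` placeholders are only expanded when the file name ends in `.sub.html`; this file's name is not visible in the section, so that is worth checking as well.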
@@ -0,0 +1,17 @@
<!DOCTYPE html>

<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>

<body>
<script>
var t = async_test("Test that the child iframe navigation is blocked");
window.onmessage = t.step_func_done(function(e) {
assert_equals(e.data.result, 'fail');
assert_equals(e.data.violatedDirective, 'navigate-to');
});
</script>
<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27&action=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html">
</body>
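--- a/content-security-policy/navigate-to/form-redirected-allowed.html
+++ b/content-security-policy/navigate-to/form-redirected-allowed.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+var t = async_test("Test that the child iframe navigation is allowed");
+window.onmessage = t.step_func_done(function(e) {
+assert_equals(e.data.result, 'success');
+});
+</script>
+<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20%27self%27&action=redirect_to_post_message_to_frame_owner.py">
+</body>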
@@ -0,0 +1,17 @@
<!DOCTYPE html>

<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>

<body>
<script>
var t = async_test("Test that the child iframe navigation is blocked");
window.onmessage = t.step_func_done(function(e) {
assert_equals(e.data.result, 'fail');
assert_equals(e.data.violatedDirective, 'navigate-to');
});
</script>
<iframe src="support/form_action_navigation.sub.html?csp=navigate-to%20{{location[server]}}/content-security-policy/navigate-to/support/redirect_to_post_message_to_frame_owner.py&action=redirect_to_post_message_to_frame_owner.py">
</body>
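--- a/content-security-policy/navigate-to/href-location-allowed.html
+++ b/content-security-policy/navigate-to/href-location-allowed.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+var t = async_test("Test that the child iframe navigation is allowed");
+window.onmessage = t.step_func_done(function(e) {
+assert_equals(e.data.result, 'success');
+});
+
+window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27self%27&target=post_message_to_frame_owner.html", "_blank");
+</script>
+
+</body>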
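Review bot: The title says "child iframe navigation", but this test has no iframe; it opens a popup with `window.open(..., "_blank")`, and that popup is never closed, so it stays open after the test has finished. Keep the handle and close it in cleanup, `var w = window.open(...);` followed by `t.add_cleanup(function() { w.close(); });`, and reword the title to say "popup navigation". The same applies to the other five href-location tests in this commit, which share both the title wording and the unclosed popup.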
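--- a/content-security-policy/navigate-to/href-location-blocked.html
+++ b/content-security-policy/navigate-to/href-location-blocked.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+<script>
+var t = async_test("Test that the child iframe navigation is blocked");
+window.onmessage = t.step_func_done(function(e) {
+assert_equals(e.data.result, 'fail');
+assert_equals(e.data.violatedDirective, 'navigate-to');
+});
+
+window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27none%27&target=post_message_to_frame_owner.html", "_blank");
+</script>
+
+</body>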
@@ -0,0 +1,18 @@
<!DOCTYPE html>

<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>

<body>
<script>
var t = async_test("Test that the child iframe navigation is allowed");
window.onmessage = t.step_func_done(function(e) {
assert_equals(e.data.result, 'success');
});

window.open("support/href_location_navigation.sub.html?csp=navigate-to%20http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html", "_blank");
</script>

</body>
@@ -0,0 +1,19 @@
<!DOCTYPE html>

<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>

<body>
<script>
var t = async_test("Test that the child iframe navigation is blocked");
window.onmessage = t.step_func_done(function(e) {
assert_equals(e.data.result, 'fail');
assert_equals(e.data.violatedDirective, 'navigate-to');
});

window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27self%27&target=http%3A%2F%2F{{domains[www1]}}:{{ports[http][0]}}%2Fcontent-security-policy%2Fnavigate-to%2Fsupport%2Fpost_message_to_frame_owner.html", "_blank");
</script>

</body>
@@ -0,0 +1,18 @@
<!DOCTYPE html>

<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>

<body>
<script>
var t = async_test("Test that the child iframe navigation is allowed");
window.onmessage = t.step_func_done(function(e) {
assert_equals(e.data.result, 'success');
});

window.open("support/href_location_navigation.sub.html?csp=navigate-to%20%27self%27&target=redirect_to_post_message_to_frame_owner.py", "_blank");
</script>

</body>
@@ -0,0 +1,19 @@
<!DOCTYPE html>

<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>

<body>
<script>
var t = async_test("Test that the child iframe navigation is blocked");
window.onmessage = t.step_func_done(function(e) {
assert_equals(e.data.result, 'fail');
assert_equals(e.data.violatedDirective, 'navigate-to');
});

window.open("support/href_location_navigation.sub.html?csp=navigate-to%20{{location[server]}}/content-security-policy/navigate-to/support/redirect_to_post_message_to_frame_owner.py&target=redirect_to_post_message_to_frame_owner.py", "_blank");
</script>

</body>
