Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(6)

Unified Diff: third_party/WebKit/LayoutTests/external/wpt/content-security-policy/frame-src/frame-src-self-unique-origin.html

Issue 2937503002: CSP, PlzNavigate: make clear what happens with unique origins. (Closed)
Patch Set: Add web platform tests. Created 3 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: third_party/WebKit/LayoutTests/external/wpt/content-security-policy/frame-src/frame-src-self-unique-origin.html
diff --git a/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/frame-src/frame-src-self-unique-origin.html b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/frame-src/frame-src-self-unique-origin.html
new file mode 100644
index 0000000000000000000000000000000000000000..947b11e063de776b4d9afffb91e1667460d9099f
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/frame-src/frame-src-self-unique-origin.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <title>frame-src-self-unique-origin</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+ <p>
+ The origin of an URL is called "unique" when it is considered to be
+ different from every origin, including itself. The origin of a
+ data-url is unique. When the current origin is unique, the CSP source
+ 'self' must not match any URL.
+ </p>
+ <script>
+ var iframe = document.createElement("iframe");
+ iframe.src = encodeURI(`data:text/html,
+ <script>
+ /* Add the CSP: frame-src: 'self'. */
+ var meta = document.createElement('meta');
+ meta.httpEquiv = 'Content-Security-Policy';
+ meta.content = "frame-src 'self'";
+ document.getElementsByTagName('head')[0].appendChild(meta);
+
+ /* Notify the parent the iframe has been blocked. */
+ window.addEventListener('securitypolicyviolation', e => {
+ if (e.originalPolicy == "frame-src 'self'")
+ window.parent.postMessage('Test PASS', '*');
+ });
+ </scr`+`ipt>
+
+ This iframe should be blocked by CSP:
+ <iframe src='data:text/html,blocked_iframe'></iframe>
+ `);
+ if (window.async_test) {
+ async_test(t => {
+ window.addEventListener("message", e => {
+ if (e.data == "Test PASS")
+ t.done();
+ });
+ }, "Iframe's url must not match with 'self'. It must be blocked.");
+ }
+ document.body.appendChild(iframe);
+ </script>
+</body>
+
+</html>

Powered by Google App Engine
This is Rietveld 408576698