Add javascript navigations interop tests

w3c/webappsec-csp#322 raises an interop issue It appears the issue itself has been fixed since but I've added these tests regardless to ensure there is no regression. Bug: 694525 Change-Id: Icb5502e228b3a96c176cbe23d5b4ce9c5c8640ab Reviewed-on: https://chromium-review.googlesource.com/c/1348054 Reviewed-by: Andy Paicu <[email protected]> Reviewed-by: Mike West <[email protected]> Commit-Queue: Andy Paicu <[email protected]> Cr-Commit-Position: refs/heads/master@{#611643}
web-platform-tests · Nov 28, 2018 · a82d438 · a82d438
1 parent ea03863
commit a82d438
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 0 deletions.
diff --git a/content-security-policy/navigation/support/frame-with-csp.sub.html b/content-security-policy/navigation/support/frame-with-csp.sub.html
@@ -0,0 +1,2 @@
+<meta http-equiv="Content-Security-Policy" content="{{GET[csp]}}">
+CHILD FRAME
diff --git a/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html b/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<iframe src="support/frame-with-csp.sub.html?csp=script-src%20%27self%27"></iframe>
+<div onclick="frames[0].location.href = 'javascript:parent.postMessage(\'executed\', \'*\')'" id="special_div"></div>
+<script>
+  var t = async_test("Should have executed the javascript url");
+  window.onmessage = t.step_func(function(e) {
+    if (e.data == "executed")
+      t.done();
+  });
+  window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have raised a violation event"));
+  document.getElementById('special_div').click();
+</script>
+</body>
diff --git a/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html b/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<head>
+<meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-abc'">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<iframe src="support/frame-with-csp.sub.html"></iframe>
+<div onclick="frames[0].location.href = 'javascript:parent.postMessage(\'executed\', \'*\')'" id="special_div"></div>
+<script nonce='abc'>
+  var t = async_test("Should not have executed the javascript url");
+  window.onmessage = t.step_func(function(e) {
+    if (e.data == "executed")
+      assert_true(false, "Javascript url executed");
+  });
+  window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+    assert_equals(e.blockedURI, 'inline');
+    assert_equals(e.violatedDirective, 'script-src-attr');
+  }));
+  document.getElementById('special_div').click();
+</script>
+</body>
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		<meta http-equiv="Content-Security-Policy" content="{{GET[csp]}}">
		CHILD FRAME