Bug 1509401 [wpt PR 14192] - Add javascript navigations interop tests, a=testonly
☠☠ backed out by fb94ec981a7d ☠ ☠
authorAndy Paicu <andypaicu@chromium.org>
Fri, 30 Nov 2018 18:05:18 +0000
changeset 449857 53bd5ece31e678e386c8faa4e99923054f4f163b
parent 449856 dabb54327a11900584db7ae93805b694f01813a9
child 449858 82a89d8cec980c0adf4c6f6a08b992fba1382d9e
push id110426
push userwptsync@mozilla.com
push dateTue, 11 Dec 2018 03:07:11 +0000
reviewerstestonly
bugs1509401, 14192, 694525, 1348054, 611643
milestone66.0a1
Bug 1509401 [wpt PR 14192] - Add javascript navigations interop tests, a=testonly Automatic update from web-platform-tests Add javascript navigations interop tests https://github.com/w3c/webappsec-csp/issues/322 raises an interop issue It appears the issue itself has been fixed since but I've added these tests regardless to ensure there is no regression. Bug: 694525 Change-Id: Icb5502e228b3a96c176cbe23d5b4ce9c5c8640ab Reviewed-on: https://chromium-review.googlesource.com/c/1348054 Reviewed-by: Andy Paicu <andypaicu@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Andy Paicu <andypaicu@chromium.org> Cr-Commit-Position: refs/heads/master@{#611643} -- wpt-commits: a82d43808d79ecd0074a4623fd69e3a7bb16c188 wpt-pr: 14192
testing/web-platform/tests/content-security-policy/navigation/support/frame-with-csp.sub.html
testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html
testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/support/frame-with-csp.sub.html
@@ -0,0 +1,2 @@
+<meta http-equiv="Content-Security-Policy" content="{{GET[csp]}}">
+CHILD FRAME
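Review bot: The `csp` query parameter is written straight into the `content` attribute of the `<meta>` tag, and nothing in the file says what callers must pass or what happens when it is missing. The parent-csp test in this same commit loads the file with no query string at all, so the parameter is effectively optional. A short header comment would record that contract, for example `<!-- csp query parameter: URL-encoded policy applied to this frame; optional (omitted by the parent-csp test) -->`. Whether the server-side substitution HTML-escapes the value is not visible here; if it does not, the comment should also say that the policy must not contain a double quote, since that would end the attribute early and give the frame a different policy than the test intended.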
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<iframe src="support/frame-with-csp.sub.html?csp=script-src%20%27self%27"></iframe>
+<div onclick="frames[0].location.href = 'javascript:parent.postMessage(\'executed\', \'*\')'" id="special_div"></div>
+<script>
+  var t = async_test("Should have executed the javascript url");
+  window.onmessage = t.step_func(function(e) {
+    if (e.data == "executed")
+      t.done();
+  });
+  window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have raised a violation event"));
+  document.getElementById('special_div').click();
+</script>
+</body>
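Review bot: The `click()` on the last script line runs synchronously while the page is still being parsed, so the assignment to `frames[0].location.href` most likely reaches the iframe's initial empty document rather than the loaded `frame-with-csp.sub.html` carrying `script-src 'self'`. In that case the child policy this test is named for is never in effect when the `javascript:` URL runs, and the test passes without exercising it. Waiting for the frame first would close the gap, e.g. `document.querySelector('iframe').onload = t.step_func(function() { document.getElementById('special_div').click(); });`. The `securitypolicyviolation` listener is also registered on the parent window only, so a violation reported against the child document would probably go unobserved and the test would time out instead of failing with the "Should not have raised a violation event" message.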
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<head>
+<meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-abc'">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<iframe src="support/frame-with-csp.sub.html"></iframe>
+<div onclick="frames[0].location.href = 'javascript:parent.postMessage(\'executed\', \'*\')'" id="special_div"></div>
+<script nonce='abc'>
+  var t = async_test("Should not have executed the javascript url");
+  window.onmessage = t.step_func(function(e) {
+    if (e.data == "executed")
+      assert_true(false, "Javascript url executed");
+  });
+  window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+    assert_equals(e.blockedURI, 'inline');
+    assert_equals(e.violatedDirective, 'script-src-attr');
+  }));
+  document.getElementById('special_div').click();
+</script>
+</body>
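Review bot: The asserted values `blockedURI == 'inline'` and `violatedDirective == 'script-src-attr'` describe a blocked inline event handler, so this test appears to pass because the parent's `script-src 'self' 'nonce-abc'` policy refuses the `onclick` attribute on `special_div` before any `javascript:` navigation is attempted. If that reading is right, a regression in the blocking of parent-initiated `javascript:` URLs would not be caught, since the handler never runs either way. Starting the navigation from the nonced script instead, `frames[0].location.href = "javascript:parent.postMessage('executed', '*')";`, would put the navigation itself under the policy check. The expected `violatedDirective` would then need to be re-checked against what the CSP spec reports for a blocked navigation, and the assignment should wait for the iframe's `load` event so it targets the loaded frame document.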