Bug 1509201 [wpt PR 14171] - Inherit the navigation initiator when navigating instead of the parent/opener, a=testonly
authorAndy Paicu <andypaicu@chromium.org>
Fri, 30 Nov 2018 18:03:04 +0000
changeset 449989 a8346d76301c428b9d0b671af6a014a2221e9ebb
parent 449988 65978e67a8e74c4d20f848005a034cac2edf81fd
child 449990 9c3669e31126ac5d3de457e70e1bd2de46d6f9c5
push id110435
push userjames@hoppipolla.co.uk
push dateTue, 11 Dec 2018 15:53:47 +0000
reviewerstestonly
bugs1509201, 14171, 905301, 894228, 836148, 1314633, 610850
milestone66.0a1
Bug 1509201 [wpt PR 14171] - Inherit the navigation initiator when navigating instead of the parent/opener, a=testonly Automatic update from web-platform-tests Inherit the navigation initiator when navigating instead of the parent/opener Spec PR: https://github.com/w3c/webappsec-csp/pull/358 Bug: 905301, 894228, 836148 Change-Id: I43ada2266d42d1cd56dbe3c6dd89d115e878a83a Reviewed-on: https://chromium-review.googlesource.com/c/1314633 Commit-Queue: Andy Paicu <andypaicu@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#610850} -- wpt-commits: 75b92bf3d1791dc0e47cd8a716a135e98d2d2937 wpt-pr: 14171
testing/web-platform/tests/content-security-policy/inheritance/blob-url-in-child-frame-self-navigate-inherits.sub.html
testing/web-platform/tests/content-security-policy/inheritance/blob-url-in-main-window-self-navigate-inherits.sub.html
testing/web-platform/tests/content-security-policy/inheritance/blob-url-self-navigate-inherits.sub.html
testing/web-platform/tests/content-security-policy/inheritance/sandboxed-blob-scheme.html
testing/web-platform/tests/content-security-policy/inheritance/sandboxed-blob-scheme.html.sub.headers
testing/web-platform/tests/content-security-policy/inheritance/sandboxed-data-scheme.html
testing/web-platform/tests/content-security-policy/inheritance/sandboxed-data-scheme.html.sub.headers
testing/web-platform/tests/content-security-policy/inheritance/unsandboxed-blob-scheme.html
testing/web-platform/tests/content-security-policy/inheritance/unsandboxed-blob-scheme.html.sub.headers
testing/web-platform/tests/content-security-policy/inheritance/unsandboxed-data-scheme.html
testing/web-platform/tests/content-security-policy/inheritance/unsandboxed-data-scheme.html.sub.headers
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/blob-url-in-child-frame-self-navigate-inherits.sub.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script nonce="abc" src="/resources/testharness.js"></script>
+    <script nonce="abc" src="/resources/testharnessreport.js"></script>
+</head>
+
+<!-- This tests that navigating a main window to a local scheme preserves the current CSP.
+     We need to test this in a main window with no parent/opener so we use
+     a link with target=_blank and rel=noopener. -->
+<body>
+    <iframe src="support/navigate-self-to-blob.html?csp=script-src%20%27nonce-abc%27&report_id={{$id:uuid()}}"></iframe>
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27&reportID={{$id}}'></script>
+</body>
+
+</html>
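Review bot: The comment above `<body>` describes a different test. It speaks of a main window with no parent/opener, reached through a `target=_blank` / `rel=noopener` link, but this file loads `support/navigate-self-to-blob.html` in an `<iframe>`, and the file name says child frame. The text looks carried over from the main-window variant that this commit renames. Something like `<!-- This tests that a child frame navigating itself to a blob: URL keeps the CSP it had before the navigation. -->` would match what the markup does; the support page is not visible here, so confirm the wording against it.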
rename from testing/web-platform/tests/content-security-policy/inheritance/blob-url-self-navigate-inherits.sub.html
rename to testing/web-platform/tests/content-security-policy/inheritance/blob-url-in-main-window-self-navigate-inherits.sub.html
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/sandboxed-blob-scheme.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script nonce="abc" src="/resources/testharness.js"></script>
+    <script nonce="abc" src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+      var blob_string = "<script>alert(document.domain)<\/scr"+"ipt>";
+      var blob = new Blob([blob_string], {type : 'text/html'});
+      var url = URL.createObjectURL(blob);
+
+      var i = document.createElement('iframe');
+      i.src = url;
+      i.sandbox = "allow-scripts";
+      document.body.appendChild(i);
+    </script>
+    <script nonce='abc' async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
+</body>
+
+</html>
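Review bot: Nothing in this file states what is being asserted, and the same holds for sandboxed-data-scheme.html, unsandboxed-blob-scheme.html and unsandboxed-data-scheme.html. The expected outcome has to be pieced together from the `.sub.headers` file and the checkReport.sub.js query string: the nonce-less inline script in the blob: frame is blocked by the inherited `script-src 'nonce-abc'` policy, and a `violated-directive` report arrives. A comment above `<body>` such as `<!-- The sandboxed blob: frame must inherit this page's CSP, so its nonce-less inline script is blocked and reported. -->` would cover it. Because no `reportID` is passed here, the report is presumably found through the cookie set in the `.sub.headers` file, whose name matches the test file name. That coupling deserves a line as well, since a rename would break it without any visible error.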
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/sandboxed-blob-scheme.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Set-Cookie: sandboxed-blob-scheme={{$id:uuid()}}; Path=/content-security-policy/inheritance/
+Content-Security-Policy: script-src 'nonce-abc'; report-uri http://{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}}
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/sandboxed-data-scheme.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script nonce="abc" src="/resources/testharness.js"></script>
+    <script nonce="abc" src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+      var url = "data:text/html,<script>alert(document.domain)<\/scr"+"ipt>";
+
+      var i = document.createElement('iframe');
+      i.src = url;
+      i.sandbox = "allow-scripts";
+      document.body.appendChild(i);
+    </script>
+    <script nonce='abc' async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
+</body>
+
+</html>
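Review bot: With `i.sandbox = "allow-scripts"` and no `allow-modals`, the `alert(document.domain)` payload does nothing observable even when it runs, so a regression where the data: frame fails to inherit the policy produces no signal of its own. The only evidence would be the missing report, which presumably shows up as a harness timeout in checkReport.sub.js (not shown in this commit). Having the payload notify the parent, for example `parent.postMessage('executed', '*')`, with a listener in this page that fails the test on receipt, would turn that into an explicit failure. The same applies to sandboxed-blob-scheme.html.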
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/sandboxed-data-scheme.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Set-Cookie: sandboxed-data-scheme={{$id:uuid()}}; Path=/content-security-policy/inheritance/
+Content-Security-Policy: script-src 'nonce-abc'; report-uri http://{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}}
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/unsandboxed-blob-scheme.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script nonce="abc" src="/resources/testharness.js"></script>
+    <script nonce="abc" src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+      var blob_string = "<script>alert(document.domain)<\/scr"+"ipt>";
+      var blob = new Blob([blob_string], {type : 'text/html'});
+      var url = URL.createObjectURL(blob);
+
+      var i = document.createElement('iframe');
+      i.src = url;
+      document.body.appendChild(i);
+    </script>
+    <script nonce='abc' async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
+</body>
+
+</html>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/unsandboxed-blob-scheme.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Set-Cookie: unsandboxed-blob-scheme={{$id:uuid()}}; Path=/content-security-policy/inheritance/
+Content-Security-Policy: script-src 'nonce-abc'; report-uri http://{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}}
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/unsandboxed-data-scheme.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script nonce="abc" src="/resources/testharness.js"></script>
+    <script nonce="abc" src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <script nonce='abc'>
+      var url = "data:text/html,<script>alert(document.domain)<\/scri"+"pt>";
+
+      var i = document.createElement('iframe');
+      i.src = url;
+      document.body.appendChild(i);
+    </script>
+    <script nonce='abc' async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27'></script>
+</body>
+
+</html>
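Review bot: The closing-tag split in the payload string is `<\/scri"+"pt>` here but `<\/scr"+"ipt>` in the three sibling tests. Both forms work, but the difference reads like a typo when the files are compared side by side; `var url = "data:text/html,<script>alert(document.domain)<\/scr"+"ipt>";` would match the others. Attribute quoting is also mixed within each of these files, `nonce="abc"` in `<head>` and `nonce='abc'` in `<body>`, and settling on one style would make the four near-identical tests easier to diff.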
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/unsandboxed-data-scheme.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Set-Cookie: unsandboxed-data-scheme={{$id:uuid()}}; Path=/content-security-policy/inheritance/
+Content-Security-Policy: script-src 'nonce-abc'; report-uri http://{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}}