Bug 1492547 [wpt PR 13080] - Inherit CSP when self-navigating to local-scheme URL, a=testonly
author Andy Paicu <andypaicu@chromium.org>
Thu, 11 Oct 2018 09:32:23 +0000
changeset 499506 c0550acd58bdb9826bc26a58031d647094ba39e5
parent 499505 6de808fa765f420d6b82ba481f62d2926f36cc59
child 499507 b1fcd408f1bb3b99ef896e1cd47e847aba97eaf3
push id 1864
push user ffxbld-merge
push date Mon, 03 Dec 2018 15:51:40 +0000
treeherder mozilla-release@f040763d99ad
reviewers testonly
bugs 1492547, 13080, 799747, 1234337, 597889
milestone 64.0a1
Automatic update from web-platform-tests
Inherit CSP when self-navigating to local-scheme URL

As the linked bug example shows, we should inherit CSP when we navigate
to a local-scheme URL (even if we are in a main browsing context).

Bug: 799747
Change-Id: I8413aa8e8049461ebcf0ffbf7b04c41d1340af02
Reviewed-on: https://chromium-review.googlesource.com/c/1234337
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#597889}
--

wpt-commits: 25a1c15b42cad8f272bcbc88f4b24150d0089808
wpt-pr: 13080
testing/web-platform/tests/content-security-policy/inheritance/blob-url-self-navigate-inherits.sub.html
testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-blob.html
testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-blob.html.sub.headers
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/blob-url-self-navigate-inherits.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <script nonce="abc" src="/resources/testharness.js"></script>
+    <script nonce="abc" src="/resources/testharnessreport.js"></script>
+</head>
+
+<!-- This tests that navigating a main window to a local scheme preserves the current CSP.
+     We need to test this in a main window with no parent/opener so we use
+     a link with target=_blank and rel=noopener. -->
+<body>
+    <script>
+      const a = document.createElement("a")
+      a.href = "support/navigate-self-to-blob.html?csp=script-src%20%27nonce-abc%27&report_id={{$id:uuid()}}";
+      a.target = "_blank"
+      a.rel = "noopener"
+      a.click()
+    </script>
+    <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27&reportID={{$id}}'></script>
+</body>
+
+</html>
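Review bot: The nonce="abc" attributes on the two testharness scripts in <head> have no effect, because this top-level page is served without a policy of its own (the only .headers file in the change belongs to support/navigate-self-to-blob.html), while the inline script and the checkReport.sub.js include in <body> carry no nonce at all. Either drop the nonces from the harness scripts or give this page a policy and nonce every script, so a reader does not assume the opener page is itself restricted. The HTML comment should also state the pass condition, which is the script-src 'nonce-abc' violation report arriving for this report_id. Minor style point: the a.href line ends with a semicolon while the createElement, a.target, a.rel and a.click() lines do not.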
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-blob.html
@@ -0,0 +1,6 @@
+<script nonce="abc">
+  var blob_string = "<script>alert(document.domain)<\/script>";
+  var blob = new Blob([blob_string], {type : 'text/html'});
+  var url = URL.createObjectURL(blob);
+  location.href=url;
+</script>
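Review bot: The blob payload is alert(document.domain), so if CSP inheritance regresses the only visible effect is a modal dialog in a noopener window that nothing in the test observes. Since the result is decided by the violation report, a payload with no UI side effect would serve the same purpose without leaving a dialog open in the test window. Please also add a comment saying that the <script> inside blob_string deliberately has no nonce, so that the inherited script-src 'nonce-abc' policy must block it. Style: location.href=url; is missing spaces around the assignment, and {type : 'text/html'} has a stray space before the colon.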
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/navigate-self-to-blob.html.sub.headers
@@ -0,0 +1,4 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Security-Policy: {{GET[csp]}}; report-uri http://{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID={{GET[report_id]}}
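Review bot: The Content-Security-Policy line takes its whole directive list from {{GET[csp]}} with no fallback, so a request that omits csp yields a header beginning with "; report-uri ..." and the page would run with no script-src restriction to inherit. The only caller in this change always passes script-src 'nonce-abc', so hardcoding that policy here (and keeping only report_id as a parameter) would make the support file safe to load on its own and keep it in step with the nonce="abc" in navigate-self-to-blob.html. Separately, the Expires value says "Mon, 26 Jul 1997", but that date was a Saturday; with Cache-Control: no-store already present, the Expires and Pragma lines could be dropped or the date corrected.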