Source code
Revision control
Copy as Markdown
Other Tools
Test Info:
- This WPT test may be referenced by the following Test IDs:
- /content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html - WPT Dashboard Interop Dashboard
<!DOCTYPE html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/utils.js"></script>
</head>
<body>
<iframe id="iframeWithScriptSrcUnsafeInline" name="iframeWithScriptSrcUnsafeInline"></iframe>
<iframe id="iframeWithScriptSrcNone" name="iframeWithScriptSrcNone"></iframe>
<a target="iframeWithScriptSrcUnsafeInline" id="anchorWithTargetScriptSrcUnsafeInline">a</a>
<a target="iframeWithScriptSrcNone" id="anchorWithTargetScriptSrcNone">a2</a>
<map name="m">
<area target="iframeWithScriptSrcNone" id="areaWithTargetIframeWithScriptSrcNone" shape="default">
<area target="otherTabWithScriptSrcNone" id="areWithTargetOtherTabWithScriptSrcNone" shape="default">
</map>
<img usemap="#m" alt="i">
<script>
// Since another tab is opened, this test suite needs to explicitly signal
// when it's done. Otherwise, the tests which wait for the tab to finish
// loading aren't executed. See,
setup({explicit_done: true});
const kIframeURLPath = "support/frame-with-csp.sub.html";
document.getElementById("iframeWithScriptSrcUnsafeInline").src =
encodeURIWithApostrophes(kIframeURLPath + "?csp=script-src 'unsafe-inline'");
document.getElementById("iframeWithScriptSrcNone").src =
encodeURIWithApostrophes(kIframeURLPath + "?csp=script-src 'none'");
window.addEventListener('load', () => {
const kTestCasesWithoutCSPViolation = [
{ elementId: "iframeWithScriptSrcUnsafeInline",
propertySequence: ["contentWindow", "location", "href"],
},
{ elementId: "iframeWithScriptSrcUnsafeInline",
propertySequence: ["src"],
},
{ elementId: "anchorWithTargetScriptSrcUnsafeInline",
propertySequence: ["href"],
navigationFunction: "click",
},
];
for (const testCase of kTestCasesWithoutCSPViolation) {
const injectionSinkDescription = determineInjectionSinkDescription(testCase);
promise_test(t => { return new Promise(resolve => {
window.addEventListener("message", t.step_func(function(e) {
if (e.data == "executed") {
resolve();
}
}), { once: true });
window.addEventListener('securitypolicyviolation',
t.unreached_func("Should not have raised a violation event"),
{ once: true }
);
assignJavascriptURLToInjectionSink(testCase);
})}, `Should have executed the javascript url for
${injectionSinkDescription} with child's CSP "script-src 'unsafe-inline'"`);
}
const otherTabWithScriptSrcNone = window.open(
encodeURIWithApostrophes(kIframeURLPath + "?csp=script-src 'none'"),
"otherTabWithScriptSrcNone");
const iframeWithScriptSrcNoneContentWindow =
document.getElementById("iframeWithScriptSrcNone").contentWindow;
otherTabWithScriptSrcNone.addEventListener("load", () => {
const kTestCasesWithCSPViolation = [
{ elementId: "iframeWithScriptSrcNone",
propertySequence: ["contentWindow", "location", "href"],
targetWindow: iframeWithScriptSrcNoneContentWindow,
},
{ elementId: "iframeWithScriptSrcNone",
propertySequence: ["src"],
targetWindow: iframeWithScriptSrcNoneContentWindow,
},
{ targetWindow: otherTabWithScriptSrcNone,
propertySequence: ["location", "href"],
},
{ elementId: "anchorWithTargetScriptSrcNone",
propertySequence: ["href"],
targetWindow: iframeWithScriptSrcNoneContentWindow,
navigationFunction: "click",
},
{ elementId: "areaWithTargetIframeWithScriptSrcNone",
propertySequence: ["href"],
targetWindow: iframeWithScriptSrcNoneContentWindow,
navigationFunction: "click",
},
{ elementId: "areWithTargetOtherTabWithScriptSrcNone",
propertySequence: ["href"],
targetWindow: otherTabWithScriptSrcNone,
navigationFunction: "click",
},
];
for (const testCase of kTestCasesWithCSPViolation) {
const injectionSinkDescription = determineInjectionSinkDescription(testCase);
promise_test(t => { return new Promise(resolve => {
const targetWindow = ("targetWindow" in testCase) ?
testCase.targetWindow : window;
targetWindow.addEventListener("message",
t.unreached_func("Should not have received a message"),
{ once: true }
);
targetWindow.addEventListener("securitypolicyviolation", e => {
assert_equals(e.violatedDirective, "script-src-elem");
assert_equals(e.blockedURI, "inline");
resolve();
}, { once : true });
assignJavascriptURLToInjectionSink(testCase);
})}, `Should not have executed the javascript URL for
${injectionSinkDescription} with child's CSP "script-src 'none'"`);
}
done();
});
});
</script>
</body>