Source code
Revision control
Copy as Markdown
Other Tools
Test Info: Warnings
- This test has a WPT meta file that expects 1 subtest issues.
- This WPT test may be referenced by the following Test IDs:
- /html/browsers/browsing-the-web/navigating-across-documents/failure-check-sequence.https.html - WPT Dashboard Interop Dashboard
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Sequence of the checks performed against a navigation response</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>
<body>
<script>
'use strict';
const collect = (win) => {
const report = new Promise((resolve) => {
if (!win.ReportingObserver) {
return;
}
const observer = new win.ReportingObserver(resolve);
observer.observe();
}).then((reports) => reports[0].type);
// Although CSP also makes use of ReportingObserver, monitoring this event
// allows the test to provide value to implementations that have not yet
// integrated CSP and Reporting (as of the time of this writing, Firefox and
// Safari).
const cspViolation = new Promise((resolve) => {
win.document.addEventListener('securitypolicyviolation', () => resolve('csp-violation'));
});
const halfASecond = new Promise((resolve) => setTimeout(() => resolve(null), 500));
return Promise.race([report, cspViolation, halfASecond]);
};
const createWindow = (t, url) => {
const win = open(url);
t.add_cleanup(() => win.close());
return new Promise((resolve) => win.onload = () => resolve(win));
};
promise_test(async (t) => {
const win = await createWindow(t, '/common/blank.html?pipe=header(content-security-policy, frame-src none)');
const iframe = win.document.createElement('iframe');
iframe.src = '/common/blank.html?pipe=header(x-frame-options, deny)';
win.document.body.appendChild(iframe);
assert_equals(await collect(win), 'csp-violation');
}, 'CSP check precedes X-Frame-Options check');
promise_test(async (t) => {
const win = await createWindow(t, '/common/blank.html?pipe=header(content-security-policy, frame-src none)|header(cross-origin-embedder-policy, require-corp)');
const iframe = win.document.createElement('iframe');
iframe.src = '/common/blank.html';
win.document.body.appendChild(iframe);
assert_equals(await collect(win), 'csp-violation');
}, 'CSP check precedes COEP check - CSP header first');
promise_test(async (t) => {
const win = await createWindow(t, '/common/blank.html?pipe=header(cross-origin-embedder-policy, require-corp)|header(content-security-policy, frame-src none)');
const iframe = win.document.createElement('iframe');
iframe.src = '/common/blank.html';
win.document.body.appendChild(iframe);
assert_equals(await collect(win), 'csp-violation');
}, 'CSP check precedes COEP check - COEP header first');
promise_test(async (t) => {
const win = await createWindow(t, '/common/blank.html?pipe=header(cross-origin-embedder-policy, require-corp)');
const iframe = win.document.createElement('iframe');
iframe.src = '/common/blank.html?pipe=header(x-frame-options, deny)';
win.document.body.appendChild(iframe);
assert_equals(await collect(win), 'coep');
}, 'COEP check precedes X-Frame-Options check');
</script>
</body>
</html>