Update web-platform-tests to revision a46616a5b18e83587ddbbed756c7b96cbb4b015d

2025-08-22 05:45:33 +01:00 · 2017-06-19 19:07:14 -04:00 · 2017-06-19 19:07:14 -04:00 · 578498ba24
commit 578498ba24
parent 3f07cfec7c
4001 changed files with 159517 additions and 30260 deletions
--- a/tests/wpt/web-platform-tests/content-security-policy/frame-src/frame-src-redirect.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/frame-src/frame-src-redirect.html
@ -0,0 +1,35 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="./support/testharness-helper.sub.js"></script>
+<body></body>
+<script>
+    function waitForViolation(el, policy, blocked_origin) {
+      return new Promise(resolve => {
+        el.addEventListener('securitypolicyviolation', e => {
+          if (e.originalPolicy == policy && (new URL(e.blockedURI)).origin == blocked_origin)
+            resolve(e);
+        });
+      });
+    }
+
+    async_test(t => {
+      var i = document.createElement("iframe");
+      var redirect = generateCrossOriginRedirectFrame();
+      i.src = redirect.url;
+
+      // Report-only policy should trigger a violation on the original request.
+      var original_report_only = waitForViolation(window, "frame-src http://foo.test", (new URL(i.src)).origin)
+      // Report-only policy should trigger a violation on the redirected request.
+      var redirect_report_only = waitForViolation(window, "frame-src http://foo.test", (new URL(redirect.target)).origin)
+      // Enforced policy should trigger a violation on the redirected request.
+      var redirect_enforced = waitForViolation(window, "frame-src 'self'", (new URL(redirect.target)).origin)
+
+      Promise.all([original_report_only, redirect_report_only, redirect_enforced]).then(t.step_func(_ => {
+        t.done();
+      }));
+
+      document.body.appendChild(i);
+    }, "Redirected iframe src should evaluate both enforced and report-only policies on both original request and when following redirect");
+</script>
+</html>
--- a/tests/wpt/web-platform-tests/content-security-policy/frame-src/frame-src-redirect.html.headers
+++ b/tests/wpt/web-platform-tests/content-security-policy/frame-src/frame-src-redirect.html.headers
@ -0,0 +1,2 @@
+Content-Security-Policy: frame-src 'self'
+Content-Security-Policy-Report-Only: frame-src http://foo.test
--- a/tests/wpt/web-platform-tests/content-security-policy/frame-src/frame-src-self-unique-origin.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/frame-src/frame-src-self-unique-origin.html
@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>frame-src-self-unique-origin</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+    <p>
+        The origin of an URL is called "unique" when it is considered to be
+        different from every origin, including itself. The origin of a
+        data-url is unique. When the current origin is unique, the CSP source
+        'self' must not match any URL.
+    </p>
+    <script>
+        var iframe = document.createElement("iframe");
+        iframe.src = encodeURI(`data:text/html,
+          <script>
+              /* Add the CSP: frame-src: 'self'. */
+              var meta = document.createElement('meta');
+              meta.httpEquiv = 'Content-Security-Policy';
+              meta.content = "frame-src 'self'";
+              document.getElementsByTagName('head')[0].appendChild(meta);
+
+              /* Notify the parent the iframe has been blocked. */
+              window.addEventListener('securitypolicyviolation', e => {
+                  if (e.originalPolicy == "frame-src 'self'")
+                      window.parent.postMessage('Test PASS', '*');
+              });
+          </scr`+`ipt>
+
+          This iframe should be blocked by CSP:
+          <iframe src='data:text/html,blocked_iframe'></iframe>
+        `);
+        if (window.async_test) {
+            async_test(t => { 
+                window.addEventListener("message", e => {
+                    if (e.data == "Test PASS")
+                      t.done();
+                });
+            }, "Iframe's url must not match with 'self'. It must be blocked.");
+        }
+        document.body.appendChild(iframe);
+    </script>
+</body>
+
+</html>
--- a/tests/wpt/web-platform-tests/content-security-policy/frame-src/support/frame.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/frame-src/support/frame.html
@ -0,0 +1,2 @@
+<!doctype html>
+</html>
--- a/tests/wpt/web-platform-tests/content-security-policy/frame-src/support/testharness-helper.sub.js
+++ b/tests/wpt/web-platform-tests/content-security-policy/frame-src/support/testharness-helper.sub.js
@ -0,0 +1,5 @@
+function generateCrossOriginRedirectFrame() {
+  var target = "http://{{domains[天気の良い日]}}:" + document.location.port + "/content-security-policy/frame-src/support/frame.html";
+  var url = "/common/redirect.py?location=" + encodeURIComponent(target);
+  return { url: url, target: target };
+}