Update web-platform-tests to revision de9a09ab7f605aed6a4b53ed96427412bab76463

2025-10-04 02:29:12 +01:00 · 2018-12-01 20:48:01 -05:00 · 2018-12-01 20:48:01 -05:00 · 73a776843f
commit 73a776843f
parent f3f9303fc9
225 changed files with 5750 additions and 2858 deletions
--- a/tests/wpt/web-platform-tests/content-security-policy/inheritance/iframe-srcdoc-inheritance.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/inheritance/iframe-srcdoc-inheritance.html
@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<head>
+  <meta http-equiv="Content-Security-Policy" content="img-src 'self'">
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+  <script>
+    var t1 = async_test("First image should be blocked");
+    var t2 = async_test("Second image should be blocked");
+    window.onmessage = t1.step_func_done(function(e) {
+      if (e.data == "img blocked") {
+        frames[0].frames[0].frameElement.srcdoc =
+        `<script>
+           window.addEventListener('securitypolicyviolation', function(e) {
+             if (e.violatedDirective == 'img-src') {
+               top.postMessage('img blocked', '*');
+             }
+           })
+         </scr` + `ipt>
+         <img src='/content-security-policy/support/fail.png'
+              onload='top.postMessage("img loaded", "*")'/>`;
+        window.onmessage = t2.step_func_done(function(e) {
+          if (e.data != "img blocked")
+            assert_true(false, "The second image should have been blocked");
+        });
+      } else {
+        assert_true(false, "The first image should have been blocked");
+      }
+    });
+  </script>
+  <iframe src="support/srcdoc-child-frame.html"></iframe>
+</body>
+</html>
--- a/tests/wpt/web-platform-tests/content-security-policy/inheritance/support/srcdoc-child-frame.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/inheritance/support/srcdoc-child-frame.html
@ -0,0 +1,19 @@
+<head>
+  <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+</head>
+<body>
+  <script>
+    var i = document.createElement('iframe');
+    i.srcdoc=`<script>
+                window.addEventListener('securitypolicyviolation', function(e) {
+                  if (e.violatedDirective == 'img-src') {
+                    top.postMessage('img blocked', '*');
+                  }
+                })
+              </scr` + `ipt>
+              <img src='/content-security-policy/support/fail.png'
+                onload='top.postMessage("img loaded", "*")'/>`;
+    i.id = "srcdoc-frame";
+    document.body.appendChild(i);
+  </script>
+</body>
--- a/tests/wpt/web-platform-tests/content-security-policy/navigation/support/frame-with-csp.sub.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/navigation/support/frame-with-csp.sub.html
@ -0,0 +1,2 @@
+<meta http-equiv="Content-Security-Policy" content="{{GET[csp]}}">
+CHILD FRAME
--- a/tests/wpt/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-child-csp.html
@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<iframe src="support/frame-with-csp.sub.html?csp=script-src%20%27self%27"></iframe>
+<div onclick="frames[0].location.href = 'javascript:parent.postMessage(\'executed\', \'*\')'" id="special_div"></div>
+<script>
+  var t = async_test("Should have executed the javascript url");
+  window.onmessage = t.step_func(function(e) {
+    if (e.data == "executed")
+      t.done();
+  });
+  window.addEventListener('securitypolicyviolation', t.unreached_func("Should not have raised a violation event"));
+  document.getElementById('special_div').click();
+</script>
+</body>
--- a/tests/wpt/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html
@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<head>
+<meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-abc'">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<iframe src="support/frame-with-csp.sub.html"></iframe>
+<div onclick="frames[0].location.href = 'javascript:parent.postMessage(\'executed\', \'*\')'" id="special_div"></div>
+<script nonce='abc'>
+  var t = async_test("Should not have executed the javascript url");
+  window.onmessage = t.step_func(function(e) {
+    if (e.data == "executed")
+      assert_true(false, "Javascript url executed");
+  });
+  window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+    assert_equals(e.blockedURI, 'inline');
+    assert_equals(e.violatedDirective, 'script-src-attr');
+  }));
+  document.getElementById('special_div').click();
+</script>
+</body>