Update web-platform-tests to revision d7afcb8708eac08a614d161d5622a48172daf7e3

2025-08-03 20:50:07 +01:00 · 2019-05-15 10:40:54 -04:00 · 2019-05-15 10:40:54 -04:00 · edff458e23
commit edff458e23
parent 6f8bb4dd40
791 changed files with 17647 additions and 10322 deletions
--- a/tests/wpt/web-platform-tests/content-security-policy/inheritance/document-write-iframe.html
+++ b/tests/wpt/web-platform-tests/content-security-policy/inheritance/document-write-iframe.html
@ -0,0 +1,69 @@
+<!DOCTYPE html>
+<head>
+  <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+
+</head>
+<body>
+  <script>
+    var t0 = async_test("Image loaded in srcdoc iframe using document.write is blocked");
+    var t1 = async_test("Image loaded in normal iframe using document.write is blocked");
+    var t2 = async_test("Image loaded directly in simple srcdoc iframe is blocked");
+
+    window.onmessage = function(e) {
+      var current_test;
+      if (e.data.type == "spv0") {
+        current_test = t0;
+      } else if (e.data.type == "spv1") {
+        current_test = t1;
+      } else if (e.data.type == "spv2") {
+        current_test = t2;
+      } else {
+        t0.step(function() {assert_true(false, "Unexpected message received from child frames")});
+        t1.step(function() {assert_true(false, "Unexpected message received from child frames")});
+        t2.step(function() {assert_true(false, "Unexpected message received from child frames")});
+      }
+
+      current_test.step(function() {
+        assert_equals(e.data.violatedDirective, 'img-src');
+        current_test.done();
+      });
+    }
+  </script>
+
+  <!--As discovered thanks to crbug.com/920531, there is a bug in CSP where the
+      CSP is not inherited when using document.open/document.write to edit a
+      document's contents. -->
+  <iframe id="frame1" srcdoc=""></iframe>
+
+  <!-- This is speculatively correct https://github.com/whatwg/html/issues/4510 -->
+  <iframe id="frame2" src="/content-security-policy/common/blank.html"></iframe>
+
+  <!--<script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+          window.top.postMessage({type: 'spv2', violatedDirective: e.violatedDirective}, '*');
+        });
+      </script>
+      <img src='/content-security-policy/support/fail.png'>
+  -->
+  <iframe srcdoc="<script>window.addEventListener('securitypolicyviolation', function(e) {window.top.postMessage({type: 'spv2', violatedDirective: e.violatedDirective}, '*');});</script><img src='/content-security-policy/support/fail.png'>"></iframe>
+  <script>
+    var frames = ['frame1', 'frame2'];
+    for (var i = 0; i < frames.length; i++) {
+      var body_text = ['<script>',
+                       ' window.addEventListener("securitypolicyviolation", function(e) {',
+                       '  window.top.postMessage({type: "spv'+ i + '", violatedDirective: e.violatedDirective}, "*");',
+                       ' });',
+                       '</scr' + 'ipt>',
+                       '<img src="/content-security-policy/support/fail.png">'].join('\n');
+
+      var e = document.getElementById(frames[i]);
+      var n = e.contentWindow.document;
+      n.open();
+      n.write("<html><body>" + body_text + "</body></html>");
+      n.close();
+    }
+  </script>
+</body>
+</html>