File: required-csp-header-cascade.html

package info (click to toggle)

firefox-esr 140.4.0esr-1~deb13u1

links: PTS, VCS
area: main
in suites: trixie
size: 4,539,284 kB
sloc: cpp: 7,381,286; javascript: 6,388,710; ansic: 3,710,139; python: 1,393,780; xml: 628,165; asm: 426,916; java: 184,004; sh: 65,742; makefile: 19,302; objc: 13,059; perl: 12,912; yacc: 4,583; cs: 3,846; pascal: 3,352; lex: 1,720; ruby: 1,226; exp: 762; php: 436; lisp: 258; awk: 247; sql: 66; sed: 54; csh: 10

file content (67 lines) | stat: -rw-r--r-- 3,418 bytes

parent folder | download | duplicates (25)

<!DOCTYPE html>
<html>
<head>
<title>Embedded Enforcement: Sec-Required-CSP header.</title>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <script src="support/testharness-helper.sub.js"></script>
</head>
<body>
  <script>
    var tests = [
      { "name": "Test same policy for both iframes",
        "csp1": "script-src 'unsafe-inline';",
        "csp2": "script-src 'unsafe-inline';",
        "expected1": "script-src 'unsafe-inline';",
        "expected2": "script-src 'unsafe-inline';"},
      { "name": "Test more restrictive policy on second iframe",
        "csp1": "script-src 'unsafe-inline';",
        "csp2": "script-src 'unsafe-inline'; style-src 'self';",
        "expected1": "script-src 'unsafe-inline';",
        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},
      { "name": "Test less restrictive policy on second iframe",
        "csp1": "script-src 'unsafe-inline'; style-src 'self';",
        "csp2": "script-src 'unsafe-inline';",
        "expected1": "script-src 'unsafe-inline'; style-src 'self';",
        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},
      { "name": "Test no policy on second iframe",
        "csp1": "script-src 'unsafe-inline'; style-src 'self';",
        "csp2": "",
        "expected1": "script-src 'unsafe-inline'; style-src 'self';",
        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},
      { "name": "Test no policy on first iframe",
        "csp1": "",
        "csp2": "script-src 'unsafe-inline'; style-src 'self';",
        "expected1": null,
        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},
      { "name": "Test invalid policy on first iframe (bad directive name)",
        "csp1": "default-src http://example.com; i//nvalid-policy-name http://example.com",
        "csp2": "script-src 'unsafe-inline'; style-src 'self';",
        "expected1": null,
        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},
      { "name": "Test invalid policy on first iframe (report directive)",
        "csp1": "script-src 'unsafe-inline'; report-uri resources/dummy-report.php",
        "csp2": "script-src 'unsafe-inline'; style-src 'self';",
        "expected1": null,
        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},
      { "name": "Test invalid policy on second iframe (bad directive name)",
        "csp1": "script-src 'unsafe-inline'; style-src 'self';",
        "csp2": "default-src http://example.com; i//nvalid-policy-name http://example.com",
        "expected1": "script-src 'unsafe-inline'; style-src 'self';",
        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},
      { "name": "Test invalid policy on second iframe (report directive)",
        "csp1": "script-src 'unsafe-inline'; style-src 'self';",
        "csp2": "script-src 'unsafe-inline'; report-uri resources/dummy-report.php",
        "expected1": "script-src 'unsafe-inline'; style-src 'self';",
        "expected2": "script-src 'unsafe-inline'; style-src 'self';"},
    ];

    tests.forEach(test => {
      async_test(t =>  {
        var url = generateURLStringWithSecondIframeParams(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP, test.csp2);
        assert_required_csp(t, url, test.csp1, [test.expected1, test.expected2]);
      }, "Test same origin: " + test.name);
    });
  </script>
</body>
</html>