<!DOCTYPE HTML>
<html>
<head>
<script src='/resources/testharness.js'></script>
<script src='/resources/testharnessreport.js'></script>
</head>
<body>
<div id=log></div>
<iframe id=frame></iframe>
<script>
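/**
 * Navigate the test iframe to the origin-policy test page and wait for the
 * page to report back via postMessage.
 *
 * @param {string} policy - Value sent as the `policy` query parameter of
 *     sec-origin-policy-header.html.py. The test cases in this file use "",
 *     "0", "policy-csp-1" and "policy-csp-2".
 * @returns {Promise<*>} Resolves with `event.data` of the next "message"
 *     event delivered to this window. The promise never rejects.
 */
function navigate(policy) {
  return new Promise((resolve) => {
    // NOTE(review): the listener resolves on the first message from any
    // sender; it does not check event.source or event.origin. That is only
    // acceptable because this is a self-contained test page. Confirm before
    // reusing this pattern anywhere that handles untrusted frames.
    window.addEventListener(
      "message",
      (event) => {
        resolve(event.data);
      },
      { once: true },
    );
    // Percent-encode the value so a policy name containing "&", "#", "=" or
    // whitespace cannot alter the query string. The values used by the test
    // cases in this file encode to themselves.
    document.getElementById("frame").src =
      "/origin-policy/sec-origin-policy-header.html.py?policy=" +
      encodeURIComponent(policy);
  });
}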
/**
 * Verify that the message posted by the framed page matches the expected
 * CSP outcome.
 *
 * @param {boolean} expect_script - Expected value of `message.inline_allowed`.
 * @param {boolean} expect_eval - Expected value of `message.eval_allowed`.
 * @param {Object} message - Data received from the frame; must carry both
 *     `inline_allowed` and `eval_allowed` as own properties.
 */
function expect(expect_script, expect_eval, message) {
  // Both fields must be present before either value is compared, so a
  // malformed message fails on the missing key, not on a value mismatch.
  for (const field of ["inline_allowed", "eval_allowed"]) {
    assert_own_property(message, field);
  }
  const { inline_allowed: inlineAllowed, eval_allowed: evalAllowed } = message;
  assert_equals(inlineAllowed, expect_script);
  assert_equals(evalAllowed, expect_eval);
}
/**
 * Rewrite an error's message so it names the failing test-case entry, then
 * re-throw the same error object.
 *
 * @param {string} policy - Policy value of the failing entry.
 * @param {boolean} expect_inline - Expected inline-script result of the entry.
 * @param {boolean} expect_eval - Expected eval result of the entry.
 * @param {number} index - Zero-based position of the entry; reported one-based.
 * @param {Error} error - The error to annotate; its `message` is overwritten.
 * @throws {Error} Always throws `error`.
 */
function descriptive_message(policy, expect_inline, expect_eval, index, error) {
  const entryNumber = index + 1;
  const entryText = `["${policy}", ${expect_inline}, ${expect_eval}]`;
  // The original error is stringified before its message is replaced, so the
  // new text quotes the old one.
  const annotated = `Error occured on entry #${entryNumber} ${entryText}: "${error}".`;
  error.message = annotated;
  throw error;
}
/**
 * Run a single test-case entry: navigate the frame with the entry's policy,
 * then compare the frame's reply against the entry's expectations.
 *
 * @param {Array} entry - `[policy, expect_inline, expect_eval]`.
 * @param {number} index - Zero-based position of the entry in its test case.
 * @returns {Promise} Settles once the reply has been checked; rejects with
 *     the annotated error when the check fails.
 */
function test_case_entry([policy, expect_inline, expect_eval], index) {
  const checkReply = (message) => expect(expect_inline, expect_eval, message);
  // Only relabels the failure so the report points at the exact entry;
  // descriptive_message() re-throws, so the rejection still propagates.
  const relabel = (error) =>
    descriptive_message(policy, expect_inline, expect_eval, index, error);
  return navigate(policy).then(checkReply).catch(relabel);
}
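/**
 * Build a promise_test body that runs a list of test-case entries in order
 * and then deletes the policy.
 *
 * @param {Array<Array>} test_case_list - Entries of the form
 *     `[policy, expect_inline, expect_eval]`, run sequentially.
 * @returns {function(*): Promise} Test function; its promise resolves after
 *     the final clean-up navigation, or rejects with the first entry's error
 *     once that clean-up has completed.
 */
function origin_policy_csp_test_case(test_case_list) {
  return (t) => {
    // Chain the entries so each navigation finishes before the next starts.
    let chain = Promise.resolve();
    // `const` keeps index/val block-scoped; without a declaration they would
    // leak as globals (and throw a ReferenceError in strict mode).
    for (const [index, val] of test_case_list.entries()) {
      chain = chain.then(() => test_case_entry(val, index));
    }
    // Delete the policy as the last element of the chain, on both the
    // resolve and reject paths, so a left-over policy cannot affect later
    // tests. The reject path waits for the delete navigation before
    // re-throwing. Otherwise the next test could start while the delete is
    // still in flight and receive its reply.
    return chain.then(
      () => navigate("0"),
      (error) =>
        navigate("0").then(() => {
          throw error;
        }),
    );
  };
}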
// Scenario table: [test name, steps]. Each step is
// [policy, expect_inline, expect_eval]:
//   ""             - request that names no policy
//   "0"            - delete the stored policy
//   "policy-csp-1" - forbids eval
//   "policy-csp-2" - forbids inline script and eval
// Together the scenarios check that a policy takes effect, that it keeps
// applying to later requests that name no policy, and that deleting it
// restores both inline script and eval.
for (const [name, steps] of [
  // Sanity check: a request with no policy.
  ["sanity check", [
    ["", true, true],                 // No policy.
  ]],

  // Basic functionality: a policy should have an effect.
  ["The basics: A policy should have an effect..", [
    ["", true, true],                 // No policy.
    ["policy-csp-1", true, false],    // Forbids eval.
    ["0", true, true],                // Delete the policy again.
  ]],

  // Basic functionality: set a policy and make sure it "sticks".
  ["The basics: A policy should stick.", [
    ["", true, true],                 // No policy.
    ["policy-csp-1", true, false],    // Forbids eval.
    ["", true, false],                // No policy named; policy-csp-1 is remembered.
    ["0", true, true],                // Delete the policy again.
  ]],

  // Set, update, and delete a policy.
  ["Policy set, update, and delete.", [
    ["", true, true],
    ["policy-csp-1", true, false],    // Forbids eval.
    ["policy-csp-2", false, false],   // Forbids script + eval.
    ["0", true, true],                // Delete the policy.
  ]],

  // Set, update, and delete a policy, checking after each step that it sticks.
  ["Policy set-update-delete cycle with checks.", [
    ["", true, true],
    ["policy-csp-1", true, false],    // Forbids eval.
    ["", true, false],
    ["policy-csp-2", false, false],   // Forbids script + eval.
    ["", false, false],
    ["0", true, true],                // Delete the policy.
    ["", true, true],
  ]],

  // Set a policy, update it, then revert to the old one.
  ["Policy set-update-delete cycle.", [
    ["", true, true],
    ["policy-csp-1", true, false],    // Forbids eval.
    ["policy-csp-2", false, false],   // Forbids script + eval.
    ["policy-csp-1", true, false],    // policy-csp-1 again.
    ["0", true, true],
  ]],

  // Set, delete, re-set, and re-delete a policy.
  ["Policy re-set and re-delete.", [
    ["", true, true],                 // No policy.
    ["policy-csp-1", true, false],    // Forbids eval.
    ["", true, false],
    ["0", true, true],                // Delete the policy.
    ["", true, true],
    ["policy-csp-1", true, false],    // Set a policy after the earlier delete.
    ["", true, false],
    ["0", true, true],                // Delete the policy again.
    ["", true, true],
  ]],

  // There have been bugs with repeated policies being set, so run a
  // set-update-delete cycle with every request made twice.
  ["Double Trouble", [
    ["", true, true],
    ["", true, true],
    ["policy-csp-1", true, false],
    ["policy-csp-1", true, false],
    ["policy-csp-2", false, false],
    ["policy-csp-2", false, false],
    ["0", true, true],
    ["0", true, true],
    ["", true, true],
    ["", true, true],
  ]],
]) {
  promise_test(origin_policy_csp_test_case(steps), name);
}
</script>
</body>
</html>