File: to-javascript-parent-initiated-parent-csp.html

firefox 143.0.3-1
<!DOCTYPE html>
<!--
  Web-platform test fixture: navigations to a javascript: URL that are started
  by this (parent) document are expected to be blocked by the parent's own
  Content Security Policy. The inline script in this file assigns the URL to
  several sinks that target either the child iframe or a second window named
  "otherTab", and expects a securitypolicyviolation event each time.
-->
<head>
<!--
  Policy under test. It allows same-origin script files and inline scripts
  carrying nonce "abc"; it has no 'unsafe-inline', so a javascript: URL is not
  covered by any allowed source. The fixed nonce is acceptable only because
  this is a test fixture: a deployed policy needs a fresh, unpredictable nonce
  per response.
-->
<meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-abc'">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<!-- Helper functions called by the inline script; they are not visible in this file. -->
<script src="support/utils.js"></script>
</head>
<body>
<!--
  Child frame. Per the original note, frame-with-csp.sub.html loaded without
  parameters corresponds to a framed document with no CSP of its own, so any
  blocking observed here comes from the parent's policy.
-->
<iframe id="iframe" name="iframe" src="support/frame-with-csp.sub.html"></iframe>

<!--
  Navigation sinks. The anchors and areas carry no href in the markup; the test
  cases in the script list "href" as the property to set and "click" as the way
  to trigger navigation (presumably done by support/utils.js; confirm there).
  target="iframe" aims at the child frame above.
-->
<a target="iframe" id="anchorElementWithTargetIframe">a</a>

<!-- target="otherTab" aims at the window the script opens under that name. -->
<a target="otherTab" id="anchorElementWithTargetOtherTab">a2</a>

<!-- Image-map variants of the same two sinks: one targets the iframe, one the other window. -->
<map name="m">
  <area target="iframe" id="areaElementWithTargetIframe" shape="default">
  <area target="otherTab" id="areaElementWithTargetOtherTab" shape="default">
</map>
<!-- The image exists only to attach the map above via usemap. -->
<img usemap="#m" alt="i">
<script nonce='abc'>
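  /**
   * Registers the pass and fail detectors for one test case.
   *
   * Fail: a "message" event whose data is "executed" (presumably posted by the
   * javascript: URL payload set up in support/utils.js; confirm there) means
   * the URL ran despite the policy.
   * Pass: a securitypolicyviolation event on this window whose blockedURI is
   * 'inline' and whose violatedDirective is 'script-src-elem'.
   *
   * @param {Test} test testharness.js test object for the current case.
   * @param {Function} resolve Called once the expected violation was observed.
   */
  function addSuccessAndFailureEventListeners(test, resolve) {
    // The failure detector must stay armed for the whole test. With
    // { once: true } the first message of any kind would remove it, so an
    // unrelated message arriving first would hide a later "executed" report.
    const onMessage = test.step_func(function(e) {
      if (e.data === "executed")
        assert_unreached("Javascript url executed");
    });

    const onViolation = test.step_func_done(function(e) {
      assert_equals(e.blockedURI, 'inline');
      assert_equals(e.violatedDirective, 'script-src-elem');
      resolve();
    });

    window.addEventListener("message", onMessage);
    window.addEventListener('securitypolicyviolation', onViolation, { once: true });

    // Detach both handlers when this test ends so that they cannot react to
    // events that belong to a later test case on the same window.
    test.add_cleanup(function() {
      window.removeEventListener("message", onMessage);
      window.removeEventListener('securitypolicyviolation', onViolation);
    });
  }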

  // Second top-level window, named to match target="otherTab" on the anchor
  // and area elements. It is shared by every test case that targets it.
  // NOTE(review): nothing in this file closes it; confirm whether that is
  // intended or handled elsewhere.
  const otherTab = window.open("about:blank", "otherTab");

  // One entry per sink through which this document can start a navigation.
  //   elementId / targetWindow: the object that owns the sink.
  //   propertySequence: property path to the attribute that receives the URL.
  //   navigationFunction: method to call afterwards, for sinks that need a
  //     trigger (here always "click").
  // How the entries are interpreted is defined in support/utils.js, which is
  // not visible here.
  const kTestCases = [
    // The child frame, through its location object and its src attribute.
    {
      elementId: "iframe",
      propertySequence: ["contentWindow", "location", "href"],
    },
    {
      elementId: "iframe",
      propertySequence: ["src"],
    },
    // The other window, through its location object.
    {
      targetWindow: otherTab,
      propertySequence: ["location", "href"],
    },
    // Image-map areas and anchors, each targeting the frame or the other window.
    {
      elementId: "areaElementWithTargetIframe",
      propertySequence: ["href"],
      navigationFunction: "click",
    },
    {
      elementId: "areaElementWithTargetOtherTab",
      propertySequence: ["href"],
      navigationFunction: "click",
    },
    {
      elementId: "anchorElementWithTargetOtherTab",
      propertySequence: ["href"],
      navigationFunction: "click",
    },
    {
      elementId: "anchorElementWithTargetIframe",
      propertySequence: ["href"],
      navigationFunction: "click",
    },
  ];

  // Register one promise_test per sink, in table order. Each test arms the
  // listeners first and only then writes the URL, so no event can be missed.
  kTestCases.forEach(function(testCase) {
    const injectionSinkDescription =
      determineInjectionSinkDescription(testCase);

    // The line break and indentation inside the template literal are part of
    // the registered test name and are kept as they are.
    promise_test(function(t) {
      return new Promise(function(resolve) {
        addSuccessAndFailureEventListeners(t, resolve);

        assignJavascriptURLToInjectionSink(testCase);
      });
    }, `Should not have executed the javascript url for
      ${injectionSinkDescription}`);
  });
</script>
</body>