File: failure-check-sequence.https.html

package info (click to toggle)
thunderbird 1%3A144.0.1-1
  • links: PTS, VCS
  • area: main
  • in suites: experimental
  • size: 4,725,312 kB
  • sloc: cpp: 7,869,225; javascript: 5,974,276; ansic: 3,946,747; python: 1,421,062; xml: 654,642; asm: 474,045; java: 183,117; sh: 110,973; makefile: 20,398; perl: 14,362; objc: 13,086; yacc: 4,583; pascal: 3,448; lex: 1,720; ruby: 999; exp: 762; sql: 731; awk: 580; php: 436; lisp: 430; sed: 69; csh: 10
file content (76 lines) | stat: -rw-r--r-- 2,954 bytes parent folder | download | duplicates (24) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
 
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Sequence of the checks performed against a navigation response</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>
<body>
<script>
'use strict';
const collect = (win) => {
  const report = new Promise((resolve) => {
    if (!win.ReportingObserver) {
      return;
    }

    const observer = new win.ReportingObserver(resolve);
    observer.observe();
  }).then((reports) => reports[0].type);
  // Although CSP also makes use of ReportingObserver, monitoring this event
  // allows the test to provide value to implementations that have not yet
  // integrated CSP and Reporting (as of the time of this writing, Firefox and
  // Safari).
  const cspViolation = new Promise((resolve) => {
    win.document.addEventListener('securitypolicyviolation', () => resolve('csp-violation'));
  });
  const halfASecond = new Promise((resolve) => setTimeout(() => resolve(null), 500));

  return Promise.race([report, cspViolation, halfASecond]);
};

const createWindow = (t, url) => {
  const win = open(url);
  t.add_cleanup(() => win.close());
  return new Promise((resolve) => win.onload = () => resolve(win));
};

promise_test(async (t) => {
  const win = await createWindow(t, '/common/blank.html?pipe=header(content-security-policy, frame-src none)');
  const iframe = win.document.createElement('iframe');
  iframe.src = '/common/blank.html?pipe=header(x-frame-options, deny)';
  win.document.body.appendChild(iframe);

  assert_equals(await collect(win), 'csp-violation');
}, 'CSP check precedes X-Frame-Options check');

promise_test(async (t) => {
  const win = await createWindow(t, '/common/blank.html?pipe=header(content-security-policy, frame-src none)|header(cross-origin-embedder-policy, require-corp)');
  const iframe = win.document.createElement('iframe');
  iframe.src = '/common/blank.html';
  win.document.body.appendChild(iframe);

  assert_equals(await collect(win), 'csp-violation');
}, 'CSP check precedes COEP check - CSP header first');

promise_test(async (t) => {
  const win = await createWindow(t, '/common/blank.html?pipe=header(cross-origin-embedder-policy, require-corp)|header(content-security-policy, frame-src none)');
  const iframe = win.document.createElement('iframe');
  iframe.src = '/common/blank.html';
  win.document.body.appendChild(iframe);

  assert_equals(await collect(win), 'csp-violation');
}, 'CSP check precedes COEP check - COEP header first');

promise_test(async (t) => {
  const win = await createWindow(t, '/common/blank.html?pipe=header(cross-origin-embedder-policy, require-corp)');
  const iframe = win.document.createElement('iframe');
  iframe.src = '/common/blank.html?pipe=header(x-frame-options, deny)';
  win.document.body.appendChild(iframe);

  assert_equals(await collect(win), 'coep');
}, 'COEP check precedes X-Frame-Options check');
</script>
</body>
</html>