chromium/src/third_party/blink/web_tests/external/wpt/content-security-policy/embedded-enforcement/allow_csp_from-header.html - manifest_repos/chromium_src - Git at Google

 <!DOCTYPE html>
 <html>
 <head>
 <title>Embedded Enforcement: Allow-CSP-From header.</title>
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>
   <script src="support/testharness-helper.sub.js"></script>
 </head>
 <body>
   <script>
     var tests = [
       { "name": "Same origin iframes are always allowed.",
         "origin": Host.SAME_ORIGIN,
         "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
         "allow_csp_from": "¢¥§",
         "expected": IframeLoad.EXPECT_LOAD,
         "blockedURI": null},
       { "name": "Same origin iframes are allowed even if the Allow-CSP-From is empty.",
         "origin": Host.SAME_ORIGIN,
         "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
         "allow_csp_from": "",
         "expected": IframeLoad.EXPECT_LOAD,
         "blockedURI": null},
       { "name": "Same origin iframes are allowed even if the Allow-CSP-From is not present.",
         "origin": Host.SAME_ORIGIN,
         "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
         "allow_csp_from": null,
         "expected": IframeLoad.EXPECT_LOAD,
         "blockedURI": null},
       { "name": "Same origin iframes are allowed even if Allow-CSP-From does not match origin.",
         "origin": Host.SAME_ORIGIN,
         "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
         "allow_csp_from": "http://example.com:888",
         "expected": IframeLoad.EXPECT_LOAD,
         "blockedURI": null},
       { "name": "Cross origin iframe with an empty Allow-CSP-From header gets blocked.",
         "origin": Host.CROSS_ORIGIN,
         "csp": "script-src 'unsafe-inline'",
         "allow_csp_from": "",
         "expected": IframeLoad.EXPECT_BLOCK,
         "blockedURI": null},
       { "name": "Cross origin iframe without Allow-CSP-From header gets blocked.",
         "origin": Host.CROSS_ORIGIN,
         "csp": "script-src 'unsafe-inline'",
         "allow_csp_from": null,
         "expected": IframeLoad.EXPECT_BLOCK,
         "blockedURI": null},
       { "name": "Cross origin iframe with correct Allow-CSP-From header is allowed.",
         "origin": Host.CROSS_ORIGIN,
         "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
         "allow_csp_from": getOrigin(),
         "expected": IframeLoad.EXPECT_LOAD,
         "blockedURI": null},
       { "name": "Iframe with improper Allow-CSP-From header gets blocked.",
         "origin": Host.CROSS_ORIGIN,
         "csp": "script-src 'unsafe-inline'",
         "allow_csp_from": "* ¢¥§",
         "expected": IframeLoad.EXPECT_BLOCK,
         "blockedURI": null},
       { "name": "Allow-CSP-From header with a star value allows cross origin frame.",
         "origin": Host.CROSS_ORIGIN,
         "csp": "script-src 'unsafe-inline'",
         "allow_csp_from": "*",
         "expected": IframeLoad.EXPECT_LOAD,
         "blockedURI": null},
       { "name": "Star Allow-CSP-From header enforces EmbeddingCSP.",
         "origin": Host.CROSS_ORIGIN,
         "csp": "script-src 'nonce-123'",
         "allow_csp_from": "*",
         "expected": IframeLoad.EXPECT_LOAD,
         "blockedURI": "inline"},
       { "name": "Allow-CSP-From header enforces EmbeddingCSP.",
         "origin": Host.CROSS_ORIGIN,
         "csp": "style-src 'none'; script-src 'nonce-123'",
         "allow_csp_from": getOrigin(),
         "expected": IframeLoad.EXPECT_LOAD,
         "blockedURI": "inline"},
     ];

     tests.forEach(test => {
       async_test(t =>  {
         var url = generateUrlWithAllowCSPFrom(test.origin, test.allow_csp_from);
         assert_iframe_with_csp(t, url, test.csp, test.expected, test.name, test.blockedURI);
       }, test.name);
     });
   </script>
 </body>
 </html>
	<!DOCTYPE html>
	<html>
	<head>
	<title>Embedded Enforcement: Allow-CSP-From header.</title>
	<script src="/resources/testharness.js"></script>
	<script src="/resources/testharnessreport.js"></script>
	<script src="support/testharness-helper.sub.js"></script>
	</head>
	<body>
	<script>
	var tests = [
	{ "name": "Same origin iframes are always allowed.",
	"origin": Host.SAME_ORIGIN,
	"csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
	"allow_csp_from": "¢¥§",
	"expected": IframeLoad.EXPECT_LOAD,
	"blockedURI": null},
	{ "name": "Same origin iframes are allowed even if the Allow-CSP-From is empty.",
	"origin": Host.SAME_ORIGIN,
	"csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
	"allow_csp_from": "",
	"expected": IframeLoad.EXPECT_LOAD,
	"blockedURI": null},
	{ "name": "Same origin iframes are allowed even if the Allow-CSP-From is not present.",
	"origin": Host.SAME_ORIGIN,
	"csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
	"allow_csp_from": null,
	"expected": IframeLoad.EXPECT_LOAD,
	"blockedURI": null},
	{ "name": "Same origin iframes are allowed even if Allow-CSP-From does not match origin.",
	"origin": Host.SAME_ORIGIN,
	"csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
	"allow_csp_from": "http://example.com:888",
	"expected": IframeLoad.EXPECT_LOAD,
	"blockedURI": null},
	{ "name": "Cross origin iframe with an empty Allow-CSP-From header gets blocked.",
	"origin": Host.CROSS_ORIGIN,
	"csp": "script-src 'unsafe-inline'",
	"allow_csp_from": "",
	"expected": IframeLoad.EXPECT_BLOCK,
	"blockedURI": null},
	{ "name": "Cross origin iframe without Allow-CSP-From header gets blocked.",
	"origin": Host.CROSS_ORIGIN,
	"csp": "script-src 'unsafe-inline'",
	"allow_csp_from": null,
	"expected": IframeLoad.EXPECT_BLOCK,
	"blockedURI": null},
	{ "name": "Cross origin iframe with correct Allow-CSP-From header is allowed.",
	"origin": Host.CROSS_ORIGIN,
	"csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
	"allow_csp_from": getOrigin(),
	"expected": IframeLoad.EXPECT_LOAD,
	"blockedURI": null},
	{ "name": "Iframe with improper Allow-CSP-From header gets blocked.",
	"origin": Host.CROSS_ORIGIN,
	"csp": "script-src 'unsafe-inline'",
	"allow_csp_from": "* ¢¥§",
	"expected": IframeLoad.EXPECT_BLOCK,
	"blockedURI": null},
	{ "name": "Allow-CSP-From header with a star value allows cross origin frame.",
	"origin": Host.CROSS_ORIGIN,
	"csp": "script-src 'unsafe-inline'",
	"allow_csp_from": "*",
	"expected": IframeLoad.EXPECT_LOAD,
	"blockedURI": null},
	{ "name": "Star Allow-CSP-From header enforces EmbeddingCSP.",
	"origin": Host.CROSS_ORIGIN,
	"csp": "script-src 'nonce-123'",
	"allow_csp_from": "*",
	"expected": IframeLoad.EXPECT_LOAD,
	"blockedURI": "inline"},
	{ "name": "Allow-CSP-From header enforces EmbeddingCSP.",
	"origin": Host.CROSS_ORIGIN,
	"csp": "style-src 'none'; script-src 'nonce-123'",
	"allow_csp_from": getOrigin(),
	"expected": IframeLoad.EXPECT_LOAD,
	"blockedURI": "inline"},
	];

	tests.forEach(test => {
	async_test(t => {
	var url = generateUrlWithAllowCSPFrom(test.origin, test.allow_csp_from);
	assert_iframe_with_csp(t, url, test.csp, test.expected, test.name, test.blockedURI);
	}, test.name);
	});
	</script>
	</body>
	</html>