| <!DOCTYPE html> |
| <html> |
| <head> |
| <meta charset="utf-8"> |
| <title>Sequence of the checks performed against a navigation response</title> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| </head> |
| <body> |
| <script> |
| 'use strict'; |
| const collect = (win) => { |
| const report = new Promise((resolve) => { |
| if (!win.ReportingObserver) { |
| return; |
| } |
| |
| const observer = new win.ReportingObserver(resolve); |
| observer.observe(); |
| }).then((reports) => reports[0].type); |
| // Although CSP also makes use of ReportingObserver, monitoring this event |
| // allows the test to provide value to implementations that have not yet |
| // integrated CSP and Reporting (as of the time of this writing, Firefox and |
| // Safari). |
| const cspViolation = new Promise((resolve) => { |
| win.document.addEventListener('securitypolicyviolation', () => resolve('csp-violation')); |
| }); |
| const halfASecond = new Promise((resolve) => setTimeout(() => resolve(null), 500)); |
| |
| return Promise.race([report, cspViolation, halfASecond]); |
| }; |
| |
| const createWindow = (t, url) => { |
| const win = open(url); |
| t.add_cleanup(() => win.close()); |
| return new Promise((resolve) => win.onload = () => resolve(win)); |
| }; |
| |
| promise_test(async (t) => { |
| const win = await createWindow(t, '/common/blank.html?pipe=header(content-security-policy, frame-src none)'); |
| const iframe = win.document.createElement('iframe'); |
| iframe.src = '/common/blank.html?pipe=header(x-frame-options, deny)'; |
| win.document.body.appendChild(iframe); |
| |
| assert_equals(await collect(win), 'csp-violation'); |
| }, 'CSP check precedes X-Frame-Options check'); |
| |
| promise_test(async (t) => { |
| const win = await createWindow(t, '/common/blank.html?pipe=header(content-security-policy, frame-src none)|header(cross-origin-embedder-policy, require-corp)'); |
| const iframe = win.document.createElement('iframe'); |
| iframe.src = '/common/blank.html'; |
| win.document.body.appendChild(iframe); |
| |
| assert_equals(await collect(win), 'csp-violation'); |
| }, 'CSP check precedes COEP check - CSP header first'); |
| |
| promise_test(async (t) => { |
| const win = await createWindow(t, '/common/blank.html?pipe=header(cross-origin-embedder-policy, require-corp)|header(content-security-policy, frame-src none)'); |
| const iframe = win.document.createElement('iframe'); |
| iframe.src = '/common/blank.html'; |
| win.document.body.appendChild(iframe); |
| |
| assert_equals(await collect(win), 'csp-violation'); |
| }, 'CSP check precedes COEP check - COEP header first'); |
| |
| promise_test(async (t) => { |
| const win = await createWindow(t, '/common/blank.html?pipe=header(cross-origin-embedder-policy, require-corp)'); |
| const iframe = win.document.createElement('iframe'); |
| iframe.src = '/common/blank.html?pipe=header(x-frame-options, deny)'; |
| win.document.body.appendChild(iframe); |
| |
| assert_equals(await collect(win), 'coep'); |
| }, 'COEP check precedes X-Frame-Options check'); |
| </script> |
| </body> |
| </html> |