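<!DOCTYPE html>
<!--
TODO(mkwst, arthursonzogni). This test fails. See https://crbug.com/700964

Purpose: check that the CSP form-action directive is enforced on the redirect
hop of a form submission that targets a named auxiliary window.
-->
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>CSP form-action: form submission blocked after a redirect</title>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <!--
  Only 127.0.0.1:8000 is an allowed form target. The form action below asks the
  server to redirect to localhost:8000, a host that is not on this list.
  NOTE(review): presumably the test page is served from 127.0.0.1:8000, so the
  first hop is allowed and only the redirect can violate the policy. Confirm
  against the test server configuration.
  -->
  <meta http-equiv="Content-Security-Policy" content="form-action 127.0.0.1:8000">
</head>
<body>
  <!-- POSTs into the window named "namedWindow"; the response is a 302 redirect. -->
  <form
    action="/resources/redirection-response.php?host=localhost:8000&status=302&target=/security/resources/post-done-to-opener.html"
    target="namedWindow"
    method="post">
    <input id="submit" type="submit">
  </form>
  <script>
    async_test(t => {
      // #1 Open a new window with the name matching the form.target attribute
      // above, so the submission navigates that window and not this document.
      const namedWindow =
          window.open('/security/resources/empty.html', 'namedWindow');
      assert_not_equals(namedWindow, null, "window.open() returned no window.");

      // Close the auxiliary window however the test ends. Without this, a
      // failed assertion leaves the window open for the tests that follow.
      t.add_cleanup(() => namedWindow.close());

      // #2 Wait for the window to be loaded. Otherwise its document URL could
      // still be about:blank and it would have inherited its opener's CSP.
      t.step_timeout(() => {
        // Failure signal: a "done" message from the named window. The loose
        // comparisons are kept on purpose so that the failure condition is not
        // narrowed.
        // NOTE(review): presumably post-done-to-opener.html posts "done" to its
        // opener once loaded; that file is not visible here.
        window.addEventListener('message', t.step_func(e => {
          if (e.source == namedWindow && e.data == "done")
            assert_unreached("The form submission wasn't blocked.");
        }));

        // The navigation should be blocked, either in the current window 1) or
        // in the new window 2).

        // 1) The navigation is blocked in the current window: the violation
        //    event is dispatched here.
        // NOTE(review): the expected blockedURI has no scheme and no
        // "/security" path segment, while the form's target parameter is
        // /security/resources/post-done-to-opener.html on localhost:8000.
        // Confirm the intended value (see the TODO at the top of this file).
        window.addEventListener('securitypolicyviolation', t.step_func(e => {
          assert_equals(e.effectiveDirective, "form-action");
          assert_equals(e.blockedURI, "localhost:8000/resources/post-done-to-opener.html");
          t.done();
        }));

        // 2) The navigation is blocked in the new window: no event reaches this
        //    document, so the test ends once the timeout expires.
        // NOTE(review): this branch passes on the absence of a "done" message
        // within the timeout. A slow redirect or a slow helper page would let
        // an unblocked submission go unnoticed.
        // step_timeout already runs its callback as a test step, so no extra
        // step_func wrapper is needed.
        t.step_timeout(() => {
          t.done();
        }, 1000);

        // #3 Make a form submission with a redirect. It should be blocked by
        // the form-action directive after the redirect.
        document.getElementById('submit').click();
      }, 1000);
    }, "The form resubmission should be blocked after the redirect");
  </script>
</body>
</html>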