Inherit CSP when self-navigating to local-scheme URL
As the linked bug example shows, we should inherit CSP when we navigate
to a local-scheme URL (even if we are in a main browsing context).
Bug: 799747
Change-Id: I8413aa8e8049461ebcf0ffbf7b04c41d1340af02
Reviewed-on: https://chromium-review.googlesource.com/c/1234337
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#597889}
diff --git a/content-security-policy/inheritance/blob-url-self-navigate-inherits.sub.html b/content-security-policy/inheritance/blob-url-self-navigate-inherits.sub.html
new file mode 100644
index 0000000..3b54528
--- /dev/null
+++ b/content-security-policy/inheritance/blob-url-self-navigate-inherits.sub.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <script nonce="abc" src="/resources/testharness.js"></script>
+ <script nonce="abc" src="/resources/testharnessreport.js"></script>
+</head>
+
+<!-- This tests that navigating a main window to a local scheme preserves the current CSP.
+ We need to test this in a main window with no parent/opener so we use
+ a link with target=_blank and rel=noopener. -->
+<body>
+ <script>
+ const a = document.createElement("a")
+ a.href = "support/navigate-self-to-blob.html?csp=script-src%20%27nonce-abc%27&report_id={{$id:uuid()}}";
+ a.target = "_blank"
+ a.rel = "noopener"
+ a.click()
+ </script>
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27nonce-abc%27&reportID={{$id}}'></script>
+</body>
+
+</html>
diff --git a/content-security-policy/inheritance/support/navigate-self-to-blob.html b/content-security-policy/inheritance/support/navigate-self-to-blob.html
new file mode 100644
index 0000000..9ea0699
--- /dev/null
+++ b/content-security-policy/inheritance/support/navigate-self-to-blob.html
@@ -0,0 +1,6 @@
+<script nonce="abc">
+ var blob_string = "<script>alert(document.domain)<\/script>";
+ var blob = new Blob([blob_string], {type : 'text/html'});
+ var url = URL.createObjectURL(blob);
+ location.href=url;
+</script>
diff --git a/content-security-policy/inheritance/support/navigate-self-to-blob.html.sub.headers b/content-security-policy/inheritance/support/navigate-self-to-blob.html.sub.headers
new file mode 100644
index 0000000..27aa5f4
--- /dev/null
+++ b/content-security-policy/inheritance/support/navigate-self-to-blob.html.sub.headers
@@ -0,0 +1,4 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Security-Policy: {{GET[csp]}}; report-uri http://{{host}}:{{ports[http][0]}}/content-security-policy/support/report.py?op=put&reportID={{GET[report_id]}}
