Expand X-Frame-Options tests
Follows https://github.com/whatwg/html/pull/5737. Closes https://github.com/web-platform-tests/wpt/pull/21730 by incorporating all of those tests.
diff --git a/html/README.md b/html/README.md
index a85911a..11e5bcf 100644
--- a/html/README.md
+++ b/html/README.md
@@ -17,3 +17,4 @@
* [/websockets](/websockets)
* [/webstorage](/webstorage)
* [/workers](/workers)
+* [/x-frame-options](/x-frame-options)
diff --git a/x-frame-options/META.yml b/x-frame-options/META.yml
index 674a164..21ef069 100644
--- a/x-frame-options/META.yml
+++ b/x-frame-options/META.yml
@@ -1,4 +1,5 @@
-spec: https://tools.ietf.org/html/rfc7034
+spec: https://html.spec.whatwg.org/#the-x-frame-options-header
suggested_reviewers:
- annevk
- mikewest
+ - domenic
diff --git a/x-frame-options/README.md b/x-frame-options/README.md
index 7b35f0f..2fad359 100644
--- a/x-frame-options/README.md
+++ b/x-frame-options/README.md
@@ -1,2 +1,3 @@
-This directory contains tests for
-[HTTP Header Field X-Frame-Options](https://tools.ietf.org/html/rfc7034).
+This directory contains tests for [`X-Frame-Options`](https://html.spec.whatwg.org/#the-x-frame-options-header).
+
+Currently it only tests `<iframe>`. It would be nice to test `<embed>` and `<object>` as well.
diff --git a/x-frame-options/deny.html b/x-frame-options/deny.html
new file mode 100644
index 0000000..90f65d3
--- /dev/null
+++ b/x-frame-options/deny.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>X-Frame-Options variations of DENY</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="./support/helper.sub.js"></script>
+
+<body>
+<script>
+"use strict";
+
+xfo_simple_tests({
+ headerValue: `DENY`,
+ sameOriginAllowed: false,
+ crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+ headerValue: `denY`,
+ sameOriginAllowed: false,
+ crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+ headerValue: ` DENY `,
+ sameOriginAllowed: false,
+ crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+ headerValue: `DENY`,
+ cspValue: `default-src 'self'`,
+ sameOriginAllowed: false,
+ crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+ headerValue: `DENY`,
+ cspValue: `frame-ancestors 'self'`,
+ sameOriginAllowed: true,
+ crossOriginAllowed: false
+});
+</script>
diff --git a/x-frame-options/deny.sub.html b/x-frame-options/deny.sub.html
deleted file mode 100644
index dd8afe8..0000000
--- a/x-frame-options/deny.sub.html
+++ /dev/null
@@ -1,61 +0,0 @@
-<!DOCTYPE html>
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="./support/helper.js"></script>
-<body>
-<script>
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "./support/xfo.py?value=DENY";
-
- assert_no_message_from(i, t);
-
- i.onload = t.step_func_done(_ => {
- assert_equals(i.contentDocument, null);
- i.remove();
- });
-
- document.body.appendChild(i);
- }, "`XFO: DENY` blocks same-origin framing.");
-
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=DENY";
-
- assert_no_message_from(i, t);
-
- i.onload = t.step_func_done(_ => {
- assert_equals(i.contentDocument, null);
- i.remove();
- });
-
- document.body.appendChild(i);
- }, "`XFO: DENY` blocks cross-origin framing.");
-
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "./support/xfo.py?value=DENY&csp_value=default-src%20'self'";
-
- assert_no_message_from(i, t);
-
- i.onload = t.step_func_done(_ => {
- assert_equals(i.contentDocument, null);
- i.remove();
- });
-
- document.body.appendChild(i);
- }, "`XFO: DENY` blocks framing when CSP is present without a frame-ancestors directive.");
-
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "./support/xfo.py?value=DENY&csp_value=frame-ancestors%20'self'";
-
- wait_for_message_from(i, t)
- .then(t.step_func_done(e => {
- assert_equals(e.data, "Loaded");
- i.remove();
- }));
-
- document.body.appendChild(i);
- }, "`XFO: DENY` does not blocks framing when CSP is present with a frame-ancestors directive.");
-</script>
diff --git a/x-frame-options/get-decode-split.html b/x-frame-options/get-decode-split.html
new file mode 100644
index 0000000..9f5101d
--- /dev/null
+++ b/x-frame-options/get-decode-split.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>X-Frame-Options headers use the get, decode, and split algorithm</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/helper.sub.js"></script>
+
+<body>
+<script>
+"use strict";
+
+xfo_simple_tests({
+ headerValue: `,SAMEORIGIN,,DENY,`,
+ sameOriginAllowed: false,
+ crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+ headerValue: ` SAMEORIGIN, DENY`,
+ sameOriginAllowed: false,
+ crossOriginAllowed: false
+});
+</script>
diff --git a/x-frame-options/invalid.html b/x-frame-options/invalid.html
new file mode 100644
index 0000000..26b2905
--- /dev/null
+++ b/x-frame-options/invalid.html
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>X-Frame-Options invalid values</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="./support/helper.sub.js"></script>
+
+<body>
+<script>
+"use strict";
+
+xfo_simple_tests({
+ headerValue: `INVALID`,
+ sameOriginAllowed: true,
+ crossOriginAllowed: true
+});
+
+xfo_simple_tests({
+ headerValue: `ALLOW-FROM https://example.com/`,
+ sameOriginAllowed: true,
+ crossOriginAllowed: true
+});
+
+xfo_simple_tests({
+ headerValue: `ALLOW-FROM=https://example.com/`,
+ sameOriginAllowed: true,
+ crossOriginAllowed: true
+});
+
+xfo_simple_tests({
+ headerValue: `ALLOWALL`,
+ sameOriginAllowed: true,
+ crossOriginAllowed: true
+});
+
+xfo_simple_tests({
+ headerValue: `"DENY"`,
+ sameOriginAllowed: true,
+ crossOriginAllowed: true
+});
+
+xfo_simple_tests({
+ headerValue: `"SAMEORIGIN"`,
+ sameOriginAllowed: true,
+ crossOriginAllowed: true
+});
+
+xfo_simple_tests({
+ headerValue: `"SAMEORIGIN,DENY"`,
+ sameOriginAllowed: true,
+ crossOriginAllowed: true
+});
+
+xfo_simple_tests({
+ headerValue: ``,
+ sameOriginAllowed: true,
+ crossOriginAllowed: true
+});
+</script>
diff --git a/x-frame-options/invalid.sub.html b/x-frame-options/invalid.sub.html
deleted file mode 100644
index 4604033..0000000
--- a/x-frame-options/invalid.sub.html
+++ /dev/null
@@ -1,84 +0,0 @@
-<!DOCTYPE html>
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="./support/helper.js"></script>
-<body>
-<script>
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "./support/xfo.py?value=INVALID";
-
- wait_for_message_from(i, t)
- .then(t.step_func_done(e => {
- assert_equals(e.data, "Loaded");
- i.remove();
- }));
-
- document.body.appendChild(i);
- }, "`XFO: INVALID` allows same-origin framing.");
-
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=INVALID";
-
- wait_for_message_from(i, t)
- .then(t.step_func_done(e => {
- assert_equals(e.data, "Loaded");
- i.remove();
- }));
-
- document.body.appendChild(i);
- }, "`XFO: INVALID` allows cross-origin framing.");
-
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "./support/xfo.py?value=ALLOWALL";
-
- wait_for_message_from(i, t)
- .then(t.step_func_done(e => {
- assert_equals(e.data, "Loaded");
- i.remove();
- }));
-
- document.body.appendChild(i);
- }, "`XFO: ALLOWALL` allows same-origin framing.");
-
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=ALLOWALL";
-
- wait_for_message_from(i, t)
- .then(t.step_func_done(e => {
- assert_equals(e.data, "Loaded");
- i.remove();
- }));
-
- document.body.appendChild(i);
- }, "`XFO: ALLOWALL` allows cross-origin framing.");
-
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "./support/xfo.py?value=";
-
- wait_for_message_from(i, t)
- .then(t.step_func_done(e => {
- assert_equals(e.data, "Loaded");
- i.remove();
- }));
-
- document.body.appendChild(i);
- }, "Empty `XFO:` allows same-origin framing.");
-
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=";
-
- wait_for_message_from(i, t)
- .then(t.step_func_done(e => {
- assert_equals(e.data, "Loaded");
- i.remove();
- }));
-
- document.body.appendChild(i);
- }, "Empty `XFO:` allows cross-origin framing.");
-</script>
diff --git a/x-frame-options/multiple.html b/x-frame-options/multiple.html
new file mode 100644
index 0000000..cc8d6e3
--- /dev/null
+++ b/x-frame-options/multiple.html
@@ -0,0 +1,124 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>X-Frame-Options headers sent multiple times</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/helper.sub.js"></script>
+
+<body>
+<script>
+"use strict";
+
+xfo_simple_tests({
+ headerValue: `SAMEORIGIN`,
+ headerValue2: `SAMEORIGIN`,
+ sameOriginAllowed: true,
+ crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+ headerValue: `SAMEORIGIN`,
+ headerValue2: `sameOrigin`,
+ sameOriginAllowed: true,
+ crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+ headerValue: `SAMEORIGIN`,
+ headerValue2: `DENY`,
+ sameOriginAllowed: false,
+ crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+ headerValue: `SAMEORIGIN`,
+ headerValue2: `INVALID`,
+ sameOriginAllowed: false,
+ crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+ headerValue: `SAMEORIGIN`,
+ headerValue2: `ALLOWALL`, // same as INVALID
+ sameOriginAllowed: false,
+ crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+ headerValue: `SAMEORIGIN`,
+ headerValue2: `"DENY"`, // same as INVALID
+ sameOriginAllowed: false,
+ crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+ headerValue: `SAMEORIGIN`,
+ headerValue2: ``, // same as INVALID
+ sameOriginAllowed: false,
+ crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+ headerValue: `DENY`,
+ headerValue2: `DENY`,
+ sameOriginAllowed: false,
+ crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+ headerValue: `DENY`,
+ headerValue2: `INVALID`,
+ sameOriginAllowed: false,
+ crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+ headerValue: `DENY`,
+ headerValue2: `ALLOWALL`, // same as INVALID
+ sameOriginAllowed: false,
+ crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+ headerValue: `DENY`,
+ headerValue2: `"SAMEORIGIN"`, // same as INVALID
+ sameOriginAllowed: false,
+ crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+ headerValue: `ALLOWALL`,
+ headerValue2: `INVALID`,
+ sameOriginAllowed: false,
+ crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+ headerValue: `ALLOWALL`,
+ headerValue2: ``,
+ sameOriginAllowed: false,
+ crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+ headerValue: `allowAll`,
+ headerValue2: `INVALID`,
+ sameOriginAllowed: false,
+ crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+ headerValue: `INVALID`,
+ headerValue2: `INVALID`,
+ sameOriginAllowed: true,
+ crossOriginAllowed: true
+});
+
+xfo_simple_tests({
+ headerValue: `INVALID`,
+ headerValue2: ``,
+ sameOriginAllowed: true,
+ crossOriginAllowed: true
+});
+
+</script>
diff --git a/x-frame-options/multiple.sub.html b/x-frame-options/multiple.sub.html
deleted file mode 100644
index 717e9fd..0000000
--- a/x-frame-options/multiple.sub.html
+++ /dev/null
@@ -1,87 +0,0 @@
-<!DOCTYPE html>
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="./support/helper.js"></script>
-<body>
-<script>
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "./support/xfo.py?value=SAMEORIGIN&value2=SAMEORIGIN";
-
- wait_for_message_from(i, t)
- .then(t.step_func_done(e => {
- assert_equals(e.data, "Loaded");
- i.remove();
- }));
-
- document.body.appendChild(i);
- }, "`XFO: SAMEORIGIN; XFO: SAMEORIGIN` allows same-origin framing.");
-
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "./support/xfo.py?value=SAMEORIGIN&value2=DENY";
-
- assert_no_message_from(i, t);
-
- i.onload = t.step_func_done(_ => {
- assert_equals(i.contentDocument, null);
- i.remove();
- });
-
- document.body.appendChild(i);
- }, "`XFO: SAMEORIGIN; XFO: DENY` blocks same-origin framing.");
-
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "./support/xfo.py?value=DENY&value2=SAMEORIGIN";
-
- assert_no_message_from(i, t);
-
- i.onload = t.step_func_done(_ => {
- assert_equals(i.contentDocument, null);
- i.remove();
- });
-
- document.body.appendChild(i);
- }, "`XFO: DENY; XFO: SAMEORIGIN` blocks same-origin framing.");
-
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "./support/xfo.py?value=INVALID&value2=SAMEORIGIN";
-
- wait_for_message_from(i, t)
- .then(t.step_func_done(e => {
- assert_equals(e.data, "Loaded");
- i.remove();
- }));
-
- document.body.appendChild(i);
- }, "`XFO: INVALID; XFO: SAMEORIGIN` allows same-origin framing.");
-
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "./support/xfo.py?value=SAMEORIGIN&value2=INVALID";
-
- wait_for_message_from(i, t)
- .then(t.step_func_done(e => {
- assert_equals(e.data, "Loaded");
- i.remove();
- }));
-
- document.body.appendChild(i);
- }, "`XFO: SAMEORIGIN; XFO: INVALID` allows same-origin framing.");
-
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=SAMEORIGIN&value2=SAMEORIGIN";
-
- assert_no_message_from(i, t);
-
- i.onload = t.step_func_done(_ => {
- assert_equals(i.contentDocument, null);
- i.remove();
- });
-
- document.body.appendChild(i);
- }, "`XFO: SAMEORIGIN; XFO: SAMEORIGIN` blocks cross-origin framing.");
-</script>
diff --git a/x-frame-options/redirect.html b/x-frame-options/redirect.html
new file mode 100644
index 0000000..65fd0d5
--- /dev/null
+++ b/x-frame-options/redirect.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>X-Frame-Options headers sent along with a redirect</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/helper.sub.js"></script>
+
+<body>
+<script>
+"use strict";
+
+xfo_test({
+ url: `./support/redirect.py?value=DENY&url=/x-frame-options/support/xfo.py%3Fvalue%3DALLOWALL`,
+ check: "loaded message",
+ message: `XFO on redirect responses is ignored`
+});
+</script>
diff --git a/x-frame-options/redirect.sub.html b/x-frame-options/redirect.sub.html
deleted file mode 100644
index 0bc708b..0000000
--- a/x-frame-options/redirect.sub.html
+++ /dev/null
@@ -1,19 +0,0 @@
-<!DOCTYPE html>
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="./support/helper.js"></script>
-<body>
-<script>
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "./support/redirect.py?value=DENY&url=/x-frame-options/support/xfo.py%3Fvalue%3DALLOWALL";
-
- wait_for_message_from(i, t)
- .then(t.step_func_done(e => {
- assert_equals(e.data, "Loaded");
- i.remove();
- }));
-
- document.body.appendChild(i);
- }, "XFO on redirect responses is ignored.");
-</script>
diff --git a/x-frame-options/sameorigin.sub.html b/x-frame-options/sameorigin.sub.html
index ede5446..45f9b01 100644
--- a/x-frame-options/sameorigin.sub.html
+++ b/x-frame-options/sameorigin.sub.html
@@ -1,86 +1,53 @@
<!DOCTYPE html>
+<meta charset="utf-8">
+<title>X-Frame-Options variations of SAMEORIGIN</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
-<script src="./support/helper.js"></script>
+<script src="./support/helper.sub.js"></script>
+
<body>
<script>
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "./support/xfo.py?value=SAMEORIGIN";
+"use strict";
- wait_for_message_from(i, t)
- .then(t.step_func_done(e => {
- assert_equals(e.data, "Loaded");
- i.remove();
- }));
+xfo_simple_tests({
+ headerValue: `SAMEORIGIN`,
+ sameOriginAllowed: true,
+ crossOriginAllowed: false
+});
- document.body.appendChild(i);
- }, "`XFO: SAMEORIGIN` allows same-origin framing.");
+xfo_simple_tests({
+ headerValue: `sameOriGin`,
+ sameOriginAllowed: true,
+ crossOriginAllowed: false
+});
- async_test(t => {
- var i = document.createElement('iframe');
- i.src =
- "./support/nested.py?origin=http://{{host}}:{{ports[http][0]}}&value=SAMEORIGIN&loadShouldSucceed=true";
+xfo_simple_tests({
+ headerValue: ` SAMEORIGIN `,
+ sameOriginAllowed: true,
+ crossOriginAllowed: false
+});
- wait_for_message_from(i, t)
- .then(t.step_func_done(e => {
- assert_equals(e.data, "Loaded");
- i.remove();
- }));
+xfo_test({
+ url: `./support/nested.py?origin=http://{{host}}:{{ports[http][0]}}&value=SAMEORIGIN&loadShouldSucceed=true`,
+ check: "loaded message",
+ message: `SAMEORIGIN allows same-origin nested in same-origin framing`
+});
- document.body.appendChild(i);
- }, "`XFO: SAMEORIGIN` allows same-origin nested in same-origin framing.");
+xfo_test({
+ url: `./support/nested.py?origin=http://{{domains[www]}}:{{ports[http][0]}}&value=SAMEORIGIN`,
+ check: "failed message",
+ message: `SAMEORIGIN blocks cross-origin nested in same-origin framing`
+});
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=SAMEORIGIN";
+xfo_test({
+ url: `http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/nested.py?origin=http://{{host}}:{{ports[http][0]}}&value=SAMEORIGIN`,
+ check: "failed message",
+ message: `SAMEORIGIN blocks same-origin nested in cross-origin framing`
+});
- assert_no_message_from(i, t);
-
- i.onload = t.step_func_done(_ => {
- assert_equals(i.contentDocument, null);
- i.remove();
- });
-
- document.body.appendChild(i);
- }, "`XFO: SAMEORIGIN` blocks cross-origin framing.");
-
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "./support/nested.py?origin=http://{{domains[www]}}:{{ports[http][0]}}&value=SAMEORIGIN";
-
- wait_for_message_from(i, t)
- .then(t.step_func_done(e => {
- assert_equals(e.data, "Failed");
- i.remove();
- }));
-
- document.body.appendChild(i);
- }, "`XFO: SAMEORIGIN` blocks cross-origin nested in same-origin framing.");
-
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/nested.py?origin=http://{{host}}:{{ports[http][0]}}&value=SAMEORIGIN";
-
- wait_for_message_from(i, t)
- .then(t.step_func_done(e => {
- assert_equals(e.data, "Failed");
- i.remove();
- }));
-
- document.body.appendChild(i);
- }, "`XFO: SAMEORIGIN` blocks same-origin nested in cross-origin framing.");
-
- async_test(t => {
- var i = document.createElement('iframe');
- i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/nested.py?origin=http://{{domains[www]}}:{{ports[http][0]}}&value=SAMEORIGIN";
-
- wait_for_message_from(i, t)
- .then(t.step_func_done(e => {
- assert_equals(e.data, "Failed");
- i.remove();
- }));
-
- document.body.appendChild(i);
- }, "`XFO: SAMEORIGIN` blocks cross-origin nested in cross-origin framing.");
+xfo_test({
+ url: `http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/nested.py?origin=http://{{domains[www]}}:{{ports[http][0]}}&value=SAMEORIGIN`,
+ check: "failed message",
+ message: `SAMEORIGIN blocks cross-origin nested in cross-origin framing`
+});
</script>
diff --git a/x-frame-options/support/helper.js b/x-frame-options/support/helper.js
deleted file mode 100644
index 2932a0a..0000000
--- a/x-frame-options/support/helper.js
+++ /dev/null
@@ -1,13 +0,0 @@
-function assert_no_message_from(frame, test) {
- wait_for_message_from(frame, test)
- .then(test.unreached_func("Frame should not have sent a message."));
-}
-
-function wait_for_message_from(frame, test) {
- return new Promise((resolve, reject) => {
- window.addEventListener("message", test.step_func(e => {
- if (e.source == frame.contentWindow)
- resolve(e);
- }));
- });
-}
diff --git a/x-frame-options/support/helper.sub.js b/x-frame-options/support/helper.sub.js
new file mode 100644
index 0000000..23663dd
--- /dev/null
+++ b/x-frame-options/support/helper.sub.js
@@ -0,0 +1,104 @@
+function xfo_simple_tests({ headerValue, headerValue2, cspValue, sameOriginAllowed, crossOriginAllowed }) {
+ simpleXFOTestsInner({
+ urlPrefix: "",
+ allowed: sameOriginAllowed,
+ headerValue,
+ headerValue2,
+ cspValue,
+ sameOrCross: "same-origin"
+ });
+
+ simpleXFOTestsInner({
+ urlPrefix: "http://{{domains[www]}}:{{ports[http][0]}}",
+ allowed: crossOriginAllowed,
+ headerValue,
+ headerValue2,
+ cspValue,
+ sameOrCross: "cross-origin"
+ });
+}
+
+function simpleXFOTestsInner({ urlPrefix, allowed, headerValue, headerValue2, cspValue, sameOrCross }) {
+ const value2QueryString = headerValue2 !== undefined ? `&value2=${headerValue2}` : ``;
+ const cspQueryString = cspValue !== undefined ? `&csp_value=${cspValue}` : ``;
+
+ const valueMessageString = headerValue === "" ? "(the empty string)" : headerValue;
+ const value2MessageString = headerValue2 === "" ? "(the empty string)" : headerValue2;
+ const value2MaybeMessageString = headerValue2 !== undefined ? `;${headerValue2}` : ``;
+ const cspMessageString = cspValue !== undefined ? ` with CSP ${cspValue}` : ``;
+
+ // This will test the multi-header variant, if headerValue2 is not undefined.
+ xfo_test({
+ url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue}${value2QueryString}${cspQueryString}`,
+ check: allowed ? "loaded message" : "no message",
+ message: `\`${valueMessageString}${value2MaybeMessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}`
+ });
+
+ if (headerValue2 !== undefined && headerValue2 !== headerValue) {
+ // Reversed variant
+ xfo_test({
+ url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue2}&value2=${headerValue}${cspQueryString}`,
+ check: allowed ? "loaded message" : "no message",
+ message: `\`${value2MessageString};${valueMessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}`
+ });
+
+ // Comma variant
+ xfo_test({
+ url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue},${headerValue2}${cspQueryString}`,
+ check: allowed ? "loaded message" : "no message",
+ message: `\`${valueMessageString},${value2MessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}`
+ });
+
+ // Comma + reversed variant
+ xfo_test({
+ url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue2},${headerValue}${cspQueryString}`,
+ check: allowed ? "loaded message" : "no message",
+ message: `\`${value2MessageString},${valueMessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}`
+ });
+ }
+}
+
+function xfo_test({ url, check, message }) {
+ async_test(t => {
+ const i = document.createElement("iframe");
+ i.src = url;
+
+ switch (check) {
+ case "loaded message": {
+ waitForMessageFrom(i, t).then(t.step_func_done(e => {
+ assert_equals(e.data, "Loaded");
+ }));
+ break;
+ }
+ case "failed message": {
+ waitForMessageFrom(i, t).then(t.step_func_done(e => {
+ assert_equals(e.data, "Failed");
+ }));
+ break;
+ }
+ case "no message": {
+ waitForMessageFrom(i, t).then(t.unreached_func("Frame should not have sent a message."));
+ i.onload = t.step_func_done(() => {
+ assert_equals(i.contentDocument, null);
+ });
+ break;
+ }
+ default: {
+ throw new Error("Bad test");
+ }
+ }
+
+ document.body.append(i);
+ t.add_cleanup(() => i.remove());
+ }, message);
+}
+
+function waitForMessageFrom(frame, test) {
+ return new Promise(resolve => {
+ window.addEventListener("message", test.step_func(e => {
+ if (e.source == frame.contentWindow) {
+ resolve(e);
+ }
+ }));
+ });
+}