Add WPT for CSP frame-src 'self' on sandboxed embedder
The Content-Security-Policy keyword 'self' in a source expression is a
placeholder for allowing sources with the same origin as the
document. Even if the document is sandboxed (i.e. has a unique opaque
origin), the keyword 'self' should match the document URL's origin.
This test checks that a document with CSPs:
Content-Security-Policy: sandbox; frame-src 'self'
can still embed a frame delivered by the same document URL's origin.
Bug: 1151323
Change-Id: Icba5fb8a15bca30ab807ca81ae97152122efb292
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2552593
Commit-Queue: Antonio Sartori <antoniosartori@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#830203}
diff --git a/content-security-policy/frame-src/frame-src-sandboxed-allowed.html b/content-security-policy/frame-src/frame-src-sandboxed-allowed.html
new file mode 100644
index 0000000..419a144
--- /dev/null
+++ b/content-security-policy/frame-src/frame-src-sandboxed-allowed.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Frame-src: 'self' matches even if the parent's origin is unique.</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ </head>
+ <body>
+ <script>
+ var t = async_test('SubframeLoaded');
+
+ window.addEventListener('securitypolicyviolation', t.step_func(function(e) {
+ if (e.violatedDirective === "frame-src") {
+ assert_unreached('unexpected securitypolicyviolation');
+ t.done();
+ }
+ }));
+
+ window.addEventListener("message", t.step_func(function(event) {
+ assert_equals(event.data, "PASS", 'unexpected message: ' + event.data);
+ t.done();
+ }));
+
+ f = document.createElement("iframe");
+ f.src = "/content-security-policy/support/postmessage-pass.html";
+ document.body.appendChild(f);
+ </script>
+ </body>
+</html>
diff --git a/content-security-policy/frame-src/frame-src-sandboxed-allowed.html.headers b/content-security-policy/frame-src/frame-src-sandboxed-allowed.html.headers
new file mode 100644
index 0000000..ec9e8de
--- /dev/null
+++ b/content-security-policy/frame-src/frame-src-sandboxed-allowed.html.headers
@@ -0,0 +1,4 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Security-Policy: frame-src 'self'; sandbox allow-scripts