Google Git
Sign in
chromium / external / w3c / web-platform-tests / refs/tags/merge_pr_26609^! / .
commit858185d1877e45b195670170672001c0f1e275b1[log] [tgz]
authorAntonio Sartori <antoniosartori@chromium.org>Mon Nov 23 17:01:33 2020
committerBlink WPT Bot <blink-w3c-test-autoroller@chromium.org>Mon Nov 23 17:20:50 2020
treea4aaf834a1ae68202a5edeb77e8a3e80273f74ed
parent91509164d9bbf21af389b8c089fb7bc9e91c7e44 [diff]
Add WPT for CSP frame-src 'self' on sandboxed embedder

The Content-Security-Policy keyword 'self' in a source expression is a
placeholder for allowing sources with the same origin as the
document. Even if the document is sandboxed (i.e. has a unique opaque
origin), the keyword 'self' should match the document URL's origin.

This test checks that a document with CSPs:
    Content-Security-Policy: sandbox; frame-src 'self'
can still embed a frame delivered by the same document URL's origin.

Bug: 1151323
Change-Id: Icba5fb8a15bca30ab807ca81ae97152122efb292
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2552593
Commit-Queue: Antonio Sartori <antoniosartori@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#830203}

diff --git a/content-security-policy/frame-src/frame-src-sandboxed-allowed.html b/content-security-policy/frame-src/frame-src-sandboxed-allowed.html
new file mode 100644
index 0000000..419a144
--- /dev/null
+++ b/content-security-policy/frame-src/frame-src-sandboxed-allowed.html

@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Frame-src: 'self' matches even if the parent's origin is unique.</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+  </head>
+  <body>
+    <script>
+      var t = async_test('SubframeLoaded');
+
+      window.addEventListener('securitypolicyviolation', t.step_func(function(e) {
+        if (e.violatedDirective === "frame-src") {
+          assert_unreached('unexpected securitypolicyviolation');
+          t.done();
+        }
+      }));
+
+      window.addEventListener("message", t.step_func(function(event) {
+        assert_equals(event.data, "PASS", 'unexpected message: ' + event.data);
+        t.done();
+      }));
+
+      f = document.createElement("iframe");
+      f.src = "/content-security-policy/support/postmessage-pass.html";
+      document.body.appendChild(f);
+    </script>
+  </body>
+</html>

diff --git a/content-security-policy/frame-src/frame-src-sandboxed-allowed.html.headers b/content-security-policy/frame-src/frame-src-sandboxed-allowed.html.headers
new file mode 100644
index 0000000..ec9e8de
--- /dev/null
+++ b/content-security-policy/frame-src/frame-src-sandboxed-allowed.html.headers

@@ -0,0 +1,4 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Security-Policy: frame-src 'self'; sandbox allow-scripts