Changeset 197972 in webkit
- Timestamp: Mar 10, 2016 4:45:13 PM
- Location: trunk
- Files: 13 added, 69 edited
trunk/LayoutTests/ChangeLog
r197969 r197972 1 2016-03-10 Daniel Bates <dabates@apple.com> 2 3 CSP: Implement frame-ancestors directive 4 https://bugs.webkit.org/show_bug.cgi?id=154345 5 <rdar://problem/24702161> 6 7 Reviewed by Brent Fulgham. 8 9 Adds new tests to ensure we ignore directive frame-ancestors when defined a policy delivered 10 in an HTML meta element or in a report-only policy (i.e. delivered via HTTP header Content- 11 Security-Policy-Report-Only). Also adds new test to ensure that we send a violation report 12 when the directive frame-ancestors is violated. 13 14 Updated many existing tests and test results that unnecessarily depended on a DOM SecurityError 15 exception being thrown when accessing the content of a cross-origin frame. It is sufficient 16 and more direct to test directive frame-ancestors by dumping the contents of all children frames 17 on the page. We design the tests such that a child frame that was blocked by the frame-ancestors 18 directive is expected to have no content. A child frame that was allowed by the frame-ancestors 19 directive is expected to have content. 20 21 * TestExpectations: Mark frame-ancestors tests as PASS so that we run them. 22 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-meta-element-ignored-expected.txt: Added. 23 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-meta-element-ignored.html: Added. 24 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-report-only-ignored-expected.txt: Added. 25 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-report-only-ignored.html: Added. 
26 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block-expected.txt: 27 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html: 28 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block-expected.txt: 29 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html: 30 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow-expected.txt: 31 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html: 32 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow-expected.txt: 33 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html: 34 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block-expected.txt: 35 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html: 36 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt: 37 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html: 38 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt: 39 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html: 40 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow-expected.txt: 41 * 
http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html: 42 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow-expected.txt: 43 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html: 44 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt: 45 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html: 46 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block-expected.txt: 47 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html: 48 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block-expected.txt: 49 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html: 50 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow-expected.txt: 51 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html: 52 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow-expected.txt: 53 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html: 54 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block-expected.txt: 55 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html: 56 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt: 57 * 
http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html: 58 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow-expected.txt: 59 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html: 60 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow-expected.txt: 61 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html: 62 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow-expected.txt: 63 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html: 64 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt: 65 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html: 66 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block-expected.txt: 67 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block.html: 68 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-protocolless-allow-expected.txt: 69 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-protocolless-allow.html: 70 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow-expected.txt: 71 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow.html: 72 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block-expected.txt: 73 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block.html: 74 * 
http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin-expected.txt: 75 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin.html: 76 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin-expected.txt: 77 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin.html: 78 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow-expected.txt: 79 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow.html: 80 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block-expected.txt: 81 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block.html: 82 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt: Added. 83 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt: Added. 84 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html: Added. 85 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html: Added. 86 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt: Added. 87 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt: Added. 88 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html: Added. 89 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html: Added. 90 * http/tests/security/contentSecurityPolicy/resources/echo-intertag.pl: Added. 
91 * http/tests/security/contentSecurityPolicy/resources/frame-ancestors-test.js: 92 (done): Added. 93 (injectIFrame): Modified to make use of handleFrameEvent(). 94 (handleFrameEvent): Added. 95 (iframeLoaded): Deleted. 96 * http/tests/security/contentSecurityPolicy/resources/frame-in-frame.pl: 97 1 98 2016-03-10 Andy VanWagoner <andy@instructure.com> 2 99 -
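Review bot: the ChangeLog leaves the two helper scripts undocumented and has two wording slips. The entries for resources/echo-intertag.pl (Added) and resources/frame-in-frame.pl carry no description at all, yet every frame-ancestors expectation rebaselined in this patch is produced by those scripts; one line each saying what echo-intertag.pl serves and what changed in frame-in-frame.pl would let a later reader tell a deliberate rebaseline from a regression. In the description, "ensure we ignore directive frame-ancestors when defined a policy delivered in an HTML meta element" is missing "in" ("when defined in a policy delivered ..."), and "Also adds new test to ensure that we send a violation report" should be plural, since four report-frame-ancestors-* tests (same/cross origin, http/https) are added.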
trunk/LayoutTests/TestExpectations
r197944 r197972 809 809 webkit.org/b/85558 http/tests/security/contentSecurityPolicy/1.1 810 810 http/tests/security/contentSecurityPolicy/1.1/child-src [ Pass ] 811 http/tests/security/contentSecurityPolicy/1.1/frame-ancestors [ Pass ] 811 812 http/tests/security/contentSecurityPolicy/1.1/form-action-src-allowed.html [ Pass ] 812 813 http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked.html [ Pass ] -
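Review bot: the new entry breaks the alphabetical order of the surrounding overrides. The visible neighbours run child-src, form-action-src-allowed.html, form-action-src-blocked.html, so `http/tests/security/contentSecurityPolicy/1.1/frame-ancestors [ Pass ]` belongs after the form-action entries, not between child-src and form-action.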
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block-expected.txt
r195367 r197972 1 CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27none%27' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'". 2 A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. 1 CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='none'' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'". 3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".3 A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED. 5 4 6 7 PASS The inner IFrame passed.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 5 12 6 … … 16 10 Testing a cross-origin child with a policy of "'none'" nested in a cross-origin parent. 17 11 18 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".19 20 21 IFrame load event fired: the IFrame is cross-origin (or was blocked).22 PASS The IFrame should have been blocked (or cross-origin). It was.23 12 24 13 -
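Review bot: the expected console message now shows the policy unescaped in the query (`policy='none'` where it previously read `policy=%27none%27`), so the URL that frame-ancestors-test.js assigns to the frame changed, not only the way results are reported. The ChangeLog entry for frame-ancestors-test.js lists only done(), injectIFrame() and handleFrameEvent() and says nothing about dropping the percent-encoding of the policy parameter. Either mention that change in the ChangeLog or keep the encoded form, so that the expectation diff is limited to the removed js-test output.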
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames."); 10 11 testNestedIFrame("'none'", CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p> 8 <script> 9 testNestedIFrame("'none'", CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); 10 </script> 13 11 </body> 14 12 </html> -
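Review bot: the new pass criterion in the `<p>` ("This test PASSED if you do not see any content in the inner-most nested iframe") is also satisfied by any other reason the inner frame fails to load, so the "Refused to display ... frame-ancestors 'none'" console line in the expectation is the only positive evidence that the directive did the blocking. Say so in the paragraph (for example "... and a console message reports that the frame was refused"), so that a future rebaseline which silently loses the console line is noticed. The same sentence is pasted verbatim into each -block.html in this patch; a shared string in frame-ancestors-test.js would keep the wording consistent across them.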
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block-expected.txt
r195367 r197972 1 CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27self%27' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'". 2 A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. 1 CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='self'' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'". 3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".3 A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED. 5 4 6 7 PASS The inner IFrame passed.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 5 12 6 … … 16 10 Testing a cross-origin child with a policy of "'self'" nested in a cross-origin parent. 17 11 18 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".19 20 21 IFrame load event fired: the IFrame is cross-origin (or was blocked).22 PASS The IFrame should have been blocked (or cross-origin). It was.23 12 24 13 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames."); 10 11 testNestedIFrame("'self'", CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p> 8 <script> 9 testNestedIFrame("'self'", CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); 10 </script> 13 11 </body> 14 12 </html> -
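Review bot: the description carried over into the new `<p>` (and into frame-ancestors-nested-cross-in-cross-self-block-expected.txt) does not match what the test does. It says "a value 'same'" and "should block render in same-origin nested frames", but the policy passed is 'self' and both the child and its parent are CROSS_ORIGIN: the frame's own origin (http://localhost:8080) matches its immediate parent but not the top-level document at http://127.0.0.1:8000, which is why it is blocked. Suggest "A 'frame-ancestors' CSP directive with a value 'self' should block rendering when any ancestor is cross-origin." in both files; "block render" should be "block rendering" in any case.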
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow-expected.txt
r195367 r197972 1 CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=*'. 2 A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. 1 A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED. 3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".5 6 7 PASS The inner IFrame passed.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 3 12 4 … … 16 8 Testing a cross-origin child with a policy of "*" nested in a cross-origin parent. 17 9 18 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".19 20 21 PASS The IFrame should not have been blocked. It wasn't.22 10 23 11 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a value '*' should render in nested frames."); 10 11 testNestedIFrame("*", CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_LOAD); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.</p> 8 <script> 9 testNestedIFrame("*", CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_LOAD); 10 </script> 13 11 </body> 14 12 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow-expected.txt
r195367 r197972 1 CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://127.0.0.1:8000%20http://localhost:8080'. 2 A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. 1 A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED. 3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".5 6 7 PASS The inner IFrame passed.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 3 12 4 … … 16 8 Testing a cross-origin child with a policy of "http://127.0.0.1:8000 http://localhost:8080" nested in a cross-origin parent. 17 9 18 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".19 20 21 PASS The IFrame should not have been blocked. It wasn't.22 10 23 11 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate."); 10 11 testNestedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_LOAD); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.</p> 8 <script> 9 testNestedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_LOAD); 10 </script> 13 11 </body> 14 12 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block-expected.txt
r195367 r197972 1 1 CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://localhost:8080' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors http://localhost:8080". 2 A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".3 A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED. 5 4 6 7 PASS The inner IFrame passed.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 5 12 6 … … 16 10 Testing a cross-origin child with a policy of "http://localhost:8080" nested in a cross-origin parent. 17 11 18 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".19 20 21 IFrame load event fired: the IFrame is cross-origin (or was blocked).22 PASS The IFrame should have been blocked (or cross-origin). It was.23 12 24 13 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate."); 10 11 testNestedIFrame(CROSSORIGIN_ORIGIN, CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p> 8 <script> 9 testNestedIFrame(CROSSORIGIN_ORIGIN, CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); 10 </script> 13 11 </body> 14 12 </html> -
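Review bot: the `<p>` ("should block or allow rendering in nested frames as appropriate") does not say why this case blocks. The policy is CROSSORIGIN_ORIGIN (http://localhost:8080), which matches the cross-origin parent frame but not the top-level test document at http://127.0.0.1:8000, so what is exercised here is that every ancestor must match the source list, not just the parent. Spelling that out in the paragraph (and in the expectation) stops the block from being read as the parent check failing.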
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt
r195367 r197972 1 CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27none%27' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'". 2 A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. 1 CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='none'' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'". 3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".3 A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED. 5 4 6 7 PASS The inner IFrame passed.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 5 12 6 … … 16 10 Testing a cross-origin child with a policy of "'none'" nested in a same-origin parent. 17 11 18 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".19 20 21 IFrame load event fired: the IFrame is cross-origin (or was blocked).22 PASS The IFrame should have been blocked (or cross-origin). It was.23 12 24 13 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html
r195367 r197972 3 3 <html> 4 4 <head> 5 <script src="/js-test-resources/js-test.js"></script>6 5 <script src="../../resources/frame-ancestors-test.js"></script> 7 6 </head> 8 7 <body> 9 <script> 10 description("A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames."); 11 12 testNestedIFrame("'none'", SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); 13 </script> 8 <p>A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p> 9 <script> 10 testNestedIFrame("'none'", SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); 11 </script> 14 12 </body> 15 13 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt
r195367 r197972 1 CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27self%27' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'". 2 A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. 1 CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='self'' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'". 3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".3 A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED. 5 4 6 7 PASS The inner IFrame passed.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 5 12 6 … … 16 10 Testing a cross-origin child with a policy of "'self'" nested in a same-origin parent. 17 11 18 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".19 20 21 IFrame load event fired: the IFrame is cross-origin (or was blocked).22 PASS The IFrame should have been blocked (or cross-origin). It was.23 12 24 13 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames."); 10 11 testNestedIFrame("'self'", SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p> 8 <script> 9 testNestedIFrame("'self'", SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); 10 </script> 13 11 </body> 14 12 </html> -
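Review bot: same wording problem as frame-ancestors-nested-cross-in-cross-self-block.html: the `<p>` and frame-ancestors-nested-cross-in-same-self-block-expected.txt talk about "a value 'same'" and "same-origin nested frames", but the policy is 'self' and the child (CROSS_ORIGIN, http://localhost:8080) is cross-origin to its SAME_ORIGIN parent, which is what triggers the block. Suggest "A 'frame-ancestors' CSP directive with a value 'self' should block rendering when an ancestor is cross-origin." in both files.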
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow-expected.txt
r195367 r197972 1 A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. 1 A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test PASSED if no console message declares that the frame was blocked. 2 2 3 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".4 5 6 Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test passes if no console message declares that the frame was blocked.7 PASS The inner IFrame passed.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 3 12 4 … … 16 8 Testing a cross-origin child with a policy of "*" nested in a same-origin parent. 17 9 18 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".19 20 21 IFrame load event fired: the IFrame is cross-origin (or was blocked).22 PASS The IFrame should have been blocked (or cross-origin). It was.23 10 24 11 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a value '*' should render in nested frames."); 10 11 debug("Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test passes if no console message declares that the frame was blocked."); 12 testNestedIFrame("*", SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); 13 </script> 7 <p>A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test PASSED if no console message declares that the frame was blocked.</p> 8 <script> 9 testNestedIFrame("*", SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); 10 </script> 14 11 </body> 15 12 </html> -
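Review bot: this is an -allow test whose `<p>` says the frame "should render in nested frames", yet testNestedIFrame is still called with EXPECT_BLOCK, and the paragraph keeps the old caveat that blocked and allowed cross-origin frames cannot be distinguished. That caveat existed because the middle frame used to inspect the inner frame through the DOM; with this patch the result is taken from dumping the contents of all child frames (per the ChangeLog), so the same-origin policy no longer limits what the test can observe, and the sibling frame-ancestors-nested-cross-in-cross-star-allow.html already uses EXPECT_LOAD with "PASSED if you see content in the inner-most nested iframe". Suggest EXPECT_LOAD here, dropping the caveat sentence, and rebaselining frame-ancestors-nested-cross-in-same-star-allow-expected.txt to the same form as the cross-in-cross variant.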
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow-expected.txt
r195367 r197972 1 A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. 1 A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test PASSED if no console message declares that the frame was blocked. 2 2 3 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".4 5 6 Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test passes if no console message declares that the frame was blocked.7 PASS The inner IFrame passed.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 3 12 4 … … 16 8 Testing a cross-origin child with a policy of "http://127.0.0.1:8000 http://localhost:8080" nested in a same-origin parent. 17 9 18 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".19 20 21 IFrame load event fired: the IFrame is cross-origin (or was blocked).22 PASS The IFrame should have been blocked (or cross-origin). It was.23 10 24 11 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate."); 10 11 debug("Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test passes if no console message declares that the frame was blocked."); 12 testNestedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); 13 </script> 7 <p>A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test PASSED if no console message declares that the frame was blocked.</p> 8 <script> 9 testNestedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); 10 </script> 14 11 </body> 15 12 </html> -
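Review bot: same inconsistency as frame-ancestors-nested-cross-in-same-star-allow.html: the policy `SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN` lists both ancestors (http://127.0.0.1:8000 and http://localhost:8080), the file is named -allow and the `<p>` promises rendering, but the call passes EXPECT_BLOCK and keeps the "can't distinguish blocked URLs from allowed cross-origin URLs" caveat that the child-frame dumping in this patch makes unnecessary. Use EXPECT_LOAD and the "PASSED if you see content in the inner-most nested iframe" wording that frame-ancestors-nested-cross-in-cross-url-allow.html already has, and rebaseline the expectation to match.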
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt
r195367 r197972 1 1 CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://localhost:8080' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors http://localhost:8080". 2 A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".3 A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED. 5 4 6 7 PASS The inner IFrame passed.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 5 12 6 … … 16 10 Testing a cross-origin child with a policy of "http://localhost:8080" nested in a same-origin parent. 17 11 18 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".19 20 21 IFrame load event fired: the IFrame is cross-origin (or was blocked).22 PASS The IFrame should have been blocked (or cross-origin). It was.23 12 24 13 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate."); 10 11 testNestedIFrame(CROSSORIGIN_ORIGIN, SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p> 8 <script> 9 testNestedIFrame(CROSSORIGIN_ORIGIN, SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK); 10 </script> 13 11 </body> 14 12 </html> -
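Review bot: With `<script src="/js-test-resources/js-test.js">` removed and `description()` replaced by a static `<p>`, nothing left on this page signals test completion; the only remaining script is `testNestedIFrame(CROSSORIGIN_ORIGIN, SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK)`. Please confirm that `frame-ancestors-test.js` (not part of this diff) now handles `testRunner.waitUntilDone()`/`notifyDone()` and `dumpChildFramesAsText()` itself, since the new -expected.txt files depend on the nested frames' text being dumped only after both frames have loaded. The same applies to every .html file in this change that drops js-test.js.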
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block-expected.txt
r195367 r197972 1 CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27none%27' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'". 2 A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. 1 CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='none'' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'". 3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".3 A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED. 5 4 6 7 PASS The inner IFrame passed.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 5 12 6 … … 16 10 Testing a same-origin child with a policy of "'none'" nested in a cross-origin parent. 17 11 18 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".19 20 21 IFrame load event fired: the IFrame is cross-origin (or was blocked).22 PASS The IFrame should have been blocked (or cross-origin). It was.23 12 24 13 -
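Review bot: The expected console message changes from `...frame-ancestors.pl?policy=%27none%27` to `...frame-ancestors.pl?policy='none'`, i.e. the child frame URL now carries unencoded single quotes in its query string. That is a change in how the test helper builds the URL, not in frame-ancestors enforcement; if it is intentional (and `frame-ancestors.pl` still receives `'none'` as the policy value), it is worth a sentence in the ChangeLog, because the same `%27` to `'` change appears in the expectations for frame-ancestors-nested-same-in-cross-self-block, frame-ancestors-nested-same-in-same-none-block, frame-ancestors-none-block and frame-ancestors-self-block below.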
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames."); 10 11 testNestedIFrame("'none'", CROSS_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p> 8 <script> 9 testNestedIFrame("'none'", CROSS_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK); 10 </script> 13 11 </body> 14 12 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block-expected.txt
r195367 r197972 1 CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27self%27' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'". 2 A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. 1 CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='self'' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'". 3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".3 A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED. 5 4 6 7 PASS The inner IFrame passed.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 5 12 6 … … 16 10 Testing a same-origin child with a policy of "'self'" nested in a cross-origin parent. 17 11 18 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".19 20 21 IFrame load event fired: the IFrame is cross-origin (or was blocked).22 PASS The IFrame should have been blocked (or cross-origin). It was.23 12 24 13 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames."); 10 11 testNestedIFrame("'self'", CROSS_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p> 8 <script> 9 testNestedIFrame("'self'", CROSS_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK); 10 </script> 13 11 </body> 14 12 </html> -
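Review bot: The description carried into the new `<p>` reads "with a value 'same' should block render in same-origin nested frames", but the directive under test is `'self'` (`testNestedIFrame("'self'", CROSS_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK)`), and what is blocked is a same-origin child whose ancestor is cross-origin. Suggested wording: "A 'frame-ancestors' CSP directive with the value 'self' should block rendering of a same-origin frame nested in a cross-origin parent." The -expected.txt above needs the same correction.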
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow-expected.txt
r195367 r197972 1 CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=*'. 2 A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. 1 A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED. 3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".5 6 7 PASS The inner IFrame passed.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 3 12 4 … … 16 8 Testing a same-origin child with a policy of "*" nested in a cross-origin parent. 17 9 18 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".19 20 21 PASS The IFrame should not have been blocked. It wasn't.22 10 23 11 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a value '*' should render in nested frames."); 10 11 testNestedIFrame("*", CROSS_ORIGIN, SAME_ORIGIN, EXPECT_LOAD); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.</p> 8 <script> 9 testNestedIFrame("*", CROSS_ORIGIN, SAME_ORIGIN, EXPECT_LOAD); 10 </script> 13 11 </body> 14 12 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow-expected.txt
r195367 r197972 1 CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://127.0.0.1:8000%20http://localhost:8080'. 2 A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. 1 A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED. 3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".5 6 7 PASS The inner IFrame passed.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 3 12 4 … … 16 8 Testing a same-origin child with a policy of "http://127.0.0.1:8000 http://localhost:8080" nested in a cross-origin parent. 17 9 18 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".19 20 21 PASS The IFrame should not have been blocked. It wasn't.22 10 23 11 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate."); 10 11 testNestedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, CROSS_ORIGIN, SAME_ORIGIN, EXPECT_LOAD); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.</p> 8 <script> 9 testNestedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, CROSS_ORIGIN, SAME_ORIGIN, EXPECT_LOAD); 10 </script> 13 11 </body> 14 12 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block-expected.txt
r195367 r197972 1 1 CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://127.0.0.1:8000' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors http://127.0.0.1:8000". 2 A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".3 A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED. 5 4 6 7 PASS The inner IFrame passed.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 5 12 6 … … 16 10 Testing a same-origin child with a policy of "http://127.0.0.1:8000" nested in a cross-origin parent. 17 11 18 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".19 20 21 IFrame load event fired: the IFrame is cross-origin (or was blocked).22 PASS The IFrame should have been blocked (or cross-origin). It was.23 12 24 13 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate."); 10 11 testNestedIFrame(SAMEORIGIN_ORIGIN, CROSS_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p> 8 <script> 9 testNestedIFrame(SAMEORIGIN_ORIGIN, CROSS_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK); 10 </script> 13 11 </body> 14 12 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt
r195367 r197972 1 CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27none%27' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'". 2 A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. 1 CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='none'' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'". 3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".3 A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED. 5 4 6 7 PASS The inner IFrame passed.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 5 12 6 … … 16 10 Testing a same-origin child with a policy of "'none'" nested in a same-origin parent. 17 11 18 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".19 20 21 IFrame load event fired: the IFrame is cross-origin (or was blocked).22 PASS The IFrame should have been blocked (or cross-origin). It was.23 12 24 13 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames."); 10 11 testNestedIFrame("'none'", SAME_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p> 8 <script> 9 testNestedIFrame("'none'", SAME_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK); 10 </script> 13 11 </body> 14 12 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow-expected.txt
r195367 r197972 1 CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27self%27'. 2 A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. 1 A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED. 3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".5 6 7 PASS The inner IFrame passed.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 3 12 4 … … 16 8 Testing a same-origin child with a policy of "'self'" nested in a same-origin parent. 17 9 18 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".19 20 21 PASS The IFrame should not have been blocked. It wasn't.22 10 23 11 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames."); 10 11 testNestedIFrame("'self'", SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.</p> 8 <script> 9 testNestedIFrame("'self'", SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD); 10 </script> 13 11 </body> 14 12 </html> -
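Review bot: The `<p>` text says the directive "should block render in same-origin nested frames", yet the script passes `EXPECT_LOAD` and the same sentence ends with "PASSED if you see content". The description was copied from the self-block test; for this allow case it should state that 'self' allows rendering of a same-origin frame nested in a same-origin parent, and the -expected.txt above must be updated in step so the dumped text still matches.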
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow-expected.txt
r195367 r197972 1 CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=*'. 2 A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. 1 A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED. 3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".5 6 7 PASS The inner IFrame passed.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 3 12 4 … … 16 8 Testing a same-origin child with a policy of "*" nested in a same-origin parent. 17 9 18 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".19 20 21 PASS The IFrame should not have been blocked. It wasn't.22 10 23 11 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a value '*' should render in nested frames."); 10 11 testNestedIFrame("*", SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.</p> 8 <script> 9 testNestedIFrame("*", SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD); 10 </script> 13 11 </body> 14 12 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow-expected.txt
r195367 r197972 1 CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://127.0.0.1:8000'. 2 A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. 1 A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED. 3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".5 6 7 PASS The inner IFrame passed.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 3 12 4 … … 16 8 Testing a same-origin child with a policy of "http://127.0.0.1:8000" nested in a same-origin parent. 17 9 18 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".19 20 21 PASS The IFrame should not have been blocked. It wasn't.22 10 23 11 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate."); 10 11 testNestedIFrame(SAMEORIGIN_ORIGIN, SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.</p> 8 <script> 9 testNestedIFrame(SAMEORIGIN_ORIGIN, SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD); 10 </script> 13 11 </body> 14 12 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt
r195367 r197972 1 1 CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://localhost:8080' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors http://localhost:8080". 2 A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".3 A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED. 5 4 6 7 PASS The inner IFrame passed.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 5 12 6 … … 16 10 Testing a same-origin child with a policy of "http://localhost:8080" nested in a same-origin parent. 17 11 18 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".19 20 21 IFrame load event fired: the IFrame is cross-origin (or was blocked).22 PASS The IFrame should have been blocked (or cross-origin). It was.23 12 24 13 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate."); 10 11 testNestedIFrame(CROSSORIGIN_ORIGIN, SAME_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p> 8 <script> 9 testNestedIFrame(CROSSORIGIN_ORIGIN, SAME_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK); 10 </script> 13 11 </body> 14 12 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block-expected.txt
r195367 r197972 1 CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27none%27' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'". 2 A 'frame-ancestors' CSP directive with a value 'none' should block rendering. 1 CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='none'' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'". 3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".3 A 'frame-ancestors' CSP directive with a value 'none' should block rendering. This test PASSED if you do not see any content in the iframe below. Otherwise, it FAILED. 5 4 6 7 IFrame load event fired: the IFrame is cross-origin (or was blocked).8 PASS The IFrame should have been blocked (or cross-origin). It was.9 PASS successfullyParsed is true10 11 TEST COMPLETE12 5 13 6 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a value 'none' should block rendering."); 10 11 sameOriginFrameShouldBeBlocked("'none'"); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a value 'none' should block rendering. This test PASSED if you do not see any content in the iframe below. Otherwise, it FAILED.</p> 8 <script> 9 sameOriginFrameShouldBeBlocked("'none'"); 10 </script> 13 11 </body> 14 12 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-protocolless-allow-expected.txt
r195367 r197972 1 CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=*.0.0.1:8000'. 2 A 'frame-ancestors' CSP directive with a value '*.0.0.1' should allow render in same-origin nested frames. 1 A 'frame-ancestors' CSP directive with a value '*.0.0.1' should allow render in same-origin nested frames. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED. 3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".5 6 7 PASS The inner IFrame passed.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 3 12 4 … … 16 8 Testing a same-origin child with a policy of "*.0.0.1:8000" nested in a same-origin parent. 17 9 18 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".19 20 21 PASS The IFrame should not have been blocked. It wasn't.22 10 23 11 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-protocolless-allow.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a value '*.0.0.1' should allow render in same-origin nested frames."); 10 11 testNestedIFrame("*.0.0.1:8000", SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a value '*.0.0.1' should allow render in same-origin nested frames. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.</p> 8 <script> 9 testNestedIFrame("*.0.0.1:8000", SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD); 10 </script> 13 11 </body> 14 12 </html> -
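Review bot: The prose says the value is '*.0.0.1' but the policy actually passed is `"*.0.0.1:8000"`; make the description match the argument. Also, "protocolless" in the file name refers to omitting the scheme, whereas the notable part of this source expression is a host wildcard applied to the IP literal 127.0.0.1; a one-line comment stating which of the two behaviours this test is meant to pin down would keep a future change to wildcard host matching from silently invalidating the expectation.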
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow-expected.txt
r195367 r197972 1 CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27self%27'. 2 A 'frame-ancestors' CSP directive with a value 'self' should allow rendering. 1 A 'frame-ancestors' CSP directive with a value 'self' should allow rendering. This test PASSED if you see content in the iframe below. Otherwise, it FAILED. 3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".5 6 7 PASS The IFrame should not have been blocked. It wasn't.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 3 12 4 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a value 'self' should allow rendering."); 10 11 sameOriginFrameShouldBeAllowed("'self'"); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a value 'self' should allow rendering. This test PASSED if you see content in the iframe below. Otherwise, it FAILED.</p> 8 <script> 9 sameOriginFrameShouldBeAllowed("'self'"); 10 </script> 13 11 </body> 14 12 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block-expected.txt
r195367 r197972 1 CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27self%27' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'". 2 A 'frame-ancestors' CSP directive with a value 'self' should allow rendering. 1 CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='self'' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'". 3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".3 A 'frame-ancestors' CSP directive with a value 'self' should allow rendering. This test PASSED if you do not see any content in the iframe below. Otherwise, it FAILED. 5 4 6 7 IFrame load event fired: the IFrame is cross-origin (or was blocked).8 PASS The IFrame should have been blocked (or cross-origin). It was.9 PASS successfullyParsed is true10 11 TEST COMPLETE12 5 13 6 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a value 'self' should allow rendering."); 10 11 crossOriginFrameShouldBeBlocked("'self'"); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a value 'self' should allow rendering. This test PASSED if you do not see any content in the iframe below. Otherwise, it FAILED.</p> 8 <script> 9 crossOriginFrameShouldBeBlocked("'self'"); 10 </script> 13 11 </body> 14 12 </html> -
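Review bot: The description "A 'frame-ancestors' CSP directive with a value 'self' should allow rendering" contradicts the helper called, `crossOriginFrameShouldBeBlocked("'self'")`, and the pass criterion "PASSED if you do not see any content in the iframe below". The text looks copied from frame-ancestors-self-allow.html; it should say that 'self' blocks rendering when the embedding page is cross-origin. Update the -expected.txt above as well.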
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin-expected.txt
r195367 r197972 1 A 'frame-ancestors' CSP directive with '*' should allow rendering. 1 A 'frame-ancestors' CSP directive with '*' should allow rendering. Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test PASSED if no console message declares that the frame was blocked. 2 2 3 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".4 5 6 Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test passes if no console message declares that the frame was blocked.7 IFrame load event fired: the IFrame is cross-origin (or was blocked).8 PASS The IFrame should have been blocked (or cross-origin). It was.9 PASS successfullyParsed is true10 11 TEST COMPLETE12 3 13 4 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with '*' should allow rendering."); 10 11 debug("Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test passes if no console message declares that the frame was blocked."); 12 crossOriginFrameShouldBeBlocked("*"); 13 </script> 7 <p>A 'frame-ancestors' CSP directive with '*' should allow rendering. Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test PASSED if no console message declares that the frame was blocked.</p> 8 <script> 9 crossOriginFrameShouldBeBlocked("*"); 10 </script> 14 11 </body> 15 12 </html> -
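Review bot: A test named star-allow-crossorigin that calls `crossOriginFrameShouldBeBlocked("*")` and passes on the absence of a "Refused to display" console message is only a negative check: a regression that blocks the frame without logging, or a change to the message text, would not be caught, and the helper name contradicts the intent. Since the expected output of frame-ancestors-nested-same-in-cross-url-allow-expected.txt elsewhere in this change already dumps the text of a cross-origin frame, this test could dump the cross-origin child's content and assert it is present, which would also let the "can't distinguish blocked URLs from allowed cross-origin URLs" caveat be dropped from the `<p>`.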
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin-expected.txt
r195367 r197972 1 CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=*'. 2 A 'frame-ancestors' CSP directive with '*' should allow rendering. 1 A 'frame-ancestors' CSP directive with '*' should allow rendering. This test PASSED if you see content in the iframe below. Otherwise, it FAILED. 3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".5 6 7 PASS The IFrame should not have been blocked. It wasn't.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 3 12 4 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with '*' should allow rendering."); 10 11 sameOriginFrameShouldBeAllowed("*"); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with '*' should allow rendering. This test PASSED if you see content in the iframe below. Otherwise, it FAILED.</p> 8 <script> 9 sameOriginFrameShouldBeAllowed("*"); 10 </script> 13 11 </body> 14 12 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow-expected.txt
r195367 r197972 1 CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://127.0.0.1:8000'. 2 A 'frame-ancestors' CSP directive with a URL matching this origin should allow rendering. 1 A 'frame-ancestors' CSP directive with a URL matching this origin should allow rendering. This test PASSED if you see content in the iframe below. Otherwise, it FAILED. 3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".5 6 7 PASS The IFrame should not have been blocked. It wasn't.8 PASS successfullyParsed is true9 10 TEST COMPLETE11 3 12 4 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a URL matching this origin should allow rendering."); 10 11 sameOriginFrameShouldBeAllowed(window.location.origin); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a URL matching this origin should allow rendering. This test PASSED if you see content in the iframe below. Otherwise, it FAILED.</p> 8 <script> 9 sameOriginFrameShouldBeAllowed(window.location.origin); 10 </script> 13 11 </body> 14 12 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block-expected.txt
r195367 r197972 1 1 CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://example.com/' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors http://example.com/". 2 A 'frame-ancestors' CSP directive with a URL which doesn't match this origin should be blocked.3 2 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".3 A 'frame-ancestors' CSP directive with a URL which doesn't match this origin should be blocked. This test PASSED if you do not see any content in the iframe below. Otherwise, it FAILED. 5 4 6 7 IFrame load event fired: the IFrame is cross-origin (or was blocked).8 PASS The IFrame should have been blocked (or cross-origin). It was.9 PASS successfullyParsed is true10 11 TEST COMPLETE12 5 13 6 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block.html
r195367 r197972 2 2 <html> 3 3 <head> 4 <script src="/js-test-resources/js-test.js"></script>5 4 <script src="../../resources/frame-ancestors-test.js"></script> 6 5 </head> 7 6 <body> 8 <script> 9 description("A 'frame-ancestors' CSP directive with a URL which doesn't match this origin should be blocked."); 10 11 crossOriginFrameShouldBeBlocked("http://example.com/"); 12 </script> 7 <p>A 'frame-ancestors' CSP directive with a URL which doesn't match this origin should be blocked. This test PASSED if you do not see any content in the iframe below. Otherwise, it FAILED.</p> 8 <script> 9 crossOriginFrameShouldBeBlocked("http://example.com/"); 10 </script> 13 11 </body> 14 12 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-test.js
r195367 r197972 8 8 var CROSSORIGIN_ORIGIN = "http://localhost:8080"; 9 9 10 window.jsTestIsAsync = true; 11 window.wasPostTestScriptParsed = true; 10 if (window.testRunner) { 11 testRunner.dumpAsText(); 12 testRunner.dumpChildFramesAsText(); 13 testRunner.waitUntilDone(); 14 } 12 15 13 if (window.testRunner) 14 testRunner.dumpChildFramesAsText(); 16 function done() { 17 if (window.testRunner) 18 testRunner.notifyDone(); 19 } 15 20 16 21 window.addEventListener("message", function (e) { 17 22 if (window.parent != window) { 18 23 window.parent.postMessage(e.data, "*"); 19 } else { 20 if (e.data) 21 testFailed("The inner IFrame failed."); 22 else 23 testPassed("The inner IFrame passed."); 24 25 finishJSTest(); 24 return; 26 25 } 26 done(); 27 27 }); 28 28 … … 41 41 } 42 42 43 function injectIFrame(policy, sameOrigin , expectBlock) {43 function injectIFrame(policy, sameOrigin) { 44 44 var iframe = document.createElement("iframe"); 45 iframe.addEventListener("load", iframeLoaded(expectBlock));46 iframe.addEventListener("error", iframeLoaded(expectBlock));45 iframe.addEventListener("load", handleFrameEvent); 46 iframe.addEventListener("error", handleFrameEvent); 47 47 48 48 var url = "/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=" + policy; … … 54 54 } 55 55 56 function iframeLoaded(expectBlock) { 57 return function(ev) { 58 var failed = true; 59 try { 60 console.log("IFrame load event fired: the IFrame's location is '" + ev.target.contentWindow.location.href + "'."); 61 if (expectBlock) { 62 testFailed("The IFrame should have been blocked (or cross-origin). It wasn't."); 63 failed = true; 64 } else { 65 testPassed("The IFrame should not have been blocked. It wasn't."); 66 failed = false; 67 } 68 } catch (ex) { 69 debug("IFrame load event fired: the IFrame is cross-origin (or was blocked)."); 70 if (expectBlock) { 71 testPassed("The IFrame should have been blocked (or cross-origin). 
It was."); 72 failed = false; 73 } else { 74 testFailed("The IFrame should not have been blocked. It was."); 75 failed = true; 76 } 77 } 78 if (window.parent != window) 79 window.parent.postMessage(failed, '*'); 80 else 81 finishJSTest(); 82 }; 56 function handleFrameEvent(event) { 57 if (window.parent != window) { 58 window.parent.postMessage(null, '*'); 59 return; 60 } 61 done(); 83 62 } 84 63 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-in-frame.pl
r195367 r197972 10 10 print "<html>\n"; 11 11 print "<body>\n"; 12 print " <script src='/js-test-resources/js-test.js'></script>\n";13 12 print " <script src='/security/contentSecurityPolicy/resources/frame-ancestors-test.js'></script>\n"; 13 print " <p>Testing a " . $cgi->param("child") . "-origin child with a policy of "" . $cgi->param("policy") . "" nested in a " . $cgi->param("parent") . "-origin parent.</p>"; 14 14 print " <script>\n"; 15 print " description(\"Testing a " . $cgi->param("child") . "-origin child with a policy of \\\"" . $cgi->param("policy") . "\\\" nested in a " . $cgi->param("parent") . "-origin parent.\");\n";16 15 print " " . $cgi->param("child") . "OriginFrameShouldBe" . $cgi->param("expectation") . "(\"" . $cgi->param("policy") . "\");\n"; 17 16 print " </script>\n"; -
trunk/Source/WebCore/ChangeLog
r197968 r197972 1 2016-03-10 Daniel Bates <dabates@apple.com> 2 3 CSP: Implement frame-ancestors directive 4 https://bugs.webkit.org/show_bug.cgi?id=154345 5 <rdar://problem/24702161> 6 7 Reviewed by Brent Fulgham. 8 9 Add support for the Content Security Policy directive frame-ancestors per the Content Security 10 Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721/>. 11 12 Tests: http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-meta-element-ignored.html 13 http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-report-only-ignored.html 14 http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html 15 http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html 16 http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html 17 http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html 18 19 * loader/DocumentLoader.cpp: 20 (WebCore::DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied): Extracted from DocumentLoader::responseReceived(). 21 (WebCore::DocumentLoader::responseReceived): Extracted logic to cancel a load and dispatch a DOM Load 22 event at the frame owner into DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(). 23 Make use of this function when loading of the frame is blocked by either the Content Security Policy or 24 the X-Frame-Option policy. We explicitly instantiate a ContentSecurityPolicy object with a SecurityOrigin 25 and Frame instead of using ScriptExecutionContext m_frame->document() because m_frame->document() is not 26 in a stable state (for instance, Document::m_url has not been initialized) as we are in the process of 27 loading the underlying document data for it. 
28 * loader/DocumentLoader.h: 29 * loader/FrameLoader.cpp: 30 (WebCore::FrameLoader::didBeginDocument): Pass ContentSecurityPolicy::ReportParsingErrors::No to silence 31 errors raised when parsing the Content Security Policy headers to avoid duplicate error messages. Any 32 parsing errors would have been raised when we parsed the Content Security Policy in DocumentLoader. 33 * page/csp/ContentSecurityPolicy.cpp: 34 (WebCore::ContentSecurityPolicy::ContentSecurityPolicy): Modified to take an optional pointer to a Frame (defaults 35 to nullptr). The specified Frame is used to support emitting console messages for violations/syntax errors and 36 send violation reports. We make use of this constructor variant in DocumentLoader to support emitting console 37 message and sending violation reports in the context of DocumentLoader where its associated Document is not in a 38 stable state and making use of a Frame seems less error prone. 39 (WebCore::ContentSecurityPolicy::didReceiveHeaders): Modified to take argument reportParsingErrors as 40 to whether to silence parsing errors when parsing the specified headers. 41 (WebCore::isAllowedByAllWithFrame): Helper function to query a ContentSecurityPolicyDirectiveList function 42 passing a Frame and URL for each Content Security Policy. 43 (WebCore::ContentSecurityPolicy::allowFrameAncestors): Calls WebCore::isAllowedByAllWithFrame(). 44 (WebCore::ContentSecurityPolicy::reportViolation): Modified to support sending a violation report when 45 we have a Frame and no ScriptExecutionContext (such as when we are instantiated in DocumentLoader). 46 Additionally, we only will send a report if reporting is enabled (i.e. ContentSecurityPolicy::m_isReportingEnabled == true). 47 (WebCore::ContentSecurityPolicy::logToConsole): Modified to support logging a message to the console 48 we have a Frame and no ScriptExecutionContext. We also only allow logging if reporting is enabled. 
49 * page/csp/ContentSecurityPolicy.h: 50 * page/csp/ContentSecurityPolicyDirectiveList.cpp: 51 (WebCore::checkFrameAncestors): Added. 52 (WebCore::ContentSecurityPolicyDirectiveList::checkFrameAncestorsAndReportViolation): Added. 53 (WebCore::ContentSecurityPolicyDirectiveList::allowFrameAncestors): Added. 54 (WebCore::ContentSecurityPolicyDirectiveList::parse): Ignore the directive frame-ancestors when defined 55 in a policy given in an HTML meta element and report such use as invalid. 56 (WebCore::ContentSecurityPolicyDirectiveList::addDirective): Parse the directive frame-ancestors. 57 * page/csp/ContentSecurityPolicyDirectiveList.h: 58 * page/csp/ContentSecurityPolicyResponseHeaders.h: Mark constructor "explicit". 59 1 60 2016-03-10 Jer Noble <jer.noble@apple.com> 2 61 -
trunk/Source/WebCore/loader/DocumentLoader.cpp
r197608 r197972 37 37 #include "CachedResourceLoader.h" 38 38 #include "ContentExtensionError.h" 39 #include "ContentSecurityPolicy.h" 39 40 #include "DOMWindow.h" 40 41 #include "Document.h" … … 616 617 } 617 618 619 void DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(unsigned long identifier, const ResourceResponse& response) 620 { 621 InspectorInstrumentation::continueAfterXFrameOptionsDenied(m_frame, *this, identifier, response); 622 m_frame->document()->enforceSandboxFlags(SandboxOrigin); 623 if (HTMLFrameOwnerElement* ownerElement = m_frame->ownerElement()) 624 ownerElement->dispatchEvent(Event::create(eventNames().loadEvent, false, false)); 625 626 // The load event might have detached this frame. In that case, the load will already have been cancelled during detach. 627 if (FrameLoader* frameLoader = this->frameLoader()) 628 cancelMainResourceLoad(frameLoader->cancelledError(m_request)); 629 } 630 618 631 void DocumentLoader::responseReceived(CachedResource* resource, const ResourceResponse& response) 619 632 { … … 635 648 return; 636 649 650 ASSERT(m_identifierForLoadWithoutResourceLoader || m_mainResource); 651 unsigned long identifier = m_identifierForLoadWithoutResourceLoader ? 
m_identifierForLoadWithoutResourceLoader : m_mainResource->identifier(); 652 ASSERT(identifier); 653 654 ContentSecurityPolicy contentSecurityPolicy(SecurityOrigin::create(response.url()), m_frame); 655 contentSecurityPolicy.didReceiveHeaders(ContentSecurityPolicyResponseHeaders(response)); 656 if (!contentSecurityPolicy.allowFrameAncestors(*m_frame, response.url())) { 657 stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(identifier, response); 658 return; 659 } 660 637 661 const auto& commonHeaders = response.httpHeaderFields().commonHeaders(); 638 662 auto it = commonHeaders.find(HTTPHeaderName::XFrameOptions); 639 663 if (it != commonHeaders.end()) { 640 664 String content = it->value; 641 ASSERT(m_identifierForLoadWithoutResourceLoader || m_mainResource);642 unsigned long identifier = m_identifierForLoadWithoutResourceLoader ? m_identifierForLoadWithoutResourceLoader : m_mainResource->identifier();643 ASSERT(identifier);644 665 if (frameLoader()->shouldInterruptLoadForXFrameOptions(content, response.url(), identifier)) { 645 InspectorInstrumentation::continueAfterXFrameOptionsDenied(m_frame, *this, identifier, response);646 666 String message = "Refused to display '" + response.url().stringCenterEllipsizedToLength() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'."; 647 frame()->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, identifier); 648 frame()->document()->enforceSandboxFlags(SandboxOrigin); 649 if (HTMLFrameOwnerElement* ownerElement = frame()->ownerElement()) 650 ownerElement->dispatchEvent(Event::create(eventNames().loadEvent, false, false)); 651 652 // The load event might have detached this frame. In that case, the load will already have been cancelled during detach. 
653 if (frameLoader()) 654 cancelMainResourceLoad(frameLoader()->cancelledError(m_request)); 667 m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, identifier); 668 stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(identifier, response); 655 669 return; 656 670 } -
trunk/Source/WebCore/loader/DocumentLoader.h
r197563 r197972 330 330 ResourceError interruptedForPolicyChangeError() const; 331 331 332 void stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(unsigned long identifier, const ResourceResponse&); 333 332 334 #if HAVE(RUNLOOP_TIMER) 333 335 typedef RunLoopTimer<DocumentLoader> DocumentLoaderTimer; -
trunk/Source/WebCore/loader/FrameLoader.cpp
r197950 r197972 689 689 m_frame.document()->parseDNSPrefetchControlHeader(dnsPrefetchControl); 690 690 691 m_frame.document()->contentSecurityPolicy()->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(m_documentLoader->response()) );691 m_frame.document()->contentSecurityPolicy()->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(m_documentLoader->response()), ContentSecurityPolicy::ReportParsingErrors::No); 692 692 693 693 String headerContentLanguage = m_documentLoader->response().httpHeaderField(HTTPHeaderName::ContentLanguage); -
trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp
r197944 r197972 53 53 #include <inspector/ScriptCallStack.h> 54 54 #include <inspector/ScriptCallStackFactory.h> 55 #include <wtf/TemporaryChange.h> 55 56 #include <wtf/text/TextPosition.h> 56 57 … … 69 70 } 70 71 71 ContentSecurityPolicy::ContentSecurityPolicy(const SecurityOrigin& securityOrigin) 72 : m_sandboxFlags(SandboxNone) 72 ContentSecurityPolicy::ContentSecurityPolicy(const SecurityOrigin& securityOrigin, const Frame* frame) 73 : m_frame(frame) 74 , m_sandboxFlags(SandboxNone) 73 75 { 74 76 m_selfSourceProtocol = securityOrigin.protocol(); … … 96 98 } 97 99 98 void ContentSecurityPolicy::didReceiveHeaders(const ContentSecurityPolicyResponseHeaders& headers) 99 { 100 void ContentSecurityPolicy::didReceiveHeaders(const ContentSecurityPolicyResponseHeaders& headers, ReportParsingErrors reportParsingErrors) 101 { 102 TemporaryChange<bool> isReportingEnabled(m_isReportingEnabled, reportParsingErrors == ReportParsingErrors::Yes); 100 103 for (auto& header : headers.m_headers) 101 104 didReceiveHeader(header.first, header.second, ContentSecurityPolicy::PolicyFrom::HTTPHeader); … … 156 159 return url.protocolIsInHTTPFamily(); 157 160 return equalIgnoringASCIICase(url.protocol(), m_selfSourceProtocol); 161 } 162 163 template<bool (ContentSecurityPolicyDirectiveList::*allowed)(const Frame&, const URL&, ContentSecurityPolicy::ReportingStatus) const> 164 static bool isAllowedByAllWithFrame(const CSPDirectiveListVector& policies, const Frame& frame, const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) 165 { 166 for (auto& policy : policies) { 167 if (!(policy.get()->*allowed)(frame, url, reportingStatus)) 168 return false; 169 } 170 return true; 158 171 } 159 172 … … 315 328 } 316 329 330 bool ContentSecurityPolicy::allowFrameAncestors(const Frame& frame, const URL& url, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const 331 { 332 if (overrideContentSecurityPolicy) 333 return true; 334 Frame& topFrame = 
frame.tree().top(); 335 if (&frame == &topFrame) 336 return true; 337 return isAllowedByAllWithFrame<&ContentSecurityPolicyDirectiveList::allowFrameAncestors>(m_policies, frame, url, reportingStatus); 338 } 339 317 340 String ContentSecurityPolicy::evalDisabledErrorMessage() const 318 341 { … … 427 450 logToConsole(consoleMessage, contextURL, contextLine, state); 428 451 452 if (!m_isReportingEnabled) 453 return; 454 429 455 // FIXME: Support sending reports from worker. 430 if (!is<Document>(m_scriptExecutionContext) )456 if (!is<Document>(m_scriptExecutionContext) && !m_frame) 431 457 return; 432 458 433 Document& document = downcast<Document>(*m_scriptExecutionContext); 459 // FIXME: We should not hardcode the directive names. We should make use of the constants in ContentSecurityPolicyDirectiveList.cpp. 460 // See <https://bugs.webkit.org/show_bug.cgi?id=155133>. 461 ASSERT(!m_frame || effectiveDirective == "frame-ancestors"); 462 463 Document& document = is<Document>(m_scriptExecutionContext) ? downcast<Document>(*m_scriptExecutionContext) : *m_frame->document(); 434 464 Frame* frame = document.frame(); 465 ASSERT(!m_frame || m_frame == frame); 435 466 if (!frame) 436 467 return; 437 468 438 String documentURI = document.url().strippedForUseAsReferrer(); 439 String referrer = document.referrer(); 440 String blockedURI = stripURLForUseInReport(document, blockedURL); 469 String documentURI; 470 String blockedURI; 471 if (is<Document>(m_scriptExecutionContext)) { 472 documentURI = document.url().strippedForUseAsReferrer(); 473 blockedURI = stripURLForUseInReport(document, blockedURL); 474 } else { 475 // The URL of |document| may not have been initialized (say, when reporting a frame-ancestors violation). 476 // So, we use the URL of the blocked document for the protected document URL. 
477 documentURI = blockedURL; 478 blockedURI = blockedURL; 479 } 441 480 String violatedDirective = directiveText; 442 481 String originalPolicy = header; 482 String referrer = document.referrer(); 443 483 ASSERT(document.loader()); 444 484 unsigned short statusCode = document.url().protocolIs("http") && document.loader() ? document.loader()->response().httpStatusCode() : 0; … … 586 626 void ContentSecurityPolicy::logToConsole(const String& message, const String& contextURL, const WTF::OrdinalNumber& contextLine, JSC::ExecState* state) const 587 627 { 628 if (!m_isReportingEnabled) 629 return; 630 588 631 // FIXME: <http://webkit.org/b/114317> ContentSecurityPolicy::logToConsole should include a column number 589 632 if (m_scriptExecutionContext) 590 633 m_scriptExecutionContext->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, contextURL, contextLine.oneBasedInt(), 0, state); 634 else if (m_frame && m_frame->document()) 635 static_cast<ScriptExecutionContext*>(m_frame->document())->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, contextURL, contextLine.oneBasedInt(), 0, state); 591 636 } 592 637 -
trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h
r197944 r197972 57 57 public: 58 58 explicit ContentSecurityPolicy(ScriptExecutionContext&); 59 explicit ContentSecurityPolicy(const SecurityOrigin& );59 explicit ContentSecurityPolicy(const SecurityOrigin&, const Frame* = nullptr); 60 60 ~ContentSecurityPolicy(); 61 61 … … 78 78 }; 79 79 ContentSecurityPolicyResponseHeaders responseHeaders() const; 80 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&); 80 enum ReportParsingErrors { No, Yes }; 81 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&, ReportParsingErrors = ReportParsingErrors::Yes); 81 82 void processHTTPEquiv(const String& content, ContentSecurityPolicyHeaderType type) { didReceiveHeader(content, type, ContentSecurityPolicy::PolicyFrom::HTTPEquivMeta); } 82 83 … … 104 105 bool allowFormAction(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const; 105 106 bool allowBaseURI(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const; 107 bool allowFrameAncestors(const Frame&, const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const; 106 108 107 109 void setOverrideAllowInlineStyle(bool); … … 161 163 const TextEncoding& documentEncoding() const; 162 164 165 // We can never have both a script execution context and a frame. 
163 166 ScriptExecutionContext* m_scriptExecutionContext { nullptr }; 167 const Frame* m_frame { nullptr }; 164 168 std::unique_ptr<ContentSecurityPolicySource> m_selfSource; 165 169 String m_selfSourceProtocol; … … 168 172 SandboxFlags m_sandboxFlags; 169 173 bool m_overrideInlineStyleAllowed { false }; 174 bool m_isReportingEnabled { true }; 170 175 OptionSet<ContentSecurityPolicyHashAlgorithm> m_hashAlgorithmsForInlineScripts; 171 176 OptionSet<ContentSecurityPolicyHashAlgorithm> m_hashAlgorithmsForInlineStylesheets; -
trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
r197944 r197972 28 28 #include "ContentSecurityPolicyDirectiveList.h" 29 29 30 #include "Document.h" 31 #include "Frame.h" 30 32 #include "ParsingUtilities.h" 31 33 #include "SecurityContext.h" … … 52 54 static const char formAction[] = "form-action"; 53 55 static const char pluginTypes[] = "plugin-types"; 56 static const char frameAncestors[] = "frame-ancestors"; 54 57 #if ENABLE(CSP_NEXT) 55 58 static const char reflectedXSS[] = "reflected-xss"; … … 129 132 { 130 133 return !directive || directive->allows(nonce); 134 } 135 136 static inline bool checkFrameAncestors(ContentSecurityPolicySourceListDirective* directive, const Frame& frame) 137 { 138 if (!directive) 139 return true; 140 for (Frame* current = frame.tree().parent(); current; current = current->tree().parent()) { 141 if (!directive->allows(current->document()->url())) 142 return false; 143 } 144 return true; 131 145 } 132 146 … … 265 279 } 266 280 281 bool ContentSecurityPolicyDirectiveList::checkFrameAncestorsAndReportViolation(ContentSecurityPolicySourceListDirective* directive, const Frame& frame, const URL& url, const String& effectiveDirective) const 282 { 283 if (checkFrameAncestors(directive, frame)) 284 return true; 285 reportViolation(directive->text(), effectiveDirective, makeString("Refused to display '", url.stringCenterEllipsizedToLength(), "' in a frame because an ancestor violates the following Content Security Policy directive: \"", directive->text(), "\".", '\n'), url); 286 return denyIfEnforcingPolicy(); 287 } 288 267 289 bool ContentSecurityPolicyDirectiveList::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const 268 290 { … … 415 437 return checkSourceAndReportViolation(m_baseURI.get(), url, baseURI); 416 438 return m_reportOnly || checkSource(m_baseURI.get(), url); 439 } 440 441 bool ContentSecurityPolicyDirectiveList::allowFrameAncestors(const Frame& frame, const URL& url, 
ContentSecurityPolicy::ReportingStatus reportingStatus) const 442 { 443 if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport) 444 return checkFrameAncestorsAndReportViolation(m_frameAncestors.get(), frame, url, frameAncestors); 445 return m_reportOnly || checkFrameAncestors(m_frameAncestors.get(), frame); 417 446 } 418 447 … … 439 468 switch (policyFrom) { 440 469 case ContentSecurityPolicy::PolicyFrom::HTTPEquivMeta: 441 if (equalLettersIgnoringASCIICase(name, sandbox) || equalLettersIgnoringASCIICase(name, reportURI)) { 470 if (equalLettersIgnoringASCIICase(name, sandbox) || equalLettersIgnoringASCIICase(name, reportURI) 471 || equalLettersIgnoringASCIICase(name, frameAncestors)) { 442 472 m_policy.reportInvalidDirectiveInHTTPEquivMeta(name); 443 473 break; … … 638 668 else if (equalLettersIgnoringASCIICase(name, baseURI)) 639 669 setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_baseURI); 640 else if (equalLettersIgnoringASCIICase(name, pluginTypes)) 670 else if (equalLettersIgnoringASCIICase(name, frameAncestors)) { 671 if (m_reportOnly) { 672 m_policy.reportInvalidDirectiveInReportOnlyMode(name); 673 return; 674 } 675 setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_frameAncestors); 676 } else if (equalLettersIgnoringASCIICase(name, pluginTypes)) 641 677 setCSPDirective<ContentSecurityPolicyMediaListDirective>(name, value, m_pluginTypes); 642 678 else if (equalLettersIgnoringASCIICase(name, sandbox)) -
trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h
r197944 r197972 72 72 bool allowBaseURI(const URL&, ContentSecurityPolicy::ReportingStatus) const; 73 73 74 bool allowFrameAncestors(const Frame&, const URL&, ContentSecurityPolicy::ReportingStatus) const; 75 74 76 const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorMessage; } 75 77 ContentSecurityPolicy::ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflectedXSSDisposition; } … … 99 101 100 102 bool checkSourceAndReportViolation(ContentSecurityPolicySourceListDirective*, const URL&, const String& effectiveDirective) const; 103 bool checkFrameAncestorsAndReportViolation(ContentSecurityPolicySourceListDirective*, const Frame&, const URL&, const String& effectiveDirective) const; 101 104 bool checkMediaTypeAndReportViolation(ContentSecurityPolicyMediaListDirective*, const String& type, const String& typeAttribute, const String& consoleMessage) const; 102 105 … … 120 123 std::unique_ptr<ContentSecurityPolicySourceListDirective> m_fontSrc; 121 124 std::unique_ptr<ContentSecurityPolicySourceListDirective> m_formAction; 125 std::unique_ptr<ContentSecurityPolicySourceListDirective> m_frameAncestors; 122 126 std::unique_ptr<ContentSecurityPolicySourceListDirective> m_frameSrc; 123 127 std::unique_ptr<ContentSecurityPolicySourceListDirective> m_imgSrc; -
trunk/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.h
r195948 r197972 44 44 class ContentSecurityPolicyResponseHeaders { 45 45 public: 46 ContentSecurityPolicyResponseHeaders(const ResourceResponse&);46 explicit ContentSecurityPolicyResponseHeaders(const ResourceResponse&); 47 47 48 48 ContentSecurityPolicyResponseHeaders isolatedCopy() const;
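Review bot: the description kept in frame-ancestors-star-allow-crossorigin.html (and its expected.txt) still says that blocked and allowed cross-origin frames cannot be distinguished and that the test passes if no console message appears, yet the harness's testRunner.dumpChildFramesAsText() dump is precisely what the rest of this change uses to tell an allowed child (content dumped) from a blocked one (no content); that sentence is stale and should describe the dump-based check like the other updated descriptions do. The call `crossOriginFrameShouldBeBlocked("*")` in an allow test is also misleading; an `...ShouldBeAllowed` variant, as the same-origin allow tests use, would say what is expected.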
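Review bot: in frame-ancestors-test.js, `handleFrameEvent(event)` never reads `event`, and the message listener still forwards `e.data` although `handleFrameEvent` now always posts `null`; since the message no longer carries a verdict, drop the parameter and add a one-line comment saying the postMessage is only a "child finished" signal, so the next reader does not look for a result in it. Routing both `load` and `error` to the same handler is fine for the dump-based check, but a comment noting that a refused frame still fires `load` (DocumentLoader dispatches a load event at the owner element when it cancels the load) would explain why listening for `error` alone is not enough.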
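Review bot: the new `<p>` line in frame-in-frame.pl, as rendered here, puts unescaped double quotes around the policy value inside a double-quoted Perl string (`"-origin child with a policy of "" . $cgi->param("policy") . "" nested in a "`), which does not parse if that is how the source reads; the removed `description(...)` line escaped them as `\\\"` and the remaining `OriginFrameShouldBe` line still uses `\"`, so use the same escaping (or `&quot;`) here. It is also the only `print` in this block without a trailing `\n`, so the generated markup loses its line break before `<script>`.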
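Review bot: in DocumentLoader::responseReceived the frame-ancestors check is evaluated and control then falls through to the X-Frame-Options check, so a response that frame-ancestors explicitly allows can still be refused by an X-Frame-Options header; CSP 2.0, which the ChangeLog cites, says that when an enforced policy carries frame-ancestors the X-Frame-Options header must be ignored. Either skip the X-Frame-Options branch when the parsed policy contained a frame-ancestors directive, or document the deliberate deviation in a comment. Separately, stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied() still calls InspectorInstrumentation::continueAfterXFrameOptionsDenied() on the CSP path, so the inspector will attribute a frame-ancestors refusal to X-Frame-Options; a CSP-specific hook, or at least a comment, would avoid the mislabel.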
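Review bot: the reason FrameLoader::didBeginDocument now passes ContentSecurityPolicy::ReportParsingErrors::No lives only in the ChangeLog (the headers were already parsed, and any syntax errors already logged, by the temporary policy in DocumentLoader::responseReceived); a one-line comment at the call site would stop a later reader from restoring the default and producing duplicate console messages.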
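Review bot: in ContentSecurityPolicy::reportViolation the new branch notes that `document.url()` may be uninitialised when `m_frame` is set and substitutes `blockedURL` for `documentURI`, but a few lines later `statusCode` is still computed from `document.url().protocolIs("http")` and `document.loader()->response()`, and `referrer` from `document.referrer()`; in the frame-ancestors case those describe the document currently in the frame, not the response being refused, so the report's `status-code` and `referrer` fields can be wrong. Since DocumentLoader already holds the ResourceResponse, consider deriving these from it in that path, or leaving them at 0/empty with a comment. The `static_cast<ScriptExecutionContext*>` in logToConsole also deserves a short comment saying why the cast is required.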
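Review bot: `enum ReportParsingErrors { No, Yes };` in ContentSecurityPolicy.h is an unscoped enum, so it injects the identifiers `No` and `Yes` into the class scope and converts implicitly to integral types; `enum class ReportParsingErrors { No, Yes };` avoids both while keeping the `ReportParsingErrors::No` spelling already used at the call sites. The comment "We can never have both a script execution context and a frame" would be stronger as an ASSERT in the two constructors, since reportViolation and logToConsole now branch on which of the two is set.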
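Review bot: in ContentSecurityPolicyDirectiveList.cpp, checkFrameAncestorsAndReportViolation() dereferences `directive->text()` after checkFrameAncestors() returned false, which is safe only because checkFrameAncestors() returns true for a null directive; a brief comment (or an ASSERT(directive) before the reportViolation call) would make that dependency explicit. In allowFrameAncestors() the `m_reportOnly ||` short-circuit is unreachable in practice, because addDirective() never stores frame-ancestors for a report-only list, so `m_frameAncestors` is always null there; keeping it for symmetry with allowBaseURI() is fine, but say so in a comment.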