IsolatedWorldCSP: Add more tests for navigation to javascript urls.

Add more tests for navigation to javascript urls in isolated worlds. The
tests show that the isolated world CSP is not enforced for them. This
will be fixed in a follow up. This doesn't introduce any behavior
change.

BUG=896041

Change-Id: I77510f4931608b2d0990ac5e6b60555d75959e9f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2262117Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Auto-Submit: Karan Bhatia <karandeepb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#782835}

third_party/blink/web_tests/http/tests/security/isolatedWorld/bypass-main-world-csp-javascript-urls-expected.txt

 ALERT: Running test #1
+ALERT: Isolated world with no CSP
+CONSOLE ERROR: Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
 
-ALERT: Bypass main world's CSP with javascript: URL
+ALERT: Running test #2
+ALERT: Isolated world with permissive CSP
 ALERT: iframe javascript: src running
-ALERT: iframe loaded
-ALERT: Running test #0
-
-This test ensures that scripts run in isolated worlds marked with their own Content Security Policy can bypass javascript: URL restrictions.
+ALERT: Running test #3
+ALERT: Isolated world with strict CSP
+ALERT: iframe javascript: src running
+ALERT: Running test #4
+This test verifies the behavior of navigations to javascript urls in isolated worlds and its interaction with the isolated world CSP.

third_party/blink/web_tests/http/tests/security/isolatedWorld/bypass-main-world-csp-javascript-urls.html

@@ -5,10 +5,8 @@
 <script src="resources/javascript-url-bypass.js"></script>
 </head>
 <body id="body">
-    <iframe id="testiframe"></iframe>
     <p>
-        This test ensures that scripts run in isolated worlds marked with their
-        own Content Security Policy can bypass javascript: URL restrictions.
+        This test verifies the behavior of navigations to javascript urls in isolated worlds and its interaction with the isolated world CSP.
     </p>
 </body>
 </html>

third_party/blink/web_tests/http/tests/security/isolatedWorld/resources/javascript-url-bypass.js

 if (window.testRunner) {
-    testRunner.dumpAsText();
-    testRunner.waitUntilDone();
+  testRunner.dumpAsText();
+  testRunner.waitUntilDone();
 }
 
-// This is needed because isolated worlds are not reset between test runs and a
-// previous test's CSP may interfere with this test. See
-// https://crbug.com/415845.
-testRunner.setIsolatedWorldInfo(1, null, null);
-
-tests = 1;
-window.addEventListener("message", function(message) {
-    tests -= 1;
-    test();
+let tests = 1;
+window.addEventListener('message', function(message) {
+  tests += 1;
+  test();
 }, false);
 
-function setup() {
+function setIframeSrcToJavaScript() {
+  const iframe = document.createElement('iframe');
+  document.body.appendChild(iframe);
 
-    var iframe = document.getElementById('testiframe');
-    iframe.onload = function () {
-        alert('iframe loaded');
-        window.postMessage("next", "*");
-    }
+  // Use a timeout to ensure the javascript alert below is executed before the
+  // next test begins.
+  setTimeout(() => {
+    window.postMessage('next', '*');
+  }, 100);
 
-    test();
+  iframe.src = 'javascript:alert(\'iframe javascript: src running\')';
 }
 
-function test() {
-    function setIframeSrcToJavaScript(num) {
-        var iframe = document.getElementById('testiframe');
-        // Provide a body in the iframe src to trigger an onload event once
-        // execution has finished.
-        iframe.src = "javascript:alert('iframe javascript: src running') || 'alerted'";
-    }
+const isolatedWorldID = 1;
+function testJavaScriptUrlInIsolatedWorld() {
+  testRunner.evaluateScriptInIsolatedWorld(
+      isolatedWorldID,
+      String(eval('setIframeSrcToJavaScript')) +
+          '\nsetIframeSrcToJavaScript();');
+}
 
-    alert("Running test #" + tests + "\n");
-    switch (tests) {
-        case 1:
-            alert("Bypass main world's CSP with javascript: URL");
-            testRunner.setIsolatedWorldInfo(1, "chrome-extension://123", "frame-src *; script-src 'unsafe-inline'");
-            testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setIframeSrcToJavaScript")) + "\nsetIframeSrcToJavaScript(1);");
-            break;
-        case 0:
-            testRunner.notifyDone();
-            break;
-    }
+function test() {
+  alert('Running test #' + tests);
+  switch (tests) {
+    case 1:
+      alert('Isolated world with no CSP');
+      testRunner.setIsolatedWorldInfo(isolatedWorldID, null, null);
+      testJavaScriptUrlInIsolatedWorld();
+      break;
+    case 2:
+      alert('Isolated world with permissive CSP');
+      testRunner.setIsolatedWorldInfo(
+          isolatedWorldID, 'chrome-extension://123',
+          'script-src \'unsafe-inline\'');
+      testJavaScriptUrlInIsolatedWorld();
+      break;
+    case 3:
+      alert('Isolated world with strict CSP');
+      testRunner.setIsolatedWorldInfo(
+          isolatedWorldID, 'chrome-extension://123', 'script-src \'none\'');
+      testJavaScriptUrlInIsolatedWorld();
+      break;
+    case 4:
+      testRunner.notifyDone();
+      break;
+  }
 }
 
-document.addEventListener('DOMContentLoaded', setup);
+document.addEventListener('DOMContentLoaded', test);