Add WPT for CSP frame-src 'self' on sandboxed embedder

The Content-Security-Policy keyword 'self' in a source expression is a placeholder for allowing sources with the same origin as the document. Even if the document is sandboxed (i.e. has a unique opaque origin), the keyword 'self' should match the document URL's origin. This test checks that a document with CSPs: Content-Security-Policy: sandbox; frame-src 'self' can still embed a frame delivered by the same document URL's origin. Bug: 1151323 Change-Id: Icba5fb8a15bca30ab807ca81ae97152122efb292 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2552593 Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/master@{#830203}

Add WPT for CSP frame-src 'self' on sandboxed embedder
The Content-Security-Policy keyword 'self' in a source expression is a placeholder for allowing sources with the same origin as the document. Even if the document is sandboxed (i.e. has a unique opaque origin), the keyword 'self' should match the document URL's origin. This test checks that a document with CSPs: Content-Security-Policy: sandbox; frame-src 'self' can still embed a frame delivered by the same document URL's origin. Bug: 1151323 Change-Id: Icba5fb8a15bca30ab807ca81ae97152122efb292 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2552593 Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/master@{#830203}
9ef9a71c · Antonio Sartori · Commit Bot · 238ee77b · 9ef9a71c · 9ef9a71c
Commit 9ef9a71c authored Nov 23, 2020 by Antonio Sartori Committed by Commit Bot Nov 23, 2020
3 changed files
--- a/third_party/blink/web_tests/external/wpt/content-security-policy/frame-src/frame-src-sandboxed-allowed-expected.txt
+++ b/third_party/blink/web_tests/external/wpt/content-security-policy/frame-src/frame-src-sandboxed-allowed-expected.txt
+This is a testharness.js-based test.
+FAIL SubframeLoaded assert_unreached: unexpected securitypolicyviolation Reached unreachable code
+Harness: the test ran to completion.
--- a/third_party/blink/web_tests/external/wpt/content-security-policy/frame-src/frame-src-sandboxed-allowed.html
+++ b/third_party/blink/web_tests/external/wpt/content-security-policy/frame-src/frame-src-sandboxed-allowed.html
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Frame-src: 'self' matches even if the parent's origin is unique.</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+  </head>
+  <body>
+    <script>
+      var t = async_test('SubframeLoaded');
+      window.addEventListener('securitypolicyviolation', t.step_func(function(e) {
+        if (e.violatedDirective === "frame-src") {
+          assert_unreached('unexpected securitypolicyviolation');
+          t.done();
+        }
+      }));
+      window.addEventListener("message", t.step_func(function(event) {
+        assert_equals(event.data, "PASS", 'unexpected message: ' + event.data);
+        t.done();
+      }));
+      f = document.createElement("iframe");
+      f.src = "/content-security-policy/support/postmessage-pass.html";
+      document.body.appendChild(f);
+    </script>
+  </body>
+</html>
--- a/third_party/blink/web_tests/external/wpt/content-security-policy/frame-src/frame-src-sandboxed-allowed.html.headers
+++ b/third_party/blink/web_tests/external/wpt/content-security-policy/frame-src/frame-src-sandboxed-allowed.html.headers
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Security-Policy: frame-src 'self'; sandbox allow-scripts