
Test some more edge cases for X-Frame-Options #24618

Merged
merged 15 commits into from
Aug 18, 2020
@@ -0,0 +1,54 @@
<!DOCTYPE html>
<meta charset="utf-8">
<title>Network errors with object elements</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>

<body>
<script>
"use strict";

async_test(t => {
const object = document.createElement("object");
object.data = "//{{hosts[][nonexistent]}}/";
object.onload = () => t.done();
object.onerror = t.unreached_func("error event must not fire");
document.body.append(object);
}, "new object: nonexistent host");

async_test(t => {
const object = document.createElement("object");
object.data = "../resources/not-embeddable.html";
object.onload = () => t.done();
object.onerror = t.unreached_func("error event must not fire");
document.body.append(object);
}, "new object: X-Frame-Options prevents embedding");

async_test(t => {
const object = document.createElement("object");
object.data = "/common/blank.html";
object.name = "existingObject1";
object.onload = t.step_func(() => {
object.onload = () => t.done();
object.onerror = t.unreached_func("error event must not fire 2");

frames.existingObject1.location.href = "//{{hosts[][nonexistent]}}/";
});
object.onerror = t.unreached_func("error event must not fire 1");
document.body.append(object);
}, "navigating an existing object: nonexistent host");

async_test(t => {
const object = document.createElement("object");
object.data = "/common/blank.html";
object.name = "existingObject2";
object.onload = t.step_func(() => {
object.onload = () => t.done();
object.onerror = t.unreached_func("error event must not fire 2");

frames.existingObject2.location.href = "../resources/not-embeddable.html";
});
object.onerror = t.unreached_func("error event must not fire 1");
document.body.append(object);
}, "navigating an existing object: X-Frame-Options prevents embedding");
</script>
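--- /dev/null
+++ b/x-frame-options/commas.sub.html
@@ -0,0 +1,79 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>X-Frame-Options headers with commas</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/helper.js"></script>
+
+<body>
+<script>
+"use strict";
+
+async_test(t => {
+const i = document.createElement("iframe");
+i.src = "./support/xfo.py?value=SAMEORIGIN,DENY";
+
+assert_no_message_from(i, t);
+
+i.onload = t.step_func_done(() => {
+assert_equals(i.contentDocument, null);
+});
+
+document.body.append(i);
+t.add_cleanup(() => i.remove());
+}, "SAMEORIGIN,DENY blocks same-origin framing");
+
+async_test(t => {
+const i = document.createElement("iframe");
+i.src = "./support/xfo.py?value=,SAMEORIGIN,,DENY,";
+
+assert_no_message_from(i, t);
+
+i.onload = t.step_func_done(() => {
+assert_equals(i.contentDocument, null);
+});
+
+document.body.append(i);
+t.add_cleanup(() => i.remove());
+}, ",SAMEORIGIN,,DENY, blocks same-origin framing");
+
+async_test(t => {
+const i = document.createElement("iframe");
+i.src = "./support/xfo.py?value=SAMEORIGIN,\"DENY\"";
+
+assert_no_message_from(i, t);
+
+i.onload = t.step_func_done(() => {
+assert_equals(i.contentDocument, null);
+});
+
+document.body.append(i);
+t.add_cleanup(() => i.remove());
+}, "SAMEORIGIN,\"DENY\" blocks same-origin framing");
+
+async_test(t => {
+const i = document.createElement("iframe");
+i.src = "./support/xfo.py?value=\"SAMEORIGIN,DENY\"";
+
+wait_for_message_from(i, t).then(t.step_func_done(e => {
+assert_equals(e.data, "Loaded");
+}));
+
+document.body.append(i);
+t.add_cleanup(() => i.remove());
+}, "\"SAMEORIGIN,DENY\" allows same-origin framing");
+
+async_test(t => {
+const i = document.createElement("iframe");
+i.src = "./support/xfo.py?value= SAMEORIGIN, DENY";
+
+assert_no_message_from(i, t);
+
+i.onload = t.step_func_done(() => {
+assert_equals(i.contentDocument, null);
+});
+
+document.body.append(i);
+t.add_cleanup(() => i.remove());
+}, " SAMEORIGIN, DENY blocks same-origin framing");
+</script>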
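Review bot: The expectation of the fourth test (`"SAMEORIGIN,DENY" allows same-origin framing`) is the one a reader will question, and nothing in the file says why a quoted value is ignored while `SAMEORIGIN,"DENY"` directly above it blocks. In the header get-decode-split algorithm a quoted string is kept as one token, so the inner comma does not split it and the single value is neither `deny` nor `sameorigin`, which makes the header invalid and ignored; the unquoted case yields two tokens, one of them `sameorigin`, and multiple values with a recognized directive block. Put that in a comment above the fourth `async_test`: `// The quoted string is a single token: the inner comma does not split it, so the value is not a recognized directive and the header is ignored.` The five tests differ only in the value and the expected outcome, so a small table of `[value, expectBlocked]` pairs driving one loop would make the set of exercised values easier to audit when new edge cases are added.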
28 changes: 28 additions & 0 deletions x-frame-options/deny.sub.html
Expand Up @@ -32,6 +32,34 @@
document.body.appendChild(i);
}, "`XFO: DENY` blocks cross-origin framing.");

async_test(t => {
var i = document.createElement('iframe');
i.src = "./support/xfo.py?value=denY";

assert_no_message_from(i, t);

i.onload = t.step_func_done(_ => {
assert_equals(i.contentDocument, null);
i.remove();
});

document.body.appendChild(i);
}, "`XFO: denY` blocks same-origin framing.");

async_test(t => {
var i = document.createElement('iframe');
i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=denY";

assert_no_message_from(i, t);

i.onload = t.step_func_done(_ => {
assert_equals(i.contentDocument, null);
i.remove();
});

document.body.appendChild(i);
}, "`XFO: denY` blocks cross-origin framing.");

async_test(t => {
var i = document.createElement('iframe');
i.src = "./support/xfo.py?value=DENY&csp_value=default-src%20'self'";
52 changes: 52 additions & 0 deletions x-frame-options/invalid.sub.html
Expand Up @@ -30,6 +30,58 @@
document.body.appendChild(i);
}, "`XFO: INVALID` allows cross-origin framing.");

async_test(t => {
var i = document.createElement('iframe');
i.src = "./support/xfo.py?value=ALLOW-FROM https://example.com/";

wait_for_message_from(i, t)
.then(t.step_func_done(e => {
assert_equals(e.data, "Loaded");
i.remove();
}));

document.body.appendChild(i);
}, "`XFO: ALLOWFROM` allows same-origin framing.");

async_test(t => {
var i = document.createElement('iframe');
i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=ALLOW-FROM https://example.com/";

wait_for_message_from(i, t)
.then(t.step_func_done(e => {
assert_equals(e.data, "Loaded");
i.remove();
}));

document.body.appendChild(i);
}, "`XFO: ALLOWFROM` allows cross-origin framing.");

async_test(t => {
var i = document.createElement('iframe');
i.src = "./support/xfo.py?value=ALLOW-FROM=https://example.com/";

wait_for_message_from(i, t)
.then(t.step_func_done(e => {
assert_equals(e.data, "Loaded");
i.remove();
}));

document.body.appendChild(i);
}, "`XFO: ALLOWFROM=` allows same-origin framing.");

async_test(t => {
var i = document.createElement('iframe');
i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=ALLOW-FROM=https://example.com/";

wait_for_message_from(i, t)
.then(t.step_func_done(e => {
assert_equals(e.data, "Loaded");
i.remove();
}));

document.body.appendChild(i);
}, "`XFO: ALLOWFROM=` allows cross-origin framing.");

async_test(t => {
var i = document.createElement('iframe');
i.src = "./support/xfo.py?value=ALLOWALL";
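Review bot: The four new test names say `XFO: ALLOWFROM` and `XFO: ALLOWFROM=`, while the header value actually sent is `ALLOW-FROM https://example.com/` and `ALLOW-FROM=https://example.com/`, so a failure report will not name the value that was exercised and the hyphen-less spelling is not a directive any server would send. Renaming them to repeat the exact value, e.g. `"`XFO: ALLOW-FROM https://example.com/` allows same-origin framing."`, keeps them consistent with the other names in this file, which all quote the header verbatim. The space in the `value=` query parameter is left for the URL parser to percent-encode; writing `ALLOW-FROM%20https://example.com/`, as deny.sub.html already does for the space in its `csp_value` parameter, would make the request value explicit. The last `async_test` in the hunk continues outside it.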
24 changes: 24 additions & 0 deletions x-frame-options/multiple.sub.html
Expand Up @@ -58,6 +58,18 @@
document.body.appendChild(i);
}, "`XFO: INVALID; XFO: SAMEORIGIN` allows same-origin framing.");

async_test(t => {
var i = document.createElement('iframe');
i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=INVALID&value2=SAMEORIGIN";

i.onload = t.step_func_done(_ => {
assert_equals(i.contentDocument, null);
i.remove();
});

document.body.appendChild(i);
}, "`XFO: INVALID; XFO: SAMEORIGIN` blocks cross-origin framing.");

async_test(t => {
var i = document.createElement('iframe');
i.src = "./support/xfo.py?value=SAMEORIGIN&value2=INVALID";
Expand All @@ -71,6 +83,18 @@
document.body.appendChild(i);
}, "`XFO: SAMEORIGIN; XFO: INVALID` allows same-origin framing.");

async_test(t => {
var i = document.createElement('iframe');
i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=SAMEORIGIN&value2=INVALID";

i.onload = t.step_func_done(_ => {
assert_equals(i.contentDocument, null);
i.remove();
});

document.body.appendChild(i);
}, "`XFO: SAMEORIGIN; XFO: INVALID` blocks cross-origin framing.");

async_test(t => {
var i = document.createElement('iframe');
i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=SAMEORIGIN&value2=SAMEORIGIN";
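Review bot: Both new cross-origin tests (`INVALID; SAMEORIGIN` and `SAMEORIGIN; INVALID` "blocks cross-origin framing") check only `assert_equals(i.contentDocument, null)`, and for a frame loaded from `{{domains[www]}}` `contentDocument` is null whether or not the document loaded, because the iframe is cross-origin; the assertion cannot tell a blocked frame from a loaded one. The other cross-origin blocking tests in this PR (the `denY` case in deny.sub.html and the `sameOriGin` case in sameorigin.sub.html) call `assert_no_message_from(i, t);` right after setting `i.src`, so a `Loaded` postMessage from the frame fails the test; the same line should be added to both tests here. Without it these tests pass in a browser that honours neither header for cross-origin frames, which is exactly the regression they exist to catch.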
27 changes: 27 additions & 0 deletions x-frame-options/sameorigin.sub.html
Expand Up @@ -17,6 +17,19 @@
document.body.appendChild(i);
}, "`XFO: SAMEORIGIN` allows same-origin framing.");

async_test(t => {
var i = document.createElement('iframe');
i.src = "./support/xfo.py?value=sameOriGin";

wait_for_message_from(i, t)
.then(t.step_func_done(e => {
assert_equals(e.data, "Loaded");
i.remove();
}));

document.body.appendChild(i);
}, "`XFO: sameOriGin` allows same-origin framing.");

async_test(t => {
var i = document.createElement('iframe');
i.src =
Expand Down Expand Up @@ -45,6 +58,20 @@
document.body.appendChild(i);
}, "`XFO: SAMEORIGIN` blocks cross-origin framing.");

async_test(t => {
var i = document.createElement('iframe');
i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=sameOriGin";

assert_no_message_from(i, t);

i.onload = t.step_func_done(_ => {
assert_equals(i.contentDocument, null);
i.remove();
});

document.body.appendChild(i);
}, "`XFO: sameOriGin` blocks cross-origin framing.");

async_test(t => {
var i = document.createElement('iframe');
i.src = "./support/nested.py?origin=http://{{domains[www]}}:{{ports[http][0]}}&value=SAMEORIGIN";