Bug 1631842 [wpt PR 23144] - Forward CSP, even for the initial empty document., a=testonly

Automatic update from web-platform-tests Forward CSP, even for the initial empty document. Bug 1064676 has been fixed by: https://chromium-review.googlesource.com/c/chromium/src/+/2111170 And tested by: https://chromium-review.googlesource.com/c/chromium/src/+/2144012 The bug was fixed for every CSP checked in the renderer process. However there are still an issue for the one checked in the browser process. It turns out the CSP in the initial empty document weren't properly propagated to the browser process. This patch: 1) Fix the bug by sending the CSP of the initial empty document. 2) Add a regression test (WPT). This patch can potentially also fix: - https://crbug.com/1072719 - https://crbug.com/955350 (I haven't checked. I will do it later after landing this patch) Bug: 1064676, 1072719, 955350 Change-Id: Ie5325035c74d9e2476d6c80af3e5d5c9068ea928 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2159242 Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Auto-Submit: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Cr-Commit-Position: refs/heads/master@{#762769} -- wpt-commits: 7179786e28b8266789355518b65b8df65aa962c2 wpt-pr: 23144
2020-04-28 11:45:25 +00:00 · 2020-04-28 11:45:25 +00:00 · 5e16ee915a
--- a/testing/web-platform/tests/content-security-policy/inheritance/frame-src-javascript-url.html
+++ b/testing/web-platform/tests/content-security-policy/inheritance/frame-src-javascript-url.html
@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="frame-src 'none'">
+
+<script>
+  const iframe_url = new URL("./support/empty.html", location.href);
+
+  // Regression test for: https://crbug.com/1064676
+  promise_test(async (t) => {
+    await new Promise(r => window.onload = r);
+
+    let url = `javascript:
+
+      window.addEventListener('securitypolicyviolation', e => {
+        parent.postMessage({
+          originalPolicy: e.originalPolicy,
+          blockedURI: e.blockedURI,
+        });
+      });
+
+      let iframe = document.createElement('iframe');
+      iframe.src = '${iframe_url}';
+      document.body.appendChild(iframe);
+
+    `;
+
+    let iframe = document.createElement('iframe');
+    iframe.src = encodeURI(url.replace(/\n/g, ""));
+
+    let violation = new Promise(r => window.addEventListener("message", r));
+    document.body.appendChild(iframe);
+    let {data} = await violation;
+
+    assert_equals(data.originalPolicy, "frame-src 'none'");
+    assert_equals(data.blockedURI, iframe_url.toString());
+
+  }, "<iframe src='javascript:...'>'s inherits policy (dynamically inserted <iframe> is blocked)");
+
+</script>
--- a/testing/web-platform/tests/content-security-policy/inheritance/support/empty.html
+++ b/testing/web-platform/tests/content-security-policy/inheritance/support/empty.html