<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[197972] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/197972">197972</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2016-03-10 16:45:13 -0800 (Thu, 10 Mar 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>CSP: Implement frame-ancestors directive
https://bugs.webkit.org/show_bug.cgi?id=154345
<rdar://problem/24702161>
Reviewed by Brent Fulgham.
Source/WebCore:
Add support for the Content Security Policy directive frame-ancestors per the Content Security
Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721/>.
Tests: http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-meta-element-ignored.html
http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-report-only-ignored.html
http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html
http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html
http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html
http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html
* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied): Extracted from DocumentLoader::responseReceived().
(WebCore::DocumentLoader::responseReceived): Extracted logic to cancel a load and dispatch a DOM Load
event at the frame owner into DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied().
Make use of this function when loading of the frame is blocked by either the Content Security Policy or
the X-Frame-Option policy. We explicitly instantiate a ContentSecurityPolicy object with a SecurityOrigin
and Frame instead of using ScriptExecutionContext m_frame->document() because m_frame->document() is not
in a stable state (for instance, Document::m_url has not been initialized) as we are in the process of
loading the underlying document data for it.
* loader/DocumentLoader.h:
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::didBeginDocument): Pass ContentSecurityPolicy::ReportParsingErrors::No to silence
errors raised when parsing the Content Security Policy headers to avoid duplicate error messages. Any
parsing errors would have been raised when we parsed the Content Security Policy in DocumentLoader.
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::ContentSecurityPolicy): Modified to take an optional pointer to a Frame (defaults
to nullptr). The specified Frame is used to support emitting console messages for violations/syntax errors and
send violation reports. We make use of this constructor variant in DocumentLoader to support emitting console
message and sending violation reports in the context of DocumentLoader where its associated Document is not in a
stable state and making use of a Frame seems less error prone.
(WebCore::ContentSecurityPolicy::didReceiveHeaders): Modified to take argument reportParsingErrors as
to whether to silence parsing errors when parsing the specified headers.
(WebCore::isAllowedByAllWithFrame): Helper function to query a ContentSecurityPolicyDirectiveList function
passing a Frame and URL for each Content Security Policy.
(WebCore::ContentSecurityPolicy::allowFrameAncestors): Calls WebCore::isAllowedByAllWithFrame().
(WebCore::ContentSecurityPolicy::reportViolation): Modified to support sending a violation report when
we have a Frame and no ScriptExecutionContext (such as when we are instantiated in DocumentLoader).
Additionally, we only will send a report if reporting is enabled (i.e. ContentSecurityPolicy::m_isReportingEnabled == true).
(WebCore::ContentSecurityPolicy::logToConsole): Modified to support logging a message to the console
we have a Frame and no ScriptExecutionContext. We also only allow logging if reporting is enabled.
* page/csp/ContentSecurityPolicy.h:
* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::checkFrameAncestors): Added.
(WebCore::ContentSecurityPolicyDirectiveList::checkFrameAncestorsAndReportViolation): Added.
(WebCore::ContentSecurityPolicyDirectiveList::allowFrameAncestors): Added.
(WebCore::ContentSecurityPolicyDirectiveList::parse): Ignore the directive frame-ancestors when defined
in a policy given in an HTML meta element and report such use as invalid.
(WebCore::ContentSecurityPolicyDirectiveList::addDirective): Parse the directive frame-ancestors.
* page/csp/ContentSecurityPolicyDirectiveList.h:
* page/csp/ContentSecurityPolicyResponseHeaders.h: Mark constructor "explicit".
LayoutTests:
Adds new tests to ensure we ignore directive frame-ancestors when defined a policy delivered
in an HTML meta element or in a report-only policy (i.e. delivered via HTTP header Content-
Security-Policy-Report-Only). Also adds new test to ensure that we send a violation report
when the directive frame-ancestors is violated.
Updated many existing tests and test results that unnecessarily depended on a DOM SecurityError
exception being thrown when accessing the content of a cross-origin frame. It is sufficient
and more direct to test directive frame-ancestors by dumping the contents of all children frames
on the page. We design the tests such that a child frame that was blocked by the frame-ancestors
directive is expected to have no content. A child frame that was allowed by the frame-ancestors
directive is expected to have content.
* TestExpectations: Mark frame-ancestors tests as PASS so that we run them.
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-meta-element-ignored-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-meta-element-ignored.html: Added.
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-report-only-ignored-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-report-only-ignored.html: Added.
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-protocolless-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-protocolless-allow.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html: Added.
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html: Added.
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html: Added.
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html: Added.
* http/tests/security/contentSecurityPolicy/resources/echo-intertag.pl: Added.
* http/tests/security/contentSecurityPolicy/resources/frame-ancestors-test.js:
(done): Added.
(injectIFrame): Modified to make use of handleFrameEvent().
(handleFrameEvent): Added.
(iframeLoaded): Deleted.
* http/tests/security/contentSecurityPolicy/resources/frame-in-frame.pl:</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsTestExpectations">trunk/LayoutTests/TestExpectations</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossnoneblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossnoneblockhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossselfblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossselfblockhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossstarallowexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossstarallowhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossurlallowexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossurlallowhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossurlblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossurlblockhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsamenoneblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsamenoneblockhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsameselfblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsameselfblockhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsamestarallowexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsamestarallowhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsameurlallowexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsameurlallowhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsameurlblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsameurlblockhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossnoneblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossnoneblockhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossselfblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossselfblockhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossstarallowexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossstarallowhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossurlallowexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossurlallowhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossurlblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossurlblockhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsamenoneblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsamenoneblockhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsameselfallowexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsameselfallowhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsamestarallowexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsamestarallowhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsameurlallowexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsameurlallowhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsameurlblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsameurlblockhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnoneblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnoneblockhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsprotocollessallowexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-protocolless-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsprotocollessallowhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-protocolless-allow.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsselfallowexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsselfallowhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsselfblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsselfblockhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsstarallowcrossoriginexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsstarallowcrossoriginhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsstarallowsameoriginexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsstarallowsameoriginhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsurlallowexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsurlallowhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsurlblockexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsurlblockhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesframeancestorstestjs">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-test.js</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesframeinframepl">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-in-frame.pl</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreloaderDocumentLoadercpp">trunk/Source/WebCore/loader/DocumentLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderDocumentLoaderh">trunk/Source/WebCore/loader/DocumentLoader.h</a></li>
<li><a href="#trunkSourceWebCoreloaderFrameLoadercpp">trunk/Source/WebCore/loader/FrameLoader.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicycpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyh">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyResponseHeadersh">trunk/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsinmetaelementignoredexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-meta-element-ignored-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsinmetaelementignoredhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-meta-element-ignored.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsinreportonlyignoredexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-report-only-ignored-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsinreportonlyignoredhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-report-only-ignored.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginhttpsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginhttpshtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginhttpsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginhttpshtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesechointertagpl">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-intertag.pl</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/ChangeLog 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,3 +1,100 @@
</span><ins>+2016-03-10 Daniel Bates <dabates@apple.com>
+
+ CSP: Implement frame-ancestors directive
+ https://bugs.webkit.org/show_bug.cgi?id=154345
+ <rdar://problem/24702161>
+
+ Reviewed by Brent Fulgham.
+
+ Adds new tests to ensure we ignore directive frame-ancestors when defined a policy delivered
+ in an HTML meta element or in a report-only policy (i.e. delivered via HTTP header Content-
+ Security-Policy-Report-Only). Also adds new test to ensure that we send a violation report
+ when the directive frame-ancestors is violated.
+
+ Updated many existing tests and test results that unnecessarily depended on a DOM SecurityError
+ exception being thrown when accessing the content of a cross-origin frame. It is sufficient
+ and more direct to test directive frame-ancestors by dumping the contents of all children frames
+ on the page. We design the tests such that a child frame that was blocked by the frame-ancestors
+ directive is expected to have no content. A child frame that was allowed by the frame-ancestors
+ directive is expected to have content.
+
+ * TestExpectations: Mark frame-ancestors tests as PASS so that we run them.
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-meta-element-ignored-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-meta-element-ignored.html: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-report-only-ignored-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-report-only-ignored.html: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-protocolless-allow-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-protocolless-allow.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html: Added.
+ * http/tests/security/contentSecurityPolicy/resources/echo-intertag.pl: Added.
+ * http/tests/security/contentSecurityPolicy/resources/frame-ancestors-test.js:
+ (done): Added.
+ (injectIFrame): Modified to make use of handleFrameEvent().
+ (handleFrameEvent): Added.
+ (iframeLoaded): Deleted.
+ * http/tests/security/contentSecurityPolicy/resources/frame-in-frame.pl:
+
</ins><span class="cx"> 2016-03-10 Andy VanWagoner <andy@instructure.com>
</span><span class="cx">
</span><span class="cx"> Add shouldNotBe to standalone test harness
</span></span></pre></div>
<a id="trunkLayoutTestsTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/TestExpectations (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/TestExpectations 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/TestExpectations 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -808,6 +808,7 @@
</span><span class="cx"> # Content Security Policy failures
</span><span class="cx"> webkit.org/b/85558 http/tests/security/contentSecurityPolicy/1.1
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/child-src [ Pass ]
</span><ins>+http/tests/security/contentSecurityPolicy/1.1/frame-ancestors [ Pass ]
</ins><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/form-action-src-allowed.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/form-action-src-default-ignored.html [ Pass ]
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsinmetaelementignoredexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-meta-element-ignored-expected.txt (0 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-meta-element-ignored-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-meta-element-ignored-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+CONSOLE MESSAGE: The Content Security Policy directive 'frame-ancestors' is ignored when delivered via an HTML meta element.
+Tests that loading a page in an <iframe> with Content Security Policy "frame-ancestors 'none'" is allowed. This test PASSED if you see the word PASS below. Otherwise, it FAILED.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsinmetaelementignoredhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-meta-element-ignored.html (0 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-meta-element-ignored.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-meta-element-ignored.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+}
+</script>
+</head>
+<p>Tests that loading a page in an &lt;iframe&gt; with Content Security Policy &quot;frame-ancestors 'none'&quot; is allowed. This test PASSED if you see the word PASS below. Otherwise, it FAILED.</p>
+<iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?head=%3Cmeta+http-equiv%3D%22Content-Security-Policy%22+content%3D%22frame-ancestors+%27none%27%22%3E&q=PASS"></iframe>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsinreportonlyignoredexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-report-only-ignored-expected.txt (0 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-report-only-ignored-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-report-only-ignored-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+CONSOLE MESSAGE: The Content Security Policy directive 'frame-ancestors' is ignored when delivered in a report-only policy.
+Tests that loading a page in an <iframe> with a report-only Content Security Policy "frame-ancestors 'none'" is allowed. This test PASSED if you see the word PASS below. Otherwise, it FAILED.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsinreportonlyignoredhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-report-only-ignored.html (0 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-report-only-ignored.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-report-only-ignored.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+}
+</script>
+</head>
+<p>Tests that loading a page in an &lt;iframe&gt; with a report-only Content Security Policy &quot;frame-ancestors 'none'&quot; is allowed. This test PASSED if you see the word PASS below. Otherwise, it FAILED.</p>
+<iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy-Report-Only%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php&q=PASS"></iframe>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossnoneblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,27 +1,16 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27none%27' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
-A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames.
</del><ins>+CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='none'' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><ins>+A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><span class="cx">
</span><del>-PASS The inner IFrame passed.
-PASS successfullyParsed is true
</del><span class="cx">
</span><del>-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span><span class="cx"> Testing a cross-origin child with a policy of "'none'" nested in a cross-origin parent.
</span><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-IFrame load event fired: the IFrame is cross-origin (or was blocked).
-PASS The IFrame should have been blocked (or cross-origin). It was.
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossnoneblockhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,14 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames.");
-
- testNestedIFrame("'none'", CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p>
+<script>
+testNestedIFrame("'none'", CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossselfblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,27 +1,16 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27self%27' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
-A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.
</del><ins>+CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='self'' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><ins>+A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><span class="cx">
</span><del>-PASS The inner IFrame passed.
-PASS successfullyParsed is true
</del><span class="cx">
</span><del>-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span><span class="cx"> Testing a cross-origin child with a policy of "'self'" nested in a cross-origin parent.
</span><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-IFrame load event fired: the IFrame is cross-origin (or was blocked).
-PASS The IFrame should have been blocked (or cross-origin). It was.
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossselfblockhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,14 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.");
-
- testNestedIFrame("'self'", CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p>
+<script>
+ testNestedIFrame("'self'", CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossstarallowexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,26 +1,14 @@
</span><del>-CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=*'.
-A 'frame-ancestors' CSP directive with a value '*' should render in nested frames.
</del><ins>+A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-PASS The inner IFrame passed.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span><span class="cx"> Testing a cross-origin child with a policy of "*" nested in a cross-origin parent.
</span><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-PASS The IFrame should not have been blocked. It wasn't.
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossstarallowhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,14 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a value '*' should render in nested frames.");
-
- testNestedIFrame("*", CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_LOAD);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.</p>
+<script>
+ testNestedIFrame("*", CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_LOAD);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossurlallowexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,26 +1,14 @@
</span><del>-CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://127.0.0.1:8000%20http://localhost:8080'.
-A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.
</del><ins>+A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-PASS The inner IFrame passed.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span><span class="cx"> Testing a cross-origin child with a policy of "http://127.0.0.1:8000 http://localhost:8080" nested in a cross-origin parent.
</span><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-PASS The IFrame should not have been blocked. It wasn't.
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossurlallowhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,14 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.");
-
- testNestedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_LOAD);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.</p>
+<script>
+ testNestedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_LOAD);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossurlblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,27 +1,16 @@
</span><span class="cx"> CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://localhost:8080' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors http://localhost:8080".
</span><del>-A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.
</del><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><ins>+A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><span class="cx">
</span><del>-PASS The inner IFrame passed.
-PASS successfullyParsed is true
</del><span class="cx">
</span><del>-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span><span class="cx"> Testing a cross-origin child with a policy of "http://localhost:8080" nested in a cross-origin parent.
</span><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-IFrame load event fired: the IFrame is cross-origin (or was blocked).
-PASS The IFrame should have been blocked (or cross-origin). It was.
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossincrossurlblockhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,14 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.");
-
- testNestedIFrame(CROSSORIGIN_ORIGIN, CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p>
+<script>
+ testNestedIFrame(CROSSORIGIN_ORIGIN, CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsamenoneblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,27 +1,16 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27none%27' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
-A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames.
</del><ins>+CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='none'' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><ins>+A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><span class="cx">
</span><del>-PASS The inner IFrame passed.
-PASS successfullyParsed is true
</del><span class="cx">
</span><del>-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span><span class="cx"> Testing a cross-origin child with a policy of "'none'" nested in a same-origin parent.
</span><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-IFrame load event fired: the IFrame is cross-origin (or was blocked).
-PASS The IFrame should have been blocked (or cross-origin). It was.
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsamenoneblockhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -2,15 +2,13 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames.");
-
- testNestedIFrame("'none'", SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p>
+<script>
+ testNestedIFrame("'none'", SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsameselfblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,27 +1,16 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27self%27' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
-A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.
</del><ins>+CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='self'' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><ins>+A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><span class="cx">
</span><del>-PASS The inner IFrame passed.
-PASS successfullyParsed is true
</del><span class="cx">
</span><del>-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span><span class="cx"> Testing a cross-origin child with a policy of "'self'" nested in a same-origin parent.
</span><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-IFrame load event fired: the IFrame is cross-origin (or was blocked).
-PASS The IFrame should have been blocked (or cross-origin). It was.
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsameselfblockhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,14 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.");
-
- testNestedIFrame("'self'", SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p>
+<script>
+ testNestedIFrame("'self'", SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsamestarallowexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,27 +1,14 @@
</span><del>-A 'frame-ancestors' CSP directive with a value '*' should render in nested frames.
</del><ins>+A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test PASSED if no console message declares that the frame was blocked.
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test passes if no console message declares that the frame was blocked.
-PASS The inner IFrame passed.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span><span class="cx"> Testing a cross-origin child with a policy of "*" nested in a same-origin parent.
</span><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-IFrame load event fired: the IFrame is cross-origin (or was blocked).
-PASS The IFrame should have been blocked (or cross-origin). It was.
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsamestarallowhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,15 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a value '*' should render in nested frames.");
-
- debug("Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test passes if no console message declares that the frame was blocked.");
- testNestedIFrame("*", SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test PASSED if no console message declares that the frame was blocked.</p>
+<script>
+ testNestedIFrame("*", SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsameurlallowexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,27 +1,14 @@
</span><del>-A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.
</del><ins>+A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test PASSED if no console message declares that the frame was blocked.
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test passes if no console message declares that the frame was blocked.
-PASS The inner IFrame passed.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span><span class="cx"> Testing a cross-origin child with a policy of "http://127.0.0.1:8000 http://localhost:8080" nested in a same-origin parent.
</span><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-IFrame load event fired: the IFrame is cross-origin (or was blocked).
-PASS The IFrame should have been blocked (or cross-origin). It was.
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsameurlallowhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,15 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.");
-
- debug("Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test passes if no console message declares that the frame was blocked.");
- testNestedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test PASSED if no console message declares that the frame was blocked.</p>
+<script>
+ testNestedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsameurlblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,27 +1,16 @@
</span><span class="cx"> CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://localhost:8080' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors http://localhost:8080".
</span><del>-A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.
</del><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><ins>+A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><span class="cx">
</span><del>-PASS The inner IFrame passed.
-PASS successfullyParsed is true
</del><span class="cx">
</span><del>-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span><span class="cx"> Testing a cross-origin child with a policy of "http://localhost:8080" nested in a same-origin parent.
</span><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-IFrame load event fired: the IFrame is cross-origin (or was blocked).
-PASS The IFrame should have been blocked (or cross-origin). It was.
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedcrossinsameurlblockhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,14 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.");
-
- testNestedIFrame(CROSSORIGIN_ORIGIN, SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p>
+<script>
+ testNestedIFrame(CROSSORIGIN_ORIGIN, SAME_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossnoneblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,27 +1,16 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27none%27' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
-A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames.
</del><ins>+CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='none'' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><ins>+A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><span class="cx">
</span><del>-PASS The inner IFrame passed.
-PASS successfullyParsed is true
</del><span class="cx">
</span><del>-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span><span class="cx"> Testing a same-origin child with a policy of "'none'" nested in a cross-origin parent.
</span><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-IFrame load event fired: the IFrame is cross-origin (or was blocked).
-PASS The IFrame should have been blocked (or cross-origin). It was.
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossnoneblockhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,14 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames.");
-
- testNestedIFrame("'none'", CROSS_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p>
+<script>
+ testNestedIFrame("'none'", CROSS_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossselfblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,27 +1,16 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27self%27' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
-A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.
</del><ins>+CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='self'' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><ins>+A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><span class="cx">
</span><del>-PASS The inner IFrame passed.
-PASS successfullyParsed is true
</del><span class="cx">
</span><del>-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span><span class="cx"> Testing a same-origin child with a policy of "'self'" nested in a cross-origin parent.
</span><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-IFrame load event fired: the IFrame is cross-origin (or was blocked).
-PASS The IFrame should have been blocked (or cross-origin). It was.
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossselfblockhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,14 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.");
-
- testNestedIFrame("'self'", CROSS_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p>
+<script>
+ testNestedIFrame("'self'", CROSS_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossstarallowexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,26 +1,14 @@
</span><del>-CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=*'.
-A 'frame-ancestors' CSP directive with a value '*' should render in nested frames.
</del><ins>+A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-PASS The inner IFrame passed.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span><span class="cx"> Testing a same-origin child with a policy of "*" nested in a cross-origin parent.
</span><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-PASS The IFrame should not have been blocked. It wasn't.
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossstarallowhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,14 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a value '*' should render in nested frames.");
-
- testNestedIFrame("*", CROSS_ORIGIN, SAME_ORIGIN, EXPECT_LOAD);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.</p>
+<script>
+ testNestedIFrame("*", CROSS_ORIGIN, SAME_ORIGIN, EXPECT_LOAD);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossurlallowexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,26 +1,14 @@
</span><del>-CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://127.0.0.1:8000%20http://localhost:8080'.
-A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.
</del><ins>+A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-PASS The inner IFrame passed.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span><span class="cx"> Testing a same-origin child with a policy of "http://127.0.0.1:8000 http://localhost:8080" nested in a cross-origin parent.
</span><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-PASS The IFrame should not have been blocked. It wasn't.
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossurlallowhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,14 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.");
-
- testNestedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, CROSS_ORIGIN, SAME_ORIGIN, EXPECT_LOAD);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.</p>
+<script>
+ testNestedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, CROSS_ORIGIN, SAME_ORIGIN, EXPECT_LOAD);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossurlblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,27 +1,16 @@
</span><span class="cx"> CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://127.0.0.1:8000' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors http://127.0.0.1:8000".
</span><del>-A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.
</del><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><ins>+A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><span class="cx">
</span><del>-PASS The inner IFrame passed.
-PASS successfullyParsed is true
</del><span class="cx">
</span><del>-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span><span class="cx"> Testing a same-origin child with a policy of "http://127.0.0.1:8000" nested in a cross-origin parent.
</span><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-IFrame load event fired: the IFrame is cross-origin (or was blocked).
-PASS The IFrame should have been blocked (or cross-origin). It was.
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameincrossurlblockhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,14 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.");
-
- testNestedIFrame(SAMEORIGIN_ORIGIN, CROSS_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p>
+<script>
+ testNestedIFrame(SAMEORIGIN_ORIGIN, CROSS_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsamenoneblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,27 +1,16 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27none%27' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
-A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames.
</del><ins>+CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='none'' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><ins>+A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><span class="cx">
</span><del>-PASS The inner IFrame passed.
-PASS successfullyParsed is true
</del><span class="cx">
</span><del>-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span><span class="cx"> Testing a same-origin child with a policy of "'none'" nested in a same-origin parent.
</span><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-IFrame load event fired: the IFrame is cross-origin (or was blocked).
-PASS The IFrame should have been blocked (or cross-origin). It was.
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsamenoneblockhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,14 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames.");
-
- testNestedIFrame("'none'", SAME_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a value 'none' should block rendering in nested frames. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p>
+<script>
+ testNestedIFrame("'none'", SAME_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsameselfallowexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,26 +1,14 @@
</span><del>-CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27self%27'.
-A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.
</del><ins>+A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-PASS The inner IFrame passed.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span><span class="cx"> Testing a same-origin child with a policy of "'self'" nested in a same-origin parent.
</span><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-PASS The IFrame should not have been blocked. It wasn't.
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsameselfallowhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,14 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames.");
-
- testNestedIFrame("'self'", SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a value 'same' should block render in same-origin nested frames. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.</p>
+<script>
+ testNestedIFrame("'self'", SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsamestarallowexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,26 +1,14 @@
</span><del>-CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=*'.
-A 'frame-ancestors' CSP directive with a value '*' should render in nested frames.
</del><ins>+A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-PASS The inner IFrame passed.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span><span class="cx"> Testing a same-origin child with a policy of "*" nested in a same-origin parent.
</span><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-PASS The IFrame should not have been blocked. It wasn't.
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsamestarallowhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,14 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a value '*' should render in nested frames.");
-
- testNestedIFrame("*", SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a value '*' should render in nested frames. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.</p>
+<script>
+ testNestedIFrame("*", SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsameurlallowexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,26 +1,14 @@
</span><del>-CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://127.0.0.1:8000'.
-A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.
</del><ins>+A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-PASS The inner IFrame passed.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span><span class="cx"> Testing a same-origin child with a policy of "http://127.0.0.1:8000" nested in a same-origin parent.
</span><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-PASS The IFrame should not have been blocked. It wasn't.
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsameurlallowhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,14 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.");
-
- testNestedIFrame(SAMEORIGIN_ORIGIN, SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.</p>
+<script>
+ testNestedIFrame(SAMEORIGIN_ORIGIN, SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsameurlblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,27 +1,16 @@
</span><span class="cx"> CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://localhost:8080' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors http://localhost:8080".
</span><del>-A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.
</del><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><ins>+A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><span class="cx">
</span><del>-PASS The inner IFrame passed.
-PASS successfullyParsed is true
</del><span class="cx">
</span><del>-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span><span class="cx"> Testing a same-origin child with a policy of "http://localhost:8080" nested in a same-origin parent.
</span><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-IFrame load event fired: the IFrame is cross-origin (or was blocked).
-PASS The IFrame should have been blocked (or cross-origin). It was.
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnestedsameinsameurlblockhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,14 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate.");
-
- testNestedIFrame(CROSSORIGIN_ORIGIN, SAME_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a URL value should block or allow rendering in nested frames as appropriate. This test PASSED if you do not see any content in the inner-most nested iframe below. Otherwise, it FAILED.</p>
+<script>
+ testNestedIFrame(CROSSORIGIN_ORIGIN, SAME_ORIGIN, SAME_ORIGIN, EXPECT_BLOCK);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnoneblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,16 +1,9 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27none%27' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
-A 'frame-ancestors' CSP directive with a value 'none' should block rendering.
</del><ins>+CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='none'' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><ins>+A 'frame-ancestors' CSP directive with a value 'none' should block rendering. This test PASSED if you do not see any content in the iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><span class="cx">
</span><del>-IFrame load event fired: the IFrame is cross-origin (or was blocked).
-PASS The IFrame should have been blocked (or cross-origin). It was.
-PASS successfullyParsed is true
</del><span class="cx">
</span><del>-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsnoneblockhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,15 +1,13 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a value 'none' should block rendering.");
-
- sameOriginFrameShouldBeBlocked("'none'");
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a value 'none' should block rendering. This test PASSED if you do not see any content in the iframe below. Otherwise, it FAILED.</p>
+<script>
+ sameOriginFrameShouldBeBlocked("'none'");
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsprotocollessallowexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-protocolless-allow-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-protocolless-allow-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-protocolless-allow-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,26 +1,14 @@
</span><del>-CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=*.0.0.1:8000'.
-A 'frame-ancestors' CSP directive with a value '*.0.0.1' should allow render in same-origin nested frames.
</del><ins>+A 'frame-ancestors' CSP directive with a value '*.0.0.1' should allow render in same-origin nested frames. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-PASS The inner IFrame passed.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span><span class="cx"> Testing a same-origin child with a policy of "*.0.0.1:8000" nested in a same-origin parent.
</span><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-PASS The IFrame should not have been blocked. It wasn't.
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsprotocollessallowhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-protocolless-allow.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-protocolless-allow.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-protocolless-allow.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,14 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a value '*.0.0.1' should allow render in same-origin nested frames.");
-
- testNestedIFrame("*.0.0.1:8000", SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a value '*.0.0.1' should allow render in same-origin nested frames. This test PASSED if you see content in the inner-most nested iframe below. Otherwise, it FAILED.</p>
+<script>
+ testNestedIFrame("*.0.0.1:8000", SAME_ORIGIN, SAME_ORIGIN, EXPECT_LOAD);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsselfallowexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,15 +1,7 @@
</span><del>-CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27self%27'.
-A 'frame-ancestors' CSP directive with a value 'self' should allow rendering.
</del><ins>+A 'frame-ancestors' CSP directive with a value 'self' should allow rendering. This test PASSED if you see content in the iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-PASS The IFrame should not have been blocked. It wasn't.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsselfallowhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,15 +1,13 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a value 'self' should allow rendering.");
-
- sameOriginFrameShouldBeAllowed("'self'");
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a value 'self' should allow rendering. This test PASSED if you see content in the iframe below. Otherwise, it FAILED.</p>
+<script>
+ sameOriginFrameShouldBeAllowed("'self'");
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsselfblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,16 +1,9 @@
</span><del>-CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=%27self%27' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
-A 'frame-ancestors' CSP directive with a value 'self' should allow rendering.
</del><ins>+CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy='self'' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><ins>+A 'frame-ancestors' CSP directive with a value 'self' should allow rendering. This test PASSED if you do not see any content in the iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><span class="cx">
</span><del>-IFrame load event fired: the IFrame is cross-origin (or was blocked).
-PASS The IFrame should have been blocked (or cross-origin). It was.
-PASS successfullyParsed is true
</del><span class="cx">
</span><del>-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsselfblockhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,15 +1,13 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a value 'self' should allow rendering.");
-
- crossOriginFrameShouldBeBlocked("'self'");
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a value 'self' should allow rendering. This test PASSED if you do not see any content in the iframe below. Otherwise, it FAILED.</p>
+<script>
+ crossOriginFrameShouldBeBlocked("'self'");
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsstarallowcrossoriginexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,16 +1,7 @@
</span><del>-A 'frame-ancestors' CSP directive with '*' should allow rendering.
</del><ins>+A 'frame-ancestors' CSP directive with '*' should allow rendering. Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test PASSED if no console message declares that the frame was blocked.
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test passes if no console message declares that the frame was blocked.
-IFrame load event fired: the IFrame is cross-origin (or was blocked).
-PASS The IFrame should have been blocked (or cross-origin). It was.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsstarallowcrossoriginhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,15 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with '*' should allow rendering.");
-
- debug("Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test passes if no console message declares that the frame was blocked.");
- crossOriginFrameShouldBeBlocked("*");
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with '*' should allow rendering. Note that we can't distinguish blocked URLs from allowed cross-origin URLs due to the same-origin policy. This test PASSED if no console message declares that the frame was blocked.</p>
+<script>
+ crossOriginFrameShouldBeBlocked("*");
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsstarallowsameoriginexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,15 +1,7 @@
</span><del>-CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=*'.
-A 'frame-ancestors' CSP directive with '*' should allow rendering.
</del><ins>+A 'frame-ancestors' CSP directive with '*' should allow rendering. This test PASSED if you see content in the iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-PASS The IFrame should not have been blocked. It wasn't.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsstarallowsameoriginhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,14 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with '*' should allow rendering.");
-
- sameOriginFrameShouldBeAllowed("*");
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with '*' should allow rendering. This test PASSED if you see content in the iframe below. Otherwise, it FAILED.</p>
+<script>
+ sameOriginFrameShouldBeAllowed("*");
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsurlallowexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,15 +1,7 @@
</span><del>-CONSOLE MESSAGE: line 60: IFrame load event fired: the IFrame's location is 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://127.0.0.1:8000'.
-A 'frame-ancestors' CSP directive with a URL matching this origin should allow rendering.
</del><ins>+A 'frame-ancestors' CSP directive with a URL matching this origin should allow rendering. This test PASSED if you see content in the iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><span class="cx">
</span><span class="cx">
</span><del>-PASS The IFrame should not have been blocked. It wasn't.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsurlallowhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,14 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a URL matching this origin should allow rendering.");
-
- sameOriginFrameShouldBeAllowed(window.location.origin);
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a URL matching this origin should allow rendering. This test PASSED if you see content in the iframe below. Otherwise, it FAILED.</p>
+<script>
+ sameOriginFrameShouldBeAllowed(window.location.origin);
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsurlblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block-expected.txt (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block-expected.txt 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,16 +1,9 @@
</span><span class="cx"> CONSOLE MESSAGE: Refused to display 'http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://example.com/' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors http://example.com/".
</span><del>-A 'frame-ancestors' CSP directive with a URL which doesn't match this origin should be blocked.
</del><span class="cx">
</span><del>-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</del><ins>+A 'frame-ancestors' CSP directive with a URL which doesn't match this origin should be blocked. This test PASSED if you do not see any content in the iframe below. Otherwise, it FAILED.
</ins><span class="cx">
</span><span class="cx">
</span><del>-IFrame load event fired: the IFrame is cross-origin (or was blocked).
-PASS The IFrame should have been blocked (or cross-origin). It was.
-PASS successfullyParsed is true
</del><span class="cx">
</span><del>-TEST COMPLETE
-
-
</del><span class="cx"> --------
</span><span class="cx"> Frame: '<!--framePath //<!--frame0-->-->'
</span><span class="cx"> --------
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsframeancestorsurlblockhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block.html (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block.html 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,14 +1,12 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <script src="/js-test-resources/js-test.js"></script>
</del><span class="cx"> <script src="../../resources/frame-ancestors-test.js"></script>
</span><span class="cx"> </head>
</span><span class="cx"> <body>
</span><del>- <script>
- description("A 'frame-ancestors' CSP directive with a URL which doesn't match this origin should be blocked.");
-
- crossOriginFrameShouldBeBlocked("http://example.com/");
- </script>
</del><ins>+<p>A 'frame-ancestors' CSP directive with a URL which doesn't match this origin should be blocked. This test PASSED if you do not see any content in the iframe below. Otherwise, it FAILED.</p>
+<script>
+ crossOriginFrameShouldBeBlocked("http://example.com/");
+</script>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt (0 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -0,0 +1,7 @@
</span><ins>+CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
+
+CSP report received:
+CONTENT_TYPE: application/csp-report
+REQUEST_METHOD: POST
+=== POST DATA ===
+{"csp-report":{"document-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-ori
gin.html&q=FAIL","status-code":0}}
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginhttpsexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt (0 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -0,0 +1,7 @@
</span><ins>+CONSOLE MESSAGE: Refused to display 'https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
+
+CSP report received:
+CONTENT_TYPE: application/csp-report
+REQUEST_METHOD: POST
+=== POST DATA ===
+{"csp-report":{"document-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-o
rigin.html&q=FAIL","status-code":0}}
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginhttpshtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html (0 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -0,0 +1,20 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<body>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
+}
+
+function navigateToReport()
+{
+ window.location = "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";
+}
+</script>
+</head>
+<iframe src="https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html (0 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -0,0 +1,20 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<body>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
+}
+
+function navigateToReport()
+{
+ window.location = "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";
+}
+</script>
+</head>
+<iframe src="http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt (0 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -0,0 +1,7 @@
</span><ins>+CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
+
+CSP report received:
+CONTENT_TYPE: application/csp-report
+REQUEST_METHOD: POST
+=== POST DATA ===
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin
.html&q=FAIL","status-code":0}}
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginhttpsexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt (0 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -0,0 +1,7 @@
</span><ins>+CONSOLE MESSAGE: Refused to display 'https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
+
+CSP report received:
+CONTENT_TYPE: application/csp-report
+REQUEST_METHOD: POST
+=== POST DATA ===
+{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-orig
in.html&q=FAIL","status-code":0}}
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginhttpshtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html (0 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -0,0 +1,20 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<body>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
+}
+
+function navigateToReport()
+{
+ window.location = "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html";
+}
+</script>
+</head>
+<iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html (0 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -0,0 +1,20 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<body>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
+}
+
+function navigateToReport()
+{
+ window.location = "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html";
+}
+</script>
+</head>
+<iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesechointertagpl"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-intertag.pl (0 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-intertag.pl (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-intertag.pl 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -0,0 +1,31 @@
</span><ins>+#!/usr/bin/perl -wT
+use strict;
+use CGI;
+
+my $cgi = new CGI;
+
+print "Content-Type: text/html; charset=" . ($cgi->param("charset") || "UTF8") . "\n";
+if ($cgi->param("header")) {
+ print $cgi->param("header") . "\n";
+}
+print "\n\n";
+print <<EOF;
+<!DOCTYPE html>
+<html>
+<head>
+EOF
+if ($cgi->param("head")) {
+ print $cgi->param("head") . "\n";
+}
+print <<EOF;
+</head>
+<body>
+EOF
+print $cgi->param("q") . "\n";
+if ($cgi->param("notifyDidLoad")) {
+ print '<script nonce="notifyDidLoad">window.top.postMessage("dispatchDidLoad", "*")</script>' . "\n";
+}
+print <<EOF;
+</body>
+</html>
+EOF
</ins><span class="cx">Property changes on: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-intertag.pl
</span><span class="cx">___________________________________________________________________
</span></span></pre></div>
<a id="svnexecutable"></a>
<div class="addfile"><h4>Added: svn:executable</h4></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesframeancestorstestjs"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-test.js (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-test.js 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-test.js 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -7,23 +7,23 @@
</span><span class="cx"> var SAMEORIGIN_ORIGIN = "http://127.0.0.1:8000";
</span><span class="cx"> var CROSSORIGIN_ORIGIN = "http://localhost:8080";
</span><span class="cx">
</span><del>-window.jsTestIsAsync = true;
-window.wasPostTestScriptParsed = true;
-
-if (window.testRunner)
</del><ins>+if (window.testRunner) {
+ testRunner.dumpAsText();
</ins><span class="cx"> testRunner.dumpChildFramesAsText();
</span><ins>+ testRunner.waitUntilDone();
+}
</ins><span class="cx">
</span><ins>+function done() {
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
</ins><span class="cx"> window.addEventListener("message", function (e) {
</span><span class="cx"> if (window.parent != window) {
</span><span class="cx"> window.parent.postMessage(e.data, "*");
</span><del>- } else {
- if (e.data)
- testFailed("The inner IFrame failed.");
- else
- testPassed("The inner IFrame passed.");
-
- finishJSTest();
</del><ins>+ return;
</ins><span class="cx"> }
</span><ins>+ done();
</ins><span class="cx"> });
</span><span class="cx">
</span><span class="cx"> function injectNestedIframe(policy, parent, child, expectation) {
</span><span class="lines">@@ -40,10 +40,10 @@
</span><span class="cx"> document.body.appendChild(iframe);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-function injectIFrame(policy, sameOrigin, expectBlock) {
</del><ins>+function injectIFrame(policy, sameOrigin) {
</ins><span class="cx"> var iframe = document.createElement("iframe");
</span><del>- iframe.addEventListener("load", iframeLoaded(expectBlock));
- iframe.addEventListener("error", iframeLoaded(expectBlock));
</del><ins>+ iframe.addEventListener("load", handleFrameEvent);
+ iframe.addEventListener("error", handleFrameEvent);
</ins><span class="cx">
</span><span class="cx"> var url = "/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=" + policy;
</span><span class="cx"> if (!sameOrigin)
</span><span class="lines">@@ -53,33 +53,12 @@
</span><span class="cx"> document.body.appendChild(iframe);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-function iframeLoaded(expectBlock) {
- return function(ev) {
- var failed = true;
- try {
- console.log("IFrame load event fired: the IFrame's location is '" + ev.target.contentWindow.location.href + "'.");
- if (expectBlock) {
- testFailed("The IFrame should have been blocked (or cross-origin). It wasn't.");
- failed = true;
- } else {
- testPassed("The IFrame should not have been blocked. It wasn't.");
- failed = false;
- }
- } catch (ex) {
- debug("IFrame load event fired: the IFrame is cross-origin (or was blocked).");
- if (expectBlock) {
- testPassed("The IFrame should have been blocked (or cross-origin). It was.");
- failed = false;
- } else {
- testFailed("The IFrame should not have been blocked. It was.");
- failed = true;
- }
- }
- if (window.parent != window)
- window.parent.postMessage(failed, '*');
- else
- finishJSTest();
- };
</del><ins>+function handleFrameEvent(event) {
+ if (window.parent != window) {
+ window.parent.postMessage(null, '*');
+ return;
+ }
+ done();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> function crossOriginFrameShouldBeBlocked(policy) {
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesframeinframepl"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-in-frame.pl (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-in-frame.pl 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-in-frame.pl 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -9,10 +9,9 @@
</span><span class="cx"> print "<!DOCTYPE html>\n";
</span><span class="cx"> print "<html>\n";
</span><span class="cx"> print "<body>\n";
</span><del>-print " <script src='/js-test-resources/js-test.js'></script>\n";
</del><span class="cx"> print " <script src='/security/contentSecurityPolicy/resources/frame-ancestors-test.js'></script>\n";
</span><ins>+print " <p>Testing a " . $cgi->param("child") . "-origin child with a policy of &quot;" . $cgi->param("policy") . "&quot; nested in a " . $cgi->param("parent") . "-origin parent.</p>";
</ins><span class="cx"> print " <script>\n";
</span><del>-print " description(\"Testing a " . $cgi->param("child") . "-origin child with a policy of \\\"" . $cgi->param("policy") . "\\\" nested in a " . $cgi->param("parent") . "-origin parent.\");\n";
</del><span class="cx"> print " " . $cgi->param("child") . "OriginFrameShouldBe" . $cgi->param("expectation") . "(\"" . $cgi->param("policy") . "\");\n";
</span><span class="cx"> print " </script>\n";
</span><span class="cx"> print "</body>\n";
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/Source/WebCore/ChangeLog 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -1,3 +1,62 @@
</span><ins>+2016-03-10 Daniel Bates <dabates@apple.com>
+
+ CSP: Implement frame-ancestors directive
+ https://bugs.webkit.org/show_bug.cgi?id=154345
+ <rdar://problem/24702161>
+
+ Reviewed by Brent Fulgham.
+
+ Add support for the Content Security Policy directive frame-ancestors per the Content Security
+ Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721/>.
+
+ Tests: http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-meta-element-ignored.html
+ http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-in-report-only-ignored.html
+ http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html
+ http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html
+ http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html
+ http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html
+
+ * loader/DocumentLoader.cpp:
+ (WebCore::DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied): Extracted from DocumentLoader::responseReceived().
+ (WebCore::DocumentLoader::responseReceived): Extracted logic to cancel a load and dispatch a DOM Load
+ event at the frame owner into DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied().
+ Make use of this function when loading of the frame is blocked by either the Content Security Policy or
+ the X-Frame-Option policy. We explicitly instantiate a ContentSecurityPolicy object with a SecurityOrigin
+ and Frame instead of using ScriptExecutionContext m_frame->document() because m_frame->document() is not
+ in a stable state (for instance, Document::m_url has not been initialized) as we are in the process of
+ loading the underlying document data for it.
+ * loader/DocumentLoader.h:
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::didBeginDocument): Pass ContentSecurityPolicy::ReportParsingErrors::No to silence
+ errors raised when parsing the Content Security Policy headers to avoid duplicate error messages. Any
+ parsing errors would have been raised when we parsed the Content Security Policy in DocumentLoader.
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::ContentSecurityPolicy): Modified to take an optional pointer to a Frame (defaults
+ to nullptr). The specified Frame is used to support emitting console messages for violations/syntax errors and
+ send violation reports. We make use of this constructor variant in DocumentLoader to support emitting console
+ message and sending violation reports in the context of DocumentLoader where its associated Document is not in a
+ stable state and making use of a Frame seems less error prone.
+ (WebCore::ContentSecurityPolicy::didReceiveHeaders): Modified to take argument reportParsingErrors as
+ to whether to silence parsing errors when parsing the specified headers.
+ (WebCore::isAllowedByAllWithFrame): Helper function to query a ContentSecurityPolicyDirectiveList function
+ passing a Frame and URL for each Content Security Policy.
+ (WebCore::ContentSecurityPolicy::allowFrameAncestors): Calls WebCore::isAllowedByAllWithFrame().
+ (WebCore::ContentSecurityPolicy::reportViolation): Modified to support sending a violation report when
+ we have a Frame and no ScriptExecutionContext (such as when we are instantiated in DocumentLoader).
+ Additionally, we only will send a report if reporting is enabled (i.e. ContentSecurityPolicy::m_isReportingEnabled == true).
+ (WebCore::ContentSecurityPolicy::logToConsole): Modified to support logging a message to the console
+ we have a Frame and no ScriptExecutionContext. We also only allow logging if reporting is enabled.
+ * page/csp/ContentSecurityPolicy.h:
+ * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+ (WebCore::checkFrameAncestors): Added.
+ (WebCore::ContentSecurityPolicyDirectiveList::checkFrameAncestorsAndReportViolation): Added.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowFrameAncestors): Added.
+ (WebCore::ContentSecurityPolicyDirectiveList::parse): Ignore the directive frame-ancestors when defined
+ in a policy given in an HTML meta element and report such use as invalid.
+ (WebCore::ContentSecurityPolicyDirectiveList::addDirective): Parse the directive frame-ancestors.
+ * page/csp/ContentSecurityPolicyDirectiveList.h:
+ * page/csp/ContentSecurityPolicyResponseHeaders.h: Mark constructor "explicit".
+
</ins><span class="cx"> 2016-03-10 Jer Noble <jer.noble@apple.com>
</span><span class="cx">
</span><span class="cx"> Add WebCore, WebKit, & WebKit2 preference/setting to enable Main Content heuristic.
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderDocumentLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/DocumentLoader.cpp (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/DocumentLoader.cpp 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/Source/WebCore/loader/DocumentLoader.cpp 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -36,6 +36,7 @@
</span><span class="cx"> #include "CachedRawResource.h"
</span><span class="cx"> #include "CachedResourceLoader.h"
</span><span class="cx"> #include "ContentExtensionError.h"
</span><ins>+#include "ContentSecurityPolicy.h"
</ins><span class="cx"> #include "DOMWindow.h"
</span><span class="cx"> #include "Document.h"
</span><span class="cx"> #include "DocumentParser.h"
</span><span class="lines">@@ -615,6 +616,18 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(unsigned long identifier, const ResourceResponse& response)
+{
+ InspectorInstrumentation::continueAfterXFrameOptionsDenied(m_frame, *this, identifier, response);
+ m_frame->document()->enforceSandboxFlags(SandboxOrigin);
+ if (HTMLFrameOwnerElement* ownerElement = m_frame->ownerElement())
+ ownerElement->dispatchEvent(Event::create(eventNames().loadEvent, false, false));
+
+ // The load event might have detached this frame. In that case, the load will already have been cancelled during detach.
+ if (FrameLoader* frameLoader = this->frameLoader())
+ cancelMainResourceLoad(frameLoader->cancelledError(m_request));
+}
+
</ins><span class="cx"> void DocumentLoader::responseReceived(CachedResource* resource, const ResourceResponse& response)
</span><span class="cx"> {
</span><span class="cx"> #if ENABLE(CONTENT_FILTERING)
</span><span class="lines">@@ -634,24 +647,25 @@
</span><span class="cx"> if (willLoadFallback)
</span><span class="cx"> return;
</span><span class="cx">
</span><ins>+ ASSERT(m_identifierForLoadWithoutResourceLoader || m_mainResource);
+ unsigned long identifier = m_identifierForLoadWithoutResourceLoader ? m_identifierForLoadWithoutResourceLoader : m_mainResource->identifier();
+ ASSERT(identifier);
+
+ ContentSecurityPolicy contentSecurityPolicy(SecurityOrigin::create(response.url()), m_frame);
+ contentSecurityPolicy.didReceiveHeaders(ContentSecurityPolicyResponseHeaders(response));
+ if (!contentSecurityPolicy.allowFrameAncestors(*m_frame, response.url())) {
+ stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(identifier, response);
+ return;
+ }
+
</ins><span class="cx"> const auto& commonHeaders = response.httpHeaderFields().commonHeaders();
</span><span class="cx"> auto it = commonHeaders.find(HTTPHeaderName::XFrameOptions);
</span><span class="cx"> if (it != commonHeaders.end()) {
</span><span class="cx"> String content = it->value;
</span><del>- ASSERT(m_identifierForLoadWithoutResourceLoader || m_mainResource);
- unsigned long identifier = m_identifierForLoadWithoutResourceLoader ? m_identifierForLoadWithoutResourceLoader : m_mainResource->identifier();
- ASSERT(identifier);
</del><span class="cx"> if (frameLoader()->shouldInterruptLoadForXFrameOptions(content, response.url(), identifier)) {
</span><del>- InspectorInstrumentation::continueAfterXFrameOptionsDenied(m_frame, *this, identifier, response);
</del><span class="cx"> String message = "Refused to display '" + response.url().stringCenterEllipsizedToLength() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
</span><del>- frame()->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, identifier);
- frame()->document()->enforceSandboxFlags(SandboxOrigin);
- if (HTMLFrameOwnerElement* ownerElement = frame()->ownerElement())
- ownerElement->dispatchEvent(Event::create(eventNames().loadEvent, false, false));
-
- // The load event might have detached this frame. In that case, the load will already have been cancelled during detach.
- if (frameLoader())
- cancelMainResourceLoad(frameLoader()->cancelledError(m_request));
</del><ins>+ m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, identifier);
+ stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(identifier, response);
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderDocumentLoaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/DocumentLoader.h (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/DocumentLoader.h 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/Source/WebCore/loader/DocumentLoader.h 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -329,6 +329,8 @@
</span><span class="cx"> void stopLoadingForPolicyChange();
</span><span class="cx"> ResourceError interruptedForPolicyChangeError() const;
</span><span class="cx">
</span><ins>+ void stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(unsigned long identifier, const ResourceResponse&);
+
</ins><span class="cx"> #if HAVE(RUNLOOP_TIMER)
</span><span class="cx"> typedef RunLoopTimer<DocumentLoader> DocumentLoaderTimer;
</span><span class="cx"> #else
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderFrameLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/FrameLoader.cpp 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -688,7 +688,7 @@
</span><span class="cx"> if (!dnsPrefetchControl.isEmpty())
</span><span class="cx"> m_frame.document()->parseDNSPrefetchControlHeader(dnsPrefetchControl);
</span><span class="cx">
</span><del>- m_frame.document()->contentSecurityPolicy()->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(m_documentLoader->response()));
</del><ins>+ m_frame.document()->contentSecurityPolicy()->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(m_documentLoader->response()), ContentSecurityPolicy::ReportParsingErrors::No);
</ins><span class="cx">
</span><span class="cx"> String headerContentLanguage = m_documentLoader->response().httpHeaderField(HTTPHeaderName::ContentLanguage);
</span><span class="cx"> if (!headerContentLanguage.isEmpty()) {
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -52,6 +52,7 @@
</span><span class="cx"> #include <inspector/InspectorValues.h>
</span><span class="cx"> #include <inspector/ScriptCallStack.h>
</span><span class="cx"> #include <inspector/ScriptCallStackFactory.h>
</span><ins>+#include <wtf/TemporaryChange.h>
</ins><span class="cx"> #include <wtf/text/TextPosition.h>
</span><span class="cx">
</span><span class="cx"> using namespace Inspector;
</span><span class="lines">@@ -68,8 +69,9 @@
</span><span class="cx"> m_selfSource = std::make_unique<ContentSecurityPolicySource>(*this, m_selfSourceProtocol, securityOrigin.host(), securityOrigin.port(), emptyString(), false, false);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-ContentSecurityPolicy::ContentSecurityPolicy(const SecurityOrigin& securityOrigin)
- : m_sandboxFlags(SandboxNone)
</del><ins>+ContentSecurityPolicy::ContentSecurityPolicy(const SecurityOrigin& securityOrigin, const Frame* frame)
+ : m_frame(frame)
+ , m_sandboxFlags(SandboxNone)
</ins><span class="cx"> {
</span><span class="cx"> m_selfSourceProtocol = securityOrigin.protocol();
</span><span class="cx"> m_selfSource = std::make_unique<ContentSecurityPolicySource>(*this, m_selfSourceProtocol, securityOrigin.host(), securityOrigin.port(), emptyString(), false, false);
</span><span class="lines">@@ -95,8 +97,9 @@
</span><span class="cx"> return result;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void ContentSecurityPolicy::didReceiveHeaders(const ContentSecurityPolicyResponseHeaders& headers)
</del><ins>+void ContentSecurityPolicy::didReceiveHeaders(const ContentSecurityPolicyResponseHeaders& headers, ReportParsingErrors reportParsingErrors)
</ins><span class="cx"> {
</span><ins>+ TemporaryChange<bool> isReportingEnabled(m_isReportingEnabled, reportParsingErrors == ReportParsingErrors::Yes);
</ins><span class="cx"> for (auto& header : headers.m_headers)
</span><span class="cx"> didReceiveHeader(header.first, header.second, ContentSecurityPolicy::PolicyFrom::HTTPHeader);
</span><span class="cx"> }
</span><span class="lines">@@ -157,6 +160,16 @@
</span><span class="cx"> return equalIgnoringASCIICase(url.protocol(), m_selfSourceProtocol);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+template<bool (ContentSecurityPolicyDirectiveList::*allowed)(const Frame&, const URL&, ContentSecurityPolicy::ReportingStatus) const>
+static bool isAllowedByAllWithFrame(const CSPDirectiveListVector& policies, const Frame& frame, const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus)
+{
+ for (auto& policy : policies) {
+ if (!(policy.get()->*allowed)(frame, url, reportingStatus))
+ return false;
+ }
+ return true;
+}
+
</ins><span class="cx"> template<bool (ContentSecurityPolicyDirectiveList::*allowed)(ContentSecurityPolicy::ReportingStatus) const>
</span><span class="cx"> bool isAllowedByAll(const CSPDirectiveListVector& policies, ContentSecurityPolicy::ReportingStatus reportingStatus)
</span><span class="cx"> {
</span><span class="lines">@@ -314,6 +327,16 @@
</span><span class="cx"> return overrideContentSecurityPolicy || isAllowedByAllWithState<&ContentSecurityPolicyDirectiveList::allowEval>(m_policies, state, reportingStatus);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool ContentSecurityPolicy::allowFrameAncestors(const Frame& frame, const URL& url, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+{
+ if (overrideContentSecurityPolicy)
+ return true;
+ Frame& topFrame = frame.tree().top();
+ if (&frame == &topFrame)
+ return true;
+ return isAllowedByAllWithFrame<&ContentSecurityPolicyDirectiveList::allowFrameAncestors>(m_policies, frame, url, reportingStatus);
+}
+
</ins><span class="cx"> String ContentSecurityPolicy::evalDisabledErrorMessage() const
</span><span class="cx"> {
</span><span class="cx"> for (auto& policy : m_policies) {
</span><span class="lines">@@ -426,20 +449,37 @@
</span><span class="cx"> {
</span><span class="cx"> logToConsole(consoleMessage, contextURL, contextLine, state);
</span><span class="cx">
</span><ins>+ if (!m_isReportingEnabled)
+ return;
+
</ins><span class="cx"> // FIXME: Support sending reports from worker.
</span><del>- if (!is<Document>(m_scriptExecutionContext))
</del><ins>+ if (!is<Document>(m_scriptExecutionContext) && !m_frame)
</ins><span class="cx"> return;
</span><span class="cx">
</span><del>- Document& document = downcast<Document>(*m_scriptExecutionContext);
</del><ins>+ // FIXME: We should not hardcode the directive names. We should make use of the constants in ContentSecurityPolicyDirectiveList.cpp.
+ // See <https://bugs.webkit.org/show_bug.cgi?id=155133>.
+ ASSERT(!m_frame || effectiveDirective == "frame-ancestors");
+
+ Document& document = is<Document>(m_scriptExecutionContext) ? downcast<Document>(*m_scriptExecutionContext) : *m_frame->document();
</ins><span class="cx"> Frame* frame = document.frame();
</span><ins>+ ASSERT(!m_frame || m_frame == frame);
</ins><span class="cx"> if (!frame)
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- String documentURI = document.url().strippedForUseAsReferrer();
- String referrer = document.referrer();
- String blockedURI = stripURLForUseInReport(document, blockedURL);
</del><ins>+ String documentURI;
+ String blockedURI;
+ if (is<Document>(m_scriptExecutionContext)) {
+ documentURI = document.url().strippedForUseAsReferrer();
+ blockedURI = stripURLForUseInReport(document, blockedURL);
+ } else {
+ // The URL of |document| may not have been initialized (say, when reporting a frame-ancestors violation).
+ // So, we use the URL of the blocked document for the protected document URL.
+ documentURI = blockedURL;
+ blockedURI = blockedURL;
+ }
</ins><span class="cx"> String violatedDirective = directiveText;
</span><span class="cx"> String originalPolicy = header;
</span><ins>+ String referrer = document.referrer();
</ins><span class="cx"> ASSERT(document.loader());
</span><span class="cx"> unsigned short statusCode = document.url().protocolIs("http") && document.loader() ? document.loader()->response().httpStatusCode() : 0;
</span><span class="cx">
</span><span class="lines">@@ -585,9 +625,14 @@
</span><span class="cx">
</span><span class="cx"> void ContentSecurityPolicy::logToConsole(const String& message, const String& contextURL, const WTF::OrdinalNumber& contextLine, JSC::ExecState* state) const
</span><span class="cx"> {
</span><ins>+ if (!m_isReportingEnabled)
+ return;
+
</ins><span class="cx"> // FIXME: <http://webkit.org/b/114317> ContentSecurityPolicy::logToConsole should include a column number
</span><span class="cx"> if (m_scriptExecutionContext)
</span><span class="cx"> m_scriptExecutionContext->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, contextURL, contextLine.oneBasedInt(), 0, state);
</span><ins>+ else if (m_frame && m_frame->document())
+ static_cast<ScriptExecutionContext*>(m_frame->document())->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, contextURL, contextLine.oneBasedInt(), 0, state);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void ContentSecurityPolicy::reportBlockedScriptExecutionToInspector(const String& directiveText) const
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -56,7 +56,7 @@
</span><span class="cx"> WTF_MAKE_FAST_ALLOCATED;
</span><span class="cx"> public:
</span><span class="cx"> explicit ContentSecurityPolicy(ScriptExecutionContext&);
</span><del>- explicit ContentSecurityPolicy(const SecurityOrigin&);
</del><ins>+ explicit ContentSecurityPolicy(const SecurityOrigin&, const Frame* = nullptr);
</ins><span class="cx"> ~ContentSecurityPolicy();
</span><span class="cx">
</span><span class="cx"> void copyStateFrom(const ContentSecurityPolicy*);
</span><span class="lines">@@ -77,7 +77,8 @@
</span><span class="cx"> Inherited,
</span><span class="cx"> };
</span><span class="cx"> ContentSecurityPolicyResponseHeaders responseHeaders() const;
</span><del>- void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&);
</del><ins>+ enum ReportParsingErrors { No, Yes };
+ void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&, ReportParsingErrors = ReportParsingErrors::Yes);
</ins><span class="cx"> void processHTTPEquiv(const String& content, ContentSecurityPolicyHeaderType type) { didReceiveHeader(content, type, ContentSecurityPolicy::PolicyFrom::HTTPEquivMeta); }
</span><span class="cx">
</span><span class="cx"> enum class ReportingStatus {
</span><span class="lines">@@ -103,6 +104,7 @@
</span><span class="cx"> bool allowConnectToSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx"> bool allowFormAction(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx"> bool allowBaseURI(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><ins>+ bool allowFrameAncestors(const Frame&, const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</ins><span class="cx">
</span><span class="cx"> void setOverrideAllowInlineStyle(bool);
</span><span class="cx">
</span><span class="lines">@@ -160,13 +162,16 @@
</span><span class="cx">
</span><span class="cx"> const TextEncoding& documentEncoding() const;
</span><span class="cx">
</span><ins>+ // We can never have both a script execution context and a frame.
</ins><span class="cx"> ScriptExecutionContext* m_scriptExecutionContext { nullptr };
</span><ins>+ const Frame* m_frame { nullptr };
</ins><span class="cx"> std::unique_ptr<ContentSecurityPolicySource> m_selfSource;
</span><span class="cx"> String m_selfSourceProtocol;
</span><span class="cx"> CSPDirectiveListVector m_policies;
</span><span class="cx"> String m_lastPolicyEvalDisabledErrorMessage;
</span><span class="cx"> SandboxFlags m_sandboxFlags;
</span><span class="cx"> bool m_overrideInlineStyleAllowed { false };
</span><ins>+ bool m_isReportingEnabled { true };
</ins><span class="cx"> OptionSet<ContentSecurityPolicyHashAlgorithm> m_hashAlgorithmsForInlineScripts;
</span><span class="cx"> OptionSet<ContentSecurityPolicyHashAlgorithm> m_hashAlgorithmsForInlineStylesheets;
</span><span class="cx"> };
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -27,6 +27,8 @@
</span><span class="cx"> #include "config.h"
</span><span class="cx"> #include "ContentSecurityPolicyDirectiveList.h"
</span><span class="cx">
</span><ins>+#include "Document.h"
+#include "Frame.h"
</ins><span class="cx"> #include "ParsingUtilities.h"
</span><span class="cx"> #include "SecurityContext.h"
</span><span class="cx"> #include <wtf/NeverDestroyed.h>
</span><span class="lines">@@ -51,6 +53,7 @@
</span><span class="cx"> static const char childSrc[] = "child-src";
</span><span class="cx"> static const char formAction[] = "form-action";
</span><span class="cx"> static const char pluginTypes[] = "plugin-types";
</span><ins>+static const char frameAncestors[] = "frame-ancestors";
</ins><span class="cx"> #if ENABLE(CSP_NEXT)
</span><span class="cx"> static const char reflectedXSS[] = "reflected-xss";
</span><span class="cx"> #endif
</span><span class="lines">@@ -130,6 +133,17 @@
</span><span class="cx"> return !directive || directive->allows(nonce);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+static inline bool checkFrameAncestors(ContentSecurityPolicySourceListDirective* directive, const Frame& frame)
+{
+ if (!directive)
+ return true;
+ for (Frame* current = frame.tree().parent(); current; current = current->tree().parent()) {
+ if (!directive->allows(current->document()->url()))
+ return false;
+ }
+ return true;
+}
+
</ins><span class="cx"> static inline bool checkMediaType(ContentSecurityPolicyMediaListDirective* directive, const String& type, const String& typeAttribute)
</span><span class="cx"> {
</span><span class="cx"> if (!directive)
</span><span class="lines">@@ -264,6 +278,14 @@
</span><span class="cx"> return denyIfEnforcingPolicy();
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool ContentSecurityPolicyDirectiveList::checkFrameAncestorsAndReportViolation(ContentSecurityPolicySourceListDirective* directive, const Frame& frame, const URL& url, const String& effectiveDirective) const
+{
+ if (checkFrameAncestors(directive, frame))
+ return true;
+ reportViolation(directive->text(), effectiveDirective, makeString("Refused to display '", url.stringCenterEllipsizedToLength(), "' in a frame because an ancestor violates the following Content Security Policy directive: \"", directive->text(), "\".", '\n'), url);
+ return denyIfEnforcingPolicy();
+}
+
</ins><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><span class="cx"> static NeverDestroyed<String> consoleMessage(ASCIILiteral("Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "));
</span><span class="lines">@@ -416,6 +438,13 @@
</span><span class="cx"> return m_reportOnly || checkSource(m_baseURI.get(), url);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool ContentSecurityPolicyDirectiveList::allowFrameAncestors(const Frame& frame, const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+{
+ if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
+ return checkFrameAncestorsAndReportViolation(m_frameAncestors.get(), frame, url, frameAncestors);
+ return m_reportOnly || checkFrameAncestors(m_frameAncestors.get(), frame);
+}
+
</ins><span class="cx"> // policy = directive-list
</span><span class="cx"> // directive-list = [ directive *( ";" [ directive ] ) ]
</span><span class="cx"> //
</span><span class="lines">@@ -438,7 +467,8 @@
</span><span class="cx"> ASSERT(!name.isEmpty());
</span><span class="cx"> switch (policyFrom) {
</span><span class="cx"> case ContentSecurityPolicy::PolicyFrom::HTTPEquivMeta:
</span><del>- if (equalLettersIgnoringASCIICase(name, sandbox) || equalLettersIgnoringASCIICase(name, reportURI)) {
</del><ins>+ if (equalLettersIgnoringASCIICase(name, sandbox) || equalLettersIgnoringASCIICase(name, reportURI)
+ || equalLettersIgnoringASCIICase(name, frameAncestors)) {
</ins><span class="cx"> m_policy.reportInvalidDirectiveInHTTPEquivMeta(name);
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -637,7 +667,13 @@
</span><span class="cx"> setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_formAction);
</span><span class="cx"> else if (equalLettersIgnoringASCIICase(name, baseURI))
</span><span class="cx"> setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_baseURI);
</span><del>- else if (equalLettersIgnoringASCIICase(name, pluginTypes))
</del><ins>+ else if (equalLettersIgnoringASCIICase(name, frameAncestors)) {
+ if (m_reportOnly) {
+ m_policy.reportInvalidDirectiveInReportOnlyMode(name);
+ return;
+ }
+ setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_frameAncestors);
+ } else if (equalLettersIgnoringASCIICase(name, pluginTypes))
</ins><span class="cx"> setCSPDirective<ContentSecurityPolicyMediaListDirective>(name, value, m_pluginTypes);
</span><span class="cx"> else if (equalLettersIgnoringASCIICase(name, sandbox))
</span><span class="cx"> applySandboxPolicy(name, value);
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -71,6 +71,8 @@
</span><span class="cx"> bool allowFormAction(const URL&, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="cx"> bool allowBaseURI(const URL&, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="cx">
</span><ins>+ bool allowFrameAncestors(const Frame&, const URL&, ContentSecurityPolicy::ReportingStatus) const;
+
</ins><span class="cx"> const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorMessage; }
</span><span class="cx"> ContentSecurityPolicy::ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflectedXSSDisposition; }
</span><span class="cx"> bool isReportOnly() const { return m_reportOnly; }
</span><span class="lines">@@ -98,6 +100,7 @@
</span><span class="cx"> bool checkInlineAndReportViolation(ContentSecurityPolicySourceListDirective*, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool isScript) const;
</span><span class="cx">
</span><span class="cx"> bool checkSourceAndReportViolation(ContentSecurityPolicySourceListDirective*, const URL&, const String& effectiveDirective) const;
</span><ins>+ bool checkFrameAncestorsAndReportViolation(ContentSecurityPolicySourceListDirective*, const Frame&, const URL&, const String& effectiveDirective) const;
</ins><span class="cx"> bool checkMediaTypeAndReportViolation(ContentSecurityPolicyMediaListDirective*, const String& type, const String& typeAttribute, const String& consoleMessage) const;
</span><span class="cx">
</span><span class="cx"> bool denyIfEnforcingPolicy() const { return m_reportOnly; }
</span><span class="lines">@@ -119,6 +122,7 @@
</span><span class="cx"> std::unique_ptr<ContentSecurityPolicySourceListDirective> m_defaultSrc;
</span><span class="cx"> std::unique_ptr<ContentSecurityPolicySourceListDirective> m_fontSrc;
</span><span class="cx"> std::unique_ptr<ContentSecurityPolicySourceListDirective> m_formAction;
</span><ins>+ std::unique_ptr<ContentSecurityPolicySourceListDirective> m_frameAncestors;
</ins><span class="cx"> std::unique_ptr<ContentSecurityPolicySourceListDirective> m_frameSrc;
</span><span class="cx"> std::unique_ptr<ContentSecurityPolicySourceListDirective> m_imgSrc;
</span><span class="cx"> std::unique_ptr<ContentSecurityPolicySourceListDirective> m_mediaSrc;
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyResponseHeadersh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.h (197971 => 197972)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.h 2016-03-11 00:44:20 UTC (rev 197971)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.h 2016-03-11 00:45:13 UTC (rev 197972)
</span><span class="lines">@@ -43,7 +43,7 @@
</span><span class="cx">
</span><span class="cx"> class ContentSecurityPolicyResponseHeaders {
</span><span class="cx"> public:
</span><del>- ContentSecurityPolicyResponseHeaders(const ResourceResponse&);
</del><ins>+ explicit ContentSecurityPolicyResponseHeaders(const ResourceResponse&);
</ins><span class="cx">
</span><span class="cx"> ContentSecurityPolicyResponseHeaders isolatedCopy() const;
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>