third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-general.html - chromium/src - Git at Google

 <!DOCTYPE html>
 <html>
 <head>
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
     <script src="/security/contentSecurityPolicy/resources/child-csp-test.js"></script>
 </head>
 <body>
     <script>
       async_test(t => {
           url = generateUrlWithCSP(CROSS_ORIGIN, "");
           injectIframeWithCSP(url, EXPECT_LOAD, "", t, "0");
         }, "If there is no required csp, the page should load.");

       async_test(t => {
           required_csp = "frame-src http://c.com:*";
           url = generateUrlWithCSP(CROSS_ORIGIN, "");
           injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "1");
         }, "Iframe with empty CSP should be blocked.");

       async_test(t => {
           required_csp = "frame-src http://c.com:443 http://b.com:80";
           returned_csp = "frame-src http://b.com:80 http://c.com:443";
           url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
           injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "2");
         }, "Iframe with matching CSP should load.");

       async_test(t => {
           required_csp = "frame-src http://c.com:443 http://b.com:80 http://c.com:* http://a.com";
           returned_csp = "frame-src http://b.com:80 http://c.com:443";
           url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
           injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "3");
         }, "Iframe with more restricting CSP should load.");

       async_test(t => {
           required_csp = "frame-src http://b.com:80";
           returned_csp = "frame-src http://b.com:80 http://c.com:443";
           url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
           injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "4");
         }, "Iframe with less restricting CSP should be blocked.");

       async_test(t => {
           required_csp = "frame-src http://a.com:80";
           returned_csp = "frame-src http://b.com:80 http://c.com:443";
           url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
           injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "5");
         }, "Iframe with a different CSP should be blocked.");

       async_test(t => {
           required_csp = "frame-src http://c.com:443 http://b.com";
           returned_csp = "frame-src http://b.com:80 http://c.com:443";
           url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
           injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "6");
         }, "Iframe with a matching and more restrictive ports should load.");

       async_test(t => {
           required_csp = "frame-src http://b.com:80";
           returned_csp = "child-src https://b.com:443";
           url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
           injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "7");
         }, "Iframe must load even if the ports are different but are default for the protocols.");
     </script>
 </body>
 </html>
	<!DOCTYPE html>
	<html>
	<head>
	<script src="/resources/testharness.js"></script>
	<script src="/resources/testharnessreport.js"></script>
	<script src="/security/contentSecurityPolicy/resources/child-csp-test.js"></script>
	</head>
	<body>
	<script>
	async_test(t => {
	url = generateUrlWithCSP(CROSS_ORIGIN, "");
	injectIframeWithCSP(url, EXPECT_LOAD, "", t, "0");
	}, "If there is no required csp, the page should load.");

	async_test(t => {
	required_csp = "frame-src http://c.com:*";
	url = generateUrlWithCSP(CROSS_ORIGIN, "");
	injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "1");
	}, "Iframe with empty CSP should be blocked.");

	async_test(t => {
	required_csp = "frame-src http://c.com:443 http://b.com:80";
	returned_csp = "frame-src http://b.com:80 http://c.com:443";
	url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
	injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "2");
	}, "Iframe with matching CSP should load.");

	async_test(t => {
	required_csp = "frame-src http://c.com:443 http://b.com:80 http://c.com:* http://a.com";
	returned_csp = "frame-src http://b.com:80 http://c.com:443";
	url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
	injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "3");
	}, "Iframe with more restricting CSP should load.");

	async_test(t => {
	required_csp = "frame-src http://b.com:80";
	returned_csp = "frame-src http://b.com:80 http://c.com:443";
	url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
	injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "4");
	}, "Iframe with less restricting CSP should be blocked.");

	async_test(t => {
	required_csp = "frame-src http://a.com:80";
	returned_csp = "frame-src http://b.com:80 http://c.com:443";
	url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
	injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "5");
	}, "Iframe with a different CSP should be blocked.");

	async_test(t => {
	required_csp = "frame-src http://c.com:443 http://b.com";
	returned_csp = "frame-src http://b.com:80 http://c.com:443";
	url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
	injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "6");
	}, "Iframe with a matching and more restrictive ports should load.");

	async_test(t => {
	required_csp = "frame-src http://b.com:80";
	returned_csp = "child-src https://b.com:443";
	url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
	injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "7");
	}, "Iframe must load even if the ports are different but are default for the protocols.");
	</script>
	</body>
	</html>