playwright/test/browsercontext-csp.spec.ts

/**
* Copyright 2018 Google Inc. All rights reserved.
* Modifications copyright (c) Microsoft Corporation.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
import { it, expect } from './playwright.fixtures';
import { attachFrame } from './utils';
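it('should bypass CSP meta tag', async ({browser, server}) => {
  // Control: in a default context the CSP of /csp.html (delivered via a <meta>
  // tag, going by the test title) must block the injected inline script.
  // Without this step the bypass assertion below would prove nothing.
  {
    const context = await browser.newContext();
    try {
      const page = await context.newPage();
      await page.goto(server.PREFIX + '/csp.html');
      // Any rejection from the blocked injection is dropped on purpose; the
      // marker assertion on the next line is what checks enforcement.
      await page.addScriptTag({content: 'window["__injected"] = 42;'}).catch(e => void e);
      expect(await page.evaluate('window["__injected"]')).toBe(undefined);
    } finally {
      // Close even when navigation or an assertion throws: `browser` is handed
      // in by a fixture, so an unclosed context would outlive this test.
      await context.close();
    }
  }
  // Same page in a context created with bypassCSP: the injection must now
  // succeed, and a rejection is allowed to fail the test with its real error.
  {
    const context = await browser.newContext({ bypassCSP: true });
    try {
      const page = await context.newPage();
      await page.goto(server.PREFIX + '/csp.html');
      await page.addScriptTag({content: 'window["__injected"] = 42;'});
      expect(await page.evaluate('window["__injected"]')).toBe(42);
    } finally {
      await context.close();
    }
  }
});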
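it('should bypass CSP header', async ({browser, server}) => {
  // CSP keyword sources must be single-quoted. The previous value used "self"
  // in double quotes, which is not a valid source expression; browsers ignore
  // it, so default-src ended up with no usable source instead of the
  // same-origin policy the test presumably meant to install. Inline scripts
  // are blocked under either spelling, so the control below still holds.
  server.setCSP('/empty.html', "default-src 'self'");
  // Control: in a default context the header policy must block the injection.
  {
    const context = await browser.newContext();
    try {
      const page = await context.newPage();
      await page.goto(server.EMPTY_PAGE);
      // Any rejection from the blocked injection is dropped on purpose; the
      // marker assertion on the next line is what checks enforcement.
      await page.addScriptTag({content: 'window["__injected"] = 42;'}).catch(e => void e);
      expect(await page.evaluate('window["__injected"]')).toBe(undefined);
    } finally {
      // Close even when navigation or an assertion throws: `browser` is handed
      // in by a fixture, so an unclosed context would outlive this test.
      await context.close();
    }
  }
  // Same page in a context created with bypassCSP: the injection must now
  // succeed, and a rejection is allowed to fail the test with its real error.
  {
    const context = await browser.newContext({ bypassCSP: true });
    try {
      const page = await context.newPage();
      await page.goto(server.EMPTY_PAGE);
      await page.addScriptTag({content: 'window["__injected"] = 42;'});
      expect(await page.evaluate('window["__injected"]')).toBe(42);
    } finally {
      await context.close();
    }
  }
});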
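it('should bypass after cross-process navigation', async ({browser, server}) => {
  // Checks that bypassCSP is a property of the context, not of the first page
  // load: the injection has to keep working after navigating to the same CSP
  // page on the server's cross-process origin.
  const context = await browser.newContext({ bypassCSP: true });
  try {
    const page = await context.newPage();
    await page.goto(server.PREFIX + '/csp.html');
    await page.addScriptTag({content: 'window["__injected"] = 42;'});
    expect(await page.evaluate('window["__injected"]')).toBe(42);

    // The marker is injected again after this navigation, so the second
    // assertion checks the new document rather than reusing the first result.
    await page.goto(server.CROSS_PROCESS_PREFIX + '/csp.html');
    await page.addScriptTag({content: 'window["__injected"] = 42;'});
    expect(await page.evaluate('window["__injected"]')).toBe(42);
  } finally {
    // Close even when navigation or an assertion throws: `browser` is handed
    // in by a fixture, so an unclosed context would outlive this test.
    await context.close();
  }
});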
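it('should bypass CSP in iframes as well', async ({browser, server}) => {
  // Control: the top-level page has no CSP of its own here; the policy comes
  // from /csp.html loaded in a child frame, and it must block the injection
  // into that frame when the context is a default one.
  {
    const context = await browser.newContext();
    try {
      const page = await context.newPage();
      await page.goto(server.EMPTY_PAGE);
      const frame = await attachFrame(page, 'frame1', server.PREFIX + '/csp.html');
      // Any rejection from the blocked injection is dropped on purpose; the
      // marker assertion on the next line is what checks enforcement.
      await frame.addScriptTag({content: 'window["__injected"] = 42;'}).catch(e => void e);
      expect(await frame.evaluate('window["__injected"]')).toBe(undefined);
    } finally {
      // Close even when navigation or an assertion throws: `browser` is handed
      // in by a fixture, so an unclosed context would outlive this test.
      await context.close();
    }
  }
  // Same setup in a context created with bypassCSP: the frame's policy must no
  // longer block the injection.
  {
    const context = await browser.newContext({ bypassCSP: true });
    try {
      const page = await context.newPage();
      await page.goto(server.EMPTY_PAGE);
      const frame = await attachFrame(page, 'frame1', server.PREFIX + '/csp.html');
      // No .catch() here, matching the other bypass cases in this file: with
      // the bypass active a rejection is a real failure and should surface
      // with its own error instead of a bare "expected 42" mismatch.
      await frame.addScriptTag({content: 'window["__injected"] = 42;'});
      expect(await frame.evaluate('window["__injected"]')).toBe(42);
    } finally {
      await context.close();
    }
  }
});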