playwright/tests/library/browsercontext-csp.spec.ts

/**
 * Copyright 2018 Google Inc. All rights reserved.
 * Modifications copyright (c) Microsoft Corporation.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

import { browserTest as it, expect } from '../config/browserTest';
import { attachFrame } from '../config/utils';

it('should bypass CSP meta tag @smoke', async ({ browser, server }) => {
  // Make sure CSP prohibits addScriptTag.
  {
    const context = await browser.newContext();
    const page = await context.newPage();
    await page.goto(server.PREFIX + '/csp.html');
    await page.addScriptTag({ content: 'window["__injected"] = 42;' }).catch(e => void e);
    expect(await page.evaluate('window["__injected"]')).toBe(undefined);
    await context.close();
  }

  // By-pass CSP and try one more time.
  {
    const context = await browser.newContext({ bypassCSP: true });
    const page = await context.newPage();
    await page.goto(server.PREFIX + '/csp.html');
    await page.addScriptTag({ content: 'window["__injected"] = 42;' });
    expect(await page.evaluate('window["__injected"]')).toBe(42);
    await context.close();
  }
});

it('should bypass CSP header', async ({ browser, server }) => {
  // Make sure CSP prohibits addScriptTag.
  server.setCSP('/empty.html', 'default-src "self"');

  {
    const context = await browser.newContext();
    const page = await context.newPage();
    await page.goto(server.EMPTY_PAGE);
    await page.addScriptTag({ content: 'window["__injected"] = 42;' }).catch(e => void e);
    expect(await page.evaluate('window["__injected"]')).toBe(undefined);
    await context.close();
  }

  // By-pass CSP and try one more time.
  {
    const context = await browser.newContext({ bypassCSP: true });
    const page = await context.newPage();
    await page.goto(server.EMPTY_PAGE);
    await page.addScriptTag({ content: 'window["__injected"] = 42;' });
    expect(await page.evaluate('window["__injected"]')).toBe(42);
    await context.close();
  }
});

it('should bypass after cross-process navigation', async ({ browser, server }) => {
  const context = await browser.newContext({ bypassCSP: true });
  const page = await context.newPage();
  await page.goto(server.PREFIX + '/csp.html');
  await page.addScriptTag({ content: 'window["__injected"] = 42;' });
  expect(await page.evaluate('window["__injected"]')).toBe(42);

  await page.goto(server.CROSS_PROCESS_PREFIX + '/csp.html');
  await page.addScriptTag({ content: 'window["__injected"] = 42;' });
  expect(await page.evaluate('window["__injected"]')).toBe(42);
  await context.close();
});

it('should bypass CSP in iframes as well', async ({ browser, server }) => {
  // Make sure CSP prohibits addScriptTag in an iframe.
  {
    const context = await browser.newContext();
    const page = await context.newPage();
    await page.goto(server.EMPTY_PAGE);
    const frame = await attachFrame(page, 'frame1', server.PREFIX + '/csp.html');
    await frame.addScriptTag({ content: 'window["__injected"] = 42;' }).catch(e => void e);
    expect(await frame.evaluate('window["__injected"]')).toBe(undefined);
    await context.close();
  }

  // By-pass CSP and try one more time.
  {
    const context = await browser.newContext({ bypassCSP: true });
    const page = await context.newPage();
    await page.goto(server.EMPTY_PAGE);
    const frame = await attachFrame(page, 'frame1', server.PREFIX + '/csp.html');
    await frame.addScriptTag({ content: 'window["__injected"] = 42;' }).catch(e => void e);
    expect(await frame.evaluate('window["__injected"]')).toBe(42);
    await context.close();
  }
});
test: remove describes (#3274) 2020-08-04 04:41:48 +08:00			`/**`
			`* Copyright 2018 Google Inc. All rights reserved.`
			`* Modifications copyright (c) Microsoft Corporation.`
			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`
test: migrate most non-page tests to new folio (#6059) 2021-04-03 12:07:45 +08:00
chore: group tests under tests/ (1) (#13081) 2022-03-26 07:05:50 +08:00			`import { browserTest as it, expect } from '../config/browserTest';`
			`import { attachFrame } from '../config/utils';`
test: remove describes (#3274) 2020-08-04 04:41:48 +08:00
test: rename #smoke to @smoke as test tags (#12652) 2022-03-11 02:42:52 +08:00			`it('should bypass CSP meta tag @smoke', async ({ browser, server }) => {`
test: remove describes (#3274) 2020-08-04 04:41:48 +08:00			`// Make sure CSP prohibits addScriptTag.`
			`{`
			`const context = await browser.newContext();`
			`const page = await context.newPage();`
			`await page.goto(server.PREFIX + '/csp.html');`
chore: enable object-curly-spacing in ESLint (#9168) 2021-09-28 00:58:08 +08:00			`await page.addScriptTag({ content: 'window["__injected"] = 42;' }).catch(e => void e);`
chore(tests): convert all tests to typescript (#3384) 2020-08-12 06:50:53 +08:00			`expect(await page.evaluate('window["__injected"]')).toBe(undefined);`
test: remove describes (#3274) 2020-08-04 04:41:48 +08:00			`await context.close();`
			`}`

			`// By-pass CSP and try one more time.`
			`{`
			`const context = await browser.newContext({ bypassCSP: true });`
			`const page = await context.newPage();`
			`await page.goto(server.PREFIX + '/csp.html');`
chore: enable object-curly-spacing in ESLint (#9168) 2021-09-28 00:58:08 +08:00			`await page.addScriptTag({ content: 'window["__injected"] = 42;' });`
chore(tests): convert all tests to typescript (#3384) 2020-08-12 06:50:53 +08:00			`expect(await page.evaluate('window["__injected"]')).toBe(42);`
test: remove describes (#3274) 2020-08-04 04:41:48 +08:00			`await context.close();`
			`}`
			`});`

chore: enable object-curly-spacing in ESLint (#9168) 2021-09-28 00:58:08 +08:00			`it('should bypass CSP header', async ({ browser, server }) => {`
test: remove describes (#3274) 2020-08-04 04:41:48 +08:00			`// Make sure CSP prohibits addScriptTag.`
			`server.setCSP('/empty.html', 'default-src "self"');`

			`{`
			`const context = await browser.newContext();`
			`const page = await context.newPage();`
			`await page.goto(server.EMPTY_PAGE);`
chore: enable object-curly-spacing in ESLint (#9168) 2021-09-28 00:58:08 +08:00			`await page.addScriptTag({ content: 'window["__injected"] = 42;' }).catch(e => void e);`
chore(tests): convert all tests to typescript (#3384) 2020-08-12 06:50:53 +08:00			`expect(await page.evaluate('window["__injected"]')).toBe(undefined);`
test: remove describes (#3274) 2020-08-04 04:41:48 +08:00			`await context.close();`
			`}`

			`// By-pass CSP and try one more time.`
			`{`
			`const context = await browser.newContext({ bypassCSP: true });`
			`const page = await context.newPage();`
			`await page.goto(server.EMPTY_PAGE);`
chore: enable object-curly-spacing in ESLint (#9168) 2021-09-28 00:58:08 +08:00			`await page.addScriptTag({ content: 'window["__injected"] = 42;' });`
chore(tests): convert all tests to typescript (#3384) 2020-08-12 06:50:53 +08:00			`expect(await page.evaluate('window["__injected"]')).toBe(42);`
test: remove describes (#3274) 2020-08-04 04:41:48 +08:00			`await context.close();`
			`}`
			`});`

chore: enable object-curly-spacing in ESLint (#9168) 2021-09-28 00:58:08 +08:00			`it('should bypass after cross-process navigation', async ({ browser, server }) => {`
test: remove describes (#3274) 2020-08-04 04:41:48 +08:00			`const context = await browser.newContext({ bypassCSP: true });`
			`const page = await context.newPage();`
			`await page.goto(server.PREFIX + '/csp.html');`
chore: enable object-curly-spacing in ESLint (#9168) 2021-09-28 00:58:08 +08:00			`await page.addScriptTag({ content: 'window["__injected"] = 42;' });`
chore(tests): convert all tests to typescript (#3384) 2020-08-12 06:50:53 +08:00			`expect(await page.evaluate('window["__injected"]')).toBe(42);`
test: remove describes (#3274) 2020-08-04 04:41:48 +08:00
			`await page.goto(server.CROSS_PROCESS_PREFIX + '/csp.html');`
chore: enable object-curly-spacing in ESLint (#9168) 2021-09-28 00:58:08 +08:00			`await page.addScriptTag({ content: 'window["__injected"] = 42;' });`
chore(tests): convert all tests to typescript (#3384) 2020-08-12 06:50:53 +08:00			`expect(await page.evaluate('window["__injected"]')).toBe(42);`
test: remove describes (#3274) 2020-08-04 04:41:48 +08:00			`await context.close();`
			`});`

chore: enable object-curly-spacing in ESLint (#9168) 2021-09-28 00:58:08 +08:00			`it('should bypass CSP in iframes as well', async ({ browser, server }) => {`
test: remove describes (#3274) 2020-08-04 04:41:48 +08:00			`// Make sure CSP prohibits addScriptTag in an iframe.`
			`{`
			`const context = await browser.newContext();`
			`const page = await context.newPage();`
			`await page.goto(server.EMPTY_PAGE);`
test: migrate some helpers to fixtures, use testOutputDir (#3926) 2020-09-19 06:52:14 +08:00			`const frame = await attachFrame(page, 'frame1', server.PREFIX + '/csp.html');`
chore: enable object-curly-spacing in ESLint (#9168) 2021-09-28 00:58:08 +08:00			`await frame.addScriptTag({ content: 'window["__injected"] = 42;' }).catch(e => void e);`
chore(tests): convert all tests to typescript (#3384) 2020-08-12 06:50:53 +08:00			`expect(await frame.evaluate('window["__injected"]')).toBe(undefined);`
test: remove describes (#3274) 2020-08-04 04:41:48 +08:00			`await context.close();`
			`}`

			`// By-pass CSP and try one more time.`
			`{`
			`const context = await browser.newContext({ bypassCSP: true });`
			`const page = await context.newPage();`
			`await page.goto(server.EMPTY_PAGE);`
test: migrate some helpers to fixtures, use testOutputDir (#3926) 2020-09-19 06:52:14 +08:00			`const frame = await attachFrame(page, 'frame1', server.PREFIX + '/csp.html');`
chore: enable object-curly-spacing in ESLint (#9168) 2021-09-28 00:58:08 +08:00			`await frame.addScriptTag({ content: 'window["__injected"] = 42;' }).catch(e => void e);`
chore(tests): convert all tests to typescript (#3384) 2020-08-12 06:50:53 +08:00			`expect(await frame.evaluate('window["__injected"]')).toBe(42);`
test: remove describes (#3274) 2020-08-04 04:41:48 +08:00			`await context.close();`
			`}`
			`});`