From fb4176905bed5feb97f578275fd897a1b01a84ae Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Wed, 15 Jul 2020 18:14:10 -0400 Subject: [PATCH 01/15] Test some more edge cases for X-Frame-Options Follows https://github.com/whatwg/html/pull/5737. --- .../object-network-error.sub.html | 54 +++++++++++++ x-frame-options/commas.sub.html | 79 +++++++++++++++++++ x-frame-options/deny.sub.html | 28 +++++++ x-frame-options/invalid.sub.html | 52 ++++++++++++ x-frame-options/multiple.sub.html | 24 ++++++ x-frame-options/sameorigin.sub.html | 27 +++++++ 6 files changed, 264 insertions(+) create mode 100644 html/semantics/embedded-content/the-object-element/object-network-error.sub.html create mode 100644 x-frame-options/commas.sub.html diff --git a/html/semantics/embedded-content/the-object-element/object-network-error.sub.html b/html/semantics/embedded-content/the-object-element/object-network-error.sub.html new file mode 100644 index 00000000000000..4b80701bc1cc26 --- /dev/null +++ b/html/semantics/embedded-content/the-object-element/object-network-error.sub.html @@ -0,0 +1,54 @@ + + +Network errors with object elements + + + + + diff --git a/x-frame-options/commas.sub.html b/x-frame-options/commas.sub.html new file mode 100644 index 00000000000000..cc935159dcd300 --- /dev/null +++ b/x-frame-options/commas.sub.html @@ -0,0 +1,79 @@ + + +X-Frame-Options headers with commas + + + + + + diff --git a/x-frame-options/deny.sub.html b/x-frame-options/deny.sub.html index dd8afe8079a009..505d1ce9e74c10 100644 --- a/x-frame-options/deny.sub.html +++ b/x-frame-options/deny.sub.html 
@@ -32,6 +32,34 @@ document.body.appendChild(i); }, "`XFO: DENY` blocks cross-origin framing."); + async_test(t => { + var i = document.createElement('iframe'); + i.src = "./support/xfo.py?value=denY"; + + assert_no_message_from(i, t); + + i.onload = t.step_func_done(_ => { + assert_equals(i.contentDocument, null); + i.remove(); + }); + + document.body.appendChild(i); + }, "`XFO: denY` blocks same-origin framing."); + + async_test(t => { + var i = document.createElement('iframe'); + i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=denY"; + + assert_no_message_from(i, t); + + i.onload = t.step_func_done(_ => { + assert_equals(i.contentDocument, null); + i.remove(); + }); + + document.body.appendChild(i); + }, "`XFO: denY` blocks cross-origin framing."); + async_test(t => { var i = document.createElement('iframe'); i.src = "./support/xfo.py?value=DENY&csp_value=default-src%20'self'"; diff --git a/x-frame-options/invalid.sub.html b/x-frame-options/invalid.sub.html index 4604033d01fc2f..f202128fc6ad82 100644 --- a/x-frame-options/invalid.sub.html +++ b/x-frame-options/invalid.sub.html 
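Review bot: The two added `denY` tests call `i.remove()` inside the `step_func_done` callback after `assert_equals`, so a failing assertion throws before the iframe is removed and leaves it attached for the rest of the file. The new commas.sub.html in this same series registers the removal up front with `t.add_cleanup(() => i.remove());`, which runs regardless of outcome; using that form here, and in the ALLOW-FROM, multiple.sub.html and sameOriGin tests added in the following hunks, would make the files consistent. `var i` could likewise become `const i` as in commas.sub.html.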
@@ -30,6 +30,58 @@ document.body.appendChild(i); }, "`XFO: INVALID` allows cross-origin framing."); + async_test(t => { + var i = document.createElement('iframe'); + i.src = "./support/xfo.py?value=ALLOW-FROM https://example.com/"; + + wait_for_message_from(i, t) + .then(t.step_func_done(e => { + assert_equals(e.data, "Loaded"); + i.remove(); + })); + + document.body.appendChild(i); + }, "`XFO: ALLOWFROM` allows same-origin framing."); + + async_test(t => { + var i = document.createElement('iframe'); + i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=ALLOW-FROM https://example.com/"; + + wait_for_message_from(i, t) + .then(t.step_func_done(e => { + assert_equals(e.data, "Loaded"); + i.remove(); + })); + + document.body.appendChild(i); + }, "`XFO: ALLOWFROM` allows cross-origin framing."); + + async_test(t => { + var i = document.createElement('iframe'); + i.src = "./support/xfo.py?value=ALLOW-FROM=https://example.com/"; + + wait_for_message_from(i, t) + .then(t.step_func_done(e => { + assert_equals(e.data, "Loaded"); + i.remove(); + })); + + document.body.appendChild(i); + }, "`XFO: ALLOWFROM=` allows same-origin framing."); + + async_test(t => { + var i = document.createElement('iframe'); + i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=ALLOW-FROM=https://example.com/"; + + wait_for_message_from(i, t) + .then(t.step_func_done(e => { + assert_equals(e.data, "Loaded"); + i.remove(); + })); + + document.body.appendChild(i); + }, "`XFO: ALLOWFROM=` allows cross-origin framing."); + async_test(t => { var i = document.createElement('iframe'); i.src = "./support/xfo.py?value=ALLOWALL"; diff --git a/x-frame-options/multiple.sub.html b/x-frame-options/multiple.sub.html index 717e9fd25c51ee..c2726519604ee7 100644 --- a/x-frame-options/multiple.sub.html +++ b/x-frame-options/multiple.sub.html 
@@ -58,6 +58,18 @@ document.body.appendChild(i); }, "`XFO: INVALID; XFO: SAMEORIGIN` allows same-origin framing."); + async_test(t => { + var i = document.createElement('iframe'); + i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=INVALID&value2=SAMEORIGIN"; + + i.onload = t.step_func_done(_ => { + assert_equals(i.contentDocument, null); + i.remove(); + }); + + document.body.appendChild(i); + }, "`XFO: INVALID; XFO: SAMEORIGIN` blocks cross-origin framing."); + async_test(t => { var i = document.createElement('iframe'); i.src = "./support/xfo.py?value=SAMEORIGIN&value2=INVALID"; @@ -71,6 +83,18 @@ document.body.appendChild(i); }, "`XFO: SAMEORIGIN; XFO: INVALID` allows same-origin framing."); + async_test(t => { + var i = document.createElement('iframe'); + i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=SAMEORIGIN&value2=INVALID"; + + i.onload = t.step_func_done(_ => { + assert_equals(i.contentDocument, null); + i.remove(); + }); + + document.body.appendChild(i); + }, "`XFO: SAMEORIGIN; XFO: INVALID` blocks cross-origin framing."); + async_test(t => { var i = document.createElement('iframe'); i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=SAMEORIGIN&value2=SAMEORIGIN"; diff --git a/x-frame-options/sameorigin.sub.html b/x-frame-options/sameorigin.sub.html index ede5446825995f..54916426c32e2d 100644 --- a/x-frame-options/sameorigin.sub.html +++ b/x-frame-options/sameorigin.sub.html 
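Review bot: Both added cross-origin tests in this file (`INVALID; SAMEORIGIN` and `SAMEORIGIN; INVALID` blocks cross-origin framing) assert only `assert_equals(i.contentDocument, null)` on load, but `contentDocument` is null for any cross-origin frame whether or not it rendered, so the assertion passes even when the frame loads. The blocking tests elsewhere in this commit (the `denY` cross-origin test in deny.sub.html) pair the load check with `assert_no_message_from(i, t);`, which is what actually detects a loaded frame; add that line after `i.src = ...` in both tests.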
@@ -17,6 +17,19 @@ document.body.appendChild(i); }, "`XFO: SAMEORIGIN` allows same-origin framing."); + async_test(t => { + var i = document.createElement('iframe'); + i.src = "./support/xfo.py?value=sameOriGin"; + + wait_for_message_from(i, t) + .then(t.step_func_done(e => { + assert_equals(e.data, "Loaded"); + i.remove(); + })); + + document.body.appendChild(i); + }, "`XFO: sameOriGin` allows same-origin framing."); + async_test(t => { var i = document.createElement('iframe'); i.src = @@ -45,6 +58,20 @@ document.body.appendChild(i); }, "`XFO: SAMEORIGIN` blocks cross-origin framing."); + async_test(t => { + var i = document.createElement('iframe'); + i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=sameOriGin"; + + assert_no_message_from(i, t); + + i.onload = t.step_func_done(_ => { + assert_equals(i.contentDocument, null); + i.remove(); + }); + + document.body.appendChild(i); + }, "`XFO: sameOriGin` blocks cross-origin framing."); + async_test(t => { var i = document.createElement('iframe'); i.src = "./support/nested.py?origin=http://{{domains[www]}}:{{ports[http][0]}}&value=SAMEORIGIN"; From 2857fcc27670682d9289586feb92d3df241838c4 Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Fri, 17 Jul 2020 11:30:18 -0400 Subject: [PATCH 02/15] Fix typos in test descriptions per review --- x-frame-options/invalid.sub.html | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/x-frame-options/invalid.sub.html b/x-frame-options/invalid.sub.html index f202128fc6ad82..68648f999a4a84 100644 --- a/x-frame-options/invalid.sub.html +++ b/x-frame-options/invalid.sub.html @@ -41,7 +41,7 @@ })); document.body.appendChild(i); - }, "`XFO: ALLOWFROM` allows same-origin framing."); + }, "`XFO: ALLOW-FROM` allows same-origin framing."); async_test(t => { var i = document.createElement('iframe'); 
@@ -54,7 +54,7 @@ })); document.body.appendChild(i); - }, "`XFO: ALLOWFROM` allows cross-origin framing."); + }, "`XFO: ALLOW-FROM` allows cross-origin framing."); async_test(t => { var i = document.createElement('iframe'); @@ -67,7 +67,7 @@ })); document.body.appendChild(i); - }, "`XFO: ALLOWFROM=` allows same-origin framing."); + }, "`XFO: ALLOW-FROM=` allows same-origin framing."); async_test(t => { var i = document.createElement('iframe'); @@ -80,7 +80,7 @@ })); document.body.appendChild(i); - }, "`XFO: ALLOWFROM=` allows cross-origin framing."); + }, "`XFO: ALLOW-FROM=` allows cross-origin framing."); async_test(t => { var i = document.createElement('iframe'); From 3a6be8a4a091c93a7c1788f110e66320acaa05f0 Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Thu, 23 Jul 2020 10:57:48 -0400 Subject: [PATCH 03/15] Explicit quoted value tests --- x-frame-options/deny.sub.html | 28 ++++++++++++++++++++++++++++ x-frame-options/sameorigin.sub.html | 27 +++++++++++++++++++++++++++ 2 files changed, 55 insertions(+) diff --git a/x-frame-options/deny.sub.html b/x-frame-options/deny.sub.html index 505d1ce9e74c10..3df7be052e78ba 100644 --- a/x-frame-options/deny.sub.html +++ b/x-frame-options/deny.sub.html @@ -46,6 +46,20 @@ document.body.appendChild(i); }, "`XFO: denY` blocks same-origin framing."); + async_test(t => { + var i = document.createElement('iframe'); + i.src = "./support/xfo.py?value=\"denY\""; + + assert_no_message_from(i, t); + + i.onload = t.step_func_done(_ => { + assert_equals(i.contentDocument, null); + i.remove(); + }); + + document.body.appendChild(i); + }, "`XFO: \"denY\"` blocks same-origin framing."); + async_test(t => { var i = document.createElement('iframe'); i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=denY"; 
@@ -60,6 +74,20 @@ document.body.appendChild(i); }, "`XFO: denY` blocks cross-origin framing."); + async_test(t => { + var i = document.createElement('iframe'); + i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=\"denY\""; + + assert_no_message_from(i, t); + + i.onload = t.step_func_done(_ => { + assert_equals(i.contentDocument, null); + i.remove(); + }); + + document.body.appendChild(i); + }, "`XFO: \"denY\"` blocks cross-origin framing."); + async_test(t => { var i = document.createElement('iframe'); i.src = "./support/xfo.py?value=DENY&csp_value=default-src%20'self'"; diff --git a/x-frame-options/sameorigin.sub.html b/x-frame-options/sameorigin.sub.html index 54916426c32e2d..f3fdafba9b7282 100644 --- a/x-frame-options/sameorigin.sub.html +++ b/x-frame-options/sameorigin.sub.html @@ -30,6 +30,19 @@ document.body.appendChild(i); }, "`XFO: sameOriGin` allows same-origin framing."); + async_test(t => { + var i = document.createElement('iframe'); + i.src = "./support/xfo.py?value=\"sameOriGin\""; + + wait_for_message_from(i, t) + .then(t.step_func_done(e => { + assert_equals(e.data, "Loaded"); + i.remove(); + })); + + document.body.appendChild(i); + }, "`XFO: \"sameOriGin\"` allows same-origin framing."); + async_test(t => { var i = document.createElement('iframe'); i.src = @@ -72,6 +85,20 @@ document.body.appendChild(i); }, "`XFO: sameOriGin` blocks cross-origin framing."); + async_test(t => { + var i = document.createElement('iframe'); + i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=\"sameOriGin\""; + + assert_no_message_from(i, t); + + i.onload = t.step_func_done(_ => { + assert_equals(i.contentDocument, null); + i.remove(); + }); + + document.body.appendChild(i); + }, "`XFO: \"sameOriGin\"` blocks cross-origin framing."); + async_test(t => { var i = document.createElement('iframe'); i.src = "./support/nested.py?origin=http://{{domains[www]}}:{{ports[http][0]}}&value=SAMEORIGIN"; 
From 3989c90af2c7804a252ee64eb9cfd9a2b5566be3 Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Wed, 5 Aug 2020 12:23:03 -0400 Subject: [PATCH 04/15] Update for quotes being invalid --- x-frame-options/commas.sub.html | 10 ++++------ x-frame-options/deny.sub.html | 30 ++++++++++++++--------------- x-frame-options/sameorigin.sub.html | 19 +++++++++--------- 3 files changed, 27 insertions(+), 32 deletions(-) diff --git a/x-frame-options/commas.sub.html b/x-frame-options/commas.sub.html index cc935159dcd300..6af31775fc433d 100644 --- a/x-frame-options/commas.sub.html +++ b/x-frame-options/commas.sub.html @@ -41,15 +41,13 @@ const i = document.createElement("iframe"); i.src = "./support/xfo.py?value=SAMEORIGIN,\"DENY\""; - assert_no_message_from(i, t); - - i.onload = t.step_func_done(() => { - assert_equals(i.contentDocument, null); - }); + wait_for_message_from(i, t).then(t.step_func_done(e => { + assert_equals(e.data, "Loaded"); + })); document.body.append(i); t.add_cleanup(() => i.remove()); -}, "SAMEORIGIN,\"DENY\" blocks same-origin framing"); +}, "SAMEORIGIN,\"DENY\" allows same-origin framing"); async_test(t => { const i = document.createElement("iframe"); diff --git a/x-frame-options/deny.sub.html b/x-frame-options/deny.sub.html index 3df7be052e78ba..0b6570b95aad52 100644 --- a/x-frame-options/deny.sub.html +++ b/x-frame-options/deny.sub.html @@ -48,17 +48,16 @@ async_test(t => { var i = document.createElement('iframe'); - i.src = "./support/xfo.py?value=\"denY\""; + i.src = "./support/xfo.py?value=\"DENY\""; - assert_no_message_from(i, t); - - i.onload = t.step_func_done(_ => { - assert_equals(i.contentDocument, null); - i.remove(); - }); + wait_for_message_from(i, t) + .then(t.step_func_done(e => { + assert_equals(e.data, "Loaded"); + i.remove(); + })); document.body.appendChild(i); - }, "`XFO: \"denY\"` blocks same-origin framing."); + }, "`XFO: \"DENY\"` allows same-origin framing."); async_test(t => { var i = document.createElement('iframe'); 
@@ -76,17 +75,16 @@ async_test(t => { var i = document.createElement('iframe'); - i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=\"denY\""; + i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=\"DENY\""; - assert_no_message_from(i, t); - - i.onload = t.step_func_done(_ => { - assert_equals(i.contentDocument, null); - i.remove(); - }); + wait_for_message_from(i, t) + .then(t.step_func_done(e => { + assert_equals(e.data, "Loaded"); + i.remove(); + })); document.body.appendChild(i); - }, "`XFO: \"denY\"` blocks cross-origin framing."); + }, "`XFO: \"DENY\"` allows cross-origin framing."); async_test(t => { var i = document.createElement('iframe'); diff --git a/x-frame-options/sameorigin.sub.html b/x-frame-options/sameorigin.sub.html index f3fdafba9b7282..4d9b2d1224b93e 100644 --- a/x-frame-options/sameorigin.sub.html +++ b/x-frame-options/sameorigin.sub.html @@ -32,7 +32,7 @@ async_test(t => { var i = document.createElement('iframe'); - i.src = "./support/xfo.py?value=\"sameOriGin\""; + i.src = "./support/xfo.py?value=\"SAMEORIGIN\""; wait_for_message_from(i, t) .then(t.step_func_done(e => { @@ -41,7 +41,7 @@ })); document.body.appendChild(i); - }, "`XFO: \"sameOriGin\"` allows same-origin framing."); + }, "`XFO: \"SAMEORIGIN\"` allows same-origin framing."); async_test(t => { var i = document.createElement('iframe'); 
@@ -87,17 +87,16 @@ async_test(t => { var i = document.createElement('iframe'); - i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=\"sameOriGin\""; + i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=\"SAMEORIGIN\""; - assert_no_message_from(i, t); - - i.onload = t.step_func_done(_ => { - assert_equals(i.contentDocument, null); - i.remove(); - }); + wait_for_message_from(i, t) + .then(t.step_func_done(e => { + assert_equals(e.data, "Loaded"); + i.remove(); + })); document.body.appendChild(i); - }, "`XFO: \"sameOriGin\"` blocks cross-origin framing."); + }, "`XFO: \"SAMEORIGIN\"` allows cross-origin framing."); async_test(t => { var i = document.createElement('iframe'); From bd999abdad9c32bc09cd27464e290cbf641d05a4 Mon Sep 17 00:00:00 2001 
From: Domenic Denicola Date: Wed, 5 Aug 2020 13:04:38 -0400 Subject: [PATCH 05/15] Use a test framework to make the tests easier to write and read --- html/README.md | 1 + x-frame-options/META.yml | 3 +- x-frame-options/README.md | 3 +- x-frame-options/commas.html | 41 ++++++ x-frame-options/commas.sub.html | 77 ------------ x-frame-options/deny.html | 37 ++++++ x-frame-options/deny.sub.html | 115 ----------------- x-frame-options/invalid.html | 53 ++++++++ x-frame-options/invalid.sub.html | 136 -------------------- x-frame-options/multiple.html | 46 +++++++ x-frame-options/multiple.sub.html | 111 ---------------- x-frame-options/redirect.html | 18 +++ x-frame-options/redirect.sub.html | 19 --- x-frame-options/sameorigin.sub.html | 174 ++++++-------------------- x-frame-options/support/helper.js | 13 -- x-frame-options/support/helper.sub.js | 69 ++++++++++ 16 files changed, 309 insertions(+), 607 deletions(-) create mode 100644 x-frame-options/commas.html delete mode 100644 x-frame-options/commas.sub.html create mode 100644 x-frame-options/deny.html delete mode 100644 x-frame-options/deny.sub.html create mode 100644 x-frame-options/invalid.html delete mode 100644 x-frame-options/invalid.sub.html create mode 100644 x-frame-options/multiple.html delete mode 100644 x-frame-options/multiple.sub.html create mode 100644 x-frame-options/redirect.html delete mode 100644 x-frame-options/redirect.sub.html delete mode 100644 x-frame-options/support/helper.js create mode 100644 x-frame-options/support/helper.sub.js diff --git a/html/README.md b/html/README.md index a85911a8a09f74..11e5bcf81c4069 100644 --- a/html/README.md +++ b/html/README.md @@ -17,3 +17,4 @@ For historical reasons, parts of HTML have their own directories: * [/websockets](/websockets) * [/webstorage](/webstorage) * [/workers](/workers) +* [/x-frame-options](/x-frame-options) diff --git a/x-frame-options/META.yml b/x-frame-options/META.yml index 674a1648847c6a..21ef0699364f40 100644 
--- a/x-frame-options/META.yml +++ b/x-frame-options/META.yml @@ -1,4 +1,5 @@ -spec: https://tools.ietf.org/html/rfc7034 +spec: https://html.spec.whatwg.org/#the-x-frame-options-header suggested_reviewers: - annevk - mikewest + - domenic diff --git a/x-frame-options/README.md b/x-frame-options/README.md index 7b35f0f1d14464..9e8e257fe9cf48 100644 --- a/x-frame-options/README.md +++ b/x-frame-options/README.md @@ -1,2 +1 @@ -This directory contains tests for -[HTTP Header Field X-Frame-Options](https://tools.ietf.org/html/rfc7034). +This directory contains tests for [`X-Frame-Options`](https://html.spec.whatwg.org/#the-x-frame-options-header). diff --git a/x-frame-options/commas.html b/x-frame-options/commas.html new file mode 100644 index 00000000000000..382afb3851bbc0 --- /dev/null +++ b/x-frame-options/commas.html @@ -0,0 +1,41 @@ + + +X-Frame-Options headers with commas + + + + + + diff --git a/x-frame-options/commas.sub.html b/x-frame-options/commas.sub.html deleted file mode 100644 index 6af31775fc433d..00000000000000 --- a/x-frame-options/commas.sub.html +++ /dev/null @@ -1,77 +0,0 @@ - - -X-Frame-Options headers with commas - - - - - - diff --git a/x-frame-options/deny.html b/x-frame-options/deny.html new file mode 100644 index 00000000000000..c966bf433d6a21 --- /dev/null +++ b/x-frame-options/deny.html @@ -0,0 +1,37 @@ + + +X-Frame-Options variations of DENY + + + + + + diff --git a/x-frame-options/deny.sub.html b/x-frame-options/deny.sub.html deleted file mode 100644 index 0b6570b95aad52..00000000000000 --- a/x-frame-options/deny.sub.html +++ /dev/null @@ -1,115 +0,0 @@ - - - - - - diff --git a/x-frame-options/invalid.html b/x-frame-options/invalid.html new file mode 100644 index 00000000000000..37b849a7dddba4 --- /dev/null +++ b/x-frame-options/invalid.html @@ -0,0 +1,53 @@ + + +X-Frame-Options invalid values + + + + + + 
diff --git a/x-frame-options/invalid.sub.html b/x-frame-options/invalid.sub.html deleted file mode 100644 index 68648f999a4a84..00000000000000 --- a/x-frame-options/invalid.sub.html +++ /dev/null @@ -1,136 +0,0 @@ - - - - - - diff --git a/x-frame-options/multiple.html b/x-frame-options/multiple.html new file mode 100644 index 00000000000000..2acf7862a396e8 --- /dev/null +++ b/x-frame-options/multiple.html @@ -0,0 +1,46 @@ + + +X-Frame-Options headers sent multiple times + + + + + + diff --git a/x-frame-options/multiple.sub.html b/x-frame-options/multiple.sub.html deleted file mode 100644 index c2726519604ee7..00000000000000 --- a/x-frame-options/multiple.sub.html +++ /dev/null @@ -1,111 +0,0 @@ - - - - - - diff --git a/x-frame-options/redirect.html b/x-frame-options/redirect.html new file mode 100644 index 00000000000000..5fb863a278f5ae --- /dev/null +++ b/x-frame-options/redirect.html @@ -0,0 +1,18 @@ + + +X-Frame-Options headers sent along with a redirect + + + + + + diff --git a/x-frame-options/redirect.sub.html b/x-frame-options/redirect.sub.html deleted file mode 100644 index 0bc708b358cb30..00000000000000 --- a/x-frame-options/redirect.sub.html +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - diff --git a/x-frame-options/sameorigin.sub.html b/x-frame-options/sameorigin.sub.html index 4d9b2d1224b93e..2749f7a7d9af0b 100644 --- a/x-frame-options/sameorigin.sub.html +++ b/x-frame-options/sameorigin.sub.html @@ -1,139 +1,47 @@ + +X-Frame-Options variations of SAMEORIGIN - + + diff --git a/x-frame-options/support/helper.js b/x-frame-options/support/helper.js deleted file mode 100644 index 2932a0a7fb00f0..00000000000000 --- a/x-frame-options/support/helper.js +++ /dev/null 
@@ -1,13 +0,0 @@
-function assert_no_message_from(frame, test) {
- wait_for_message_from(frame, test)
- .then(test.unreached_func("Frame should not have sent a message."));
-}
-
-function wait_for_message_from(frame, test) {
- return new Promise((resolve, reject) => {
- window.addEventListener("message", test.step_func(e => {
- if (e.source == frame.contentWindow)
- resolve(e);
- }));
- });
-}
diff --git a/x-frame-options/support/helper.sub.js b/x-frame-options/support/helper.sub.js
new file mode 100644
index 00000000000000..7d69c6c24027ba
--- /dev/null
+++ b/x-frame-options/support/helper.sub.js
@@ -0,0 +1,69 @@
+function assert_no_message_from(frame, test) {
+ wait_for_message_from(frame, test)
+ .then(test.unreached_func("Frame should not have sent a message."));
+}
+
+function wait_for_message_from(frame, test) {
+ return new Promise((resolve, reject) => {
+ window.addEventListener("message", test.step_func(e => {
+ if (e.source == frame.contentWindow)
+ resolve(e);
+ }));
+ });
+}
+
+function xfo_simple_tests({ headerValue, headerValue2, cspValue, sameOriginAllowed, crossOriginAllowed }) {
+ const value2QueryString = headerValue2 !== undefined ? `&value2=${headerValue2}` : ``;
+ const cspQueryString = cspValue !== undefined ? `&csp_value=${cspValue}` : ``;
+
+ const valueMessageString = headerValue === "" ? "(the empty string)" : headerValue;
+ const value2MessageString = headerValue2 !== undefined ? `;${headerValue2}` : ``;
+ const cspMessageString = cspValue !== undefined ? ` with CSP ${cspValue}` : ``;
+
+ xfo_test({
+ url: `/x-frame-options/support/xfo.py?value=${headerValue}${value2QueryString}${cspQueryString}`,
+ check: sameOriginAllowed ? "loaded message" : "no message",
+ message: `${valueMessageString}${value2MessageString} ${sameOriginAllowed ? "allows" : "blocks"} same-origin framing${cspMessageString}`
+ });
+
+ xfo_test({
+ url: `http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=${headerValue}${value2QueryString}${cspQueryString}`,
+ check: crossOriginAllowed ? "loaded message" : "no message",
+ message: `${valueMessageString}${value2MessageString} ${crossOriginAllowed ? 
"allows" : "blocks"} cross-origin framing${cspMessageString}` + }); +} + +function xfo_test({ url, check, message }) { + async_test(t => { + const i = document.createElement("iframe"); + i.src = url; + + switch (check) { + case "loaded message": { + wait_for_message_from(i, t).then(t.step_func_done(e => { + assert_equals(e.data, "Loaded"); + })); + break; + } + case "failed message": { + wait_for_message_from(i, t).then(t.step_func_done(e => { + assert_equals(e.data, "Failed"); + })); + break; + } + case "no message": { + assert_no_message_from(i, t); + i.onload = t.step_func_done(() => { + assert_equals(i.contentDocument, null); + }); + break; + } + default: { + throw new Error("Bad test"); + } + } + + document.body.append(i); + t.add_cleanup(() => i.remove()); + }, message); +} From df979705d5dd2e1c94c762e8d83101b2bc762a90 Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Wed, 5 Aug 2020 13:07:23 -0400 Subject: [PATCH 06/15] Incorporate everything from https://github.com/web-platform-tests/wpt/pull/21730 --- x-frame-options/commas.html | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/x-frame-options/commas.html b/x-frame-options/commas.html index 382afb3851bbc0..e34ca1e283ea86 100644 --- a/x-frame-options/commas.html +++ b/x-frame-options/commas.html @@ -15,6 +15,30 @@ crossOriginAllowed: false }); +xfo_simple_tests({ + headerValue: `DENY,SAMEORIGIN`, + sameOriginAllowed: false, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `SAMEORIGIN,SAMEORIGIN`, + sameOriginAllowed: true, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `SAMEORIGIN,INVALID`, + sameOriginAllowed: true, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `INVALID,SAMEORIGIN`, + sameOriginAllowed: true, + crossOriginAllowed: false +}); + xfo_simple_tests({ headerValue: `,SAMEORIGIN,,DENY,`, sameOriginAllowed: false, From a89394a5ebad88192c2261a1a0470d3c10ce6dc0 Mon Sep 17 00:00:00 2001 
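Review bot: `xfo_simple_tests` interpolates `headerValue` and `headerValue2` straight into the query string (`?value=${headerValue}` and `&value2=${headerValue2}`), so a header value containing `&` would be split into a second parameter by xfo.py and one containing `#` would be dropped as a fragment before the request is sent; building those two pieces with `encodeURIComponent(headerValue)` / `encodeURIComponent(headerValue2)` makes the test values round-trip exactly. Leave `cspValue` as is unless its callers are audited, since the pre-existing tests already pass it percent-encoded (`csp_value=default-src%20'self'` in deny.sub.html) and encoding it again would double-encode. The same interpolation is carried into the later `simpleXFOTestsInner` refactor of this file, so the fix applies there too. Separately, `wait_for_message_from` compares `e.source == frame.contentWindow` with loose equality and leaves the `reject` parameter unused; `===` and dropping `reject` would match the rest of the file's strictness.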
From: Domenic Denicola Date: Wed, 5 Aug 2020 13:19:46 -0400 Subject: [PATCH 07/15] Delete extra file --- .../object-network-error.sub.html | 54 ------------------- 1 file changed, 54 deletions(-) delete mode 100644 html/semantics/embedded-content/the-object-element/object-network-error.sub.html diff --git a/html/semantics/embedded-content/the-object-element/object-network-error.sub.html b/html/semantics/embedded-content/the-object-element/object-network-error.sub.html deleted file mode 100644 index 4b80701bc1cc26..00000000000000 --- a/html/semantics/embedded-content/the-object-element/object-network-error.sub.html +++ /dev/null @@ -1,54 +0,0 @@ - - -Network errors with object elements - - - - - From ebd0f0c68f3258c11b95c0afaa3c1f356d6999ae Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Wed, 5 Aug 2020 13:27:42 -0400 Subject: [PATCH 08/15] Test ALLOWALL for good measure --- x-frame-options/commas.html | 12 ++++++++++++ x-frame-options/multiple.html | 14 ++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/x-frame-options/commas.html b/x-frame-options/commas.html index e34ca1e283ea86..7ecabd3b23a028 100644 --- a/x-frame-options/commas.html +++ b/x-frame-options/commas.html @@ -39,6 +39,18 @@ crossOriginAllowed: false }); +xfo_simple_tests({ + headerValue: `SAMEORIGIN,ALLOWALL`, + sameOriginAllowed: true, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `ALLOWALL,SAMEORIGIN`, + sameOriginAllowed: true, + crossOriginAllowed: false +}); + xfo_simple_tests({ headerValue: `,SAMEORIGIN,,DENY,`, sameOriginAllowed: false, diff --git a/x-frame-options/multiple.html b/x-frame-options/multiple.html index 2acf7862a396e8..f5755548129f0e 100644 --- a/x-frame-options/multiple.html +++ b/x-frame-options/multiple.html 
@@ -43,4 +43,18 @@ sameOriginAllowed: true, crossOriginAllowed: false }); + +xfo_simple_tests({ + headerValue: `ALLOWALL`, + headerValue2: `SAMEORIGIN`, + sameOriginAllowed: true, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `SAMEORIGIN`, + headerValue2: `ALLOWALL`, + sameOriginAllowed: true, + crossOriginAllowed: false +}); From 0d9ee15895ac7a1e2ff82b19b03cef5f55e97c79 Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Wed, 5 Aug 2020 13:30:29 -0400 Subject: [PATCH 09/15] Test INVALID + DENY --- x-frame-options/commas.html | 12 ++++++++++++ x-frame-options/multiple.html | 14 ++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/x-frame-options/commas.html b/x-frame-options/commas.html index 7ecabd3b23a028..7e08b88e3c039d 100644 --- a/x-frame-options/commas.html +++ b/x-frame-options/commas.html @@ -39,6 +39,18 @@ crossOriginAllowed: false }); +xfo_simple_tests({ + headerValue: `DENY,INVALID`, + sameOriginAllowed: false, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `INVALID,DENY`, + sameOriginAllowed: false, + crossOriginAllowed: false +}); + xfo_simple_tests({ headerValue: `SAMEORIGIN,ALLOWALL`, sameOriginAllowed: true, diff --git a/x-frame-options/multiple.html b/x-frame-options/multiple.html index f5755548129f0e..1fcfde79809049 100644 --- a/x-frame-options/multiple.html +++ b/x-frame-options/multiple.html @@ -44,6 +44,20 @@ crossOriginAllowed: false }); +xfo_simple_tests({ + headerValue: `INVALID`, + headerValue2: `DENY`, + sameOriginAllowed: false, + crossOriginAllowed: false +}); + +xfo_simple_tests({ + headerValue: `DENY`, + headerValue2: `INVALID`, + sameOriginAllowed: false, + crossOriginAllowed: false +}); + xfo_simple_tests({ headerValue: `ALLOWALL`, headerValue2: `SAMEORIGIN`, From ee94a9bc1e31ace75956cf507a8ef4f15da75c7a Mon Sep 17 00:00:00 2001 
From: Domenic Denicola Date: Wed, 5 Aug 2020 13:37:53 -0400 Subject: [PATCH 10/15] Whitespace --- x-frame-options/redirect.html | 1 - 1 file changed, 1 deletion(-) diff --git a/x-frame-options/redirect.html b/x-frame-options/redirect.html index 5fb863a278f5ae..65fd0d5dd1434d 100644 --- a/x-frame-options/redirect.html +++ b/x-frame-options/redirect.html @@ -9,7 +9,6 @@ - - - - - diff --git a/x-frame-options/get-decode-split.html b/x-frame-options/get-decode-split.html new file mode 100644 index 00000000000000..9f5101d610eb28 --- /dev/null +++ b/x-frame-options/get-decode-split.html @@ -0,0 +1,23 @@ + + +X-Frame-Options headers use the get, decode, and split algorithm + + + + + + diff --git a/x-frame-options/invalid.html b/x-frame-options/invalid.html index 37b849a7dddba4..26b2905e4d44c2 100644 --- a/x-frame-options/invalid.html +++ b/x-frame-options/invalid.html @@ -45,6 +45,12 @@ crossOriginAllowed: true }); +xfo_simple_tests({ + headerValue: `"SAMEORIGIN,DENY"`, + sameOriginAllowed: true, + crossOriginAllowed: true +}); + xfo_simple_tests({ headerValue: ``, sameOriginAllowed: true, diff --git a/x-frame-options/multiple.html b/x-frame-options/multiple.html index 1fcfde79809049..babe09323cb8e1 100644 --- a/x-frame-options/multiple.html +++ b/x-frame-options/multiple.html @@ -24,9 +24,9 @@ }); xfo_simple_tests({ - headerValue: `DENY`, - headerValue2: `SAMEORIGIN`, - sameOriginAllowed: false, + headerValue: `SAMEORIGIN`, + headerValue2: `"DENY"`, // same as INVALID + sameOriginAllowed: true, crossOriginAllowed: false }); @@ -37,13 +37,6 @@ crossOriginAllowed: false }); -xfo_simple_tests({ - headerValue: `SAMEORIGIN`, - headerValue2: `INVALID`, - sameOriginAllowed: true, - crossOriginAllowed: false -}); - xfo_simple_tests({ headerValue: `INVALID`, headerValue2: `DENY`, 
@@ -51,24 +44,10 @@ crossOriginAllowed: false }); -xfo_simple_tests({ - headerValue: `DENY`, - headerValue2: `INVALID`, - sameOriginAllowed: false, - crossOriginAllowed: false -}); - xfo_simple_tests({ headerValue: `ALLOWALL`, headerValue2: `SAMEORIGIN`, sameOriginAllowed: true, crossOriginAllowed: false }); - -xfo_simple_tests({ - headerValue: `SAMEORIGIN`, - headerValue2: `ALLOWALL`, - sameOriginAllowed: true, - crossOriginAllowed: false -}); diff --git a/x-frame-options/support/helper.sub.js b/x-frame-options/support/helper.sub.js index 5b9fde05633a8d..1fb1b5420b1372 100644 --- a/x-frame-options/support/helper.sub.js +++ b/x-frame-options/support/helper.sub.js 
@@ -1,22 +1,61 @@ function xfo_simple_tests({ headerValue, headerValue2, cspValue, sameOriginAllowed, crossOriginAllowed }) { + simpleXFOTestsInner({ + urlPrefix: "", + allowed: sameOriginAllowed, + headerValue, + headerValue2, + cspValue, + sameOrCross: "same-origin" + }); + + simpleXFOTestsInner({ + urlPrefix: "http://{{domains[www]}}:{{ports[http][0]}}", + allowed: crossOriginAllowed, + headerValue, + headerValue2, + cspValue, + sameOrCross: "cross-origin" + }); +} + +function simpleXFOTestsInner({ urlPrefix, allowed, headerValue, headerValue2, cspValue, sameOrCross }) { const value2QueryString = headerValue2 !== undefined ? `&value2=${headerValue2}` : ``; const cspQueryString = cspValue !== undefined ? `&csp_value=${cspValue}` : ``; const valueMessageString = headerValue === "" ? "(the empty string)" : headerValue; - const value2MessageString = headerValue2 !== undefined ? `;${headerValue2}` : ``; + const value2MessageString = headerValue2 === "" ? "(the empty string)" : headerValue2; + const value2MaybeMessageString = headerValue2 !== undefined ? `;${headerValue2}` : ``; const cspMessageString = cspValue !== undefined ? ` with CSP ${cspValue}` : ``; + // This will test the multi-header variant, if headerValue2 is not undefined. xfo_test({ - url: `/x-frame-options/support/xfo.py?value=${headerValue}${value2QueryString}${cspQueryString}`, - check: sameOriginAllowed ? "loaded message" : "no message", - message: `${valueMessageString}${value2MessageString} ${sameOriginAllowed ? "allows" : "blocks"} same-origin framing${cspMessageString}` + url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue}${value2QueryString}${cspQueryString}`, + check: allowed ? "loaded message" : "no message", + message: `${valueMessageString}${value2MaybeMessageString} ${allowed ? 
"allows" : "blocks"} ${sameOrCross} framing${cspMessageString}` }); - xfo_test({ - url: `http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=${headerValue}${value2QueryString}${cspQueryString}`, - check: crossOriginAllowed ? "loaded message" : "no message", - message: `${valueMessageString}${value2MessageString} ${crossOriginAllowed ? "allows" : "blocks"} cross-origin framing${cspMessageString}` - }); + if (headerValue2 !== undefined && headerValue2 !== headerValue) { + // Reversed variant + xfo_test({ + url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue2}&value2=${headerValue}${cspQueryString}`, + check: allowed ? "loaded message" : "no message", + message: `${value2MessageString};${valueMessageString} ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}` + }); + + // Comma variant + xfo_test({ + url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue},${headerValue2}${cspQueryString}`, + check: allowed ? "loaded message" : "no message", + message: `${valueMessageString},${value2MessageString} ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}` + }); + + // Comma + reversed variant + xfo_test({ + url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue2},${headerValue}${cspQueryString}`, + check: allowed ? "loaded message" : "no message", + message: `${value2MessageString},${valueMessageString} ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}` + }); + } } function xfo_test({ url, check, message }) { From e5fb76ef8239c087d65d27c7c7ca8a1f071403af Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Thu, 6 Aug 2020 10:07:05 -0400 Subject: [PATCH 13/15] Add embed/object TODO --- x-frame-options/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/x-frame-options/README.md b/x-frame-options/README.md index 9e8e257fe9cf48..2fad3599d5cf2b 100644 --- a/x-frame-options/README.md +++ b/x-frame-options/README.md 
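Review bot: The new helper is named `simpleXFOTestsInner` while every other function in this file (`xfo_simple_tests`, `xfo_test`, `wait_for_message_from`) is snake_case; `xfo_simple_tests_inner` would match. The guard `if (headerValue2 !== undefined && headerValue2 !== headerValue)` also deserves a why-comment: for equal values the reversed variant's name (`${value2MessageString};${valueMessageString}`) would be identical to the base test's name and testharness rejects duplicate names, which is presumably why `SAMEORIGIN,SAMEORIGIN` stays listed explicitly in commas.html — e.g. `// Equal values are skipped: the reversed variant would duplicate the base test's name.`. The hunk's last context line opens `xfo_test`, whose body is outside this hunk.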
@@ -1 +1,3 @@ This directory contains tests for [`X-Frame-Options`](https://html.spec.whatwg.org/#the-x-frame-options-header). + +Currently it only tests `