Test some more edge cases for X-Frame-Options

html/README.md

@@ -17,3 +17,4 @@ For historical reasons, parts of HTML have their own directories:
 * [/websockets](/websockets)
 * [/webstorage](/webstorage)
 * [/workers](/workers)
+* [/x-frame-options](/x-frame-options)

x-frame-options/META.yml

@@ -1,4 +1,5 @@
-spec: https://tools.ietf.org/html/rfc7034
+spec: https://html.spec.whatwg.org/#the-x-frame-options-header
 suggested_reviewers:
   - annevk
   - mikewest
+  - domenic

x-frame-options/README.md

@@ -1,2 +1,3 @@
-This directory contains tests for
-[HTTP Header Field X-Frame-Options](https://tools.ietf.org/html/rfc7034).
+This directory contains tests for [`X-Frame-Options`](https://html.spec.whatwg.org/#the-x-frame-options-header).
+
+Currently it only tests `<iframe>`. It would be nice to test `<embed>` and `<object>` as well.

x-frame-options/deny.html

@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>X-Frame-Options variations of DENY</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="./support/helper.sub.js"></script>
+
+<body>
+<script>
+"use strict";
+
+xfo_simple_tests({
+  headerValue: `DENY`,
+  sameOriginAllowed: false,
+  crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+  headerValue: `denY`,
+  sameOriginAllowed: false,
+  crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+  headerValue: `  DENY `,
+  sameOriginAllowed: false,
+  crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+  headerValue: `DENY`,
+  cspValue: `default-src 'self'`,
+  sameOriginAllowed: false,
+  crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+  headerValue: `DENY`,
+  cspValue: `frame-ancestors 'self'`,
+  sameOriginAllowed: true,
+  crossOriginAllowed: false
+});
+</script>

x-frame-options/get-decode-split.html

@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>X-Frame-Options headers use the get, decode, and split algorithm</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/helper.sub.js"></script>
+
+<body>
+<script>
+"use strict";
+
+xfo_simple_tests({
+  headerValue: `,SAMEORIGIN,,DENY,`,
+  sameOriginAllowed: false,
+  crossOriginAllowed: false
+});
+
+xfo_simple_tests({
+  headerValue: `  SAMEORIGIN,    DENY`,
+  sameOriginAllowed: false,
+  crossOriginAllowed: false
+});
+</script>

x-frame-options/invalid.html

@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>X-Frame-Options invalid values</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="./support/helper.sub.js"></script>
+
+<body>
+<script>
+"use strict";
+
+xfo_simple_tests({
+  headerValue: `INVALID`,
+  sameOriginAllowed: true,
+  crossOriginAllowed: true
+});
+
+xfo_simple_tests({
+  headerValue: `ALLOW-FROM https://example.com/`,
+  sameOriginAllowed: true,
+  crossOriginAllowed: true
+});
+
+xfo_simple_tests({
+  headerValue: `ALLOW-FROM=https://example.com/`,
+  sameOriginAllowed: true,
+  crossOriginAllowed: true
+});
+
+xfo_simple_tests({
+  headerValue: `ALLOWALL`,
+  sameOriginAllowed: true,
+  crossOriginAllowed: true
+});
+
+xfo_simple_tests({
+  headerValue: `"DENY"`,
+  sameOriginAllowed: true,
+  crossOriginAllowed: true
+});
+
+xfo_simple_tests({
+  headerValue: `"SAMEORIGIN"`,
+  sameOriginAllowed: true,
+  crossOriginAllowed: true
+});
+
+xfo_simple_tests({
+  headerValue: `"SAMEORIGIN,DENY"`,
+  sameOriginAllowed: true,
+  crossOriginAllowed: true
+});
+
+xfo_simple_tests({
+  headerValue: ``,
+  sameOriginAllowed: true,
+  crossOriginAllowed: true
+});
+</script>