48 lines
1.9 KiB
HTML
48 lines
1.9 KiB
HTML
<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
<!-- Only allow same-origin frames, and frames from https://{{hosts[][www1]}}:{{ports[https][0]}} -->
|
|
<meta http-equiv="Content-Security-Policy" content="frame-src 'self' https://{{hosts[][www1]}}:{{ports[https][0]}};">
|
|
<title>frame-src-cross-origin-load</title>
|
|
<script src="/resources/testharness.js"></script>
|
|
<script src="/resources/testharnessreport.js"></script>
|
|
</head>
|
|
<body>
|
|
<p>
|
|
IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked
|
|
state. This means they appear to be normal cross-origin loads, thereby not leaking URL
|
|
information directly to JS.
|
|
</p>
|
|
<script>
|
|
promise_test(async t => {
|
|
return new Promise((resolve, reject) => {
|
|
let f = document.createElement('iframe');
|
|
f.src = "../support/postmessage-pass.html";
|
|
f.onload = resolve;
|
|
f.onerror = reject;
|
|
document.body.appendChild(f);
|
|
}, "Same-origin allowed frame fires a `load` event.");
|
|
});
|
|
|
|
promise_test(async t => {
|
|
return new Promise((resolve, reject) => {
|
|
let f = document.createElement('iframe');
|
|
f.src = "https://{{hosts[][www1]}}:{{ports[https][0]}}/content-security-policy/support/postmessage-pass.html";
|
|
f.onload = resolve;
|
|
f.onerror = reject;
|
|
document.body.appendChild(f);
|
|
}, "Cross-origin allowed frame fires a `load` event.");
|
|
});
|
|
|
|
promise_test(async t => {
|
|
return new Promise((resolve, reject) => {
|
|
let f = document.createElement('iframe');
|
|
f.src = "https://{{hosts[alt][]}}:{{ports[https][0]}}/content-security-policy/support/postmessage-fail.html";
|
|
f.onload = resolve;
|
|
f.onerror = reject;
|
|
document.body.appendChild(f);
|
|
}, "Cross-origin blocked frame fires a `load` event.");
|
|
});
|
|
</script>
|
|
</body>
|
|
</html>
|