49 lines
1.7 KiB
HTML
49 lines
1.7 KiB
HTML
<!DOCTYPE html>
|
|
<html>
|
|
|
|
<head>
|
|
<title>frame-src-self-unique-origin</title>
|
|
<script src="/resources/testharness.js"></script>
|
|
<script src="/resources/testharnessreport.js"></script>
|
|
</head>
|
|
|
|
<body>
|
|
<p>
|
|
The origin of an URL is called "unique" when it is considered to be
|
|
different from every origin, including itself. The origin of a
|
|
data-url is unique. When the current origin is unique, the CSP source
|
|
'self' must not match any URL.
|
|
</p>
|
|
<script>
|
|
var iframe = document.createElement("iframe");
|
|
iframe.src = encodeURI(`data:text/html,
|
|
<script>
|
|
/* Add the CSP: frame-src: 'self'. */
|
|
var meta = document.createElement('meta');
|
|
meta.httpEquiv = 'Content-Security-Policy';
|
|
meta.content = "frame-src 'self'";
|
|
document.getElementsByTagName('head')[0].appendChild(meta);
|
|
|
|
/* Notify the parent the iframe has been blocked. */
|
|
window.addEventListener('securitypolicyviolation', e => {
|
|
if (e.originalPolicy == "frame-src 'self'")
|
|
window.parent.postMessage('Test PASS', '*');
|
|
});
|
|
</scr`+`ipt>
|
|
|
|
This iframe should be blocked by CSP:
|
|
<iframe src='data:text/html,blocked_iframe'></iframe>
|
|
`);
|
|
if (window.async_test) {
|
|
async_test(t => {
|
|
window.addEventListener("message", e => {
|
|
if (e.data == "Test PASS")
|
|
t.done();
|
|
});
|
|
}, "Iframe's url must not match with 'self'. It must be blocked.");
|
|
}
|
|
document.body.appendChild(iframe);
|
|
</script>
|
|
</body>
|
|
|
|
</html>
|