summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/content-security-policy/inheritance/location-reload.html
diff options
context:
space:
mode:
Diffstat (limited to 'testing/web-platform/tests/content-security-policy/inheritance/location-reload.html')
-rw-r--r--testing/web-platform/tests/content-security-policy/inheritance/location-reload.html120
1 files changed, 120 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/location-reload.html b/testing/web-platform/tests/content-security-policy/inheritance/location-reload.html
new file mode 100644
index 0000000000..5d68e381bc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/location-reload.html
@@ -0,0 +1,120 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+<body>
+<script>
+ let message_from = (w, starts_with) => {
+ return new Promise(resolve => {
+ window.addEventListener('message', msg => {
+ if (msg.source == w) {
+ if (!starts_with || msg.data.startsWith(starts_with))
+ resolve(msg.data);
+ }
+ });
+ });
+ };
+
+ const img_url = window.origin + "/content-security-policy/support/fail.png";
+ const img_tag_string = `
+ <img src="${img_url}"
+ onload="top.postMessage('img loaded', '*');"
+ onerror="top.postMessage('img blocked', '*');"
+ >
+ `;
+
+ const html_test_payload = `
+ <!doctype html>
+ <div>${img_tag_string}</div>
+ `;
+ let blob_url = URL.createObjectURL(
+ new Blob([html_test_payload], { type: 'text/html' }));
+
+ let write_img_to_iframe = (iframe) => {
+ let div = iframe.contentDocument.createElement('div');
+ div.innerHTML = img_tag_string;
+ iframe.contentDocument.body.appendChild(div);
+ };
+
+
+ // Test location.reload() for "about:blank".
+ promise_test(async t => {
+ // Create an empty iframe.
+ window.iframe = document.createElement('iframe');
+ document.body.appendChild(iframe);
+
+ // Add an img.
+ let message = message_from(iframe.contentWindow);
+ write_img_to_iframe(iframe);
+
+ // Check that the empty document inherits CSP from the initiator.
+ assert_equals(await message, "img blocked",
+ "Image should be blocked by CSP inherited from the parent.");
+
+ // Now perform a reload.
+ let message_2 = message_from(iframe.contentWindow);
+ let loaded = new Promise(resolve => iframe.onload = resolve);
+ iframe.contentWindow.location.reload();
+ await loaded;
+
+ // Add an img.
+ write_img_to_iframe(iframe);
+
+ // Check that the empty document still has the right CSP after reload.
+ assert_equals(await message_2, "img blocked",
+ "Image should be blocked by CSP after reload.");
+ }, "location.reload() of empty iframe.");
+
+
+ // Test location.reload() for a blob URL.
+ promise_test(async t => {
+ // Create an iframe.
+ window.iframe = document.createElement('iframe');
+ document.body.appendChild(iframe);
+
+ // Navigate to the blob URL.
+ let message = message_from(iframe.contentWindow);
+ iframe.contentWindow.location = blob_url;
+
+ // Check that the blob URL inherits CSP from the initiator.
+ assert_equals(await message, "img blocked",
+ "Image should be blocked by CSP inherited from navigation initiator.");
+
+ // Now perform a reload.
+ let message_2 = message_from(iframe.contentWindow);
+ let loaded = new Promise(resolve => iframe.onload = resolve);
+ iframe.contentWindow.location.reload();
+ await loaded;
+
+ // Check that the blob URL document still has the right CSP after reload.
+ assert_equals(await message_2, "img blocked",
+ "Image should be blocked by CSP after reload.");
+ }, "location.reload() of blob URL iframe.");
+
+
+ // Test location.reload() for a srcdoc iframe.
+ promise_test(async t => {
+ // Create a srcdoc iframe.
+ window.iframe = document.createElement('iframe');
+ document.body.appendChild(iframe);
+
+ let message = message_from(iframe.contentWindow);
+ iframe.srcdoc = `${html_test_payload}`;
+
+ // Check that the srcdoc iframe inherits from the parent.
+ assert_equals(await message, "img blocked",
+ "Image should be blocked by CSP inherited from navigation initiator.");
+
+ // Now perform a reload.
+ let message_2 = message_from(iframe.contentWindow);
+ let loaded = new Promise(resolve => iframe.onload = resolve);
+ iframe.contentWindow.location.reload();
+ await loaded;
+
+ // Check that the srcdoc iframe still has the right CSP after reload.
+ assert_equals(await message_2, "img blocked",
+ "Image should be blocked by CSP after reload.");
+ }, "location.reload() of srcdoc iframe.");
+</script>
+</body>