summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/content-security-policy/inheritance/document-write-iframe.html
blob: d6ad88ddc93df40894ee27d9a141219d9f1725e8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
<!DOCTYPE html>
<head>
  <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <title>document.open() does not change Content Security Policies</title>
</head>
<body>
  <script>
    let message_from = (w) => {
      return new Promise(resolve => {
        let listener = msg => {
          if (msg.source != w)
            return;
          window.removeEventListener('message', listener);
          resolve(msg.data);
        };
        window.addEventListener('message', listener);
      });
    };

    var documentBody = function(should_load) {
      let image = should_load ? "pass.png" : "fail.png";
      return `
      <script>
        function loaded() {
          window.top.postMessage("loaded", '*');
        };
        window.addEventListener('securitypolicyviolation', function(e) {
          window.top.postMessage("blocked", '*');
        });
      </scr`+`ipt>
      <img src='/content-security-policy/support/${image}' onload='loaded()'>`;
    };

    promise_test(async () => {
      let iframe = document.createElement('iframe');
      document.body.appendChild(iframe);

      let msg = message_from(iframe.contentWindow);
      let doc = iframe.contentWindow.document;
      doc.open();
      doc.write("<html><body>" + documentBody(false) + "</body></html>");
      doc.close();
      assert_equals(await msg, "blocked");
    }, "document.open() keeps inherited CSPs on empty iframe.");

    promise_test(async () => {
      let iframe = document.createElement('iframe');
      let loaded = new Promise(resolve => iframe.onload = resolve);
      iframe.src = "/common/blank.html";
      document.body.appendChild(iframe);
      await loaded;

      let msg = message_from(iframe.contentWindow);
      let doc = iframe.contentWindow.document;
      doc.open();
      doc.write("<html><body>" + documentBody(true) + "</body></html>");
      doc.close();
      assert_equals(await msg, "loaded");
    }, "document.open() does not change delivered CSPs.");

  </script>
</body>
</html>