1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
|
<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="base-uri {{location[scheme]}}://{{domains[]}}:{{ports[http][0]}}/base/">
<title>base-uri works correctly inside a sandboxed iframe.</title>
<script src='/resources/testharness.js'></script>
<script src='/resources/testharnessreport.js'></script>
</head>
<body>
<h1>base-uri works correctly inside a sandboxed iframe.</h1>
<div id='log'></div>
<script>
window.addEventListener('securitypolicyviolation', function(e) {
assert_unreached('No CSP violation report should have been fired.');
});
async_test(function(t) {
var i = document.createElement('iframe');
i.sandbox = 'allow-scripts';
i.style.display = 'none';
i.srcdoc = `
<script>
window.addEventListener('securitypolicyviolation', function() {
top.postMessage('FAIL', '*');
});
</sc` + `ript>
<base href="{{location[scheme]}}://{{domains[]}}:{{ports[http][0]}}/base/">
<script>
top.postMessage(document.baseURI, '*');
</sc` + `ript>`;
window.addEventListener('message', t.step_func(function(e) {
if (e.source === i.contentWindow) {
assert_equals(e.data, location.origin + '/base/');
t.done();
}
}));
document.body.appendChild(i);
}, 'base-uri \'self\' works with same-origin sandboxed iframes.');
async_test(function(t) {
var i = document.createElement('iframe');
i.sandbox = 'allow-scripts';
i.style.display = 'none';
i.srcdoc = `
<script>
window.addEventListener('securitypolicyviolation',
function(violation) {
if (violation.blockedURI !== '{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/base/' || violation.effectiveDirective !== 'base-uri') {
top.postMessage('FAIL');
return;
}
top.postMessage(document.baseURI, '*');
});
</sc` + `ript>
<base href="{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/base/">
<script>
top.postMessage(document.baseURI, '*');
</sc` + `ript>`;
window.addEventListener('message', t.step_func(function(e) {
if (e.source === i.contentWindow) {
assert_equals(e.data, location.href);
t.done();
}
}));
document.body.appendChild(i);
}, 'base-uri \'self\' blocks foreign-origin sandboxed iframes.');
</script>
</body>
</html>
|