path: root/testing/web-platform/tests/fetch/api/cors/data-url-iframe.html
<!DOCTYPE html>
<html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<body></body>
<script>

/**
 * Builds (but does not attach) an iframe whose document is a data: URL.
 * The framed script fetches `url` once and posts `{allowed: boolean}` to its
 * parent: true when fetch() resolved, false when it threw.
 *
 * @param {string} url - Resource to fetch; resolved against this page's URL.
 * @param {string} cors - 'null-origin' appends a `?pipe=header(...)` query
 *     requesting an `Access-Control-Allow-Origin: null` response header
 *     (presumably handled by the WPT server's pipe feature); any other value
 *     leaves the URL untouched.
 * @returns {HTMLIFrameElement} The configured, still detached iframe.
 */
const createDataUrlIframe = (url, cors) => {
  const frame = document.createElement("iframe");

  // Resolve here, in the test page: a relative path has no usable base inside
  // the data: URL document.
  let target = String(new URL(url, location.href));
  if (cors === 'null-origin') {
    target += '?pipe=header(Access-Control-Allow-Origin, null)';
  }

  // The tag name is spliced in through a variable so that the closing script
  // tag never appears literally in this inline script block, where the HTML
  // parser would take it as the end of the block.
  const tagName = 'script';

  // NOTE(review): `target` is pasted unescaped into a single-quoted string of
  // the generated script, so this helper is only safe for fixed, trusted URLs
  // such as the literals used in this file.
  // The frame posts with target origin '*'; the payload is a single boolean.
  const pieces = [
    `data:text/html, <${tagName}>`,
    `async function test() {`,
    `  let allowed = true;`,
    `  try {`,
    `    await fetch('${target}');`,
    `  } catch (e) {`,
    `    allowed = false;`,
    `  }`,
    `  parent.postMessage({allowed}, '*');`,
    `}`,
    `test(); </${tagName}>`,
  ];
  frame.src = pieces.join('');
  return frame;
};

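/**
 * Registers one promise_test that loads a data: URL iframe, lets it fetch
 * `url`, and compares the reported outcome with `expectation`.
 *
 * @param {string} url - Resource the framed document fetches.
 * @param {string} cors - CORS mode passed through to createDataUrlIframe.
 * @param {string} expectation - 'allowed' or 'rejected'.
 * @param {string} description - Test name shown by the harness.
 */
const fetch_from_data_url_iframe_test =
    (url, cors, expectation, description) => {
  promise_test(async t => {
    const iframe = createDataUrlIframe(url, cors);
    const msgEvent = await new Promise(resolve => {
      const onMessage = event => {
        // Only trust the verdict of the frame this test created. Any window
        // holding a reference to this page can post to it, and frames from
        // earlier tests would otherwise be able to answer for this one.
        if (event.source !== iframe.contentWindow) {
          return;
        }
        window.removeEventListener('message', onMessage);
        resolve(event);
      };
      // Listen before the frame is attached, and use addEventListener so no
      // other `onmessage` handler on the window is overwritten.
      window.addEventListener('message', onMessage);
      // Drop the listener and the frame even when the assertion fails, so
      // nothing from this test lingers into the next one.
      t.add_cleanup(() => {
        window.removeEventListener('message', onMessage);
        iframe.remove();
      });
      document.body.appendChild(iframe);
    });
    assert_equals(msgEvent.data.allowed ? 'allowed' : 'rejected', expectation);
  }, description);
};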

// Test matrix, one row per case: [url, cors mode, expected outcome, name].
// The first two rows fetch the same resource and differ only in whether the
// response carries `Access-Control-Allow-Origin: null`; the last row fetches
// a data: URL directly.
const dataUrlIframeCases = [
  [
    '../resources/top.txt',
    'acao-omitted',
    'rejected',
    'fetching "top.txt" without ACAO should be rejected.',
  ],
  [
    '../resources/top.txt',
    'null-origin',
    'allowed',
    'fetching "top.txt" with CORS allowing null origin should be allowed.',
  ],
  [
    'data:text/plain, top',
    'acao-omitted',
    'allowed',
    'fetching data url script should be allowed.',
  ],
];

// Register the cases in the order listed.
for (const testCase of dataUrlIframeCases) {
  fetch_from_data_url_iframe_test(...testCase);
}

</script>