diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
| commit | 36d22d82aa202bb199967e9512281e9a53db42c9 (patch) | |
| tree | 105e8c98ddea1c1e4784a60a5a6410fa416be2de /testing/web-platform/tests/content-security-policy/inheritance/blob-url-inherits-from-initiator.sub.html | |
| parent | Initial commit. (diff) | |
| download | firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.tar.xz firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.zip | |
Adding upstream version 115.7.0esr.upstream/115.7.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/content-security-policy/inheritance/blob-url-inherits-from-initiator.sub.html')
| -rw-r--r-- | testing/web-platform/tests/content-security-policy/inheritance/blob-url-inherits-from-initiator.sub.html | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/blob-url-inherits-from-initiator.sub.html b/testing/web-platform/tests/content-security-policy/inheritance/blob-url-inherits-from-initiator.sub.html new file mode 100644 index 0000000000..72d59325d1 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/inheritance/blob-url-inherits-from-initiator.sub.html @@ -0,0 +1,43 @@ +<!DOCTYPE html> +<meta charset="utf-8"> +<title>Blob URL inherits CSP from initiator.</title> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script> + let testCases = [ + { + initiator_origin: window.origin, + name: "Initiator is same-origin with target frame.", + }, + { + initiator_origin: "http://{{hosts[alt][]}}:{{ports[http][0]}}", + name: "Initiator is cross-origin with target frame.", + }, + ]; + + testCases.forEach(test => { + async_test(t => { + // Create a popup. At the beginning, the popup has no CSPs. + let target = window.open(); + t.add_cleanup(() => target.close()); + + // Create a child frame in the popup. The child frame has + // Content-Security-Policy: script-src 'unsafe-inline'. The child frame + // will navigate the popup to a blob URL, which will try if eval is + // allowed and message back. + let initiator = target.document.createElement('iframe'); + initiator.sandbox = "allow-scripts allow-same-origin allow-top-navigation"; + initiator.src = test.initiator_origin + + "/content-security-policy/inheritance/support/navigate-parent-to-blob.html"; + + window.addEventListener("message", t.step_func(e => { + if (e.source !== target) return; + assert_equals(e.data, "eval blocked", + "Eval should be blocked by CSP in blob URL."); + t.done(); + })); + + target.document.body.appendChild(initiator); + }, test.name); + }); +</script> |