blob: caf2a5de41c3ed1260aa49edce8a59fdf606ae36 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
</head>
<body>
<!-- iframe loading the blob url with null origin -->
<iframe id="blobFrame"></iframe>
<script>
// If the alert box is blocked correctly by the CSP then postMessage will
// send the message and test passes.
var alertScriptText = "data:text/html,<script>location=URL.createObjectURL(" +
"new Blob(['<script>alert(document.URL);parent.parent.postMessage(" +
"{\"test\": \"block_alert_test\", \"msg\": \"alert blocked by" +
" CSP\"}, \"*\");<\\/script>'], {type:\"text/html\"}));<\/script>";
document.getElementById("blobFrame").src=alertScriptText;
try {
var w = window.open("http://www.example.com","newwindow");
parent.postMessage({"test": "block_window_open_test",
"msg": "new window not blocked by CSP"},"*");
} catch(err) {
parent.postMessage({"test": "block_window_open_test",
"msg": "window blocked by CSP"},"*");
}
</script>
</body>
</html>
|