Diffstat (limited to 'testing/web-platform/tests/content-security-policy/inheritance/window-open-local-after-network-scheme.sub.html')
-rw-r--r-- | testing/web-platform/tests/content-security-policy/inheritance/window-open-local-after-network-scheme.sub.html | 83 |
1 files changed, 83 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/window-open-local-after-network-scheme.sub.html b/testing/web-platform/tests/content-security-policy/inheritance/window-open-local-after-network-scheme.sub.html
new file mode 100644
index 0000000000..0cdc03ce92
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inheritance/window-open-local-after-network-scheme.sub.html
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+<title>about:blank in popup inherits CSPs from the navigation initiator</title>
+<body>
+
+<script>
+ const message_from = (source_token, w) => {
+ return new Promise(resolve => {
+ window.addEventListener('message', msg => {
+ if (msg.data.token === source_token)
+ resolve(msg.data.msg);
+ });
+ });
+ };
+
+ const testCases = [
+ {
+ previous_origin: window.origin,
+ name: "Popup being navigated to about:blank was same-origin.",
+ },
+ {
+ previous_origin: "http://{{hosts[alt][]}}:{{ports[http][0]}}",
+ name: "Popup being navigated to about:blank was cross-origin.",
+ },
+ ];
+
+ testCases.forEach(testCase => {
+ promise_test(async t => {
+ // Create a popup and navigate it.
+ const popup_token = token();
+ // const popup = window.open("about:blank", testCase.name);
+ const loaded = message_from(popup_token);
+ const popup = window.open(
+ testCase.previous_origin +
+ "/content-security-policy/inheritance/support" +
+ `/postmessage-opener.html?token=${popup_token}`,
+ testCase.name);
+ t.add_cleanup(() => popup.close());
+
+ assert_equals(await loaded, "ready");
+
+ // Navigate the popup to "about:blank".
+ window.open("about:blank", testCase.name);
+ await t.step_wait(
+ condition = () => {
+ try {
+ return popup.location.href == "about:blank";
+ } catch {}
+ return false;
+ },
+ description = "Wait for the popup to navigate.",
+ timeout=3000,
+ interval=50);
+
+ // Now create an img in the popup and check if it is blocked by CSPs.
+ const script = popup.document.createElement('script');
+ script.innerText = `
+ function messageBack(msg) {
+ opener.postMessage(msg ,"*");
+ }
+ `;
+ popup.document.head.appendChild(script);
+ const div = popup.document.createElement('div');
+
+ const img_token = token();
+ const img_url = window.origin + "/content-security-policy/support/fail.png";
+ div.innerHTML = `
+ <img src="${img_url}"
+ onload="messageBack({msg: 'img loaded', token: '${img_token}'});"
+ onerror="messageBack({msg: 'img blocked', token: '${img_token}'});"
+ >
+ `;
+
+ const msg = message_from(img_token);
+ popup.document.body.appendChild(div);
+ assert_equals(await msg, "img blocked");
+ }, testCase.name);
+ });
+</script> |
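Review bot: The final assertion accepts any `onerror` on the injected `<img>` as evidence that the inherited `img-src 'none'` policy was enforced, so the test would still pass if `fail.png` failed to load for an unrelated reason (missing resource, server error) in a popup that had actually dropped the policy. Observing the violation itself would make the result unambiguous: before appending the div, add `const violation = new Promise(r => popup.document.addEventListener('securitypolicyviolation', r));` and afterwards `assert_equals((await violation).effectiveDirective, 'img-src');`. Separately, the `t.step_wait(condition = …, description = …, timeout=3000, interval=50)` call uses assignment expressions rather than named arguments, which silently creates four globals in this classic script; passing the values positionally avoids that. The `w` parameter of `message_from` is unused and its `message` listener is never removed, so a short comment saying that the random token is the only sender check would help readers.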