<!doctype html> <meta charset=utf-8> <script src="/resources/testharness.js"></script> <script src="/resources/testharnessreport.js"></script> <script src="/common/get-host-info.sub.js"></script> <script src="/common/utils.js"></script> <div id=log></div> <script> const origins = get_host_info(); [ { "origin": origins.HTTPS_ORIGIN, "crossOrigin": origins.HTTPS_REMOTE_ORIGIN }, { "origin": origins.HTTPS_REMOTE_ORIGIN, "crossOrigin": origins.HTTPS_NOTSAMESITE_ORIGIN }, { "origin": origins.HTTPS_NOTSAMESITE_ORIGIN, "crossOrigin": origins.HTTPS_ORIGIN } ].forEach(({ origin, crossOrigin }) => { ["subframe", "navigate", "popup"].forEach(variant => { async_test(t => { const id = token(); const frame = document.createElement("iframe"); t.add_cleanup(() => { frame.remove(); }); const path = new URL("resources/blob-url-factory.html", window.location).pathname; frame.src = `${origin}${path}?id=${id}&variant=${variant}&crossOrigin=${crossOrigin}`; window.addEventListener("message", t.step_func(({ data }) => { if (data.id !== id) { return; } assert_equals(data.origin, origin); assert_true(data.sameOriginNoCORPSuccess, "Same-origin without CORP did not succeed"); assert_true(data.crossOriginNoCORPFailure, "Cross-origin without CORP did not fail"); t.done(); })); document.body.append(frame); }, `Cross-Origin-Embedder-Policy and blob: URL from ${origin} in subframe via ${variant}`); }); }); </script>