testing/web-platform/tests/content-security-policy/frame-src/frame-src-same-document.sub.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<html>
<body></body>
<script>
    let crossOriginUrl =
      "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/frame-src/support/frame.html";

    promise_test(async test => {
      let iframe = document.createElement("iframe");
      document.body.appendChild(iframe);

      for(let hash of ["#0", "#1"]) {
        let violation = new Promise(resolve => {
          window.addEventListener('securitypolicyviolation', resolve);
        });
        iframe.src = crossOriginUrl + hash;
        await violation;
      }
    }, "Same-document navigation in an iframe blocked by CSP frame-src");
</script>
</html>