diff options
Diffstat (limited to '')
| -rw-r--r-- | testing/web-platform/tests/content-security-policy/inheritance/inherited-csp-list-modifications-are-local.html | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/inheritance/inherited-csp-list-modifications-are-local.html b/testing/web-platform/tests/content-security-policy/inheritance/inherited-csp-list-modifications-are-local.html new file mode 100644 index 0000000000..c473b3f426 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/inheritance/inherited-csp-list-modifications-are-local.html @@ -0,0 +1,49 @@ +<!DOCTYPE html> +<head> + <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'self'"> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <!-- Tests that mutations inside a context that inherits a copy of the CSP list + does not affect the parent context --> +</head> +<body> + <script> + var t1 = async_test("Test that parent document image loads"); + var t2 = async_test("Test that embedded iframe document image does not load"); + var t3 = async_test("Test that spv event is fired"); + + window.onmessage = function(e) { + if (e.data.type == 'spv') { + t3.step(function() { + assert_equals(e.data.violatedDirective, "img-src"); + t3.done(); + }); + } else if (e.data.type == 'imgload') { + var img = document.createElement('img'); + img.src = "../support/pass.png"; + img.onload = function() { t1.done(); }; + img.onerror = t1.unreached_func('Should have loaded the image'); + document.body.appendChild(img); + + t2.step(function() { + assert_false(e.data.loaded, "Should not have loaded image inside the frame because of its CSP"); + t2.done(); + }); + } + } + + var srcdoc = ['<meta http-equiv="Content-Security-Policy" content="img-src \'none\'">', + '<script>', + ' window.addEventListener("securitypolicyviolation", function(e) {', + ' window.top.postMessage({type: "spv", violatedDirective: e.violatedDirective}, "*");', + ' });', + '</scr' + 'ipt>', + '<img src="../support/fail.png"', + ' onload="window.top.postMessage({type: \'imgload\', loaded: true}, \'*\')"', + ' onerror="window.top.postMessage({type: \'imgload\', loaded: false}, \'*\')">'].join('\n'); + var i = document.createElement('iframe'); + i.srcdoc = srcdoc; + document.body.appendChild(i); + </script> +</body> +</html> |