1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
|
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<meta http-equiv="Content-Security-Policy" content="child-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self';"> </head>
<body></body>
<script>
async_test(test => {
let count = 0;
window.addEventListener("message", test.step_func((event) => {
assert_equals(event.data, "PASS");
count++;
assert_less_than_equal(count, 2);
if (count == 2) {
// Use a timeout, to let some time for additional messages to show up
// before declaring this test as completed.
test.step_timeout(() => test.done(), 1000);
}
}));
}, "Two of the three iframe are expected to load.");
// IFrames blocked by CSP should generate a 'load', not 'error' event,
// regardless of blocked state. This means they appear to be normal
// cross-origin loads, thereby not leaking URL information directly to JS.
const runTest = (description, src) => {
async_test(test => {
const iframe = document.createElement("iframe");
iframe.src = src;
iframe.onload = () => test.done();
iframe.onerror = () => test.assert_unreached('unexpected onerror')
document.body.appendChild(iframe);
}, description);
};
runTest("Navigation in iframe allowed by child-src 'self'",
"/content-security-policy/support/postmessage-pass.html");
runTest("Navigation in iframe allowed by child-src explicit CSP source",
"http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-pass.html");
runTest("Navigation in iframe not allowed by child-src",
"http://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-fail.html");
</script>
|
