blob: 72d59325d196a816544a3a82c466e2e688484c3c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
<!DOCTYPE html>
<meta charset="utf-8">
<title>Blob URL inherits CSP from initiator.</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script>
let testCases = [
{
initiator_origin: window.origin,
name: "Initiator is same-origin with target frame.",
},
{
initiator_origin: "http://{{hosts[alt][]}}:{{ports[http][0]}}",
name: "Initiator is cross-origin with target frame.",
},
];
testCases.forEach(test => {
async_test(t => {
// Create a popup. At the beginning, the popup has no CSPs.
let target = window.open();
t.add_cleanup(() => target.close());
// Create a child frame in the popup. The child frame has
// Content-Security-Policy: script-src 'unsafe-inline'. The child frame
// will navigate the popup to a blob URL, which will try if eval is
// allowed and message back.
let initiator = target.document.createElement('iframe');
initiator.sandbox = "allow-scripts allow-same-origin allow-top-navigation";
initiator.src = test.initiator_origin +
"/content-security-policy/inheritance/support/navigate-parent-to-blob.html";
window.addEventListener("message", t.step_func(e => {
if (e.source !== target) return;
assert_equals(e.data, "eval blocked",
"Eval should be blocked by CSP in blob URL.");
t.done();
}));
target.document.body.appendChild(initiator);
}, test.name);
});
</script>
|