1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<html>
<body></body>
<script>
promise_test(async test => {
// 1. Load an iframe (not blocked).
let iframe = document.createElement("iframe");
{
iframe.name = "theiframe";
iframe.src =
"http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/frame-src/support/frame.html?0";
let iframeLoaded = new Promise(resolve => { iframe.onload = resolve });
document.body.appendChild(iframe);
await iframeLoaded;
}
// 2. Start blocking iframes using CSP frame-src 'none'.
{
let meta = document.createElement('meta');
meta.httpEquiv = "Content-Security-Policy";
meta.content = "frame-src 'none'";
document.getElementsByTagName('head')[0].appendChild(meta);
}
// 3. Blocked same-document navigation using iframe.src.
{
let violation = new Promise(resolve => {
window.addEventListener('securitypolicyviolation', () => resolve());
});
iframe.src =
"http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/frame-src/support/frame.html?1";
await violation;
}
// 4. Blocked same-document navigation using window.open.
{
let violation = new Promise(resolve => {
window.addEventListener('securitypolicyviolation', resolve);
});
window.open(
"http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/frame-src/support/frame.html?2",
"theiframe");
await violation;
}
// 5. Regression test for https://crbug.com/1018385. The browser should
// not crash while displaying the error page.
await new Promise(resolve => window.setTimeout(resolve, 1000));
}, "Same-document navigations in an iframe blocked by CSP frame-src dynamically using the <meta> tag");
</script>
</html>
|
