1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
|
<!DOCTYPE html>
<head>
<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<title>document.open() does not change Content Security Policies</title>
</head>
<body>
<script>
let message_from = (w) => {
return new Promise(resolve => {
let listener = msg => {
if (msg.source != w)
return;
window.removeEventListener('message', listener);
resolve(msg.data);
};
window.addEventListener('message', listener);
});
};
var documentBody = function(should_load) {
let image = should_load ? "pass.png" : "fail.png";
return `
<script>
function loaded() {
window.top.postMessage("loaded", '*');
};
window.addEventListener('securitypolicyviolation', function(e) {
window.top.postMessage("blocked", '*');
});
</scr`+`ipt>
<img src='/content-security-policy/support/${image}' onload='loaded()'>`;
};
promise_test(async () => {
let iframe = document.createElement('iframe');
document.body.appendChild(iframe);
let msg = message_from(iframe.contentWindow);
let doc = iframe.contentWindow.document;
doc.open();
doc.write("<html><body>" + documentBody(false) + "</body></html>");
doc.close();
assert_equals(await msg, "blocked");
}, "document.open() keeps inherited CSPs on empty iframe.");
promise_test(async () => {
let iframe = document.createElement('iframe');
let loaded = new Promise(resolve => iframe.onload = resolve);
iframe.src = "/common/blank.html";
document.body.appendChild(iframe);
await loaded;
let msg = message_from(iframe.contentWindow);
let doc = iframe.contentWindow.document;
doc.open();
doc.write("<html><body>" + documentBody(true) + "</body></html>");
doc.close();
assert_equals(await msg, "loaded");
}, "document.open() does not change delivered CSPs.");
</script>
</body>
</html>
|
