1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
|
<!DOCTYPE html>
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'self'">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<!-- Tests that mutations inside a context that inherits a copy of the CSP list
does not affect the parent context -->
</head>
<body>
<script>
var t1 = async_test("Test that parent document image loads");
var t2 = async_test("Test that embedded iframe document image does not load");
var t3 = async_test("Test that spv event is fired");
window.onmessage = function(e) {
if (e.data.type == 'spv') {
t3.step(function() {
assert_equals(e.data.violatedDirective, "img-src");
t3.done();
});
} else if (e.data.type == 'imgload') {
var img = document.createElement('img');
img.src = "../support/pass.png";
img.onload = function() { t1.done(); };
img.onerror = t1.unreached_func('Should have loaded the image');
document.body.appendChild(img);
t2.step(function() {
assert_false(e.data.loaded, "Should not have loaded image inside the frame because of its CSP");
t2.done();
});
}
}
var srcdoc = ['<meta http-equiv="Content-Security-Policy" content="img-src \'none\'">',
'<script>',
' window.addEventListener("securitypolicyviolation", function(e) {',
' window.top.postMessage({type: "spv", violatedDirective: e.violatedDirective}, "*");',
' });',
'</scr' + 'ipt>',
'<img src="../support/fail.png"',
' onload="window.top.postMessage({type: \'imgload\', loaded: true}, \'*\')"',
' onerror="window.top.postMessage({type: \'imgload\', loaded: false}, \'*\')">'].join('\n');
var i = document.createElement('iframe');
i.srcdoc = srcdoc;
document.body.appendChild(i);
</script>
</body>
</html>
|
