file_blob_uri_blocks_modals.html (1029B)
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
</head>
<body>
<!--
  Test fixture: reports two results to the embedding page via postMessage,
  labelled "block_alert_test" and "block_window_open_test".
  NOTE(review): the policy the comments below call "the CSP" is not declared
  in this file; presumably it is delivered out of band (for example as a
  response header). Confirm against the harness.
-->
<!-- iframe loading the blob url with null origin -->
<iframe id="blobFrame"></iframe>
<script>
  // If the alert box is blocked correctly by the CSP then postMessage will
  // send the message and test passes.
  //
  // The frame is first pointed at a data: document. Its inline script builds a
  // text/html Blob and navigates the frame to that Blob's object URL. The blob
  // document then calls alert(document.URL) and posts the "block_alert_test"
  // result to parent.parent: its parent is this file, and this file's parent
  // is the page that receives the results.
  //
  // Escaping: "<\/script>" stops the HTML parser from ending this inline
  // script early, and "<\\/script>" leaves "<\/script>" in the data: document
  // so that its own inline script is not ended early either.
  //
  // NOTE(review): the message is posted as soon as alert() returns, whether or
  // not a dialog was shown. The pass signal appears to rely on an unblocked
  // modal stalling the script. Confirm against the harness.
  var alertScriptText = "data:text/html,<script>location=URL.createObjectURL(" +
    "new Blob(['<script>alert(document.URL);parent.parent.postMessage(" +
    "{\"test\": \"block_alert_test\", \"msg\": \"alert blocked by" +
    " CSP\"}, \"*\");<\\/script>'], {type:\"text/html\"}));<\/script>";
  document.getElementById("blobFrame").src=alertScriptText;

  // Second check: try to open a new window and report the outcome to the
  // parent. The target origin is "*", so the message is delivered whatever the
  // parent's origin is; the payload holds only fixed test labels.
  //
  // NOTE(review): the return value `w` is never inspected. Only a thrown
  // exception selects the "window blocked by CSP" branch. If a blocked popup
  // makes window.open() return null instead of throwing, "new window not
  // blocked by CSP" is still reported. Confirm which outcome the harness
  // expects, and whether it should also check for a null handle.
  try {
    var w = window.open("http://www.example.com","newwindow");
    parent.postMessage({"test": "block_window_open_test",
                        "msg": "new window not blocked by CSP"},"*");
  } catch(err) {
    parent.postMessage({"test": "block_window_open_test",
                        "msg": "window blocked by CSP"},"*");
  }
</script>
</body>
</html>