file_independent_iframe_csp.html (1503B)
<!DOCTYPE HTML>
<html>
<head>
  <title>Bug 1419222 - iFrame CSP should not affect parent document CSP</title>
  <meta charset="utf-8">
  <!-- Policy of the parent document. The script below reads it back before
       and after a nested iframe receives a policy of its own. Only
       connect-src and style-src are set; with no script-src or default-src
       directive, the inline script in this page is not restricted. -->
  <meta http-equiv="Content-Security-Policy" content="connect-src *; style-src * 'unsafe-inline'; "/>
</head>
<body>
<script>
  // Return the CSP of `doc` as a parsed object. The policy is read from the
  // document's `cspJSON` property through SpecialPowers.wrap().
  // NOTE(review): `cspJSON` is presumably exposed only to privileged code,
  // hence the wrapper; confirm against the test harness.
  var getCspObj = function(doc) {
    return JSON.parse(SpecialPowers.wrap(doc).cspJSON);
  };

  // Append an iframe (id "nestedframe") to this page, give the iframe's
  // document its own meta CSP (an img-src directive), and return the parsed
  // CSP object of that iframe document.
  var addIFrame = function() {
    const nested = document.createElement("iframe");
    nested.id = "nestedframe";
    document.body.appendChild(nested);

    const policyTag = document.createElement("meta");
    policyTag.setAttribute("http-equiv", "Content-Security-Policy");
    policyTag.setAttribute("content", "img-src 'self' data:;");

    // The meta element goes into the iframe's document, not into this one,
    // so the extra directive is delivered to the iframe only.
    const nestedDoc = nested.contentDocument;
    nestedDoc.head.appendChild(policyTag);
    return getCspObj(nestedDoc);
  };

  // Order matters: snapshot the parent policy, then create the iframe and
  // read its policy, then snapshot the parent policy again. The receiver can
  // compare the two parent snapshots to see whether the iframe's directive
  // changed the parent policy.
  var parentBeginCspObj = getCspObj(document);
  var iFrameCspObj = addIFrame();
  var parentEndCspObj = getCspObj(document);

  // Hand the three CSP objects to the test context in the parent window.
  // targetOrigin "*" delivers the message whatever the parent's origin is;
  // the payload here is only the parsed policies above. A page that posts
  // sensitive data should name the expected origin instead.
  window.parent.postMessage({ result: [parentBeginCspObj, iFrameCspObj, parentEndCspObj] }, "*");
</script>
</body>
</html>