test_parent_location_js.html (1276B)
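<!DOCTYPE HTML>
<html>
<head>
  <meta charset="utf-8">
  <title>Bug 1550414: Add CSP test for setting parent location to javascript:</title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<iframe style="width:100%;" id="testframe"></iframe>

<script class="testbody" type="text/javascript">

/**
 * Description of the test:
 * Load a document with a CSP of essentially script-src 'none' which includes a
 * same origin iframe which tries to modify the parent.location using a javascript:
 * URI -> make sure the javascript: URI is blocked correctly!
 *
 * "Essentially script-src 'none'": the policy asserted below is
 * script-src 'nonce-bug1550414'. It is nonce-only, with no 'unsafe-inline',
 * and a javascript: URI has no way to carry a nonce, so it must be refused.
 *
 * The test passes only if a violation report with the expected fields is
 * received. SimpleTest.finish() is called nowhere else, so if nothing is
 * blocked (and therefore nothing is reported) the run can only end through
 * the harness timeout, not through a failed assertion.
 */

SimpleTest.waitForExplicitFinish();

/**
 * Checks the CSP violation data posted back from the framed test document and
 * ends the test.
 *
 * @param {MessageEvent} event - event.data is read for the fields blockedURI,
 *   violatedDirective and originalPolicy. Presumably they are copied from a
 *   securitypolicyviolation event in the helper page, which is not shown
 *   here - confirm against file_parent_location_js.html.
 */
function receiveMessage(event) {
  // Only the first message is evaluated. Unregister before asserting so a
  // second message cannot reach is() after SimpleTest.finish().
  // NOTE(review): event.source / event.origin are not checked, so any frame
  // able to post to this window could supply the data. If the helper posts
  // from the document loaded in #testframe, comparing event.source with that
  // frame's contentWindow would tie the report to it - confirm first.
  window.removeEventListener("message", receiveMessage);

  // The test expects the blocked javascript: URI to be reported as inline
  // script: blockedURI is the keyword "inline" rather than the URI text, and
  // the violated directive is script-src-elem.
  is(event.data.blockedURI, "inline", "blockedURI");
  is(event.data.violatedDirective, "script-src-elem", "violatedDirective");
  // Guards against a different policy having produced the report.
  is(event.data.originalPolicy, "script-src 'nonce-bug1550414'", "originalPolicy");
  SimpleTest.finish();
}

// postMessage is used to report the result back from the framed document.
// NOTE(review): #testframe carries no sandbox attribute in this file; if a
// sandbox without 'allow-same-origin' is involved it has to be set inside the
// helper documents - confirm.
// The listener is registered before the frame starts loading so the report
// cannot be missed.
window.addEventListener("message", receiveMessage);

document.getElementById("testframe").src = "file_parent_location_js.html";

</script>
</body>
</html>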