test_win_open_blocked.html (1816B)
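<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>CSP: non-nonced inline script must not reach window.open / document.open</title>
  <!-- The policy allows only script and style elements that carry the nonce
       "foo". The harness script and stylesheet below carry it so that the
       test itself can run; every other fetch type falls back to
       default-src 'none'. -->
  <meta http-equiv="Content-Security-Policy" content="default-src 'none';
    script-src 'nonce-foo'; style-src 'nonce-foo'">
  <script nonce="foo" src="/tests/SimpleTest/SimpleTest.js">
  </script>
  <link nonce="foo" rel="stylesheet"
        href="/tests/SimpleTest/test.css">
  <!-- Payload under test. This inline script has no nonce, so
       script-src 'nonce-foo' must stop it from executing; script-src is set
       explicitly, so it (not the default-src fallback) is the directive that
       applies here. If it did run, it would open a new window and rewrite
       this document with a script that reports back via postMessage. -->
  <script>
    let win = window.open('file_default_src_none_csp.html');
    document.open();
    document.write("<script type='application/javascript'>" +
                   "  window.opener.postMessage('document-opened', '*');" +
                   "<\/script>");
    document.close();
  </script>
  <script nonce="foo">
    SimpleTest.waitForExplicitFinish();
    SimpleTest.requestFlakyTimeout("have to test that opening a " +
                                   "new window/document has not succeeded");
    window.addEventListener("message", receiveMessage);
    let checkWindowStatus = false;
    let checkDocumentStatus = false;

    /**
     * Records evidence that the blocked inline script ran after all.
     *
     * "document-opened" is posted by the script that the payload writes with
     * document.write. "window-opened" is presumably posted by
     * file_default_src_none_csp.html once it loads (that file is not part of
     * this page; confirm against it).
     *
     * The listener stays registered until the timeout fires. Removing it on
     * the first message of any kind would let an unrelated message, or the
     * first of the two signals, hide the other one and produce a false pass.
     */
    function receiveMessage(event) {
      if (event.data == "window-opened") {
        checkWindowStatus = true;
        // `win` only exists if the payload script executed; guard the call so
        // that a stray message cannot raise a ReferenceError in the handler.
        if (typeof win !== "undefined" && win) {
          win.close();
        }
      }
      if (event.data == "document-opened") {
        // Nothing to close here: the payload already calls document.close(),
        // and no `doc` binding is declared anywhere in this file.
        checkDocumentStatus = true;
      }
    }

    // Absence of a message is the passing condition, so the test has to wait
    // for a fixed period before asserting that neither signal arrived.
    setTimeout(function () {
      window.removeEventListener("message", receiveMessage);
      is(checkWindowStatus, false,
         "window shouldn't be opened");
      is(checkDocumentStatus, false,
         "document shouldn't be opened");
      SimpleTest.finish();
    }, 1500);
  </script>
</head>
<body>
</body>
</html>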