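<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>child-src-blocked</title>
  <!-- Policy under test: the narrow frame-src 'none' must win over the broader
       child-src 'self'. 'unsafe-inline' is present only so the inline <script>
       blocks and the iframe's inline onload/onerror handlers are allowed to run. -->
  <meta http-equiv="Content-Security-Policy" content="frame-src 'none'; child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <!-- Expected log lines: the blocked iframe still fires a load event, and the
       reported violation names frame-src (not child-src) as the violated directive. -->
  <script src='../support/logTest.sub.js?logs=["PASS IFrame %231 generated a load event.", "violated-directive=frame-src"]'></script>
  <script>
    // Route any postMessage reaching this window to alert_assert. The frame is
    // expected to be blocked, so a message arriving at all means the policy
    // let the framed document (postmessage-fail.html) run.
    window.addEventListener("message", function(event) {
      alert_assert(event.data);
    }, false);

    // Record which directive the browser attributes the blocked frame to.
    window.addEventListener("securitypolicyviolation", function(e) {
      log("violated-directive=" + e.violatedDirective);
    });

    // Check an incoming message against expected_alerts (presumably defined by
    // logTest.sub.js, together with t_log) inside a test step so assertion
    // failures are attributed to t_log. Any message starting with "FAIL" fails
    // the test outright; an unknown message fails it as "unexpected alert".
    function alert_assert(msg) {
      t_log.step(function() {
        if (msg.match(/^FAIL/i)) {
          assert_unreached(msg);
          t_log.done(); // assert_unreached throws, so this line is not reached
        }
        for (var i = 0; i < expected_alerts.length; i++) {
          if (expected_alerts[i] == msg) {
            assert_equals(expected_alerts[i], msg);
            expected_alerts.splice(i, 1);
            // Finish once every expected message has been consumed.
            if (expected_alerts.length == 0) {
              t_log.done();
            }
            return;
          }
        }
        assert_unreached('unexpected alert: ' + msg);
        t_log.done();
      });
    }
  </script>
  <!-- enforcing policy:
  frame-src 'none'; child-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';
  -->
</head>

<body>
  <!-- Moved out of <head>: flow content there is invalid and makes the parser
       open <body> implicitly, so the explicit <body> start tag below was being
       ignored. Document order (and therefore script execution order) is unchanged. -->
  <p>
    A more permissive child-src should not relax restrictions from a less-
    permissive frame-src. Directives still combine for least privilege, even when
    one obsoletes another.
  </p>
  <script>
    window.wasPostTestScriptParsed = true;
    var loads = 0;

    // The test expects the blocked frame to still dispatch load; frames are
    // numbered in the order their load events arrive.
    function loadEvent() {
      loads++;
      log("PASS " + "IFrame #" + loads + " generated a load event.");
    }
  </script>
  <iframe src="/content-security-policy/support/postmessage-fail.html" title="Frame expected to be blocked by frame-src 'none'" onload="loadEvent()" onerror="log('FAIL')"></iframe>
  <div id="log"></div>
</body>

</html>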