child-src-cross-origin-load.sub.html (1758B)
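<!DOCTYPE html>
<html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<!--
  child-src governs which origins may be framed by this page: the page's own
  origin ('self') and the explicit www1 source are allowed, any other origin
  (www2 below) is blocked. The meta policy is placed in <head> so that it is
  enforced before the iframes are created.
-->
<meta http-equiv="Content-Security-Policy" content="child-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self';">
</head>
<body></body>

<script>
// Collects the "PASS" messages posted by the framed documents. Exactly two
// frames (the 'self' one and the www1 one) are allowed to load, so exactly
// two messages are expected; a third message would mean the www2 frame was
// not blocked by child-src.
async_test(test => {
  let count = 0;
  window.addEventListener("message", test.step_func((event) => {
    assert_equals(event.data, "PASS");
    count++;
    assert_less_than_equal(count, 2);
    if (count === 2) {
      // Use a timeout, to let some time for additional messages to show up
      // before declaring this test as completed.
      test.step_timeout(() => test.done(), 1000);
    }
  }));
}, "Two of the three iframe are expected to load.");

// IFrames blocked by CSP should generate a 'load', not 'error' event,
// regardless of blocked state. This means they appear to be normal
// cross-origin loads, thereby not leaking URL information directly to JS.
//
// description: test name reported by the harness.
// src: URL assigned to the iframe; child-src is evaluated against this URL.
const runTest = (description, src) => {
  async_test(test => {
    const iframe = document.createElement("iframe");
    iframe.src = src;
    // 'load' is the only acceptable outcome, whether or not CSP blocked
    // the navigation; step_func_done() completes the test when it fires.
    iframe.onload = test.step_func_done();
    // unreached_func() fails the test with this message if 'error' ever
    // fires. assert_unreached is a harness global, not a method of the
    // test object, so the previous `test.assert_unreached(...)` would have
    // thrown a TypeError instead of reporting the intended failure.
    iframe.onerror = test.unreached_func('unexpected onerror');
    document.body.appendChild(iframe);
  }, description);
};

runTest("Navigation in iframe allowed by child-src 'self'",
        "/content-security-policy/support/postmessage-pass.html");

runTest("Navigation in iframe allowed by child-src explicit CSP source",
        "http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-pass.html");

runTest("Navigation in iframe not allowed by child-src",
        "http://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-fail.html");
</script>
</html>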