frame-src-cross-origin-load.sub.html (1945B)
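<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <!-- Only allow same-origin frames, and frames from https://{{hosts[][www1]}}:{{ports[https][0]}} -->
  <meta http-equiv="Content-Security-Policy" content="frame-src 'self' https://{{hosts[][www1]}}:{{ports[https][0]}};">
  <title>frame-src-cross-origin-load</title>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
</head>
<body>
  <p>
    IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked
    state. This means they appear to be normal cross-origin loads, thereby not leaking URL
    information directly to JS.
  </p>
  <script>
    // Appends an iframe pointing at `src` and settles once the frame reports
    // back: a `load` event resolves, an `error` event rejects. A rejection
    // fails the enclosing promise_test, so a CSP block that surfaced as
    // `error` (and thereby revealed the blocked state to script) is caught
    // by the third test below.
    function expectLoadEvent(src) {
      return new Promise((resolve, reject) => {
        let f = document.createElement('iframe');
        f.src = src;
        f.onload = resolve;
        f.onerror = reject;
        document.body.appendChild(f);
      });
    }

    // The descriptive name is the second argument of promise_test. Passing it
    // as a second argument to the Promise constructor instead is silently
    // ignored and leaves all three tests untitled in the results.
    promise_test(t => expectLoadEvent("../support/postmessage-pass.html"),
                 "Same-origin allowed frame fires a `load` event.");

    promise_test(t => expectLoadEvent("https://{{hosts[][www1]}}:{{ports[https][0]}}/content-security-policy/support/postmessage-pass.html"),
                 "Cross-origin allowed frame fires a `load` event.");

    // Origin not in frame-src: CSP blocks the navigation, but the frame must
    // still fire `load` exactly like an allowed cross-origin frame.
    promise_test(t => expectLoadEvent("https://{{hosts[alt][]}}:{{ports[https][0]}}/content-security-policy/support/postmessage-fail.html"),
                 "Cross-origin blocked frame fires a `load` event.");
  </script>
</body>
</html>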