img-src-self-unique-origin.html (2003B)
1 <!DOCTYPE html> 2 <html> 3 4 <head> 5 <title>img-src-self-unique-origin</title> 6 <script src="/resources/testharness.js"></script> 7 <script src="/resources/testharnessreport.js"></script> 8 </head> 9 10 <body> 11 <p> 12 The origin of an URL is called "unique" when it is considered to be 13 different from every origin, including itself. The origin of a 14 data-url is unique. When the current origin is unique, the CSP source 15 'self' must not match any URL. 16 </p> 17 <script> 18 var iframe = document.createElement("iframe"); 19 iframe.src = encodeURI(`data:text/html, 20 <script> 21 /* Add the CSP: frame-src: 'self'. */ 22 var meta = document.createElement('meta'); 23 meta.httpEquiv = 'Content-Security-Policy'; 24 meta.content = "img-src 'self'"; 25 document.getElementsByTagName('head')[0].appendChild(meta); 26 27 /* Notify the parent the image has been blocked. */ 28 window.addEventListener('securitypolicyviolation', e => { 29 if (e.originalPolicy == "img-src 'self'") 30 window.parent.postMessage('Test PASS', '*'); 31 }); 32 </scr`+`ipt> 33 34 This image should be blocked by CSP: 35 <img src='data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hBADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7'></img> 36 `); 37 if (window.async_test) { 38 async_test(t => { 39 window.addEventListener("message", e => { 40 if (e.data == "Test PASS") 41 t.done(); 42 }); 43 }, "Image's url must not match with 'self'. Image must be blocked."); 44 } 45 document.body.appendChild(iframe); 46 </script> 47 </body> 48 49 </html>