blob-url-inherits-from-initiator.sub.html (1543B)
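<!DOCTYPE html>
<meta charset="utf-8">
<title>Blob URL inherits CSP from initiator.</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script>
// Each case navigates a popup (which has no CSP of its own) to a blob URL
// from an initiator frame of the given origin, and expects the blob document
// to inherit the initiator's CSP rather than the popup's. If the popup's
// empty policy won, eval would run inside the blob document.
const testCases = [
  {
    initiator_origin: window.origin,
    name: "Initiator is same-origin with target frame.",
  },
  {
    // WPT template substitutions (.sub.html): the alternate host and port,
    // so the initiator frame is cross-origin to the popup.
    initiator_origin: "http://{{hosts[alt][]}}:{{ports[http][0]}}",
    name: "Initiator is cross-origin with target frame.",
  },
];

testCases.forEach(test => {
  async_test(t => {
    // Create a popup. At the beginning, the popup has no CSPs.
    const target = window.open();
    t.add_cleanup(() => target.close());

    // Create a child frame in the popup. The child frame has
    // Content-Security-Policy: script-src 'unsafe-inline'. The child frame
    // will navigate the popup to a blob URL, which will check whether eval
    // is allowed and message back.
    const initiator = target.document.createElement('iframe');
    initiator.sandbox = "allow-scripts allow-same-origin allow-top-navigation";
    initiator.src = test.initiator_origin +
      "/content-security-policy/inheritance/support/navigate-parent-to-blob.html";

    // Both cases run concurrently on this page, so each listener keys on the
    // popup it created and ignores replies meant for the other case.
    const onMessage = t.step_func(e => {
      if (e.source !== target) return;
      assert_equals(e.data, "eval blocked",
                    "Eval should be blocked by CSP in blob URL.");
      t.done();
    });
    window.addEventListener("message", onMessage);
    // Detach the listener once the test finishes (pass or fail) so it does
    // not outlive the popup it filters on.
    t.add_cleanup(() => window.removeEventListener("message", onMessage));

    // The listener is registered above, before the frame is inserted, so the
    // reply cannot be missed.
    target.document.body.appendChild(initiator);
  }, test.name);
});
</script>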