inherited-csp-list-modifications-are-local.html (2030B)
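<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Modifications to an inherited CSP list are local to the inheriting context</title>
  <!-- The srcdoc frame created below inherits a copy of this policy, so
       'unsafe-inline' is what allows its inline <script> and inline image
       event handlers to run. -->
  <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'self'">
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <!-- Tests that mutations inside a context that inherits a copy of the CSP list
       do not affect the parent context. -->
</head>
<body>
  <script>
    var t1 = async_test("Test that parent document image loads");
    var t2 = async_test("Test that embedded iframe document image does not load");
    var t3 = async_test("Test that spv event is fired");

    // Created before the message handler is installed so the handler can
    // verify that a message really came from this frame.
    var frame = document.createElement('iframe');

    window.onmessage = function(e) {
      // Only the srcdoc frame is expected to post to this window; ignore any
      // other sender instead of running assertions against its data.
      if (e.source !== frame.contentWindow) {
        return;
      }

      if (e.data.type === 'spv') {
        // The frame observed a violation; it must be the img-src directive it
        // added to its own (copied) policy.
        t3.step(function() {
          assert_equals(e.data.violatedDirective, "img-src");
          t3.done();
        });
      } else if (e.data.type === 'imgload') {
        // The frame has reported whether its image loaded. Now load an image in
        // the parent: the frame's `img-src 'none'` must not have leaked into the
        // parent's policy, so this load is expected to succeed.
        var img = document.createElement('img');
        img.src = "../support/pass.png";
        img.onload = function() { t1.done(); };
        img.onerror = t1.unreached_func('Should have loaded the image');
        document.body.appendChild(img);

        // Inside the frame the image must have been blocked by its own policy.
        t2.step(function() {
          assert_false(e.data.loaded, "Should not have loaded image inside the frame because of its CSP");
          t2.done();
        });
      }
    };

    // The frame tightens its inherited policy with `img-src 'none'` via <meta>,
    // reports any securitypolicyviolation to the top window, and reports whether
    // its image loaded. The script tag is split ('</scr' + 'ipt>') so the parser
    // does not treat it as the end of this outer <script> element.
    var srcdoc = ['<meta http-equiv="Content-Security-Policy" content="img-src \'none\'">',
                  '<script>',
                  '  window.addEventListener("securitypolicyviolation", function(e) {',
                  '    window.top.postMessage({type: "spv", violatedDirective: e.violatedDirective}, "*");',
                  '  });',
                  '</scr' + 'ipt>',
                  '<img src="../support/fail.png"',
                  '     onload="window.top.postMessage({type: \'imgload\', loaded: true}, \'*\')"',
                  '     onerror="window.top.postMessage({type: \'imgload\', loaded: false}, \'*\')">'].join('\n');
    frame.srcdoc = srcdoc;
    document.body.appendChild(frame);
  </script>
</body>
</html>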