javascript-url-srcdoc-cross-origin-iframe-inheritance.html (1116B)
<!DOCTYPE html>
<head>
<meta charset="utf-8">
<title>Content Security Policy: nested inheritance</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>
<body>
<script>
  // Scenario: a page is served with CSP "frame-src 'self'" and is then
  // navigated to a javascript: URL. The resulting document holds a srcdoc
  // iframe, and that srcdoc iframe tries to embed a cross-origin iframe.
  // The expected outcome is that the cross-origin iframe is blocked, i.e.
  // the frame-src restriction still applies at the nested level.
  //
  // Almost all of that work happens in the helper document loaded by the
  // iframe below; this file only turns the helper's result into a
  // testharness verdict.
  //
  // NOTE(review): the handler matches on event.data alone and does not look
  // at event.source or event.origin. Which frame posts each string is decided
  // by the helper, which is not visible from this file.
  async_test(t => {
    const onMessage = t.step_func(event => {
      switch (event.data) {
        case "frame allowed":
          // The cross-origin frame loaded, so the policy was not enforced.
          assert_unreached("Frame should have been blocked.");
          break;
        case "frame blocked":
          t.done();
          break;
        // Any other message is ignored and leaves the test pending.
      }
    });
    window.addEventListener("message", onMessage);
  }, "Nested cross-origin iframe should be blocked by frame-src 'self'.");
</script>
<iframe src="./support/javascript-url-srcdoc-cross-origin-iframe-inheritance-helper.sub.html"></iframe>
</body>