location-reload.html (4119B)
1 <!DOCTYPE html> 2 <script src="/resources/testharness.js"></script> 3 <script src="/resources/testharnessreport.js"></script> 4 5 <meta http-equiv="Content-Security-Policy" content="img-src 'none'"> 6 <body> 7 <script> 8 let message_from = (w, starts_with) => { 9 return new Promise(resolve => { 10 window.addEventListener('message', msg => { 11 if (msg.source == w) { 12 if (!starts_with || msg.data.startsWith(starts_with)) 13 resolve(msg.data); 14 } 15 }); 16 }); 17 }; 18 19 const img_url = window.origin + "/content-security-policy/support/fail.png"; 20 const img_tag_string = ` 21 <img src="${img_url}" 22 onload="top.postMessage('img loaded', '*');" 23 onerror="top.postMessage('img blocked', '*');" 24 > 25 `; 26 27 const html_test_payload = ` 28 <!doctype html> 29 <div>${img_tag_string}</div> 30 `; 31 let blob_url = URL.createObjectURL( 32 new Blob([html_test_payload], { type: 'text/html' })); 33 34 let write_img_to_iframe = (iframe) => { 35 let div = iframe.contentDocument.createElement('div'); 36 div.innerHTML = img_tag_string; 37 iframe.contentDocument.body.appendChild(div); 38 }; 39 40 41 // Test location.reload() for "about:blank". 42 promise_test(async t => { 43 // Create an empty iframe. 44 window.iframe = document.createElement('iframe'); 45 document.body.appendChild(iframe); 46 47 // Add an img. 48 let message = message_from(iframe.contentWindow); 49 write_img_to_iframe(iframe); 50 51 // Check that the empty document inherits CSP from the initiator. 52 assert_equals(await message, "img blocked", 53 "Image should be blocked by CSP inherited from the parent."); 54 55 // Now perform a reload. 56 let message_2 = message_from(iframe.contentWindow); 57 let loaded = new Promise(resolve => iframe.onload = resolve); 58 iframe.contentWindow.location.reload(); 59 await loaded; 60 61 // Add an img. 62 write_img_to_iframe(iframe); 63 64 // Check that the empty document still has the right CSP after reload. 65 assert_equals(await message_2, "img blocked", 66 "Image should be blocked by CSP after reload."); 67 }, "location.reload() of empty iframe."); 68 69 70 // Test location.reload() for a blob URL. 71 promise_test(async t => { 72 // Create an iframe. 73 window.iframe = document.createElement('iframe'); 74 document.body.appendChild(iframe); 75 76 // Navigate to the blob URL. 77 let message = message_from(iframe.contentWindow); 78 iframe.contentWindow.location = blob_url; 79 80 // Check that the blob URL inherits CSP from the initiator. 81 assert_equals(await message, "img blocked", 82 "Image should be blocked by CSP inherited from navigation initiator."); 83 84 // Now perform a reload. 85 let message_2 = message_from(iframe.contentWindow); 86 let loaded = new Promise(resolve => iframe.onload = resolve); 87 iframe.contentWindow.location.reload(); 88 await loaded; 89 90 // Check that the blob URL document still has the right CSP after reload. 91 assert_equals(await message_2, "img blocked", 92 "Image should be blocked by CSP after reload."); 93 }, "location.reload() of blob URL iframe."); 94 95 96 // Test location.reload() for a srcdoc iframe. 97 promise_test(async t => { 98 // Create a srcdoc iframe. 99 window.iframe = document.createElement('iframe'); 100 document.body.appendChild(iframe); 101 102 let message = message_from(iframe.contentWindow); 103 iframe.srcdoc = `${html_test_payload}`; 104 105 // Check that the srcdoc iframe inherits from the parent. 106 assert_equals(await message, "img blocked", 107 "Image should be blocked by CSP inherited from navigation initiator."); 108 109 // Now perform a reload. 110 let message_2 = message_from(iframe.contentWindow); 111 let loaded = new Promise(resolve => iframe.onload = resolve); 112 iframe.contentWindow.location.reload(); 113 await loaded; 114 115 // Check that the srcdoc iframe still has the right CSP after reload. 116 assert_equals(await message_2, "img blocked", 117 "Image should be blocked by CSP after reload."); 118 }, "location.reload() of srcdoc iframe."); 119 </script> 120 </body>