javascript-url-srcdoc-cross-origin-iframe-inheritance-helper.sub.html (911B)
<!DOCTYPE html>
<head>
<meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="frame-src 'self'">
<script>
  // Helper page for a CSP inheritance test. This document declares
  // `frame-src 'self'` (meta tag above) and then navigates itself to a
  // javascript: URL whose result is a document holding a srcdoc iframe.
  // NOTE(review): presumably the main test checks that the policy is inherited
  // through both hops; the expected outcome is not visible in this file.
  //
  // The following is the content of the srcdoc iframe. It contains:
  // - a script that catches the frame-src securitypolicyviolation event and
  //   reports it by posting "frame blocked" to the top-level window
  //   (window.top),
  // - a cross-origin iframe; the {{hosts[alt][]}} / {{ports[http][0]}}
  //   placeholders are filled in by the test server (.sub.html substitution).
  //
  // The report is posted with target origin "*", so it is delivered whatever
  // the origin of the top window is. The payload is a fixed string, so nothing
  // sensitive is exposed here; code handling real data should name the
  // expected origin instead.
  //
  // The closing script tag inside the template is split into two pieces so the
  // HTML parser does not treat it as the end of this outer script element.
  let doc = `
    <script>
      window.addEventListener("securitypolicyviolation", e => {
        if (e.violatedDirective === "frame-src") {
          window.top.postMessage("frame blocked", "*");
        }
      });
    </scr` + `ipt>
    <iframe src="http://{{hosts[alt][]}}:{{ports[http][0]}}/content-security-policy/inheritance/support/postmessage-top.html"></iframe>`;
  // Replace every double quote with \' (backslash + single quote). The markup
  // is embedded twice below: inside a double-quoted srcdoc attribute, and
  // inside a single-quoted JS string literal in the javascript: URL. Once that
  // literal is evaluated, \' becomes a plain single quote, which is safe inside
  // the double-quoted attribute. Only double quotes are handled: the markup
  // above contains no single quotes or backslashes, and adding any would need
  // extra escaping here.
  doc = doc.replaceAll('"', "\\\'");

  // javascript: URL that evaluates to the string '<iframe srcdoc="...">'.
  const js_url = "javascript:'<iframe srcdoc=\""+ doc +"\">'";
  // Navigate this same window ("_self") to the javascript: URL, so the string
  // it evaluates to replaces the current document.
  window.open(js_url, "_self");
</script>
</head>