window-open-local-after-network-scheme.sub.html (2680B)
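<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/utils.js"></script>

<!-- Policy of this (opener) document. The test expects the about:blank popup
     to inherit it, so an image load inside the popup must be refused. -->
<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
<title>about:blank in popup inherits CSPs from the navigation initiator</title>
<body>

<script>
/**
 * Resolves with the `msg` field of the first `message` event received by this
 * window whose `data.token` equals `source_token`.
 *
 * Messages are matched on the token only; `event.origin` and `event.source`
 * are not checked. That is sufficient here because the token is generated
 * per test and the payload is a plain status string.
 *
 * @param {string} source_token - Token the sender echoes back in `data.token`.
 * @param {*} [w] - Accepted for interface compatibility; not used, and the
 *     callers in this file pass only the token.
 * @returns {Promise<*>} Promise for the `msg` field of the matching message.
 */
const message_from = (source_token, w) => {
  return new Promise(resolve => {
    const onMessage = msg => {
      // Skip unrelated messages, including ones whose data is not an object.
      if (msg.data?.token !== source_token)
        return;
      // Detach once the answer arrived so listeners do not pile up across
      // test cases.
      window.removeEventListener('message', onMessage);
      resolve(msg.data.msg);
    };
    window.addEventListener('message', onMessage);
  });
};

// The popup first loads a network-scheme document from one of these origins
// and is then navigated to about:blank by this window.
const testCases = [
  {
    previous_origin: window.origin,
    name: "Popup being navigated to about:blank was same-origin.",
  },
  {
    previous_origin: "http://{{hosts[alt][]}}:{{ports[http][0]}}",
    name: "Popup being navigated to about:blank was cross-origin.",
  },
];

testCases.forEach(testCase => {
  promise_test(async t => {
    // Create a popup and navigate it to a network-scheme document.
    const popup_token = token();
    const loaded = message_from(popup_token);
    const popup = window.open(
      testCase.previous_origin +
        "/content-security-policy/inheritance/support" +
        `/postmessage-opener.html?token=${popup_token}`,
      testCase.name);
    // Fail right away with a clear message if the popup was not created,
    // instead of waiting for a message that can never arrive.
    assert_not_equals(popup, null, "window.open() returned a window");
    t.add_cleanup(() => popup.close());

    assert_equals(await loaded, "ready");

    // Navigate the popup to "about:blank". The window name is reused, so this
    // targets the existing popup and this document is the navigation
    // initiator.
    window.open("about:blank", testCase.name);

    const popupIsAboutBlank = () => {
      try {
        return popup.location.href === "about:blank";
      } catch {
        // Deliberately ignored: in the cross-origin case reading
        // location.href is expected to throw until the popup has left its
        // previous document. Treat that as "not navigated yet".
      }
      return false;
    };
    // step_wait takes positional arguments; `name = value` in a call is an
    // assignment expression and would create globals in this non-strict
    // script.
    await t.step_wait(
      popupIsAboutBlank,
      "Wait for the popup to navigate.",
      3000,
      50);

    // Give the popup a helper that reports back to its opener.
    // targetOrigin is "*", so delivery is not restricted to one origin; the
    // payload carries only a status string and the per-test token. Outside a
    // test like this, pin targetOrigin and check event.origin on receipt.
    const script = popup.document.createElement('script');
    script.innerText = `
      function messageBack(msg) {
        opener.postMessage(msg ,"*");
      }
    `;
    popup.document.head.appendChild(script);

    // Now create an img in the popup and check if it is blocked by CSPs.
    // Both values interpolated into the markup are produced by this test
    // (window.origin and a token() value), not taken from external input.
    const div = popup.document.createElement('div');

    const img_token = token();
    const img_url = window.origin + "/content-security-policy/support/fail.png";
    div.innerHTML = `
      <img src="${img_url}"
           onload="messageBack({msg: 'img loaded', token: '${img_token}'});"
           onerror="messageBack({msg: 'img blocked', token: '${img_token}'});"
      >
    `;

    // Start listening before the img is attached so the report is not missed.
    const msg = message_from(img_token);
    popup.document.body.appendChild(div);
    // The inherited "img-src 'none'" must turn the load into an error event.
    assert_equals(await msg, "img blocked");
  }, testCase.name);
});
</script>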