sandbox-iframe.html (1725B)
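<!DOCTYPE HTML>
<html>

<head>
    <meta charset="utf-8">
    <!--
      Policy for the outer test document. The {{...}} placeholders are
      presumably expanded server-side before the page is served (confirm
      against the test runner).
      NOTE(review): the title and this policy refer to base-uri, but no base
      element appears in this file and the single subtest checks img-src
      'self'. Confirm the title is intended.
    -->
    <meta http-equiv="Content-Security-Policy" content="base-uri {{location[scheme]}}://{{domains[]}}:{{ports[http][0]}}/base/">

    <title>base-uri works correctly inside a sandboxed iframe.</title>
    <script src='/resources/testharness.js'></script>
    <script src='/resources/testharnessreport.js'></script>
</head>

<body>
    <h1>self is derived correctly inside a sandboxed iframe.</h1>
    <div id='log'></div>

    <script>
      // Treat any violation of this document's own policy as unexpected.
      // Violations raised inside the sandboxed frame are dispatched in the
      // frame's document, not on this window; they reach this page only as
      // the 'FAIL' message posted by the frame's img.onerror handler.
      window.addEventListener('securitypolicyviolation', function(e) {
        assert_unreached('No CSP violation report should have been fired.');
      });

      async_test(function(t) {
        var i = document.createElement('iframe');
        // Only 'allow-scripts' is granted: without 'allow-same-origin' the
        // frame runs with an opaque origin. The test passes only if
        // img-src 'self' in the frame's meta policy still allows the
        // relative image URL to load from that opaque-origin document.
        i.sandbox = 'allow-scripts';
        i.style.display = 'none';
        // The frame posts with targetOrigin '*'. That is tolerable here only
        // because the payload is a fixed status string with nothing
        // sensitive in it.
        // Despite the file name, a successful load of fail.png is the
        // passing outcome (onload posts 'PASS').
        // The closing script tag of the inner document is split across two
        // template literals so the HTML parser does not end this outer
        // script element early.
        i.srcdoc = `
          <meta http-equiv="Content-Security-Policy" content="img-src 'self'">
          <body>
          <script>

            var img = document.createElement('img');
            img.src = '../support/fail.png';
            img.onerror = function() {
              top.postMessage('FAIL', '*');
            };
            img.onload = function() {
              top.postMessage('PASS', '*');
            };
            document.body.appendChild(img);
          </sc` + `ript></body>`;

        // An opaque-origin sender cannot be identified through e.origin, so
        // the sender is authenticated by window identity instead: only
        // messages whose source is the frame created above are accepted.
        window.addEventListener('message', t.step_func(function(e) {
          if (e.source === i.contentWindow) {
            assert_equals(e.data, 'PASS');
            t.done();
          }
        }));

        document.body.appendChild(i);
      }, 'img-src \'self\' works when specified in a meta tag.');
    </script>

</body>

</html>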