<!DOCTYPE html>
<html>
<head>
<title>Cross origin iframes have their URI censored</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<!--
  Response headers this page is expected to be served with. This is an
  informational copy only: nothing in this file sets them, so confirm the
  accompanying server-side header configuration matches.

  Content-Security-Policy: script-src 'self' 'unsafe-inline'
  Content-Security-Policy-Report-Only: frame-src 'none'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID=$id

  The enforced policy permits the inline test script below ('unsafe-inline').
  The report-only policy disallows frames, so loading the iframe must produce
  a violation report without actually blocking the load.
-->
</head>
<body>
<script>
// Cross-origin frame target. The {{domains[www1]}} and {{ports[http][0]}}
// tokens are substituted by the ".sub" pipe before the page is served, so
// they must be reproduced verbatim wherever the origin is spelled out.
const frameOrigin = "http://{{domains[www1]}}:{{ports[http][0]}}";
const frame = document.createElement("iframe");
frame.src = frameOrigin + "/content-security-policy/support/postmessage-pass.html";

// 1. Report-only frame-src 'none' must not block the frame: load still fires.
const loadTest = async_test("The load event triggers");
frame.addEventListener("load", loadTest.step_func_done());

// 2. The framed document actually ran and posted "PASS" back to this window.
const allowedTest = async_test("The iframe is allowed to load.");
window.addEventListener("message", allowedTest.step_func(function (event) {
  // Ignore messages from any window other than our frame; the harness or
  // other helpers may also post to this window.
  // NOTE(review): only event.source is checked, not event.origin. Asserting
  // event.origin === frameOrigin as well would tighten the check; left as-is
  // to keep behaviour identical.
  if (event.source !== frame.contentWindow) {
    return;
  }
  assert_equals(event.data, "PASS");
  allowedTest.done();
}));

// 3. The violation is still surfaced, and because the frame is cross-origin
//    its blocked URI is censored down to the origin (no path or query).
const violationTest = async_test("The securitypolicyviolation is triggered.");
window.addEventListener("securitypolicyviolation",
  violationTest.step_func_done(function (event) {
    assert_equals(event.blockedURI, frameOrigin);
  }));

document.body.appendChild(frame);
</script>

<!-- The report delivered to report.py must carry the same censored
     blocked-uri: origin only, with the full path stripped. -->
<script async defer src='../support/checkReport.sub.js?reportField=blocked-uri&reportValue=http://{{domains[www1]}}:{{ports[http][0]}}'></script>
</body>
</html>