srcdoc-doesnt-bypass-script-src.sub.html (1269B)
<!DOCTYPE html>
<html>

<head>
    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncrasies. -->
    <!--
      Purpose: checks that markup supplied through an iframe's srcdoc attribute is still
      governed by this page's script-src policy. The policy below allows same-origin script
      files and inline scripts carrying nonce 'abc'. The srcdoc frame holds one nonced inline
      script (a reporter) and one inline script without a nonce; the test expects the latter
      to be blocked and reported as a script-src-elem violation.
      connect-src 'self' is also set; nothing visible in this file exercises it.
    -->
    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc'; connect-src 'self';">
    <title>srcdoc-doesnt-bypass-script-src</title>
    <script src="/resources/testharness.js"></script>
    <script src="/resources/testharnessreport.js"></script>
    <!--
      The logs query parameter presumably lists the entries log() must receive for the test
      to pass (logTest.sub.js is not shown here; confirm against that helper). The single
      expected entry is "violated-directive=script-src-elem".
    -->
    <script src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem"]'></script>
</head>

<body>

    <script nonce='abc'>
        // This block runs because its nonce matches 'nonce-abc' in the policy above.

        // Relay for reports posted by the srcdoc frame: whatever arrives is handed to log().
        // log() is not defined in this file; presumably it comes from logTest.sub.js.
        // NOTE(review): the handler checks neither e.origin nor e.source, so any window that
        // can post to this page can add log entries. Tolerable in an isolated test page; a
        // production receiver should validate the sender before acting on e.data.
        window.onmessage = function(e) {
            log(e.data);
        }

        var i = document.createElement('iframe');
        // Logs any securitypolicyviolation event dispatched on the iframe element itself.
        // NOTE(review): violations raised inside the srcdoc document are reported through the
        // postMessage relay above; whether an event ever reaches this element listener is not
        // shown here. If it did fire, it would produce the same log text as the relay.
        i.addEventListener('securitypolicyviolation', function(e) {
            log("violated-directive=" + e.violatedDirective);
        });

        // Frame content, built by concatenation so that no literal script end tag appears
        // inside this inline block (the HTML parser would otherwise close the block early).
        //   1st script: carries nonce 'abc', so the policy permits it. It listens for
        //               securitypolicyviolation in the frame and posts the violated directive
        //               to the parent. targetOrigin is '*', i.e. no restriction on the
        //               receiving origin; acceptable here, but real code should name the
        //               expected origin.
        //   2nd script: has no nonce. If it were allowed to run it would call
        //               window.parent.log('FAIL'), which is not in the expected log list.
        i.srcdoc = "<sc" + "ript nonce='abc'>" +
            "window.addEventListener('securitypolicyviolation', function(e) {" +
            "window.parent.postMessage('violated-directive=' + e.violatedDirective, '*');});" +
            "</scr" + "ipt>" +
            "<scr" + "ipt>window.parent.log('FAIL')</scr" + "ipt>";
        // Attaching the frame to the document is what loads the srcdoc content.
        document.body.appendChild(i);
    </script>
    <!-- Output container, presumably written to by log() from logTest.sub.js. -->
    <div id="log"></div>
</body>

</html>