data-url-iframe.html (1650B)
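<!DOCTYPE html>
<html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<body></body>
<script>

// Exercises fetch() from inside an iframe whose document comes from a data:
// URL. Such a document runs with an opaque origin (serialized as "null"), so
// the three cases below pin down the CORS behaviour for that origin:
//   - a network resource served without Access-Control-Allow-Origin: rejected
//   - the same resource served with Access-Control-Allow-Origin: null: allowed
//   - a data: URL resource: allowed
//
// Review note: the second case is why "Access-Control-Allow-Origin: null" is
// a poor production allowlist entry. It matches every opaque-origin context
// (data: documents, sandboxed iframes), not one specific caller.

// Builds (but does not attach) an iframe whose data: URL document fetches
// `url` and reports the outcome to its parent as {allowed: boolean}.
//
// url:  resource to fetch, resolved against this page's URL.
// cors: 'null-origin' appends a wptserve pipe that makes the server answer
//       with "Access-Control-Allow-Origin: null"; any other value leaves the
//       URL untouched.
//
// `url` is spliced into a single-quoted string in the generated script
// without escaping, so it must stay a trusted, test-controlled constant.
const createDataUrlIframe = (url, cors) => {
  const iframe = document.createElement("iframe");
  const acaoPipe = cors === 'null-origin'
      ? '?pipe=header(Access-Control-Allow-Origin, null)'
      : '';
  const fetchURL = new URL(url, location.href) + acaoPipe;
  // The tag name is interpolated so that no literal closing script tag
  // appears in this inline script, which would end it prematurely.
  const tag_name = 'script';
  // The child posts with targetOrigin '*'; the parent side authenticates the
  // message by its source window instead (see waitForMessageFrom).
  iframe.src =
      `data:text/html, <${tag_name}>` +
      `async function test() {` +
      ` let allowed = true;` +
      ` try {` +
      ` await fetch('${fetchURL}');` +
      ` } catch (e) {` +
      ` allowed = false;` +
      ` }` +
      ` parent.postMessage({allowed}, '*');` +
      `}` +
      `test(); </${tag_name}>`;
  return iframe;
};

// Resolves with the first message event whose source is `frame`'s window.
// A data: URL document reports event.origin as "null", so the origin cannot
// identify the sender; comparing event.source keeps a stray message from any
// other window from being taken as this test's result.
const waitForMessageFrom = frame => new Promise(resolve => {
  const onMessage = event => {
    if (event.source !== frame.contentWindow) {
      return;
    }
    window.removeEventListener('message', onMessage);
    resolve(event);
  };
  window.addEventListener('message', onMessage);
});

// Registers one promise_test that loads the data: URL iframe and compares the
// reported outcome with `expectation` ('allowed' or 'rejected').
const fetch_from_data_url_iframe_test =
    (url, cors, expectation, description) => {
  promise_test(async t => {
    const iframe = createDataUrlIframe(url, cors);
    // Start listening before the frame is attached so its message cannot be
    // missed, and detach the frame afterwards so subtests do not accumulate
    // live iframes.
    const received = waitForMessageFrom(iframe);
    t.add_cleanup(() => iframe.remove());
    document.body.appendChild(iframe);
    const msgEvent = await received;
    assert_equals(msgEvent.data.allowed ? 'allowed' : 'rejected', expectation);
  }, description);
};

fetch_from_data_url_iframe_test(
  '../resources/top.txt',
  'acao-omitted',
  'rejected',
  'fetching "top.txt" without ACAO should be rejected.'
);
fetch_from_data_url_iframe_test(
  '../resources/top.txt',
  'null-origin',
  'allowed',
  'fetching "top.txt" with CORS allowing null origin should be allowed.'
);
fetch_from_data_url_iframe_test(
  'data:text/plain, top',
  'acao-omitted',
  'allowed',
  'fetching data url script should be allowed.'
);

</script>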