script-html-via-cross-origin-blob-url.sub.html (1439B)
1 <!DOCTYPE html> 2 <!-- Test verifies that cross-origin blob URIs are blocked both with and 3 without CORB. 4 --> 5 <meta charset="utf-8"> 6 <script src="/resources/testharness.js"></script> 7 <script src="/resources/testharnessreport.js"></script> 8 <div id=log></div> 9 <script> 10 async_test(function(t) { 11 function step1_createSubframe() { 12 addEventListener("message", function(e) { 13 t.step(function() { step2_processSubframeMsg(e.data); }) 14 }); 15 var subframe = document.createElement("iframe") 16 // www1 is cross-origin, to ensure that the received blob will be cross-origin. 17 subframe.src = 'http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/subframe-that-posts-html-containing-blob-url-to-parent.html'; 18 document.body.appendChild(subframe); 19 } 20 21 function step2_processSubframeMsg(msg) { 22 assert_false(msg.hasOwnProperty('error'), 'unexpected property found: "error"'); 23 assert_equals(msg.blob_type, 'text/html'); 24 assert_equals(msg.blob_size, 147); 25 26 // With and without CORB loading of a cross-origin blob should be blocked 27 // (this is verified by expecting |script.onerror|, but not |script.onload| 28 // below). 29 var script = document.createElement("script") 30 script.src = msg.blob_url; 31 script.onerror = t.step_func_done(function(){}) 32 script.onload = t.unreached_func("Unexpected load event") 33 document.body.appendChild(script) 34 } 35 36 step1_createSubframe(); 37 }); 38 </script>