object-allowed-schemas.sub.window.js (1337B)
1 async function test_uri(t, uri, expected) { 2 const object = document.createElement("object"); 3 const promise = new Promise((resolve, reject) => { 4 object.onerror = e => reject(e.type); 5 object.onload = () => resolve("success"); 6 object.data = uri; 7 document.body.append(object); 8 }); 9 10 if (expected === "success") { 11 await promise; 12 } else { 13 await promise_rejects_exactly(t, expected, promise); 14 } 15 16 object.remove(); 17 } 18 19 promise_test(async t => { 20 await test_uri(t, "about:blank", "success"); 21 }, "about: allowed in object"); 22 23 promise_test(async t => { 24 const blobParts = ['Hello, world!']; 25 const blob = new Blob(blobParts, { type: "text/html" }) 26 await test_uri(t, URL.createObjectURL(blob), "success"); 27 }, "blob: allowed in object"); 28 29 promise_test(async t => { 30 await test_uri(t, "data:,Hello%2C%20World%21", "success"); 31 }, "data: allowed in object"); 32 33 promise_test(async t => { 34 await test_uri(t, "https://{{domains[www]}}:{{ports[https][0]}}", "success"); 35 }, "https: allowed in object"); 36 37 promise_test(async t => { 38 await test_uri(t, "http://{{domains[www]}}:{{ports[http][0]}}", "success"); 39 }, "http: allowed in object"); 40 41 42 promise_test(async t => { 43 await test_uri(t, "javascript:'x'", "error"); 44 }, "javascript: scheme not allowed in object");