iframe-upgrade-request-to-cross-origin.sub.html (1174B)
1 <!DOCTYPE html> 2 <link rel="author" title="Dominic Farolino" href="dom@chromium.org"> 3 <script src="/resources/testharness.js"></script> 4 <script src="/resources/testharnessreport.js"></script> 5 <!-- We need to set the CSP via the <meta> tag. If we were to use the HTTP 6 header, we'd have to specify the absolute HTTPS URL of the test harness and 7 reporter, but then this file is not recognized as a test harness test, and 8 will not run --> 9 <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> 10 <body> 11 <iframe id="iframe"></iframe> 12 <script> 13 async_test(t => { 14 const iframe = document.querySelector('iframe'); 15 iframe.src = 16 'http://{{domains[www]}}:{{ports[https][0]}}/referrer-policy/generic/resources/referrer.py'; 17 18 addEventListener('message', t.step_func_done(msg => { 19 const referrer = msg.data; 20 assert_equals(referrer, new URL(location.href).origin + '/', 21 "The referrer header sent for the iframe request should be redacted"); 22 })); 23 }, "If an insecure iframe request is upgraded to https to be cross-origin, " + 24 "referrer policies that consider same-origin-ness should be applied correctly"); 25 </script> 26 </body>