mirror of
https://github.com/servo/servo.git
synced 2025-07-13 02:13:40 +01:00
69 lines
2.8 KiB
HTML
69 lines
2.8 KiB
HTML
<!DOCTYPE html>
|
|
<head>
|
|
<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
|
|
<script src="/resources/testharness.js"></script>
|
|
<script src="/resources/testharnessreport.js"></script>
|
|
|
|
</head>
|
|
<body>
|
|
<script>
|
|
var t0 = async_test("Image loaded in srcdoc iframe using document.write is blocked");
|
|
var t1 = async_test("Image loaded in normal iframe using document.write is blocked");
|
|
var t2 = async_test("Image loaded directly in simple srcdoc iframe is blocked");
|
|
|
|
window.onmessage = function(e) {
|
|
var current_test;
|
|
if (e.data.type == "spv0") {
|
|
current_test = t0;
|
|
} else if (e.data.type == "spv1") {
|
|
current_test = t1;
|
|
} else if (e.data.type == "spv2") {
|
|
current_test = t2;
|
|
} else {
|
|
t0.step(function() {assert_true(false, "Unexpected message received from child frames")});
|
|
t1.step(function() {assert_true(false, "Unexpected message received from child frames")});
|
|
t2.step(function() {assert_true(false, "Unexpected message received from child frames")});
|
|
}
|
|
|
|
current_test.step(function() {
|
|
assert_equals(e.data.violatedDirective, 'img-src');
|
|
current_test.done();
|
|
});
|
|
}
|
|
</script>
|
|
|
|
<!--As discovered thanks to crbug.com/920531, there is a bug in CSP where the
|
|
CSP is not inherited when using document.open/document.write to edit a
|
|
document's contents. -->
|
|
<iframe id="frame1" srcdoc=""></iframe>
|
|
|
|
<!-- This is speculatively correct https://github.com/whatwg/html/issues/4510 -->
|
|
<iframe id="frame2" src="/content-security-policy/common/blank.html"></iframe>
|
|
|
|
<!--<script>
|
|
window.addEventListener('securitypolicyviolation', function(e) {
|
|
window.top.postMessage({type: 'spv2', violatedDirective: e.violatedDirective}, '*');
|
|
});
|
|
</script>
|
|
<img src='/content-security-policy/support/fail.png'>
|
|
-->
|
|
<iframe srcdoc="<script>window.addEventListener('securitypolicyviolation', function(e) {window.top.postMessage({type: 'spv2', violatedDirective: e.violatedDirective}, '*');});</script><img src='/content-security-policy/support/fail.png'>"></iframe>
|
|
<script>
|
|
var frames = ['frame1', 'frame2'];
|
|
for (var i = 0; i < frames.length; i++) {
|
|
var body_text = ['<script>',
|
|
' window.addEventListener("securitypolicyviolation", function(e) {',
|
|
' window.top.postMessage({type: "spv'+ i + '", violatedDirective: e.violatedDirective}, "*");',
|
|
' });',
|
|
'</scr' + 'ipt>',
|
|
'<img src="/content-security-policy/support/fail.png">'].join('\n');
|
|
|
|
var e = document.getElementById(frames[i]);
|
|
var n = e.contentWindow.document;
|
|
n.open();
|
|
n.write("<html><body>" + body_text + "</body></html>");
|
|
n.close();
|
|
}
|
|
</script>
|
|
</body>
|
|
</html>
|