<!DOCTYPE html>
<html>
<head>
<!-- Only allow same-origin frames, and frames from https://{{hosts[][www1]}}:{{ports[https][0]}} -->
<meta http-equiv="Content-Security-Policy" content="frame-src 'self' https://{{hosts[][www1]}}:{{ports[https][0]}};">
<title>frame-src-cross-origin-load</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>
<body>
<p>
IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked
state. This means they appear to be normal cross-origin loads, thereby not leaking URL
information directly to JS.
</p>
<script>
promise_test(async t => {
return new Promise((resolve, reject) => {
let f = document.createElement('iframe');
f.src = "../support/postmessage-pass.html";
f.onload = resolve;
f.onerror = reject;
document.body.appendChild(f);
}, "Same-origin allowed frame fires a `load` event.");
});
promise_test(async t => {
return new Promise((resolve, reject) => {
let f = document.createElement('iframe');
f.src = "https://{{hosts[][www1]}}:{{ports[https][0]}}/content-security-policy/support/postmessage-pass.html";
f.onload = resolve;
f.onerror = reject;
document.body.appendChild(f);
}, "Cross-origin allowed frame fires a `load` event.");
});
promise_test(async t => {
return new Promise((resolve, reject) => {
let f = document.createElement('iframe');
f.src = "https://{{hosts[alt][]}}:{{ports[https][0]}}/content-security-policy/support/postmessage-fail.html";
f.onload = resolve;
f.onerror = reject;
document.body.appendChild(f);
}, "Cross-origin blocked frame fires a `load` event.");
});
</script>
</body>
</html>
Codebase Browser
chromium