<!DOCTYPE HTML>
<html>
<head>
<!-- This tests a bug that can occur when content layer CSP is not told
about the CSP inherited from the parent document which leads to it not
applying it to content layer CSP checks (such as frame-src with
PlzNavigate on).
Also see crbug.com/778658. -->
<script src='/resources/testharness.js'></script>
<script src='/resources/testharnessreport.js'></script>
</head>
<body>
<script>
var t = async_test("iframe still inherits correct CSP");
window.onmessage = t.step_func_done(function(e) {
assert_equals(e.data, "frame-src");
});
function doDocWrite() {
x = document.getElementById('x');
x.location = "";
// While document.write is deprecated I did not find another way to reproduce
// the original exploit.
x.contentDocument.write(
'<script>window.addEventListener("securitypolicyviolation", function(e) {' +
' window.top.postMessage(e.violatedDirective, "*");' +
'});</scr' + 'ipt>' +
'<iframe src="../support/fail.html"></iframe>'
);
x.contentDocument.close();
var s = document.createElement('script');
s.async = true;
s.defer = true;
s.src = '../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-src%20%27none%27';
document.lastChild.appendChild(s);
}
</script>
<iframe id="x" onload="doDocWrite()" srcdoc="<a href='about:blank'>123</a>"></iframe>
</body>
</html>
Codebase Browser
chromium