Codebase Browser
chromium
Go to App

chromium/third_party/blink/web_tests/external/wpt/content-security-policy/inheritance/window-open-local-after-network-scheme.sub.html 

<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/utils.js"></script>

<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
<title>about:blank in popup inherits CSPs from the navigation initiator</title>
<body>

<script>
  const message_from = (source_token, w) => {
    return new Promise(resolve => {
      window.addEventListener('message', msg => {
        if (msg.data.token === source_token)
          resolve(msg.data.msg);
      });
    });
  };

  const testCases = [
    {
      previous_origin: window.origin,
      name: "Popup being navigated to about:blank was same-origin.",
    },
    {
      previous_origin: "http://{{hosts[alt][]}}:{{ports[http][0]}}",
      name: "Popup being navigated to about:blank was cross-origin.",
    },
  ];

  testCases.forEach(testCase => {
    promise_test(async t => {
      // Create a popup and navigate it.
      const popup_token = token();
      // const popup = window.open("about:blank", testCase.name);
      const loaded = message_from(popup_token);
      const popup = window.open(
        testCase.previous_origin +
          "/content-security-policy/inheritance/support" +
          `/postmessage-opener.html?token=${popup_token}`,
        testCase.name);
      t.add_cleanup(() => popup.close());

      assert_equals(await loaded, "ready");

      // Navigate the popup to "about:blank".
      window.open("about:blank", testCase.name);
      await t.step_wait(
        condition = () => {
          try {
            return popup.location.href == "about:blank";
          } catch {}
          return false;
        },
        description = "Wait for the popup to navigate.",
        timeout=3000,
        interval=50);

      // Now create an img in the popup and check if it is blocked by CSPs.
      const script = popup.document.createElement('script');
      script.innerText = `
        function messageBack(msg) {
          opener.postMessage(msg ,"*");
        }
      `;
      popup.document.head.appendChild(script);
      const div = popup.document.createElement('div');

      const img_token = token();
      const img_url = window.origin + "/content-security-policy/support/fail.png";
      div.innerHTML = `
        <img src="${img_url}"
             onload="messageBack({msg: 'img loaded', token: '${img_token}'});"
             onerror="messageBack({msg: 'img blocked', token: '${img_token}'});"
        >
      `;

      const msg = message_from(img_token);
      popup.document.body.appendChild(div);
      assert_equals(await msg, "img blocked");
    }, testCase.name);
  });
</script>