<!DOCTYPE html>
<!--
TODO(mkwst, arthursonzogni). This test fails. See https://crbug.com/700964
-->
<html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<meta http-equiv="Content-Security-Policy" content="form-action 127.0.0.1:8000">
</head>
<body>
<form
action="/resources/redirection-response.php?host=localhost:8000&status=302&target=/security/resources/post-done-to-opener.html"
target="namedWindow"
method="post">
<input type='submit' id='submit'>
</form>
<script>
async_test(t => {
// #1 Open a new window with the name matching the form.target attribute
// above.
var namedWindow = window.open('/security/resources/empty.html', 'namedWindow')
// #2 Wait the window to be loaded. It prevents the document url to still
// be about:blank and to have inherited from its opener's CSP.
t.step_timeout(function() {
window.addEventListener('message', t.step_func(e => {
if (e.source == namedWindow && e.data == "done")
assert_unreached("The form submission wasn't blocked.");
}));
// The navigation should be blocked, either in the current window 1) or
// in the new window 2).
// 1) The navigation is blocked in the current window.
window.addEventListener('securitypolicyviolation', t.step_func(e => {
assert_equals(e.effectiveDirective, "form-action");
assert_equals(e.blockedURI, "http://127.0.0.1:8000/resources/redirection-response.php?host=localhost:8000&status=302&target=/security/resources/post-done-to-opener.html");
namedWindow.close();
t.done();
}));
// 2) The navigation is blocked in the new window.
t.step_timeout(t.step_func(() => {
namedWindow.close();
t.done();
}), 1000);
// #3 Make a form submission with a redirect. It should be blocked by
// the form-action directive after the redirect.
document.getElementById('submit').click();
}, 1000);
}, "The form resubmission should be blocked after the redirect");
</script>
</body>
</html>
Codebase Browser
chromium