<!DOCTYPE html>
<html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/security/contentSecurityPolicy/resources/cascade-helper.js"></script>
<meta http-equiv="content-security-policy" content="img-src http://127.0.0.1:8000 http://example.test:8000">
</head>
<body>
<script>
async_test(t => {
assert_allowed_image_in_document(t, document, "http://example.test:8000/resources/square.png?img-in-top-level");
}, "Image loaded in top-level blocked.");
async_test(t => {
var frame = document.createElement("iframe");
window.addEventListener("message", t.step_func(e => {
if (e.source != frame.contentWindow)
return;
assert_equals(e.data, "blocked");
t.done();
}));
frame.src = "data:text/html," +
"<meta http-equiv='content-security-policy' content='img-src http://127.0.0.1:8000'>" +
"<script>" +
" var i = document.createElement('img');" +
" i.onload = _ => top.postMessage('loaded', '*');" +
" i.onerror = _ => top.postMessage('blocked', '*');" +
" i.src = 'http://example.test:8000/resources/square.png?data-frame'" +
"</scr" + "ipt>";
document.body.appendChild(frame);
}, "Image loaded via data: frame blocked.");
</script>
</body>
</html>
Codebase Browser
chromium