<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<meta http-equiv="Content-Security-Policy" content="frame-src 'self' http://localhost:8080">
<script>
async_test(t => {
let test_urls = [
"https://localhost:8443/security/contentSecurityPolicy/resources/post-message-fail.html",
"/security/contentSecurityPolicy/resources/post-message-pass.html",
"http://localhost:8080/security/contentSecurityPolicy/resources/post-message-pass.html"
];
let num_messages = 0;
let num_loads = 0;
function maybe_finish() {
if (num_messages == 2 && num_loads == 3) {
t.done();
}
};
function run_url(url) {
let iframe = document.createElement('iframe');
iframe.src = url;
iframe.addEventListener('load', iframe_load);
document.body.appendChild(iframe);
};
function iframe_load(e) {
num_loads++;
maybe_finish();
if (test_urls.length > 0) {
run_url(test_urls.shift());
}
};
// We will only receive messages from content that actually loaded, which does
// not include any blocked content. The messages are asynchronous, so there's
// no way to know when we've waited "long enough" for a failure. This test is
// best-effort, in that it loads the failure case first; so if we receive
// "pass" messages for the subsequent iframes without receiving a "fail"
// message, we can have high confidence that the blocked content didn't load.
addEventListener('message', t.step_func(e => {
num_messages++;
assert_equals(e.data, 'PASS', 'Content from blocked frame should not load');
maybe_finish();
}));
onload = () => { run_url(test_urls.shift()) };
}, "IFrames blocked by CSP should generate a 'load' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.");
</script>
Codebase Browser
chromium