Codebase Browser
chromium
Go to App

chromium/third_party/blink/web_tests/http/tests/security/isolatedWorld/bypass-main-world-csp-iframes.html 

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="frame-src 'none'">
<script>
    if (window.testRunner) {
        testRunner.dumpAsText();
        testRunner.waitUntilDone();
    }

    function waitForIframeLoad() {
        return new Promise(resolve => {
            document.getElementById('testiframe').onload = resolve;
        });
    }

    function waitForMessage() {
        return new Promise(resolve => {
            window.onmessage = (message) => {
                alert(message.data);
                resolve();
            }
        });
    }

    async function test() {
        function setIframeSrc(isolated, num) {
            var iframe = document.getElementById('testiframe');
            iframe.src = "resources/iframe.php?test=" + num;
        }

        let tests = 0;
        alert("Running test #" + (++tests) + "\n");
        setIframeSrc(false, tests);
        await waitForIframeLoad();

        alert("Running test #" + (++tests) + "\n");
        // Clear any existing isolated world CSP or security origin to
        // prevent side-effects from other tests.
        testRunner.setIsolatedWorldInfo(1, null, null);
        testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setIframeSrc")) + "\nsetIframeSrc(true, " + tests + ");");
        await waitForIframeLoad();

        alert("Running test #" + (++tests) + "\n");
        alert("Starting to bypass main world's CSP:");
        testRunner.setIsolatedWorldInfo(1, "chrome-extension://123", "frame-src 'none'");
        testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setIframeSrc")) + "\nsetIframeSrc(true, " + tests + ");");
        await waitForMessage();

        alert("Running test #" + (++tests) + "\n");
        // Main world, then isolated world -> should load
        setIframeSrc(false, tests);
        testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setIframeSrc")) + "\nsetIframeSrc(true, " + tests + ".5);");
        await waitForMessage();

        alert("Running test #" + (++tests) + "\n");
        // Isolated world, then main world -> should block
        testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setIframeSrc")) + "\nsetIframeSrc(true, " + tests + ");");
        setIframeSrc(false, tests + 0.5);
        await waitForIframeLoad();

        alert("Running test #" + (++tests) + "\n");
        setIframeSrc(false, tests);
        await waitForIframeLoad();

        alert("Running test #" + (++tests) + "\n");
        testRunner.setIsolatedWorldInfo(1, null, null);
        testRunner.notifyDone();
    }
</script>
</head>
<body onload='test();'>
    <p>
        <iframe id="testiframe"></iframe>
        This test ensures that iframes loaded from isolated worlds marked with
        their own Content Security Policy aren't affected by the page's content
        security policy. Extensions, for example, should be able to load any
        resource they like.
    </p>
</body>
</html>