<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
<script>
if (window.testRunner) {
testRunner.dumpAsText();
testRunner.waitUntilDone();
}
tests = 4;
window.addEventListener("message", function(message) {
tests -= 1;
test();
}, false);
function setup() {
// This is needed because isolated worlds are not reset between test
// runs and a previous test's CSP may interfere with this test. See
// https://crbug.com/415845.
testRunner.setIsolatedWorldInfo(1, null, null);
var img = document.getElementById('testimg');
img.onload = function () {
alert('LOADED');
window.postMessage("next", "*");
};
img.onerror = function () {
alert('BLOCKED');
window.postMessage("next", "*");
};
test();
}
function test() {
function setImgSrc(num) {
var img = document.getElementById('testimg');
img.src = "../resources/abe.png?" + num;
}
alert("Running test #" + tests + "\n");
switch (tests) {
case 4:
alert("Test in main world.");
setImgSrc(4);
break;
case 3:
alert("Test in isolated world without a CSP.");
testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setImgSrc")) + "\nsetImgSrc(3);");
break;
case 2:
alert("Test in isolated world with lax CSP");
testRunner.setIsolatedWorldInfo(1, 'chrome-extension://123', 'img-src *');
testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setImgSrc")) + "\nsetImgSrc(2);");
break;
case 1:
alert("Test in isolated world with restrictive CSP");
testRunner.setIsolatedWorldInfo(1, 'chrome-extension://123', "img-src 'self'");
testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setImgSrc")) + "\nsetImgSrc(0);");
break;
case 0:
testRunner.setIsolatedWorldInfo(1, null, null);
testRunner.notifyDone();
break;
}
}
</script>
</head>
<body onload='setup();'>
<p>
<img id="testimg">
This test ensures that img-src checks respect the isolated world CSP
when the IsolatedWorldCSP feature is enabled and bypass the main world
CSP checks otherwise.
</p>
</body>
</html>
Codebase Browser
chromium