CONSOLE MESSAGE: Testing main world. Javascript url should be blocked by mainworld CSP.
CONSOLE ERROR: Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
CONSOLE MESSAGE: PASS: Javascript url blocked as expected.
CONSOLE MESSAGE: Testing isolated world with no csp. Javascript url should be blocked by main world CSP.
CONSOLE ERROR: Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
CONSOLE MESSAGE: PASS: Javascript url blocked as expected.
CONSOLE MESSAGE: Testing isolated world with permissive csp.
ALERT: iframe javascript: src running
CONSOLE MESSAGE: PASS: Javascript url worked as expected
CONSOLE MESSAGE: Testing isolated world with strict csp.
CONSOLE ERROR: Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
CONSOLE MESSAGE: PASS: Javascript url blocked as expected.
This tests the isolated world CSP and its implications on changing the window location to Javascript urls.
Codebase Browser
chromium