<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<body>
<script>
async_test(t => {
assert_equals(location.protocol, "https:");
var f = document.createElement("iframe");
window.addEventListener("message", t.step_func(e => {
if (e.source !== f.contentWindow)
return;
assert_equals(e.data, "PASS");
t.done();
}));
var otherDataUrl = "data:text/html," + encodeURIComponent(`
<script src="BLOB_URL_HERE"
onerror="parent.postMessage('PASS', '*');"
onload="parent.postMessage('FAIL: onload was fired', '*');">
<\/script>
`);
f.src = "data:text/html," + encodeURIComponent(`
<script>
var url = URL.createObjectURL(new Blob(["parent.postMessage('FAIL: This external blob:-script should have been blocked', '*');"]));
// Navigate to another data-URL, which has a new origin.
location.href = "${otherDataUrl}".replace("BLOB_URL_HERE", url);
<\/script>
`);
document.body.appendChild(f);
}, "'data:' URL frames cannot load 'blob:' resources originating from another data:-URL.");
</script>
</body>
Codebase Browser
chromium