<script type="module">
// TODO(https://github.com/web-platform-tests/wpt/issues/4880): Move this tests
// into the WPT repository.
// Check HSTS does not bypass MIX.
// Dump into expectation console messages. We are expecting this message:
// CONSOLE ERROR: [...] Mixed Content: The page at [...] was loaded over
// HTTPS, but requested an insecure frame [...]. This request has been
// blocked; the content must be served over HTTPS.
testRunner.waitUntilDone();
testRunner.dumpAsText();
await fetch("https://hsts-example.test:8443/security/resources/hsts.php?as-fetch");
// Note: HTTP, not HTTPS:
const iframe = document.createElement('iframe');
iframe.src = "http://hsts-example.test:8443/security/resources/hsts.php";
onmessage = () => console.log("Error: message received from the frame.");
// Wait for the iframe to navigate and commit the error page. Purposefully,
// there are no APIs to know when an error happens, as it would otherwise
// reveals whether the user is logged in a cross-origin website.
document.body.appendChild(iframe);
await new Promise(r => setTimeout(r, 3000));
testRunner.notifyDone();
</script>
Codebase Browser
chromium