This page should be sandboxed.
<script>
// This page is not served with the extension's default CSP, so inline script is allowed.
// Reports |msg| to the window driving this test: window.opener when it is
// set, otherwise window.top.
// The target origin is '*', so whichever document currently occupies that
// window receives the message. The callers in this file only pass the fixed
// status strings 'succeeded' and 'failed'.
var sendResponse = function(msg) {
  (window.opener || window.top).postMessage(msg, '*');
};
// Set to true by runTestAndRespond() immediately before it points the iframe
// at the remote URL. It records that the remote navigation was started, not
// that a remote document actually loaded.
var remote_frame_loaded = false;

// A CSP violation counts as success only once the remote navigation has been
// started; one reported earlier is reported to the main window as a failure.
// NOTE(review): the event itself is not inspected (e.g. blockedURI or
// violatedDirective), so any violation raised after the flag flips is treated
// as the expected one.
window.addEventListener('securitypolicyviolation', function() {
  sendResponse(remote_frame_loaded ? 'succeeded' : 'failed');
});
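// Points |iframe| at |url| and performs a one-shot handshake with the page
// loaded there.
//
// Once the frame fires onload it is sent ['sandboxed frame msg', identifier]
// (JSON-encoded). The returned promise resolves when the first 'message'
// event seen afterwards comes from that same frame and carries
// ['local frame msg', identifier]. It rejects when the first message comes
// from another window, is not valid JSON, is not the expected array, or when
// the iframe fires onerror.
var loadFrameExpectResponse = function(iframe, url) {
  // Per-call token the loaded page has to echo back, so a reply meant for an
  // earlier load is not mistaken for this one.
  var identifier = performance.now();
  return new Promise(function(resolve, reject) {
    var onReply = function(e) {
      // The first message decides the outcome. Drop the listener so repeated
      // calls do not pile up stale handlers on the window.
      window.removeEventListener('message', onReply);

      // Only the frame that was just loaded is allowed to answer. Message
      // origins are not compared here, so the sender is identified by its
      // window reference instead.
      if (e.source !== iframe.contentWindow) {
        reject();
        return;
      }

      var data;
      try {
        data = JSON.parse(e.data);
      } catch (err) {
        // Unparseable data used to throw inside the listener and leave the
        // promise pending; treat it like any other unexpected message.
        reject();
        return;
      }

      // Loose comparison on the identifier is kept from the original; the
      // replying page is not visible here, so the echoed type is not assumed.
      if (Array.isArray(data) && data[0] === 'local frame msg' &&
          data[1] == identifier) {
        resolve();
      } else {
        reject();
      }
    };
    window.addEventListener('message', onReply);

    iframe.onerror = reject;
    iframe.onload = function() {
      // '*' as target origin: the message carries only the handshake tag and
      // the token. NOTE(review): presumably needed because the loaded frame
      // has an opaque (sandboxed) origin - confirm.
      iframe.contentWindow.postMessage(
          JSON.stringify(['sandboxed frame msg', identifier]), '*');
    };
    iframe.src = url;
  });
};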
// Runs the two-step check: load |localUrl| in a fresh iframe and wait for its
// handshake, then navigate the same iframe to |remoteUrl|. The result is not
// returned; it is reported by the 'securitypolicyviolation' listener through
// sendResponse().
// NOTE(review): the promise has no rejection handler, so a failed local
// handshake sends nothing to the main window.
var runTestAndRespond = function(localUrl, remoteUrl) {
  var frame = document.createElement('iframe');

  var startRemoteNavigation = function() {
    // The remote navigation is expected to be blocked by the
    // Content-Security-Policy. The SecurityPolicyViolationEvent is what tells
    // us the frame was blocked, so flip the flag before navigating.
    remote_frame_loaded = true;
    frame.src = remoteUrl;
  };

  // Step one: the local resource must load in |frame| and respond.
  loadFrameExpectResponse(frame, localUrl).then(startRemoteNavigation);

  // The frame is attached only after its src has been set above.
  document.body.appendChild(frame);
};
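// Command entry point. A JSON-encoded ['load', localUrl, remoteUrl] message
// starts the test; every other message is ignored. The handshake reply handled
// in loadFrameExpectResponse() also passes through this handler.
// NOTE(review): the sender (e.source / e.origin) is not checked, so any window
// able to post to this page can make it load the URLs it supplies. That is
// tolerable for a test fixture; a production handler should verify the sender.
onmessage = function(e) {
  var command;
  try {
    command = JSON.parse(e.data);
  } catch (err) {
    // Data that is not JSON cannot be a command; ignore it rather than let
    // the handler throw.
    return;
  }
  if (!Array.isArray(command) || command[0] !== 'load') {
    return;
  }
  runTestAndRespond(command[1], command[2]);
};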
</script>