<!doctype html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<meta http-equiv="Content-Security-Policy" content="frame-src https://localhost:8443">
<script>
async_test(t => {
var watcher = new EventWatcher(t, document, ['securitypolicyviolation']);
watcher
.wait_for('securitypolicyviolation')
.then(t.step_func(e => {
assert_equals(e.blockedURI, "http://localhost:8000", "The reported URL should be stripped.");
assert_equals(e.lineNumber, 0, "The script line number shouldn't be reported.");
t.done();
}));
window.onmessage = t.unreached_func('No message should be sent from the frame.');
window.onload = _ => {
// The test verifies that Content-Security-Policy from the main frame
// restricts child frame's location even when the location is changed
// as a result of a navigation trigerred from within the child frame
// (which might reside in another renderer process due to --site-per-process).
var url = "https://localhost:8443/security/contentSecurityPolicy/resources/frame-that-navigates-itself.html";
var i = document.createElement('iframe');
i.src = url;
document.body.appendChild(i);
};
}, "The frame's navigation is blocked.");
</script>
Codebase Browser
chromium