| OLD | NEW |
|---|
| 1 <html> | 1 <html> |
| 2 <head> | 2 <head> |
| 3 </head> | 3 </head> |
| 4 <body> | 4 <body> |
| 5 | 5 |
| 6 <p>This test does cross-site XHR fetches of documents with the Same Origin | 6 <p>This test does cross-site XHR fetches of documents with the Same Origin |
| 7 Policy turned off in the renderer. The Same Origin Policy can be circumvented | 7 Policy turned off in the renderer. The Same Origin Policy can be circumvented |
| 8 when the renderer is compromised, but site isolation ought to block cross-site | 8 when the renderer is compromised, but site isolation ought to block cross-site |
| 9 documents at the IPC layer.</p> | 9 documents at the IPC layer.</p> |
| 10 | 10 |
| 11 <p>We only block cross-site documents with a blacklisted mime type (text/html, | 11 <p>We only block cross-site documents with a blacklisted mime type (text/html, |
| 12 text/xml, application/json), that are correctly sniffed as the content type that | 12 text/xml, application/json), that are correctly sniffed as the content type that |
| 13 they claim to be. We also block text/plain documents when their body looks like | 13 they claim to be. We also block text/plain documents when their body looks like |
| 14 one of the blacklisted content types.</p> | 14 one of the blacklisted content types.</p> |
| 15 | 15 |
| 16 <script> | 16 <script> |
| 17 var pathPrefix = "http://bar.com/files/site_isolation/"; | 17 var pathPrefix = "http://bar.com/site_isolation/"; |
| 18 | 18 |
| 19 // To be called from the browsertest via ExecuteScriptAndExtractBool(). | 19 // To be called from the browsertest via ExecuteScriptAndExtractBool(). |
| 20 function sendRequest(resourceUrl) { | 20 function sendRequest(resourceUrl) { |
| 21 var xhr = new XMLHttpRequest(); | 21 var xhr = new XMLHttpRequest(); |
| 22 xhr.onreadystatechange = function() { | 22 xhr.onreadystatechange = function() { |
| 23 if (xhr.readyState == 4) { | 23 if (xhr.readyState == 4) { |
| 24 // At one point this test operated with an experimental flag to actually | 24 // At one point this test operated with an experimental flag to actually |
| 25 // block requests in the render process -- in that case the blocked | 25 // block requests in the render process -- in that case the blocked |
| 26 // response was replaced with the literal string " ". That flag has been | 26 // response was replaced with the literal string " ". That flag has been |
| 27 // removed (circa June 2015), but when browser process document blocking | 27 // removed (circa June 2015), but when browser process document blocking |
| (...skipping 14 matching lines...) Expand all Loading... |
| 42 | 42 |
| 43 window.onload = function() { | 43 window.onload = function() { |
| 44 // The call to pushState with another domain will succeed, since the | 44 // The call to pushState with another domain will succeed, since the |
| 45 // test uses --disable-web-security. | 45 // test uses --disable-web-security. |
| 46 history.pushState('', '', 'http://bar.com/files/main.html'); | 46 history.pushState('', '', 'http://bar.com/files/main.html'); |
| 47 } | 47 } |
| 48 </script> | 48 </script> |
| 49 <textarea rows=20 cols=50 id='response_body'></textarea> | 49 <textarea rows=20 cols=50 id='response_body'></textarea> |
| 50 </body> | 50 </body> |
| 51 </html> | 51 </html> |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1411073005:
Migrating tests to use EmbeddedTestServer (/content) (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master