OLD | NEW |
1 <?php | 1 <?php |
2 header("Content-Security-Policy-Report-Only: block-all-mixed-content"); | 2 header("Content-Security-Policy-Report-Only: block-all-mixed-content"); |
3 ?> | 3 ?> |
4 <!doctype html> | 4 <!doctype html> |
5 <script src="/resources/testharness.js"></script> | 5 <script src="/resources/testharness.js"></script> |
6 <script src="/resources/testharnessreport.js"></script> | 6 <script src="/resources/testharnessreport.js"></script> |
7 <body> | 7 <body> |
8 <script> | 8 <script> |
9 async_test(t => { | 9 function waitForEvent(t, el, name) { |
10 var i = document.createElement('img'); | 10 return new EventWatcher(t, el, [name]).wait_for(name); |
11 i.onerror = t.assert_unreached; | 11 } |
12 i.onload = t.step_func_done(_ => { | |
13 assert_equals(128, i.naturalWidth); | |
14 assert_equals(128, i.naturalHeight); | |
15 }); | |
16 i.src = "http://127.0.0.1:8080/security/resources/compass.jpg?t=1"; | |
17 }, "Mixed images are allowed in the presence of 'block-all-mixed-content' in
report-only mode."); | |
18 | 12 |
19 async_test(t => { | 13 async_test(t => { |
20 var i = document.createElement('img'); | 14 var i = document.createElement('img'); |
21 document.addEventListener('securitypolicyviolation', t.step_func_done(e
=> { | 15 i.onerror = t.unreached_func(); |
22 var expectations = { | 16 |
23 'documentURI': document.location.toString(), | 17 Promise.all([ |
24 'referrer': document.referrer, | 18 waitForEvent(t, i, 'load').then(_ => { |
25 'blockedURI': 'http://127.0.0.1:8080', | 19 assert_equals(128, i.naturalWidth); |
26 'violatedDirective': 'block-all-mixed-content', | 20 assert_equals(128, i.naturalHeight); |
27 'effectiveDirective': 'block-all-mixed-content', | 21 }), |
28 'originalPolicy': 'block-all-mixed-content', | 22 waitForEvent(t, document, 'securitypolicyviolation').then(e => { |
29 'sourceFile': '', | 23 var expectations = { |
30 'lineNumber': 0, | 24 'documentURI': document.location.toString(), |
31 'columnNumber': 0, | 25 'referrer': document.referrer, |
32 'statusCode': 0 | 26 'blockedURI': 'http://127.0.0.1:8080/security/resources/comp
ass.jpg?t=1', |
33 }; | 27 'violatedDirective': 'block-all-mixed-content', |
34 for (key in expectations) | 28 'effectiveDirective': 'block-all-mixed-content', |
35 assert_equals(expectations[key], e[key], key); | 29 'originalPolicy': 'block-all-mixed-content', |
36 })); | 30 'sourceFile': '', |
37 i.src = "http://127.0.0.1:8080/security/resources/compass.jpg?t=2"; | 31 'lineNumber': 0, |
38 }, "Mixed images generate CSP violation reports in the presence of 'block-al
l-mixed-content'."); | 32 'columnNumber': 0, |
| 33 'statusCode': 0 |
| 34 }; |
| 35 for (key in expectations) |
| 36 assert_equals(expectations[key], e[key], key); |
| 37 }) |
| 38 ]).then(t.step_func_done()); |
| 39 |
| 40 i.src = "http://127.0.0.1:8080/security/resources/compass.jpg?t=1"; |
| 41 }, "Mixed images are allowed and generate CSP violation reports in the prese
nce of 'block-all-mixed-content' in report-only mode."); |
39 </script> | 42 </script> |
OLD | NEW |