OLD | NEW |
(Empty) | |
| 1 <html> |
| 2 <head> |
| 3 </head> |
| 4 <body> |
| 5 This test shows that cross-site documents are blocked by SiteIsolationPolicy |
| 6 even if the Same Origin Policy is turned off in the renderer. The Same Origin |
| 7 Policy can be circumvented when the renderer is compromised, but we have |
| 8 SiteIsolationPolicy that blocks cross-site documents at the IPC layer. For now |
| 9 cross-site document blocking by SiteIsolationPolicy is done in the renderer, but |
| 10 our ultimate plan is to do that in the browser process. |
| 11 |
| 12 <script> |
| 13 var xhrStatus = -1; |
| 14 var pathPrefix = "http://bar.com/files/site_isolation/"; |
| 15 |
| 16 // We only block cross-site documents with a blacklisted mime type(text/html, |
| 17 // text/xml, application/json), that are correctly sniffed as the content type |
| 18 // that they claim to be. We also block text/plain documents when their body |
| 19 // looks like one of the blacklisted content types. |
| 20 |
| 21 var blockedResourceUrls = ['valid.html', 'comment_valid.html', 'valid.xml', |
| 22 'valid.json', 'html.txt', 'xml.txt', 'json.txt']; |
| 23 |
| 24 var nonBlockedResourceUrls = ['js.html', 'comment_js.html', 'js.xml', 'js.json', |
| 25 'js.txt', 'img.html', 'img.xml', 'img.json', 'img.txt', 'comment_js.html']; |
| 26 |
| 27 var resourceUrls = blockedResourceUrls.concat(nonBlockedResourceUrls); |
| 28 |
| 29 var failed = false; |
| 30 function sendRequest(resourceUrl) { |
| 31 var xhr = new XMLHttpRequest(); |
| 32 xhr.onreadystatechange = function() { |
| 33 if (xhr.readyState == 4) { |
| 34 var prefix = ""; |
| 35 if ((blockedResourceUrls.indexOf(resourceUrl) != -1 && |
| 36 xhr.responseText != " ") || |
| 37 (nonBlockedResourceUrls.indexOf(resourceUrl) != -1 && |
| 38 xhr.responseText == " ")) { |
| 39 // Test failed. Either a resource that should have been blocked is not |
| 40 // blocked, or a resource that should have not been blocked is blocked. |
| 41 domAutomationController.setAutomationId(0); |
| 42 domAutomationController.send(0); |
| 43 if (blockedResourceUrls.indexOf(resourceUrl) != -1) { |
| 44 prefix = "[ERROR:resource to be blocked wasn't blocked]"; |
| 45 } else { |
| 46 prefix = "[ERROR:resource to be unblocked was blocked]"; |
| 47 } |
| 48 } |
| 49 document.getElementById("response_body").value += |
| 50 ("\n" + prefix + "response to " + resourceUrl + "(" + |
| 51 xhr.getResponseHeader("content-type") + ") " + |
| 52 (xhr.responseText == " " ? "blocked" : "not-blocked")); |
| 53 drive(); |
| 54 } |
| 55 } |
| 56 xhr.open('GET', pathPrefix + resourceUrl); |
| 57 xhr.send(); |
| 58 } |
| 59 |
| 60 var cnt = 0; |
| 61 function drive() { |
| 62 if (cnt < resourceUrls.length) { |
| 63 sendRequest(resourceUrls[cnt]); |
| 64 ++cnt; |
| 65 } else { |
| 66 // All the test cases are successfully passed. |
| 67 domAutomationController.setAutomationId(0); |
| 68 domAutomationController.send(1); |
| 69 } |
| 70 } |
| 71 |
| 72 window.onload = function() { |
| 73 // The call to pushState with another domain will succeed, since the |
| 74 // test uses --disable-web-security. |
| 75 history.pushState('', '', 'http://bar.com/files/main.html'); |
| 76 drive(); |
| 77 } |
| 78 </script> |
| 79 <textarea rows=20 cols=50 id='response_body'></textarea> |
| 80 </body> |
| 81 </html> |
OLD | NEW |