1 <html> | |
2 <head> | |
3 <script> | |
4 /* This test shows that cross-site documents are blocked by SiteIsolationPolicy | |
Charlie Reis
2013/08/22 18:23:30
Style nit: We don't tend to use /* */ comments for
dsjang
2013/08/22 19:05:55
Done.
| |
5 even if the Same Origin Policy is turned on in the renderer. The same origin | |
Charlie Reis
2013/08/22 18:23:30
nit: turned off
dsjang
2013/08/22 19:05:55
Done.
| |
6 policy can be circumvented when the renderer is compromised, but we have | |
7 SiteIsolationPolicy that blocks cross-site documents at the IPC layer. For now | |
8 cross-site document blocking by SiteIsolationPolicy is done in the renderer, but | |
9 our ultimate plan is to do that in the browser process. */ | |
10 | |
11 var xhrStatus = -1; | |
12 var pathPrefix = "http://bar.com/files/site_isolation/"; | |
13 | |
14 /* We only block cross-site documents with a blacklisted mime type(text/html, | |
15 text/xml, application/json), and correctly sniffed as the content type that they | |
Charlie Reis
2013/08/22 18:23:30
and -> that are
dsjang
2013/08/22 19:05:55
Done.
| |
16 claim to be. We also block text/plain documents when their body look like one of | |
Charlie Reis
2013/08/22 18:23:30
looks
dsjang
2013/08/22 19:05:55
Done.
| |
17 the blacklisted content types. */ | |
18 | |
19 var blockedResourceUrls = ['valid.html', 'comment_valid.html', 'valid.xml', | |
20 'valid.json', 'html.txt', 'xml.txt', 'json.txt']; | |
21 | |
22 var nonBlockedResourceUrls = ['js.html', 'comment_js.html', 'js.xml', 'js.json', | |
23 'js.txt', 'img.html', 'img.xml', 'img.json', 'img.txt', 'comment_js.html']; | |
24 | |
25 var resourceUrls = blockedResourceUrls.concat(nonBlockedResourceUrls); | |
26 | |
27 var failed = false; | |
28 function sendRequest(resourceUrl) { | |
29 var xhr = new XMLHttpRequest(); | |
30 xhr.onreadystatechange = function() { | |
31 if (xhr.readyState == 4) { | |
32 var prefix = ""; | |
33 if ((blockedResourceUrls.indexOf(resourceUrl) != -1 && xhr.responseText != " ") || | |
Charlie Reis
2013/08/22 18:23:30
80 chars isn't required in HTML files, but it migh
dsjang
2013/08/22 19:05:55
Done.
| |
34 (nonBlockedResourceUrls.indexOf(resourceUrl) != -1 && xhr.responseText == " ")) { | |
35 // Test failed. Either a resource that should have been blocked is not | |
36 // blocked, or a resource that should have not been blocked is blocked. | |
37 domAutomationController.setAutomationId(0); | |
38 //domAutomationController.send(0); | |
Charlie Reis
2013/08/22 18:23:30
Should this be uncommented?
dsjang
2013/08/22 19:05:55
Done.
| |
39 if (blockedResourceUrls.indexOf(resourceUrl) != -1) { | |
40 prefix = "[ERROR:resource to be blocked wasn't blocked]"; | |
41 } else { | |
42 prefix = "[ERROR:resource to be unblocked was blocked]"; | |
43 } | |
44 } | |
45 document.getElementById("response_body").value += | |
46 ("\n" + prefix + "response to " + resourceUrl + "(" + xhr.getResponseHea der("content-type") + ") " + (xhr.responseText == " " ? "blocked" : "not-blocked ")); | |
Charlie Reis
2013/08/22 18:23:30
nit: Please wrap this line.
dsjang
2013/08/22 19:05:55
Done.
| |
47 drive(); | |
48 } | |
49 } | |
50 xhr.open('GET', pathPrefix + resourceUrl); | |
51 xhr.send(); | |
52 } | |
53 | |
54 var cnt = 0; | |
55 function drive() { | |
56 if (cnt < resourceUrls.length) { | |
57 sendRequest(resourceUrls[cnt]); | |
58 ++cnt; | |
59 } else { | |
60 //all the test cases are successfully passed. | |
Charlie Reis
2013/08/22 18:23:30
nit: Capitalize All and put a space before it.
dsjang
2013/08/22 19:05:55
Done.
| |
61 domAutomationController.setAutomationId(0); | |
62 domAutomationController.send(1); | |
63 } | |
64 } | |
65 | |
66 window.onload = function() { | |
67 // The call to pushState with chrome-extension:// URL will succeed, since the | |
68 // test uses --disable-web-security. | |
69 history.pushState('', '', | |
70 'http://bar.com/files/main.html'); | |
Charlie Reis
2013/08/22 18:23:30
nit: This can all fit on one line.
dsjang
2013/08/22 19:05:55
Done.
| |
71 drive(); | |
72 } | |
73 </script> | |
74 </head> | |
75 <body> | |
76 <textarea rows=20 cols=50 id='response_body'></textarea> | |
77 </body> | |
78 </html> | |
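Review bot: `failed` is declared next to sendRequest but never set or read, so after a mismatch in the onreadystatechange handler the run simply continues and drive() still reports success with `domAutomationController.send(1)` once every URL has been fetched, masking the earlier failure. Set it in the failure branch, `failed = true;`, and make the final report depend on it, `domAutomationController.send(failed ? 0 : 1);`. Separately, `nonBlockedResourceUrls` lists `'comment_js.html'` twice, so that resource is fetched twice and the number of requests no longer matches the number of cases; dropping the second entry fixes that. The checks in sendRequest also treat a body of exactly `" "` as the blocked marker, and a one-line comment such as `// A blocked response is replaced by a single-space body.` next to the comparison would spare a reader a trip into the blocking implementation.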