Index: content/test/data/cross_site_document_request.html |
diff --git a/content/test/data/cross_site_document_request.html b/content/test/data/cross_site_document_request.html |
new file mode 100644 |
index 0000000000000000000000000000000000000000..17cceda238163ee9c3be56a044a2858cc5676503 |
--- /dev/null |
+++ b/content/test/data/cross_site_document_request.html |
@@ -0,0 +1,78 @@ |
+<html> |
+<head> |
+<script> |
+/* This test shows that cross-site documents are blocked by SiteIsolationPolicy |
Charlie Reis
2013/08/22 18:23:30
Style nit: We don't tend to use /* */ comments for
dsjang
2013/08/22 19:05:55
Done.
|
+even if the Same Origin Policy is turned on in the renderer. The same origin |
Charlie Reis
2013/08/22 18:23:30
nit: turned off
dsjang
2013/08/22 19:05:55
Done.
|
+policy can be circumvented when the renderer is compromised, but we have |
+SiteIsolationPolicy that blocks cross-site documents at the IPC layer. For now |
+cross-site document blocking by SiteIsolationPolicy is done in the renderer, but |
+our ultimate plan is to do that in the browser process. */ |
+ |
+var xhrStatus = -1; |
+var pathPrefix = "http://bar.com/files/site_isolation/"; |
+ |
+/* We only block cross-site documents with a blacklisted mime type(text/html, |
+text/xml, application/json), and correctly sniffed as the content type that they |
Charlie Reis
2013/08/22 18:23:30
and -> that are
dsjang
2013/08/22 19:05:55
Done.
|
+claim to be. We also block text/plain documents when their body look like one of |
Charlie Reis
2013/08/22 18:23:30
looks
dsjang
2013/08/22 19:05:55
Done.
|
+the blacklisted content types. */ |
+ |
+var blockedResourceUrls = ['valid.html', 'comment_valid.html', 'valid.xml', |
+'valid.json', 'html.txt', 'xml.txt', 'json.txt']; |
+ |
+var nonBlockedResourceUrls = ['js.html', 'comment_js.html', 'js.xml', 'js.json', |
+'js.txt', 'img.html', 'img.xml', 'img.json', 'img.txt', 'comment_js.html']; |
+ |
+var resourceUrls = blockedResourceUrls.concat(nonBlockedResourceUrls); |
+ |
+var failed = false; |
+function sendRequest(resourceUrl) { |
+ var xhr = new XMLHttpRequest(); |
+ xhr.onreadystatechange = function() { |
+ if (xhr.readyState == 4) { |
+ var prefix = ""; |
+ if ((blockedResourceUrls.indexOf(resourceUrl) != -1 && xhr.responseText != " ") || |
Charlie Reis
2013/08/22 18:23:30
80 chars isn't required in HTML files, but it migh
dsjang
2013/08/22 19:05:55
Done.
|
+ (nonBlockedResourceUrls.indexOf(resourceUrl) != -1 && xhr.responseText == " ")) { |
+ // Test failed. Either a resource that should have been blocked is not |
+ // blocked, or a resource that should have not been blocked is blocked. |
+ domAutomationController.setAutomationId(0); |
+ //domAutomationController.send(0); |
Charlie Reis
2013/08/22 18:23:30
Should this be uncommented?
dsjang
2013/08/22 19:05:55
Done.
|
+ if (blockedResourceUrls.indexOf(resourceUrl) != -1) { |
+ prefix = "[ERROR:resource to be blocked wasn't blocked]"; |
+ } else { |
+ prefix = "[ERROR:resource to be unblocked was blocked]"; |
+ } |
+ } |
+ document.getElementById("response_body").value += |
+ ("\n" + prefix + "response to " + resourceUrl + "(" + xhr.getResponseHeader("content-type") + ") " + (xhr.responseText == " " ? "blocked" : "not-blocked")); |
Charlie Reis
2013/08/22 18:23:30
nit: Please wrap this line.
dsjang
2013/08/22 19:05:55
Done.
|
+ drive(); |
+ } |
+ } |
+ xhr.open('GET', pathPrefix + resourceUrl); |
+ xhr.send(); |
+} |
+ |
+var cnt = 0; |
+function drive() { |
+ if (cnt < resourceUrls.length) { |
+ sendRequest(resourceUrls[cnt]); |
+ ++cnt; |
+ } else { |
+ //all the test cases are successfully passed. |
Charlie Reis
2013/08/22 18:23:30
nit: Capitalize All and put a space before it.
dsjang
2013/08/22 19:05:55
Done.
|
+ domAutomationController.setAutomationId(0); |
+ domAutomationController.send(1); |
+ } |
+} |
+ |
+window.onload = function() { |
+ // The call to pushState with chrome-extension:// URL will succeed, since the |
+ // test uses --disable-web-security. |
+ history.pushState('', '', |
+ 'http://bar.com/files/main.html'); |
Charlie Reis
2013/08/22 18:23:30
nit: This can all fit on one line.
dsjang
2013/08/22 19:05:55
Done.
|
+ drive(); |
+} |
+</script> |
+</head> |
+<body> |
+<textarea rows=20 cols=50 id='response_body'></textarea> |
+</body> |
+</html> |