OLD | NEW |
1 <body> | 1 <body> |
2 This tests an isolated script's ability to XHR a blob that is in its security or
igin, which is not the same as the document's security origin.<br> | 2 This tests an isolated script's ability to XHR a blob that is in its security or
igin, which is not the same as the document's security origin.<br> |
3 We pass if there are no console errors. | 3 We pass if there are no console errors. |
4 <script> | 4 <script> |
5 if (!window.testRunner) { | 5 if (!window.testRunner) { |
6 document.body.appendChild(document.createTextNode("This test requires window
.testRunner")); | 6 document.body.appendChild(document.createTextNode("This test requires window
.testRunner")); |
7 } else { | 7 } else { |
8 testRunner.dumpAsText(); | 8 testRunner.dumpAsText(); |
9 testRunner.setIsolatedWorldSecurityOrigin(1, "chrome-extension://123"); | 9 // We're using a fake HTTP URL instead of chrome-extension: URL which is |
10 testRunner.evaluateScriptInIsolatedWorld(1, "var xhr = new XMLHttpRequest();
xhr.open('GET', 'blob:chrome-extension://123/456789', false); xhr.send();"); | 10 // the most common use case of isolated world. This is because the |
| 11 // ResourceDispatcherHostImpl validates Origin headers received from a |
| 12 // renderer by consulting the ChildProcessSecurityPolicyImpl, and it |
| 13 // doesn't allow the chrome-extension scheme in the content_shell. Instead |
| 14 // of adding more test infrastructure for allowing the scheme, we chose to |
| 15 // use the safe HTTP scheme as it's sufficient for the purpose of this test |
| 16 // case. |
| 17 testRunner.setIsolatedWorldSecurityOrigin(1, "http://123"); |
| 18 testRunner.evaluateScriptInIsolatedWorld(1, "var xhr = new XMLHttpRequest();
xhr.open('GET', 'blob:http://123/456789', false); xhr.send();"); |
11 } | 19 } |
12 </script> | 20 </script> |
13 </body> | 21 </body> |
OLD | NEW |