| OLD | NEW |
| 1 <?php |
| 2 header("Content-Security-Policy: sandbox allow-scripts; upgrade-insecure-req
uests"); |
| 3 ?> |
| 1 <!DOCTYPE html> | 4 <!DOCTYPE html> |
| 2 <title>Upgrade Insecure Requests: Basics.</title> | 5 <title>Upgrade Insecure Requests: Basics.</title> |
| 3 <script src="/resources/testharness.js"></script> | 6 <script src="/resources/testharness.js"></script> |
| 4 <script src="/resources/testharnessreport.js"></script> | 7 <script src="/resources/testharnessreport.js"></script> |
| 5 | |
| 6 <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> | |
| 7 | |
| 8 <script> | 8 <script> |
| 9 // This is a bit of a hack. UPGRADE doesn't upgrade the port number, so we | 9 // This is a bit of a hack. UPGRADE doesn't upgrade the port number, so we |
| 10 // specify this non-existent URL ('http' over port 8443). If UPGRADE doesn't | 10 // specify this non-existent URL ('http' over port 8443). If UPGRADE doesn't |
| 11 // work, it won't load. | 11 // work, it won't load. |
| 12 var insecureImage = "http://127.0.0.1:8443/security/resources/abe.png"; | 12 var insecureImage = "http://127.0.0.1:8443/security/resources/abe.png"; |
| 13 | 13 |
| 14 (function() { | 14 (function() { |
| 15 var t = async_test("Verify that images are upgraded."); | 15 var t = async_test("Verify that images are upgraded."); |
| 16 t.step(function () { | 16 t.step(function () { |
| 17 var i = document.createElement('img'); | 17 var i = document.createElement('img'); |
| (...skipping 13 matching lines...) |
| 31 (function() { | 31 (function() { |
| 32 var t = async_test("Verify that images have correct cross-origin behavior.")
; | 32 var t = async_test("Verify that images have correct cross-origin behavior.")
; |
| 33 t.step(function () { | 33 t.step(function () { |
| 34 var i = document.createElement('img'); | 34 var i = document.createElement('img'); |
| 35 i.onload = t.step_func(function () { | 35 i.onload = t.step_func(function () { |
| 36 // Draw the image onto a canvas. | 36 // Draw the image onto a canvas. |
| 37 var canvas = document.createElement('canvas'); | 37 var canvas = document.createElement('canvas'); |
| 38 var ctx = canvas.getContext('2d'); | 38 var ctx = canvas.getContext('2d'); |
| 39 ctx.drawImage(i, 0, 0); | 39 ctx.drawImage(i, 0, 0); |
| 40 | 40 |
| 41 // Grab a pixel to verify that the image is same-origin: | 41 // Grab a pixel to verify that the image is cross-origin (because sa
ndbox): |
| 42 try { | 42 try { |
| 43 var pixel = ctx.getImageData(0, 0, 1, 1); | 43 var pixel = ctx.getImageData(0, 0, 1, 1); |
| 44 assert_unreached("The image should be cross-origin with this doc
ument."); |
| 45 } catch (e) { |
| 44 t.done(); | 46 t.done(); |
| 45 } catch (e) { | |
| 46 assert_unreached("The image should be same-origin with this docu
ment."); | |
| 47 } | 47 } |
| 48 }); | 48 }); |
| 49 i.onerror = t.step_func(function () { | 49 i.onerror = t.step_func(function () { |
| 50 assert_unreached("The image should load successfully."); | 50 assert_unreached("The image should load successfully."); |
| 51 }); | 51 }); |
| 52 | 52 |
| 53 i.src = insecureImage; | 53 i.src = insecureImage; |
| 54 }); | 54 }); |
| 55 }()); | 55 }()); |
| 56 </script> | 56 </script> |
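Review bot: The new `catch (e)` around `getImageData` (new lines 42–47) also catches the AssertionError thrown by `assert_unreached`, so `t.done()` runs either way. The second test therefore passes even if the pixel read succeeds, that is, even if the sandboxed document is wrongly treated as same-origin with the upgraded image. The catch also accepts any exception, not only the SecurityError that a tainted canvas should raise. Replace the try/catch with `assert_throws("SecurityError", function () { ctx.getImageData(0, 0, 1, 1); });` followed by `t.done();` (or `assert_throws_dom`, if the testharness.js in this tree provides it). Lines 18–30 are collapsed on this page, so the first test is not covered by this note.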