OLD | NEW |
---|---|
(Empty) | |
1 var CROSS_ORIGIN_URL = "http://localhost:8000/security/contentSecurityPolicy/res ources/respond-with-allow-csp-from-header.php"; | |
2 var SAME_ORIGIN_URL = "http://127.0.0.1:8000/security/contentSecurityPolicy/reso urces/respond-with-allow-csp-from-header.php"; | |
3 | |
4 var EXPECT_BLOCK = true; | |
5 var EXPECT_LOAD = false; | |
6 | |
7 var CROSS_ORIGIN = true; | |
8 var SAME_ORIGIN = false; | |
9 | |
10 function injectIframeWithCSP(url, shouldBlock, csp, t, urlId) { | |
11 var i = document.createElement('iframe'); | |
12 i.src = url + "&id=" + urlId; | |
13 i.csp = csp; | |
14 | |
15 if (shouldBlock) { | |
16 window.onmessage = t.unreached_func('No message should be sent from the frame.'); | |
17 i.onload = iframeLoaded(shouldBlock, t); | |
18 } else { | |
19 document.addEventListener("securitypolicyviolation", | |
20 t.unreached_func("There should not be any violations.")); | |
21 window.onerror = t.unreached_func("Error should not be triggered."); | |
Mike West
2016/10/17 14:54:28
Why `window.onerror`?
| |
22 window.addEventListener('message', t.step_func(e => { | |
23 if (e.source != i.contentWindow || e.data["loaded"] != true) | |
24 return; | |
25 assert_equals(urlId, e.data["id"]); | |
26 t.done(); | |
27 })); | |
28 } | |
29 document.body.appendChild(i); | |
30 } | |
31 | |
32 function iframeLoaded(expectBlock, t) { | |
33 return function(ev) { | |
34 var blocked = true; | |
35 try { | |
36 console.log("IFrame load event fired: the IFrame's location is '" + ev.target.contentWindow.location.href + "'."); | |
Mike West
2016/10/17 14:54:28
This is always going to throw for cross-origin fra
| |
37 blocked = false; | |
38 } catch (ex) { | |
39 blocked = true; | |
40 } | |
41 assert_equals(expectBlock, blocked); | |
42 t.done(); | |
43 }; | |
44 } | |
45 | |
46 function urlWithAlloCspFrom(useCrossOrigin, allowCspFrom) { | |
Mike West
2016/10/17 14:54:28
Nit: Perhaps `generateUrlWith...` for clarity?
| |
47 var url = useCrossOrigin ? CROSS_ORIGIN_URL : SAME_ORIGIN_URL; | |
48 return url + "?allow_csp_from=" + allowCspFrom; | |
49 } | |
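Review bot: The load handler returned by `iframeLoaded` (new lines 33-43) calls `assert_equals` outside any test step, so a wrong blocked/loaded outcome surfaces as an uncaught exception instead of a failure attributed to `t`; returning `t.step_func_done(function(ev) { ... })` and dropping the explicit `t.done()` would keep the result tied to the test. testharness.js takes `assert_equals(actual, expected)`, so `assert_equals(blocked, expectBlock)` and `assert_equals(e.data["id"], urlId)` would produce correctly labelled failure messages. Separately, the block branch assigns `window.onmessage` at line 16 without the `e.source` check the load branch uses at line 23, so if several of these tests share one document a message from another test's frame would presumably fail this one; a listener that ignores events whose `e.source` is not `i.contentWindow` before treating the message as unreached would isolate the tests from each other.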