Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-csp-test.js |
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-csp-test.js b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-csp-test.js |
new file mode 100644 |
index 0000000000000000000000000000000000000000..bc7caf81fd6a2a5f658125a4c89d73e343017462 |
--- /dev/null |
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-csp-test.js |
@@ -0,0 +1,49 @@ |
+var CROSS_ORIGIN_URL = "http://localhost:8000/security/contentSecurityPolicy/resources/respond-with-allow-csp-from-header.php"; |
+var SAME_ORIGIN_URL = "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/respond-with-allow-csp-from-header.php"; |
+ |
+var EXPECT_BLOCK = true; |
+var EXPECT_LOAD = false; |
+ |
+var CROSS_ORIGIN = true; |
+var SAME_ORIGIN = false; |
+ |
+function injectIframeWithCSP(url, shouldBlock, csp, t, urlId) { |
+ var i = document.createElement('iframe'); |
+ i.src = url + "&id=" + urlId; |
+ i.csp = csp; |
+ |
+ if (shouldBlock) { |
+ window.onmessage = t.unreached_func('No message should be sent from the frame.'); |
+ i.onload = iframeLoaded(shouldBlock, t); |
+ } else { |
+ document.addEventListener("securitypolicyviolation", |
+ t.unreached_func("There should not be any violations.")); |
+ window.onerror = t.unreached_func("Error should not be triggered."); |
Mike West
2016/10/17 14:54:28
Why `window.onerror`?
|
+ window.addEventListener('message', t.step_func(e => { |
+ if (e.source != i.contentWindow || e.data["loaded"] != true) |
+ return; |
+ assert_equals(urlId, e.data["id"]); |
+ t.done(); |
+ })); |
+ } |
+ document.body.appendChild(i); |
+} |
+ |
+function iframeLoaded(expectBlock, t) { |
+ return function(ev) { |
+ var blocked = true; |
+ try { |
+ console.log("IFrame load event fired: the IFrame's location is '" + ev.target.contentWindow.location.href + "'."); |
Mike West
2016/10/17 14:54:28
This is always going to throw for cross-origin fra
|
+ blocked = false; |
+ } catch (ex) { |
+ blocked = true; |
+ } |
+ assert_equals(expectBlock, blocked); |
+ t.done(); |
+ }; |
+} |
+ |
+function urlWithAlloCspFrom(useCrossOrigin, allowCspFrom) { |
Mike West
2016/10/17 14:54:28
Nit: Perhaps `generateUrlWith...` for clarity?
|
+ var url = useCrossOrigin ? CROSS_ORIGIN_URL : SAME_ORIGIN_URL; |
+ return url + "?allow_csp_from=" + allowCspFrom; |
+} |
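Review bot: The expect-block branch of `injectIframeWithCSP` installs `window.onmessage = t.unreached_func(...)` without checking `e.source`, and the expect-load branch adds a document-wide `securitypolicyviolation` listener and assigns `window.onerror`, so none of these checks are scoped to the iframe under test. The callers are not visible here, but if one document runs several of these tests, a message from an allowed frame would fail an unrelated block test, and a later assignment to `window.onmessage` or `window.onerror` silently replaces the earlier test's handler, so that test stops observing the event it was guarding against. I would register the block check as `window.addEventListener('message', t.step_func(e => { if (e.source === i.contentWindow) assert_unreached('No message should be sent from the frame.'); }));` so it mirrors the source filter the load branch already applies. Separately, `urlWithAlloCspFrom` concatenates `allowCspFrom` into the query string unencoded; `return url + "?allow_csp_from=" + encodeURIComponent(allowCspFrom);` would keep values containing `&`, `#` or spaces from being cut short before the responder reads them.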