third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/cross-origin.html - Issue 2472333003: CSP: "local schemes" should inherit policy when embedded.

Side by Side Diff

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Side by Side Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/cross-origin.html

Issue 2472333003: CSP: "local schemes" should inherit policy when embedded. (Closed)

Patch Set: browser_test Created 4 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« no previous file with comments | « chrome/test/data/extensions/api_test/webrequest/test_types.js ('k') | third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/cross-origin-with-own-policy.html » ('j') | third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-does-not-affect-child-expected.txt » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
(Empty)
	1 <!DOCTYPE html>

	2 <html>

	3 <head>

	4 <script src="/resources/testharness.js"></script>

	5 <script src="/resources/testharnessreport.js"></script>

	6 <script src="/security/contentSecurityPolicy/resources/cascade-helper.js"></sc ript>

	7 <meta http-equiv="content-security-policy" content="img-src 'none'">

	8 </head>

	9 <body>

	10 <script>

	11 async_test(t => {

	12 assert_blocked_image_in_document(t, document, "http://example.test:8000/reso urces/square.png?img-in-top-level");

	13 }, "Image loaded in top-level blocked.");

	14

	15 async_test(t => {

	16 var frame = document.createElement("iframe");

	17

	18 window.addEventListener("message", t.step_func(e => {

	19 if (e.source != frame.contentWindow)

	20 return;

	21

	22 assert_equals(e.data, "blocked");

	23 t.done();

	24 }));

	25

	26 frame.src = "data:text/html,<script>" +

	27 " var i = document.createElement('img');" +
	dcheng 2016/11/21 10:14:24 A fun hack I've seen is to define the JS as a func A fun hack I've seen is to define the JS as a function and interpolate it like this: "data:text/html,<script>(" + function () { var i = ...; } + ")();"</scr" + "ipt>"; Which is kind of nice, because you get actual syntax highlighting (and escaping is easier). Not really important here, but thought I'd mention it! Mike West 2016/11/29 10:16:28 sigh JavaScript is SO WEIRD. Show quoted text On 2016/11/21 at 10:14:24, dcheng wrote: > A fun hack I've seen is to define the JS as a function and interpolate it like this: > > "data:text/html,<script>(" + > function () { > var i = ...; > } + > ")();"</scr" + "ipt>"; > > Which is kind of nice, because you get actual syntax highlighting (and escaping is easier). Not really important here, but thought I'd mention it! sigh JavaScript is SO WEIRD.
	28 " i.onload = _ => top.postMessage('loaded', '*');" +

	29 " i.onerror = _ => top.postMessage('blocked', '*');" +

	30 " i.src = 'http://example.test:8000/resources/square.png?data-f rame'" +

	31 "</scr" + "ipt>";

	32 document.body.appendChild(frame);

	33 }, "Image loaded via data: frame blocked.");

	34 </script>

	35 </body>

	36 </html>

OLD	NEW