OLD | NEW |
---|---|
(Empty) | |
1 <!DOCTYPE html> | |
2 <html> | |
3 <head> | |
4 <script src="/resources/testharness.js"></script> | |
5 <script src="/resources/testharnessreport.js"></script> | |
6 <script src="/security/contentSecurityPolicy/resources/cascade-helper.js"></sc ript> | |
7 <meta http-equiv="content-security-policy" content="img-src 'none'"> | |
8 </head> | |
9 <body> | |
10 <script> | |
11 async_test(t => { | |
12 assert_blocked_image_in_document(t, document, "http://example.test:8000/reso urces/square.png?img-in-top-level"); | |
13 }, "Image loaded in top-level blocked."); | |
14 | |
15 async_test(t => { | |
16 var frame = document.createElement("iframe"); | |
17 | |
18 window.addEventListener("message", t.step_func(e => { | |
19 if (e.source != frame.contentWindow) | |
20 return; | |
21 | |
22 assert_equals(e.data, "blocked"); | |
23 t.done(); | |
24 })); | |
25 | |
26 frame.src = "data:text/html,<script>" + | |
27 " var i = document.createElement('img');" + | |
dcheng
2016/11/21 10:14:24
A fun hack I've seen is to define the JS as a func
Mike West
2016/11/29 10:16:28
*sigh* JavaScript is SO WEIRD.
| |
28 " i.onload = _ => top.postMessage('loaded', '*');" + | |
29 " i.onerror = _ => top.postMessage('blocked', '*');" + | |
30 " i.src = 'http://example.test:8000/resources/square.png?data-f rame'" + | |
31 "</scr" + "ipt>"; | |
32 document.body.appendChild(frame); | |
33 }, "Image loaded via data: frame blocked."); | |
34 </script> | |
35 </body> | |
36 </html> | |
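Review bot: In the data: frame script (new lines 27–30), `i.onerror` posts 'blocked' for any failed load, so "Image loaded via data: frame blocked." also passes when square.png is missing or example.test:8000 is unreachable, not only when the inherited `img-src 'none'` policy stops the request. Tying the 'blocked' message to the policy itself would make the assertion mean what the test name says, for example replacing the onerror line with `" document.addEventListener('securitypolicyviolation', _ => top.postMessage('blocked', '*'));" +`, so a plain network failure ends in a harness timeout instead of a pass. Whether `assert_blocked_image_in_document` in cascade-helper.js has the same ambiguity cannot be seen from this file. A short comment above the second `async_test` stating that the frame is expected to inherit the embedder's CSP because it is a data: URL would also help the next reader.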