OLD | NEW |
(Empty) | |
| 1 <!DOCTYPE html> |
| 2 <html> |
| 3 <head> |
| 4 <script src="/resources/testharness.js"></script> |
| 5 <script src="/resources/testharnessreport.js"></script> |
| 6 <script src="/security/contentSecurityPolicy/resources/cascade-helper.js"></sc
ript> |
| 7 <meta http-equiv="content-security-policy" content="img-src http://127.0.0.1:8
000 http://example.test:8000"> |
| 8 </head> |
| 9 <body> |
| 10 <script> |
| 11 // The filesystem test takes some nesting to setup: |
| 12 setup({explicit_done: true}); |
| 13 |
| 14 async_test(t => { |
| 15 assert_allowed_image_in_document(t, document, "http://127.0.0.1:8000/resourc
es/square.png?top-level"); |
| 16 assert_allowed_image_in_document(t, document, "http://example.test:8000/reso
urces/square.png?top-level"); |
| 17 }, "Policy applied in top-level."); |
| 18 |
| 19 async_test(t => { |
| 20 var frame = document.createElement("iframe"); |
| 21 frame.onload = _ => { |
| 22 frame.contentDocument.head.innerHTML = "<meta http-equiv='content-security
-policy' content='img-src http://127.0.0.1:8000'>"; |
| 23 assert_allowed_image_in_document(t, frame.contentDocument, "http://127.0.0
.1:8000/resources/square.png?blank-frame"); |
| 24 assert_blocked_image_in_document(t, frame.contentDocument, "http://example
.test:8000/resources/square.png?blank-frame"); |
| 25 }; |
| 26 document.body.appendChild(frame); |
| 27 }, "Image loaded via about:blank frame blocked."); |
| 28 |
| 29 async_test(t => { |
| 30 var frame = document.createElement("iframe"); |
| 31 frame.setAttribute("srcdoc", ""); |
| 32 frame.onload = _ => { |
| 33 frame.contentDocument.head.innerHTML = "<meta http-equiv='content-security
-policy' content='img-src http://127.0.0.1:8000'>"; |
| 34 assert_allowed_image_in_document(t, frame.contentDocument, "http://127.0.0
.1:8000/resources/square.png?blank-frame"); |
| 35 assert_blocked_image_in_document(t, frame.contentDocument, "http://example
.test:8000/resources/square.png?blank-frame"); |
| 36 }; |
| 37 document.body.appendChild(frame); |
| 38 }, "Image loaded via srcdoc frame blocked."); |
| 39 |
| 40 async_test(t => { |
| 41 var b = new Blob([], {type: "text/html"}); |
| 42 |
| 43 var frame = document.createElement("iframe"); |
| 44 frame.src = URL.createObjectURL(b); |
| 45 frame.onload = _ => { |
| 46 frame.contentDocument.head.innerHTML = "<meta http-equiv='content-security
-policy' content='img-src http://127.0.0.1:8000'>"; |
| 47 assert_allowed_image_in_document(t, frame.contentDocument, "http://127.0.0
.1:8000/resources/square.png?blob-frame"); |
| 48 assert_blocked_image_in_document(t, frame.contentDocument, "http://example
.test:8000/resources/square.png?blob-frame"); |
| 49 }; |
| 50 document.body.appendChild(frame); |
| 51 }, "Image loaded via 'blob:' frame blocked."); |
| 52 |
| 53 async_test(t => { |
| 54 window.webkitRequestFileSystem(window.TEMPORARY, 1024*1024, fs => { |
| 55 fs.root.getFile('worker.js', { create: true }, entry => { |
| 56 entry.createWriter(w => { |
| 57 w.onwriteend = _ => { |
| 58 var u = entry.toURL(); |
| 59 |
| 60 var frame = document.createElement("iframe"); |
| 61 frame.src = URL.createObjectURL(b); |
| 62 frame.onload = _ => { |
| 63 frame.contentDocument.head.innerHTML = "<meta http-equiv='content-
security-policy' content='img-src http://127.0.0.1:8000'>"; |
| 64 assert_allowed_image_in_document(t, frame.contentDocument, "http:/
/127.0.0.1:8000/resources/square.png?filesystem-frame"); |
| 65 assert_blocked_image_in_document(t, frame.contentDocument, "http:/
/example.test:8000/resources/square.png?filesystem-frame"); |
| 66 }; |
| 67 document.body.appendChild(frame); |
| 68 |
| 69 // explicit_done: yay. |
| 70 done(); |
| 71 }; |
| 72 w.onerror = t.unreached_func(); |
| 73 |
| 74 var b = new Blob([], {type: "text/html"}); |
| 75 w.write(b); |
| 76 }); |
| 77 }); |
| 78 }); |
| 79 }, "Image loaded via 'filesystem:' frame blocked."); |
| 80 </script> |
| 81 </body> |
| 82 </html> |
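Review bot: The "Image loaded via 'filesystem:' frame blocked." test never loads a `filesystem:` document: new-file line 58 stores `entry.toURL()` in `u`, but line 61 sets `frame.src = URL.createObjectURL(b)`, so the frame is a second `blob:` frame and `u` is unused. As written, a regression in CSP inheritance for `filesystem:` frames would go unnoticed, because the case only repeats the `blob:` test above it. Line 61 should read `frame.src = u;`. The entry is also created as `'worker.js'`; if the MIME type of a `filesystem:` URL follows the file extension (not visible here, worth confirming), an `.html` name would be needed for the frame to get an HTML document with a `head`.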
OLD | NEW |