Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(29)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/cross-origin.html

Issue 2472333003: CSP: "local schemes" should inherit policy when embedded. (Closed)
Patch Set: browser_test Created 4 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « chrome/test/data/extensions/api_test/webrequest/test_types.js ('k') | third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/cross-origin-with-own-policy.html » ('j') | third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-does-not-affect-child-expected.txt » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/cross-origin.html
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/cross-origin.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/cross-origin.html
new file mode 100644
index 0000000000000000000000000000000000000000..6e43fd44f04c72e9ce4421a8f391769fbb5544d9
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/cross-origin.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/security/contentSecurityPolicy/resources/cascade-helper.js"></script>
+ <meta http-equiv="content-security-policy" content="img-src 'none'">
+</head>
+<body>
+<script>
+ async_test(t => {
+ assert_blocked_image_in_document(t, document, "http://example.test:8000/resources/square.png?img-in-top-level");
+ }, "Image loaded in top-level blocked.");
+
+ async_test(t => {
+ var frame = document.createElement("iframe");
+
+ window.addEventListener("message", t.step_func(e => {
+ if (e.source != frame.contentWindow)
+ return;
+
+ assert_equals(e.data, "blocked");
+ t.done();
+ }));
+
+ frame.src = "data:text/html,<script>" +
+ " var i = document.createElement('img');" +
dcheng 2016/11/21 10:14:24 A fun hack I've seen is to define the JS as a func
Mike West 2016/11/29 10:16:28 *sigh* JavaScript is SO WEIRD.
+ " i.onload = _ => top.postMessage('loaded', '*');" +
+ " i.onerror = _ => top.postMessage('blocked', '*');" +
+ " i.src = 'http://example.test:8000/resources/square.png?data-frame'" +
+ "</scr" + "ipt>";
+ document.body.appendChild(frame);
+ }, "Image loaded via data: frame blocked.");
+</script>
+</body>
+</html>
« no previous file with comments | « chrome/test/data/extensions/api_test/webrequest/test_types.js ('k') | third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/cross-origin-with-own-policy.html » ('j') | third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-does-not-affect-child-expected.txt » ('J')

Powered by Google App Engine
This is Rietveld 408576698