| Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/same-origin-with-own-policy-window-open.html
|
| diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/same-origin-with-own-policy-window-open.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/same-origin-with-own-policy-window-open.html
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..b5f08743674e416ddb188ce2e1bd9e76011fa3db
|
| --- /dev/null
|
| +++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/same-origin-with-own-policy-window-open.html
|
| @@ -0,0 +1,61 @@
|
| +<!DOCTYPE html>
|
| +<html>
|
| +<head>
|
| + <script src="/resources/testharness.js"></script>
|
| + <script src="/resources/testharnessreport.js"></script>
|
| + <script src="/security/contentSecurityPolicy/resources/cascade-helper.js"></script>
|
| + <meta http-equiv="content-security-policy" content="img-src http://127.0.0.1:8000 http://example.test:8000">
|
| +</head>
|
| +<body>
|
| +<script>
|
| + // The filesystem test takes some nesting to setup:
|
| + setup({explicit_done: true});
|
| +
|
| + async_test(t => {
|
| + assert_allowed_image_in_document(t, document, "http://127.0.0.1:8000/resources/square.png?top-level");
|
| + assert_allowed_image_in_document(t, document, "http://example.test:8000/resources/square.png?top-level");
|
| + }, "Policy applied in top-level.");
|
| +
|
| + async_test(t => {
|
| + var w = window.open();
|
| + w.document.head.innerHTML = "<meta http-equiv='content-security-policy' content='img-src http://127.0.0.1:8000'>";
|
| + assert_allowed_image_in_document(t, w.document, "http://127.0.0.1:8000/resources/square.png?blank-frame");
|
| + assert_blocked_image_in_document(t, w.document, "http://example.test:8000/resources/square.png?blank-frame");
|
| + }, "Image loaded via about:blank window blocked.");
|
| +
|
| + async_test(t => {
|
| + var b = new Blob([], {type: "text/html"});
|
| + var w = window.open(URL.createObjectURL(b));
|
| + w.onload = _ => {
|
| + w.document.head.innerHTML = "<meta http-equiv='content-security-policy' content='img-src http://127.0.0.1:8000'>";
|
| + assert_allowed_image_in_document(t, w.document, "http://127.0.0.1:8000/resources/square.png?blob-frame");
|
| + assert_blocked_image_in_document(t, w.document, "http://example.test:8000/resources/square.png?blob-frame");
|
| + };
|
| + }, "Image loaded via 'blob:' window blocked.");
|
| +
|
| + async_test(t => {
|
| + window.webkitRequestFileSystem(window.TEMPORARY, 1024*1024, fs => {
|
| + fs.root.getFile('worker.js', { create: true }, entry => {
|
| + entry.createWriter(w => {
|
| + w.onwriteend = _ => {
|
| + var w = window.open(entry.toURL());
|
| + w.onload = _ => {
|
| + w.document.head.innerHTML = "<meta http-equiv='content-security-policy' content='img-src http://127.0.0.1:8000'>";
|
| + assert_allowed_image_in_document(t, w.document, "http://127.0.0.1:8000/resources/square.png?filesystem-frame");
|
| + assert_blocked_image_in_document(t, w.document, "http://example.test:8000/resources/square.png?filesystem-frame");
|
| + };
|
| +
|
| + // explicit_done: yay.
|
| + done();
|
| + };
|
| + w.onerror = t.unreached_func();
|
| +
|
| + var b = new Blob([], {type: "text/html"});
|
| + w.write(b);
|
| + });
|
| + });
|
| + });
|
| + }, "Image loaded via 'filesystem:' window blocked.");
|
| +</script>
|
| +</body>
|
| +</html>
|
|
|
Chromium Code Reviews
Issue 2530343006:
CSP: "local schemes" should inherit policy when window.opened. (Closed)
