
Unified Diff: chrome/test/data/extensions/api_test/sandboxed_pages_csp/sandboxed.html

Issue 2563843002: Restrict app sandbox's CSP to disallow loading web content in them. (Closed)
Patch Set: more commetns Created 4 years ago
Index: chrome/test/data/extensions/api_test/sandboxed_pages_csp/sandboxed.html
diff --git a/chrome/test/data/extensions/api_test/sandboxed_pages_csp/sandboxed.html b/chrome/test/data/extensions/api_test/sandboxed_pages_csp/sandboxed.html
new file mode 100644
index 0000000000000000000000000000000000000000..13a2ab28a17444e043ecfe212e9b9169b7a47ab2
--- /dev/null
+++ b/chrome/test/data/extensions/api_test/sandboxed_pages_csp/sandboxed.html
@@ -0,0 +1,56 @@
+This page should be sandboxed.
+
+<script>
+// We're not served with the extension default CSP, we can use inline script.
+
+var loadFrameExpectResponse = function(iframe, url) {
+ var identifier = +new Date;
+ return new Promise(function(resolve, reject) {
+ window.addEventListener('message', function(e) {
+ var data = JSON.parse(e.data);
+ if (data[0] == 'pong' && data[1] == identifier) {
Devlin 2016/12/22 17:04:32 all these pings and pongs are getting hard to keep
lazyboy 2016/12/22 22:57:06 Changed to sandboxed frame msg <-> local/remote fr
+ resolve();
+ } else {
+ reject();
+ }
+ });
+ iframe.onerror = reject;
+ iframe.onload = function() {
+ iframe.contentWindow.postMessage(
+ JSON.stringify(['ping', identifier]), '*');
+ };
+ iframe.src = url;
+ });
+};
+
+var runTestAndRespond = function(localUrl, remoteUrl) {
+ var iframe = document.createElement('iframe');
+ var sendResponse = function(msg) {
+ var mainWindow = window.opener || window.top;
+ mainWindow.postMessage(msg, '*');
+ };
+
+ // First load local resource in |iframe|, expect the local frame to respond.
+ loadFrameExpectResponse(iframe, localUrl).then(function() {
+ // Then try to load remote resource on the same iframe element. Since the
+ // remote resource will fail to load, expect the local frame to respond
Devlin 2016/12/22 17:04:32 I don't quite follow. So in trying to commit an i
lazyboy 2016/12/22 22:57:06 We keep the current url and resource as is, but if
+ // again.
+ return loadFrameExpectResponse(iframe, remoteUrl);
+ }).then(function() {
+ sendResponse('succeeded');
+ }).catch(function(err) {
+ sendResponse('failed');
+ });
+ document.body.appendChild(iframe);
+};
+
+onmessage = function(e) {
+ var command = JSON.parse(e.data);
+ if (command[0] == 'load') {
+ var localUrl = command[1];
+ var remoteUrl = command[2];
+ runTestAndRespond(localUrl, remoteUrl);
+ }
+};
+
+</script>
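Review bot: The `message` listener registered in `loadFrameExpectResponse` never checks which window sent the event and is never removed, so any message reaching this page other than the expected reply rejects the promise, and a non-JSON payload makes `JSON.parse` throw inside the handler and leaves the promise unsettled. Since every `postMessage` here uses a `'*'` target origin (presumably because sandboxed pages have opaque origins), the sender is the only thing left to check: begin the handler with `if (e.source !== iframe.contentWindow) return;`. Give the handler a name and call `window.removeEventListener('message', handler)` once it has resolved or rejected, because the listener from the local load is still attached while the remote load runs. The global `onmessage` handler at the end of the script has the same gap: it parses every incoming message without comparing `e.source` to `window.opener || window.top`.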
