
Side by Side Diff: chrome/test/data/extensions/api_test/sandboxed_pages_csp/sandboxed.html

Issue 2655463006: PlzNavigate: Enforce 'frame-src' CSP on the browser. (Closed)
Patch Set: Rebase. Created 3 years, 10 months ago
1 This page should be sandboxed. 1 This page should be sandboxed.
2 2
3 <script> 3 <script>
4 // We're not served with the extension default CSP, we can use inline script. 4 // We're not served with the extension default CSP, we can use inline script.
5 5
6 var sendResponse = function(msg) {
7 var mainWindow = window.opener || window.top;
8 mainWindow.postMessage(msg, '*');
9 };
10
11 var remote_frame_loaded = false;
12 window.addEventListener('securitypolicyviolation', function(e) {
13 if (remote_frame_loaded)
14 sendResponse('succeeded');
15 else
16 sendResponse('failed');
17 });
18
6 var loadFrameExpectResponse = function(iframe, url) { 19 var loadFrameExpectResponse = function(iframe, url) {
7 var identifier = performance.now(); 20 var identifier = performance.now();
8 return new Promise(function(resolve, reject) { 21 return new Promise(function(resolve, reject) {
9 window.addEventListener('message', function(e) { 22 window.addEventListener('message', function(e) {
10 var data = JSON.parse(e.data); 23 var data = JSON.parse(e.data);
11 if (data[0] == 'local frame msg' && data[1] == identifier) { 24 if (data[0] == 'local frame msg' && data[1] == identifier) {
12 resolve(); 25 resolve();
13 } else { 26 } else {
14 reject(); 27 reject();
15 } 28 }
16 }); 29 });
17 iframe.onerror = reject; 30 iframe.onerror = reject;
18 iframe.onload = function() { 31 iframe.onload = function() {
19 iframe.contentWindow.postMessage( 32 iframe.contentWindow.postMessage(
20 JSON.stringify(['sandboxed frame msg', identifier]), '*'); 33 JSON.stringify(['sandboxed frame msg', identifier]), '*');
21 }; 34 };
22 iframe.src = url; 35 iframe.src = url;
23 }); 36 });
24 }; 37 };
25 38
26 var runTestAndRespond = function(localUrl, remoteUrl) { 39 var runTestAndRespond = function(localUrl, remoteUrl) {
27 var iframe = document.createElement('iframe'); 40 var iframe = document.createElement('iframe');
28 var sendResponse = function(msg) {
29 var mainWindow = window.opener || window.top;
30 mainWindow.postMessage(msg, '*');
31 };
32 41
33 // First load local resource in |iframe|, expect the local frame to respond. 42 // First load local resource in |iframe|, expect the local frame to respond.
34 loadFrameExpectResponse(iframe, localUrl).then(function() { 43 loadFrameExpectResponse(iframe, localUrl).then(function() {
35 // Then try to load remote resource on the same iframe element. The remote 44 // Then try to load remote resource on the same iframe element. The remote
36 // resource will fail to load but we'd get an iframe.onload event and the 45 // resource will fail to load but we'd get an iframe.onload event and the
37 // local frame will still be there. Therefore, expect the local frame to 46 // local frame will still be there. Therefore, expect the local frame to
38 // respond again. 47 // respond again.
48 // PlzNavigate: The first local frame has been replaced by an error page.
alexmos 2017/02/24 06:40:27 nit: s/has been/will be/ Alternatively, we could
arthursonzogni 2017/02/24 16:13:29 Done.
49 // Instead, rely on the SecurityPolicyViolationEvent to detect that the
50 // frame has been blocked.
51 remote_frame_loaded = true;
39 return loadFrameExpectResponse(iframe, remoteUrl); 52 return loadFrameExpectResponse(iframe, remoteUrl);
40 }).then(function() { 53 }).then(function() {
41 sendResponse('succeeded'); 54 sendResponse('succeeded');
42 }).catch(function(err) { 55 }).catch(function(err) {
43 sendResponse('failed'); 56 sendResponse('failed');
44 }); 57 });
45 document.body.appendChild(iframe); 58 document.body.appendChild(iframe);
46 }; 59 };
47 60
48 onmessage = function(e) { 61 onmessage = function(e) {
49 var command = JSON.parse(e.data); 62 var command = JSON.parse(e.data);
50 if (command[0] == 'load') { 63 if (command[0] == 'load') {
51 var localUrl = command[1]; 64 var localUrl = command[1];
52 var remoteUrl = command[2]; 65 var remoteUrl = command[2];
53 runTestAndRespond(localUrl, remoteUrl); 66 runTestAndRespond(localUrl, remoteUrl);
54 } 67 }
55 }; 68 };
56 69
57 </script> 70 </script>
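Review bot: The new `securitypolicyviolation` listener (new lines 12-17) reports 'succeeded' for any violation raised once `remote_frame_loaded` is true, without checking that the blocked resource is the remote frame, so the test can pass on an unrelated CSP violation and stop proving that the frame load was blocked. The handler should inspect the event before responding, for example `if (e.effectiveDirective !== 'frame-src') return;`, and also check that `e.blockedURI` corresponds to the remote URL (browsers may report only its origin); the expected URL would need to be stored next to `remote_frame_loaded`. The directive name is an assumption taken from the issue title, since the sandboxed page's policy is not visible here. Separately, `loadFrameExpectResponse(iframe, remoteUrl)` is still chained after the flag is set at new line 51, so its `onerror`/`message` paths may post a second, possibly conflicting, response to the opener; it would be clearer to let only the violation handler answer for the remote load.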