CSP Suborigins

LayoutTests/http/tests/security/contentSecurityPolicy/suborigin-allow.html

Index: LayoutTests/http/tests/security/contentSecurityPolicy/suborigin-allow.html
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/suborigin-allow.html b/LayoutTests/http/tests/security/contentSecurityPolicy/suborigin-allow.html
new file mode 100644
index 0000000000000000000000000000000000000000..bf5c2839cf9a58eb5f233a9eed8e8ae22998529e
--- /dev/null
+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/suborigin-allow.html
@@ -0,0 +1,22 @@
+<meta http-equiv="Content-Security-Policy" content="suborigin foobar">

[Mike West, 2014/10/23 12:59:18]

<!doctype html>
<html>
<head>
...
</head>
<body>
...
</body>
</html>

[Mike West, 2014/10/23 12:59:18]

As I've noted way down somewhere in the code, we shouldn't do this. I'm in the
process of extracting us from layout tests that rely on `<meta>` distribution of
sandbox and etc. We shouldn't let ourselves off the hook here.

[jww, 2015/03/20 22:50:02]

Done.

+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+}
+
+function iframeLoaded() {
+    var iframe = document.getElementById('iframe');
+    try {
+        var secret = iframe.contentWindow.secret;
+        alert("PASS: Secret is '" + secret + "'.");
+    } catch(e) {
+        alert('FAIL: Prevented from accessing the content of the iframe in the same suborigin.');
+    }
+    testRunner.notifyDone();

[Mike West, 2014/10/23 12:59:18]

Please use testHarness.js instead to make these assertions. That will let you
drop the -expected.txt file entirely.

[jww, 2015/03/20 22:50:02]

Done.

+}
+</script>
+<p>
+This tests whether a frame in a can access secrets in a frame in the same suborigin.
+</p>
+<iframe onload="iframeLoaded();" id="iframe" src="resources/suborigin-frame.html"></iframe>