
Unified Diff: LayoutTests/http/tests/security/script-crossorigin-loads-correctly-credentials-2.html

Issue 47923008: Block execution of failed 'crossorigin' <script>s. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Rebased Created 7 years, 1 month ago
Index: LayoutTests/http/tests/security/script-crossorigin-loads-correctly-credentials-2.html
diff --git a/LayoutTests/http/tests/security/script-crossorigin-loads-correctly-credentials-2.html b/LayoutTests/http/tests/security/script-crossorigin-loads-correctly-credentials-2.html
new file mode 100644
index 0000000000000000000000000000000000000000..f2b1b74e669efcafd7d93d24b305f9cef24e972c
--- /dev/null
+++ b/LayoutTests/http/tests/security/script-crossorigin-loads-correctly-credentials-2.html
@@ -0,0 +1,44 @@
+<body>
+<p>This test passes if the inserted script fails to load due to CORS.</p>
+<pre></pre>
+<script>
+var result = 'PASS';
+</script>
+<!-- Non-CORS enabled script load, supplying credentials.
+ Will execute as per-normal. -->
+<script src="http://localhost:8000/security/resources/cors-script.php?cors=false&credentials=true&value=FAIL"></script>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+// Reset the 'result' set by above external script.
+result = 'PASS';
+
+function finish() {
+ document.querySelector("pre").innerHTML = result;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+// Create new script of same cross-origin script as above,
+// but this time loaded following CORS.
+//
+// The response is missing a Access-Control-Access-Origin: header,
+// hence the CORS check must fail & error reported.
+var script = document.createElement("script");
+script.crossOrigin = "use-credentials";
+script.src = "http://localhost:8000/security/resources/cors-script.php?cors=false&credentials=true&value=FAIL";
+
+script.onload = function() {
+ result += " (loaded)";
+ finish();
+}
+
+script.onerror = function() {
+ result = "PASS (expected error reported)";
+ finish();
+}
+document.body.appendChild(script);
+</script>
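Review bot: In `script.onload` the unexpected-success path only appends to `result` (`result += " (loaded)"`), so the printed verdict becomes FAIL only if the cross-origin script body actually ran and overwrote `result`; if the load event ever fired without the body executing, the page would print "PASS (loaded)". Because this test guards a CORS enforcement check, the handler should state the failure itself, e.g. `result = "FAIL (script loaded despite failed CORS check)";`. The expected-output file is not visible here and presumably catches the mismatch, but the on-page text should not read PASS for that outcome. Separately, the comment before the dynamic script names `Access-Control-Access-Origin`; the header is `Access-Control-Allow-Origin`.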
