Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(119)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked.html

Issue 76303002: CSP: Check <param> element values against the document's CSP before loading. (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Event. Created 7 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked-expected.txt » ('j') | LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked-expected.txt » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked.html
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked.html b/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked.html
new file mode 100644
index 0000000000000000000000000000000000000000..5b107cc21842bd804386dad81f760974a5088ea8
--- /dev/null
+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+</script>
+<meta http-equiv="Content-Security-Policy" content="object-src http://localhost:8080">
+</head>
+<body>
+This test passes if there is are four console messages saying the plugins were blocked.
+<script>
+ var names = ['src', 'movie', 'code', 'url'];
Tom Sepez 2013/11/19 17:54:22 nit: maybe a link to the section of the spec that
Mike West 2013/11/19 18:35:06 This is non-standard behavior, based (I think) on
+
+ var errorsSeen = 0;
+ for (var i = 0; i < names.length; i++) {
+ var o = document.createElement('object');
+ o.setAttribute('type', 'application/x-webkit-test-netscape');
+ o.addEventListener('error', function () {
+ console.log('PASS: Error occurred, so load was correctly blocked.');
+ errorsSeen++;
+ if (errorsSeen === names.length && window.testRunner)
+ testRunner.notifyDone();
+ });
+
Tom Sepez 2013/11/19 17:54:22 Can we also use an onload handler to keep track of
Mike West 2013/11/19 18:35:06 Sure. It's probably worth rewriting all the object
+ var p = document.createElement('param');
+ p.setAttribute('value', 'http://127.0.0.1:8080/plugins/resources/mock-plugin.pl?' + names[i]);
+ p.setAttribute('name', names[i]);
+
+ o.appendChild(p);
+
+ document.body.appendChild(o);
+ }
+</script>
+</body>
+</html>
« no previous file with comments | « no previous file | LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked-expected.txt » ('j') | LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-blocked-expected.txt » ('J')

Powered by Google App Engine
This is Rietveld 408576698