OLD | NEW |
(Empty) | |
| 1 <!DOCTYPE html> |
| 2 <html> |
| 3 |
| 4 <head> |
| 5 <title>frame-src-self-unique-origin</title> |
| 6 <script src="/resources/testharness.js"></script> |
| 7 <script src="/resources/testharnessreport.js"></script> |
| 8 </head> |
| 9 |
| 10 <body> |
| 11 <p> |
| 12 The origin of an URL is called "unique" when it is considered to be |
| 13 different from every origin, including itself. The origin of a |
| 14 data-url is unique. When the current origin is unique, the CSP source |
| 15 'self' must not match any URL. |
| 16 </p> |
| 17 <script> |
| 18 var iframe = document.createElement("iframe"); |
| 19 iframe.src = encodeURI(`data:text/html, |
| 20 <script> |
| 21 /* Add the CSP: frame-src: 'self'. */ |
| 22 var meta = document.createElement('meta'); |
| 23 meta.httpEquiv = 'Content-Security-Policy'; |
| 24 meta.content = "frame-src 'self'"; |
| 25 document.getElementsByTagName('head')[0].appendChild(meta); |
| 26 |
| 27 /* Notify the parent the iframe has been blocked. */ |
| 28 window.addEventListener('securitypolicyviolation', e => { |
| 29 if (e.originalPolicy == "frame-src 'self'") |
| 30 window.parent.postMessage('Test PASS', '*'); |
| 31 }); |
| 32 </scr`+`ipt> |
| 33 |
| 34 This iframe should be blocked by CSP: |
| 35 <iframe src='data:text/html,blocked_iframe'></iframe> |
| 36 `); |
| 37 if (window.async_test) { |
| 38 async_test(t => { |
| 39 window.addEventListener("message", e => { |
| 40 if (e.data == "Test PASS") |
| 41 t.done(); |
| 42 }); |
| 43 }, "Iframe's url must not match with 'self'. It must be blocked."); |
| 44 } |
| 45 document.body.appendChild(iframe); |
| 46 </script> |
| 47 </body> |
| 48 |
| 49 </html> |
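Review bot: the securitypolicyviolation handler at new lines 28-31 keys only on `e.originalPolicy`, so any violation reported under this policy sends 'Test PASS', and the test has no explicit failure path: if the nested data: iframe at line 35 is allowed to load, the async_test only ends by harness timeout. Suggest also comparing `e.violatedDirective` (or `e.effectiveDirective`) with 'frame-src', and giving the nested frame a script that posts a failure message to `window.top` so the parent can fail the test immediately. The listener at lines 39-42 accepts 'Test PASS' from any window; checking `e.source === iframe.contentWindow` before `t.done()` would tie the result to the frame created at line 18.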