CMXSL.org/trisquel-icecat
2
0
Fork 0
Code Issues Pull requests Projects Releases 5 Packages Wiki Activity Actions
trisquel-icecat/icecat/testing/web-platform/tests/content-security-policy/frame-src/frame-src-blocked-path-matching.sub.html
Ark74 618c9f4145 icecat: add release 140.3.1-1gnu1
2025-10-06 02:35:48 -06:00

53 lines
2.2 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html>
<head>
<!-- Make sure frame-src does path matching -->
<meta http-equiv="Content-Security-Policy" content="frame-src data: https://{{hosts[][www1]}}:{{ports[https][0]}}/content-security-policy/support/;">
<title>frame-src-blocked-path-matching</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>
<body>
<script>
async_test(t => {
let frame = document.createElement("iframe");
frame.src = "https://{{hosts[][www1]}}:{{ports[https][0]}}/content-security-policy/support/postmessage-pass.html";
window.addEventListener('message', t.step_func(e => {
if (e.source === frame.contentWindow) {
assert_equals(e.data, "PASS");
t.done();
}
}));
document.body.append(frame);
}, "Cross-origin frame with allowed path loads");
async_test(t => {
let frame = document.createElement("iframe");
frame.src = "https://{{hosts[][www1]}}:{{ports[https][0]}}/content-security-policy/resource/";
window.addEventListener('securitypolicyviolation', t.step_func_done(e => {
assert_equals(e.blockedURI, "https://{{hosts[][www1]}}:{{ports[https][0]}}");
assert_equals(e.effectiveDirective, "frame-src");
}), { once: true });
document.body.append(frame);
}, "Cross-origin frame with other path is blocked");
async_test(t => {
let frame = document.createElement("iframe");
frame.src = "data:text/html,<h1>Hello World</h1>"
frame.onload = t.step_func(() => {
frame.src = "https://{{hosts[][www1]}}:{{ports[https][0]}}/content-security-policy/resource/";
window.addEventListener('securitypolicyviolation', t.step_func_done(e => {
assert_equals(e.blockedURI, "https://{{hosts[][www1]}}:{{ports[https][0]}}");
assert_equals(e.effectiveDirective, "frame-src");
}), { once: true });
});
document.body.append(frame);
}, "Cross-origin frame with other path is blocked even after replacing the already loaded URL");
</script>
</body>
</html>
Reference in a new issue View git blame Copy permalink