| <!DOCTYPE html> |
| <html> |
| <head> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <script src="/security/contentSecurityPolicy/resources/cascade-helper.js"></script> |
| <meta http-equiv="content-security-policy" content="img-src http://127.0.0.1:8000 http://example.test:8000"> |
| </head> |
| <body> |
| <script> |
| async_test(t => { |
| assert_allowed_image_in_document(t, document, "http://example.test:8000/resources/square.png?img-in-top-level"); |
| }, "Image loaded in top-level blocked."); |
| |
| async_test(t => { |
| window.addEventListener("message", t.step_func(e => { |
| assert_equals(e.data, "blocked"); |
| t.done(); |
| })); |
| |
| var win = window.open("about:blank"); |
| win.document.write( |
| "<meta http-equiv='content-security-policy'" + |
| " content='img-src http://127.0.0.1:8000'>" + |
| "<script>" + |
| " var i = document.createElement('img');" + |
| " i.onload = _ => opener.postMessage('loaded', '*');" + |
| " i.onerror = _ => opener.postMessage('blocked', '*');" + |
| " i.src = 'http://example.test:8000/resources/square.png?data-frame'" + |
| "</scr" + "ipt>"); |
| }, "Image loaded via data: frame blocked."); |
| </script> |
| </body> |
| </html> |