| <!DOCTYPE html> |
| <html> |
| <head> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <script src="/security/contentSecurityPolicy/resources/cascade-helper.js"></script> |
| <meta http-equiv="content-security-policy" content="img-src http://127.0.0.1:8000 http://example.test:8000"> |
| </head> |
| <body> |
| <script> |
| async_test(t => { |
| assert_allowed_image_in_document(t, document, "http://127.0.0.1:8000/resources/square.png?top-level"); |
| assert_allowed_image_in_document(t, document, "http://example.test:8000/resources/square.png?top-level"); |
| }, "Policy applied in top-level."); |
| |
| async_test(t => { |
| var w = window.open(); |
| w.document.head.innerHTML = "<meta http-equiv='content-security-policy' content='img-src http://127.0.0.1:8000'>"; |
| assert_allowed_image_in_document(t, w.document, "http://127.0.0.1:8000/resources/square.png?blank-frame"); |
| assert_blocked_image_in_document(t, w.document, "http://example.test:8000/resources/square.png?blank-frame"); |
| }, "Image loaded via about:blank window blocked."); |
| |
| async_test(t => { |
| var b = new Blob([], {type: "text/html"}); |
| var w = window.open(URL.createObjectURL(b)); |
| w.onload = _ => { |
| w.document.head.innerHTML = "<meta http-equiv='content-security-policy' content='img-src http://127.0.0.1:8000'>"; |
| assert_allowed_image_in_document(t, w.document, "http://127.0.0.1:8000/resources/square.png?blob-frame"); |
| assert_blocked_image_in_document(t, w.document, "http://example.test:8000/resources/square.png?blob-frame"); |
| }; |
| }, "Image loaded via 'blob:' window blocked."); |
| |
| // filesystem URLs can no longer be window.open'ed. |
| </script> |
| </body> |
| </html> |