third_party/WebKit/LayoutTests/http/tests/security/suborigins/suborigin-invalid-options.html - chromium/src - Git at Google

 <!DOCTYPE html>
 <html>
 <head>
 <meta charset="utf-8">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 </head>
 <body>
 <script>
 var test_suborigin_options = [
   [ 'foobar \'', 'Single quote as option' ],
   [ 'foobar \'unsafe-postmessage-send\';', 'Character after single policy' ],
   [ 'foobar \'unsafe-postmessage-send\'; \'unsafe-cookies\';',
     'Charecters after multiple policies' ],
   [ 'foobar; \'unsafe-postmessage-send\'', 'Character before policy' ],
   [ 'foobar \'b@d character$\'', 'Bad characters in option' ],
 ];

 var tests = [];

 function run_next_test() {
   if (tests.length) {
     tests.shift()();
   }
 }

 function generate_test_case(option) {
   var test = async_test(test_suborigin_options[option][1]);
   var iframe;
   window.addEventListener('message', test.step_func(event => {
     if (event.source != iframe.contentWindow)
       return;

     assert_equals(event.data, 'I am a secret');
     setTimeout(run_next_test, 0);
     test.done();
   }));
   iframe = document.createElement('iframe');
   iframe.setAttribute('src', 'resources/reach-into-iframe.php?childsuborigin=' +
                                  test_suborigin_options[option][0]);
   return () => { document.body.appendChild(iframe) };
 }

 for (option in test_suborigin_options) {
   tests.push(generate_test_case(option));
 }

 run_next_test();
 </script>
 </body>
 </html>
	<!DOCTYPE html>
	<html>
	<head>
	<meta charset="utf-8">
	<script src="/resources/testharness.js"></script>
	<script src="/resources/testharnessreport.js"></script>
	</head>
	<body>
	<script>
	var test_suborigin_options = [
	[ 'foobar \'', 'Single quote as option' ],
	[ 'foobar \'unsafe-postmessage-send\';', 'Character after single policy' ],
	[ 'foobar \'unsafe-postmessage-send\'; \'unsafe-cookies\';',
	'Charecters after multiple policies' ],
	[ 'foobar; \'unsafe-postmessage-send\'', 'Character before policy' ],
	[ 'foobar \'b@d character$\'', 'Bad characters in option' ],
	];

	var tests = [];

	function run_next_test() {
	if (tests.length) {
	tests.shift()();
	}
	}

	function generate_test_case(option) {
	var test = async_test(test_suborigin_options[option][1]);
	var iframe;
	window.addEventListener('message', test.step_func(event => {
	if (event.source != iframe.contentWindow)
	return;

	assert_equals(event.data, 'I am a secret');
	setTimeout(run_next_test, 0);
	test.done();
	}));
	iframe = document.createElement('iframe');
	iframe.setAttribute('src', 'resources/reach-into-iframe.php?childsuborigin=' +
	test_suborigin_options[option][0]);
	return () => { document.body.appendChild(iframe) };
	}

	for (option in test_suborigin_options) {
	tests.push(generate_test_case(option));
	}

	run_next_test();
	</script>
	</body>
	</html>