| <!DOCTYPE html> |
| |
| <head> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| </head> |
| |
| <body> |
| <script> |
| var t = async_test("Test that the child iframe navigation is blocked"); |
| window.onmessage = t.step_func_done(function(e) { |
| assert_equals(e.data.result, 'fail'); |
| assert_equals(e.data.violatedDirective, 'navigate-to'); |
| }); |
| |
| // the iframe will navigate to: |
| // [www2]/..../redirect.py (which is not in the navigate-to source list) which will in turn navigate to |
| // [www2]/..../post_message_to_frame_owner.html which is also not in the list |
| // because of 'unsafe-allow-redirects' only the second one is checked since the first is a redirect |
| |
| var i = document.createElement('iframe'); |
| i.src = "../support/link_click_navigation.sub.html" + |
| "?csp=" + encodeURIComponent("navigate-to {{location[scheme]}}://{{domains[www1]}}:{{location[port]}} 'unsafe-allow-redirects'") + |
| "&target=" + encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/common/redirect.py?location=" + |
| encodeURIComponent("{{location[scheme]}}://{{domains[www2]}}:{{location[port]}}/content-security-policy/navigate-to/support/post_message_to_frame_owner.html")); |
| document.body.appendChild(i); |
| </script> |
| |
| </body> |