| <!DOCTYPE html> |
| <html> |
| <head> |
| <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'; child-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php"> |
| <script> |
| if (window.testRunner) { |
| testRunner.dumpAsText(); |
| testRunner.waitUntilDone(); |
| } |
| </script> |
| </head> |
| <body> |
| <p>This tests that in an isolated world that the Content Security Policy of the parent origin (this page) is bypassed and a CSP violation is not triggered when a Web Worker's script URL loads a different origin through a redirect. This test PASSED if there is no CSP violation console message and the redirect fails (since Web Workers can only load a script from the same origin).</p> |
| <pre id="result"></pre> |
| <script> |
| window.onmessage = function (event) |
| { |
| document.getElementById("result").textContent = event.data; |
| if (window.testRunner) |
| testRunner.notifyDone(); |
| } |
| |
| function runTest() |
| { |
| var worker; |
| try { |
| worker = new Worker("http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js"); |
| worker.onerror = function () { |
| window.postMessage("PASS worker failed to load script URL.", "*"); |
| } |
| } catch (exception) { |
| window.postMessage("FAIL should not have thrown an exception when creating worker. Threw exception " + exception + ".", "*"); |
| } |
| } |
| |
| if (window.testRunner) |
| testRunner.evaluateScriptInIsolatedWorld(0, runTest.toString() + ";runTest();"); |
| </script> |
| </body> |
| </html> |