| <!DOCTYPE html> |
| <html> |
| <head> |
| <meta http-equiv="Content-Security-Policy" content="img-src 'none'; script-src 'unsafe-inline'"> |
| <script> |
| if (window.testRunner) { |
| testRunner.dumpAsText(); |
| testRunner.waitUntilDone(); |
| } |
| |
| tests = 4; |
| window.addEventListener("message", function(message) { |
| tests -= 1; |
| test(); |
| }, false); |
| |
| function test() { |
| function setImgSrc(isolated) { |
| var img = document.createElement('img'); |
| document.body.appendChild(img); |
| img.onload = function () { |
| alert('LOADED in ' + (isolated ? "isolated world" : "main world")); |
| window.postMessage("next", "*"); |
| }; |
| img.onerror = function () { |
| alert('BLOCKED in ' + (isolated ? "isolated world" : "main world")); |
| window.postMessage("next", "*"); |
| }; |
| img.src = "../resources/abe.png"; |
| } |
| |
| function callEval(isolated) { |
| try { |
| eval("true"); |
| alert('Called eval() in ' + (isolated ? "isolated world" : "main world")); |
| window.postMessage("next", "*"); |
| } catch (error) { |
| console.log(error); |
| alert('BLOCKED eval() in ' + (isolated ? "isolated world" : "main world")); |
| window.postMessage("next", "*"); |
| } |
| } |
| |
| switch (tests) { |
| case 4: |
| setImgSrc(false); |
| break; |
| case 3: |
| testRunner.evaluateScriptInIsolatedWorld(1, String(setImgSrc) + "\nsetImgSrc(true);"); |
| break; |
| case 2: |
| callEval(false); |
| break; |
| case 1: |
| testRunner.evaluateScriptInIsolatedWorld(1, String(callEval) + "\ncallEval(true);"); |
| break; |
| case 0: |
| testRunner.notifyDone(); |
| break; |
| } |
| } |
| </script> |
| </head> |
| <body onload='test();'> |
| <p> |
| This test ensures that scripts run in isolated worlds are affected |
| by the page's content security policy. Extensions, for example, should |
| not be able to load any resource they like. |
| </p> |
| </body> |
| </html> |
