blob: 96bb4fb76d081fb6e40a36b7d01b6c8f8e276303 [file] [log] [blame]
frame "<!--frame1-->" - didStartProvisionalLoadForFrame
main frame - didFinishDocumentLoadForFrame
frame "<!--frame1-->" - didCommitLoadForFrame
CONSOLE MESSAGE: [Report Only] Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/style.css because 'block-all-mixed-content' appears in the Content Security Policy.
CONSOLE MESSAGE: [blocked] The page at https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php was not allowed to run insecure content from http://127.0.0.1:8000/security/mixedContent/resources/style.css.
frame "<!--frame1-->" - willPerformClientRedirectToURL: https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php
frame "<!--frame1-->" - didFinishDocumentLoadForFrame
main frame - didHandleOnloadEventsForFrame
frame "<!--frame1-->" - didFinishLoadForFrame
main frame - didFinishLoadForFrame
frame "<!--frame1-->" - didStartProvisionalLoadForFrame
frame "<!--frame1-->" - didCancelClientRedirectForFrame
frame "<!--frame1-->" - didCommitLoadForFrame
frame "<!--frame1-->" - didFinishDocumentLoadForFrame
frame "<!--frame1-->" - didHandleOnloadEventsForFrame
frame "<!--frame1-->" - didFinishLoadForFrame
This test loads a secure iframe that loads an insecure stylesheet. We should trigger a mixed content block even though the child frame has a report only CSP block-all-mixed-content directive because an active network attacker can use CSS3 to breach the confidentiality of the HTTPS security origin.
--------
Frame: '<!--frame1-->'
--------
CSP report received:
CONTENT_TYPE: application/csp-report
HTTP_HOST: 127.0.0.1:8443
HTTP_REFERER: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php
=== POST DATA ===
{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html","violated-directive":"block-all-mixed-content","effective-directive":"block-all-mixed-content","original-policy":"block-all-mixed-content; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php","blocked-uri":"http://127.0.0.1:8000","status-code":0}}