| <!DOCTYPE html> |
| <!-- Test verifies that cross-origin blob URIs are blocked both with and |
| without CORB. |
| --> |
| <meta charset="utf-8"> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <div id=log></div> |
| <script> |
| async_test(function(t) { |
| function step1_createSubframe() { |
| addEventListener("message", function(e) { |
| t.step(function() { step2_processSubframeMsg(e.data); }) |
| }); |
| var subframe = document.createElement("iframe") |
| // www1 is cross-origin, to ensure that the received blob will be cross-origin. |
| subframe.src = 'http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/subframe-that-posts-html-containing-blob-url-to-parent.html'; |
| document.body.appendChild(subframe); |
| } |
| |
| function step2_processSubframeMsg(msg) { |
| assert_false(msg.hasOwnProperty('error'), 'unexpected property found: "error"'); |
| assert_equals(msg.blob_type, 'text/html'); |
| assert_equals(msg.blob_size, 147); |
| |
| // With and without CORB loading of a cross-origin blob should be blocked |
| // (this is verified by expecting |script.onerror|, but not |script.onload| |
| // below). |
| var script = document.createElement("script") |
| script.src = msg.blob_url; |
| script.onerror = t.step_func_done(function(){}) |
| script.onload = t.unreached_func("Unexpected load event") |
| document.body.appendChild(script) |
| } |
| |
| step1_createSubframe(); |
| }); |
| </script> |