LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html - WebKit - Git at Google

 <!DOCTYPE html>
 <html>
 <head>
     <meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py">
     <script src="/js-test-resources/js-test-pre.js"></script>
 </head>
 <body>
     <script>
         window.jsTestIsAsync = true;

         var haveReportedXhrError = false;
         var haveReportedBlockedURI = false;

         // Expect the blocked URI to be the requested origin, not the redirect target.
         document.addEventListener('securitypolicyviolation', e => {
             document.body.innerHTML += `blockedURI = <b>${e.blockedURI}</b><br/><br/>`;
             haveReportedBlockedURI = true;
             if (haveReportedXhrError)
                 finishJSTest();
         });

         var xhr = new XMLHttpRequest;
         try {
             xhr.open("GET", "resources/redir.py?url=http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py", true);
         } catch(e) {
             testFailed("XMLHttpRequest.open() should not throw an exception.");
         }

         xhr.onload = function () {
             testFailed("XMLHttpRequest.send() should fail to follow the disallowed redirect.");
             finishJSTest();
         };

         xhr.onerror = function () {
             testPassed("XMLHttpRequest.send() did not follow the disallowed redirect.");
             haveReportedXhrError = true;
             if (haveReportedBlockedURI)
                 finishJSTest();
         };

         xhr.send();
     </script>
 </script>
 <script src="/js-test-resources/js-test-post.js"></script>
 </body>
 </html>
	<!DOCTYPE html>
	<html>
	<head>
	<meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py">
	<script src="/js-test-resources/js-test-pre.js"></script>
	</head>
	<body>
	<script>
	window.jsTestIsAsync = true;

	var haveReportedXhrError = false;
	var haveReportedBlockedURI = false;

	// Expect the blocked URI to be the requested origin, not the redirect target.
	document.addEventListener('securitypolicyviolation', e => {
	document.body.innerHTML += `blockedURI = <b>${e.blockedURI}</b><br/><br/>`;
	haveReportedBlockedURI = true;
	if (haveReportedXhrError)
	finishJSTest();
	});

	var xhr = new XMLHttpRequest;
	try {
	xhr.open("GET", "resources/redir.py?url=http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py", true);
	} catch(e) {
	testFailed("XMLHttpRequest.open() should not throw an exception.");
	}

	xhr.onload = function () {
	testFailed("XMLHttpRequest.send() should fail to follow the disallowed redirect.");
	finishJSTest();
	};

	xhr.onerror = function () {
	testPassed("XMLHttpRequest.send() did not follow the disallowed redirect.");
	haveReportedXhrError = true;
	if (haveReportedBlockedURI)
	finishJSTest();
	};

	xhr.send();
	</script>
	</script>
	<script src="/js-test-resources/js-test-post.js"></script>
	</body>
	</html>