| <!doctype html> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <script src="./support/testharness-helper.sub.js"></script> |
| <body></body> |
| <script> |
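// Resolves with the first `securitypolicyviolation` event dispatched to `el`
// whose `originalPolicy` is exactly `policy` and whose `blockedURI` parses to
// a URL with origin `blocked_origin`. Events that do not match are ignored, so
// several callers can wait on the same target for different violations.
//
// Only the origin of `blockedURI` is compared, not the full URL, so the check
// holds whether the UA reports the complete blocked URL or only its origin.
//
// `blockedURI` is not guaranteed to be a URL: CSP may report a bare token such
// as "inline", "eval", "data" or an empty string for some directives. `new
// URL()` throws on those, and an exception inside the listener would neither
// resolve nor reject the promise — the test would only time out, with an
// unrelated error in the console. Such events are treated as non-matching.
//
// The listener removes itself once it has matched so repeated calls (this test
// registers three on `window`) do not leave dead handlers behind.
function waitForViolation(el, policy, blocked_origin) {
  return new Promise(resolve => {
    const onViolation = e => {
      if (e.originalPolicy !== policy)
        return;
      let origin;
      try {
        origin = new URL(e.blockedURI).origin;
      } catch (_) {
        return;  // not a parseable URL, cannot be the violation we are waiting for
      }
      if (origin !== blocked_origin)
        return;
      el.removeEventListener('securitypolicyviolation', onViolation);
      resolve(e);
    };
    el.addEventListener('securitypolicyviolation', onViolation);
  });
}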
| |
// A cross-origin redirect on an iframe's src must be evaluated by every CSP
// (enforced and report-only) twice: once for the original request and once
// for the redirect target. This test expects three distinct violation events.
async_test(t => {
  const frame = document.createElement("iframe");
  const redirect = generateCrossOriginRedirectFrame();
  frame.src = redirect.url;

  const reportOnlyPolicy = "frame-src http://foo.test";
  const enforcedPolicy = "frame-src 'self'";
  const originalOrigin = new URL(frame.src).origin;
  const targetOrigin = new URL(redirect.target).origin;

  // Register every listener before the frame is inserted so that no
  // violation event can fire before someone is waiting for it.
  const expectedViolations = [
    // Report-only policy: violation for the original (pre-redirect) request.
    waitForViolation(window, reportOnlyPolicy, originalOrigin),
    // Report-only policy: a second violation for the redirect target.
    waitForViolation(window, reportOnlyPolicy, targetOrigin),
    // Enforced policy: violation for the redirect target.
    waitForViolation(window, enforcedPolicy, targetOrigin),
  ];

  Promise.all(expectedViolations).then(t.step_func(() => t.done()));

  document.body.appendChild(frame);
}, "Redirected iframe src should evaluate both enforced and report-only policies on both original request and when following redirect");
| </script> |
| </html> |