| <!DOCTYPE html> |
| <html> |
| <head> |
| <script src="/js-test-resources/js-test-pre.js"></script> |
| <meta http-equiv="Content-Security-Policy" content="frame-src 'self' http://localhost:8080"> |
| <script> |
| window.jsTestIsAsync = true; |
| |
| description("IFrames blocked by CSP should generate a 'load' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS."); |
| |
| function loadIFrameWithSrc(srcURL) |
| { |
| var iframe = document.createElement("iframe"); |
| iframe.onload = loadEvent(); |
| iframe.src = srcURL; |
| document.body.appendChild(iframe); |
| } |
| |
| var loads = 0; |
| function loadEvent() { |
| loads++; |
| testPassed("IFrame #" + loads + " generated a 'load' event."); |
| switch (loads) |
| { |
| case 1: |
| loadIFrameWithSrc("http://localhost:8080/security/contentSecurityPolicy/resources/alert-pass.html"); |
| break; |
| case 2: |
| loadIFrameWithSrc("https://localhost:8443/security/contentSecurityPolicy/resources/alert-fail.html"); |
| break; |
| case 3: |
| setTimeout(finishJSTest, 0); |
| } |
| } |
| </script> |
| </head> |
| <body> |
| <iframe src="/security/contentSecurityPolicy/resources/alert-pass.html" onload="loadEvent()"></iframe> |
| <script src="/js-test-resources/js-test-post.js"></script> |
| </body> |
| </html> |
