| <!DOCTYPE html> |
| <html> |
| <head> |
| <script> |
| if (window.testRunner) { |
| testRunner.dumpAsText(); |
| testRunner.dumpChildFramesAsText(); |
| testRunner.dumpFrameLoadCallbacks(); |
| |
| // FIXME: For some reason a SecurityPolicyViolation event is not dispatched in frame-with-insecure-iframe.html (why?). |
| // So, dump-securitypolicyviolation-and-notify-done.js loaded by frame-with-insecure-iframe.html will never call |
| // testRunner.notifyDone(). For now we do not call testRunner.waitUntilDone(). |
| } |
| </script> |
| </head> |
| <body> |
| <p>This test loads a secure iframe that loads an insecure image inside a JavaScript URL iframe. |
| We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content |
| and a JavaScript URL executes in the same origin as its embedding document.</p> |
| <iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-javascript-url-iframe.html" width="100%" height="300"></iframe> |
| </body> |
| </html> |
