| <!DOCTYPE html> |
| <head> |
| <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'self'"> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <!-- Tests that mutations inside a context that inherits a copy of the CSP list |
| does not affect the parent context --> |
| </head> |
| <body> |
| <script> |
| var t1 = async_test("Test that parent document image loads"); |
| var t2 = async_test("Test that embedded iframe document image does not load"); |
| var t3 = async_test("Test that spv event is fired"); |
| |
| window.onmessage = function(e) { |
| if (e.data.type == 'spv') { |
| t3.step(function() { |
| assert_equals(e.data.violatedDirective, "img-src"); |
| t3.done(); |
| }); |
| } else if (e.data.type == 'imgload') { |
| var img = document.createElement('img'); |
| img.src = "../support/pass.png"; |
| img.onload = function() { t1.done(); }; |
| img.onerror = t1.unreached_func('Should have loaded the image'); |
| document.body.appendChild(img); |
| |
| t2.step(function() { |
| assert_false(e.data.loaded, "Should not have loaded image inside the frame because of its CSP"); |
| t2.done(); |
| }); |
| } |
| } |
| |
| var srcdoc = ['<meta http-equiv="Content-Security-Policy" content="img-src \'none\'">', |
| '<script>', |
| ' window.addEventListener("securitypolicyviolation", function(e) {', |
| ' window.top.postMessage({type: "spv", violatedDirective: e.violatedDirective}, "*");', |
| ' });', |
| '</scr' + 'ipt>', |
| '<img src="../support/fail.png"', |
| ' onload="window.top.postMessage({type: \'imgload\', loaded: true}, \'*\')"', |
| ' onerror="window.top.postMessage({type: \'imgload\', loaded: false}, \'*\')">'].join('\n'); |
| var i = document.createElement('iframe'); |
| i.srcdoc = srcdoc; |
| document.body.appendChild(i); |
| </script> |
| </body> |
| </html> |