Updating trunk VERSION from 2139.0 to 2140.0
[chromium-blink-merge.git] / content / test / data / cross_site_document_request.html
blob7bd949f9e5b63ea8d1595799ad9c031e76e601d5
1 <html>
2 <head>
3 </head>
4 <body>
5 This test shows that cross-site documents are blocked by SiteIsolationPolicy
6 even if the Same Origin Policy is turned off in the renderer. The Same Origin
7 Policy can be circumvented when the renderer is compromised, but we have
8 SiteIsolationPolicy that blocks cross-site documents at the IPC layer. For now
9 cross-site document blocking by SiteIsolationPolicy is done in the renderer, but
10 our ultimate plan is to do that in the browser process.
12 <script>
13 var xhrStatus = -1;
14 var pathPrefix = "http://bar.com/files/site_isolation/";
16 // We only block cross-site documents with a blacklisted mime type(text/html,
17 // text/xml, application/json), that are correctly sniffed as the content type
18 // that they claim to be. We also block text/plain documents when their body
19 // looks like one of the blacklisted content types.
21 var blockedResourceUrls = ['valid.html', 'comment_valid.html', 'valid.xml',
22 'valid.json', 'html.txt', 'xml.txt', 'json.txt'];
24 var nonBlockedResourceUrls = ['js.html', 'comment_js.html', 'js.xml', 'js.json',
25 'js.txt', 'img.html', 'img.xml', 'img.json', 'img.txt', 'comment_js.html'];
27 var resourceUrls = blockedResourceUrls.concat(nonBlockedResourceUrls);
29 var failed = false;
30 function sendRequest(resourceUrl) {
31 var xhr = new XMLHttpRequest();
32 xhr.onreadystatechange = function() {
33 if (xhr.readyState == 4) {
34 var prefix = "";
35 if ((blockedResourceUrls.indexOf(resourceUrl) != -1 &&
36 xhr.responseText != " ") ||
37 (nonBlockedResourceUrls.indexOf(resourceUrl) != -1 &&
38 xhr.responseText == " ")) {
39 // Test failed. Either a resource that should have been blocked is not
40 // blocked, or a resource that should have not been blocked is blocked.
41 domAutomationController.setAutomationId(0);
42 domAutomationController.send(0);
43 if (blockedResourceUrls.indexOf(resourceUrl) != -1) {
44 prefix = "[ERROR:resource to be blocked wasn't blocked]";
45 } else {
46 prefix = "[ERROR:resource to be unblocked was blocked]";
49 document.getElementById("response_body").value +=
50 ("\n" + prefix + "response to " + resourceUrl + "(" +
51 xhr.getResponseHeader("content-type") + ") " +
52 (xhr.responseText == " " ? "blocked" : "not-blocked"));
53 drive();
56 xhr.open('GET', pathPrefix + resourceUrl);
57 xhr.send();
60 var cnt = 0;
61 function drive() {
62 if (cnt < resourceUrls.length) {
63 sendRequest(resourceUrls[cnt]);
64 ++cnt;
65 } else {
66 // All the test cases are successfully passed.
67 domAutomationController.setAutomationId(0);
68 domAutomationController.send(1);
72 window.onload = function() {
73 // The call to pushState with another domain will succeed, since the
74 // test uses --disable-web-security.
75 history.pushState('', '', 'http://bar.com/files/main.html');
76 drive();
78 </script>
79 <textarea rows=20 cols=50 id='response_body'></textarea>
80 </body>
81 </html>