[chromium-blink-merge.git] / third_party / WebKit / LayoutTests / http / tests / security / isolatedWorld / bypass-main-world-csp.html
1 <!DOCTYPE html>
2 <html>
3 <head>
4 <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
5 <script>
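// Layout-test harness hooks. Outside the harness window.testRunner is absent
// and these two calls are skipped. waitUntilDone() is paired with the
// testRunner.notifyDone() call made by test() once the countdown reaches 0.
if (window.testRunner) {
    testRunner.dumpAsText();
    testRunner.waitUntilDone();
}

// Countdown of remaining steps; test() switches on this value. Declared with
// `var` so the global is explicit rather than created by a bare assignment.
var tests = 6;

// Each image outcome (load or error) posts "next" to this window; every
// message received moves the countdown on and runs the following step.
// NOTE(review): the handler inspects neither message.origin nor message.data.
// That is tolerable only because this page posts the single constant token
// "next" to itself; a handler that acts on message contents should validate
// both before trusting them.
window.addEventListener("message", function (message) {
    tests -= 1;
    test();
}, false);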
/**
 * Body onload entry point: clears any leftover isolated-world policy, wires
 * the image outcome handlers, and starts the first test step.
 */
function setup() {
    // Isolated worlds are not reset between test runs, so a policy left behind
    // by an earlier test could leak into this one (https://crbug.com/415845).
    // Start from an empty policy for world 1.
    testRunner.setIsolatedWorldContentSecurityPolicy(1, '');

    // Builds a handler that records the outcome and then asks for the next
    // step. The "*" target origin is used with a constant, non-sensitive
    // payload ("next"); a page posting real data should name the expected
    // origin instead of using the wildcard.
    function reportAndAdvance(outcome) {
        return function () {
            alert(outcome);
            window.postMessage("next", "*");
        };
    }

    var testImage = document.getElementById('testimg');
    testImage.onload = reportAndAdvance('LOADED');
    testImage.onerror = reportAndAdvance('BLOCKED');

    test();
}
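/**
 * Runs the step selected by the global `tests` countdown (6 down to 0).
 *
 * The page itself is served with `img-src 'none'`. Each step points the test
 * image at a fresh URL from either the main world or isolated world 1; the
 * onload/onerror handlers installed by setup() report LOADED or BLOCKED.
 * Step 0 clears the isolated-world policy and ends the test.
 */
function test() {
    // Serialized into the isolated world by runInIsolatedWorld(), so it must
    // stay self-contained: it may only use names that exist in that world.
    // `isolated` is not read; it only marks at the call site which world
    // issued the request. `num` makes each URL unique per step.
    function setImgSrc(isolated, num) {
        var img = document.getElementById('testimg');
        img.src = "../resources/abe.png?" + num;
    }

    // Ships setImgSrc's source text plus one call to isolated world 1.
    // String(setImgSrc) yields the same text the previous eval("setImgSrc")
    // lookup produced, without going through eval.
    function runInIsolatedWorld(num) {
        testRunner.evaluateScriptInIsolatedWorld(
            1, String(setImgSrc) + "\nsetImgSrc(true, " + num + ");");
    }

    alert("Running test #" + tests + "\n");
    switch (tests) {
        case 6:
            // Main world under the page's img-src 'none'.
            // NOTE(review): expected outcome is presumably BLOCKED; confirm
            // against the expectations file, which is not shown here.
            setImgSrc(false, 6);
            break;
        case 5:
            // Isolated world 1 while its policy is still the empty string set
            // by setup().
            // NOTE(review): presumably the page policy still applies here.
            runInIsolatedWorld(5);
            break;
        case 4:
            alert("Starting to bypass main world's CSP:");
            // From here on world 1 carries its own, permissive image policy.
            testRunner.setIsolatedWorldContentSecurityPolicy(1, 'img-src *');
            runInIsolatedWorld(4);
            break;
        case 3:
            // Main world, then isolated world -> should load
            setImgSrc(false, 3);
            runInIsolatedWorld(3);
            break;
        case 2:
            // Isolated world, then main world -> should block
            runInIsolatedWorld(2);
            setImgSrc(false, 2);
            break;
        case 1:
            // Main world again while world 1 still has 'img-src *'; this is
            // the check that the isolated-world policy does not loosen the
            // page's own policy.
            // NOTE(review): expected outcome presumably BLOCKED; confirm.
            setImgSrc(false, 1);
            break;
        case 0:
            // Leave world 1 clean for whichever test runs next, then finish.
            testRunner.setIsolatedWorldContentSecurityPolicy(1, '');
            testRunner.notifyDone();
            break;
    }
}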
72 </script>
73 </head>
74 <body onload='setup();'>
75 <p>
76 <img id="testimg">
77 This test ensures that scripts run in isolated worlds marked with their
78 own Content Security Policy aren't affected by the page's content
79 security policy. Extensions, for example, should be able to load any
80 resource they like.
81 </p>
82 </body>
83 </html>