third_party/WebKit/LayoutTests/http/tests/security/suborigins/suborigin-in-meta-disallowed.html

   1 <!DOCTYPE html>
   2 <html>
   3     <head>
   4         <meta http-equiv="Content-Security-Policy" content="suborigin foobar">
   5         <title>The &lt;meta&gt; tag does not allow a page to enter a suborigin.</title>
   6         <script src="/resources/testharness.js"></script>
   7         <script src="/resources/testharnessreport.js"></script>
   8     </head>
   9     <script>
  10     window.onmessage = function(event) {
  11         var secret;
  12         try {
  13             secret = document.getElementById('iframe').contentWindow.secret;
  14         } catch(e) {
  15             secret = '' + e;
  16         }
  17         assert_equals(secret, 'SecurityError: Blocked a frame with origin \"http://127.0.0.1:8000\" from accessing a cross-origin frame.');
  18         done();
  19     };
  20     </script>
  21     <iframe id="iframe" src="resources/post-to-parent.php?suborigin=foobar"></iframe>
  22 </html>