content/test/data/cross_site_document_request.html

   1 <html>
   2 <head>
   3 </head>
   4 <body>
   5 This test shows that cross-site documents are blocked by SiteIsolationPolicy
   6 even if the Same Origin Policy is turned off in the renderer. The Same Origin
   7 Policy can be circumvented when the renderer is compromised, but we have
   8 SiteIsolationPolicy that blocks cross-site documents at the IPC layer. For now
   9 cross-site document blocking by SiteIsolationPolicy is done in the renderer, but
  10 our ultimate plan is to do that in the browser process.
  11
  12 <script>
  13 var xhrStatus = -1;
  14 var pathPrefix = "http://bar.com/files/site_isolation/";
  15
  16 // We only block cross-site documents with a blacklisted mime type(text/html,
  17 // text/xml, application/json), that are correctly sniffed as the content type
  18 // that they claim to be. We also block text/plain documents when their body
  19 // looks like one of the blacklisted content types.
  20
  21 var blockedResourceUrls = ['valid.html', 'comment_valid.html', 'valid.xml',
  22 'valid.json', 'html.txt', 'xml.txt', 'json.txt'];
  23
  24 var nonBlockedResourceUrls = ['js.html', 'comment_js.html', 'js.xml', 'js.json',
  25 'js.txt', 'img.html', 'img.xml', 'img.json', 'img.txt', 'comment_js.html'];
  26
  27 var resourceUrls = blockedResourceUrls.concat(nonBlockedResourceUrls);
  28
  29 var failed = false;
  30 function sendRequest(resourceUrl) {
  31   var xhr = new XMLHttpRequest();
  32   xhr.onreadystatechange = function() {
  33     if (xhr.readyState == 4) {
  34       var prefix = "";
  35       if ((blockedResourceUrls.indexOf(resourceUrl) != -1 &&
  36            xhr.responseText != " ") ||
  37           (nonBlockedResourceUrls.indexOf(resourceUrl) != -1 &&
  38            xhr.responseText == " ")) {
  39         // Test failed. Either a resource that should have been blocked is not
  40         // blocked, or a resource that should have not been blocked is blocked.
  41         domAutomationController.setAutomationId(0);
  42         domAutomationController.send(0);
  43         if (blockedResourceUrls.indexOf(resourceUrl) != -1) {
  44           prefix = "[ERROR:resource to be blocked wasn't blocked]";
  45         } else {
  46           prefix = "[ERROR:resource to be unblocked was blocked]";
  47         }
  48       }
  49       document.getElementById("response_body").value +=
  50           ("\n" + prefix + "response to " + resourceUrl + "(" +
  51            xhr.getResponseHeader("content-type") + ") " +
  52            (xhr.responseText == " " ? "blocked" : "not-blocked"));
  53       drive();
  54     }
  55   }
  56   xhr.open('GET', pathPrefix + resourceUrl);
  57   xhr.send();
  58 }
  59
  60 var cnt = 0;
  61 function drive() {
  62   if (cnt < resourceUrls.length) {
  63     sendRequest(resourceUrls[cnt]);
  64     ++cnt;
  65   } else {
  66     // All the test cases are successfully passed.
  67     domAutomationController.setAutomationId(0);
  68     domAutomationController.send(1);
  69   }
  70 }
  71
  72 window.onload = function() {
  73   // The call to pushState with another domain will succeed, since the
  74   // test uses --disable-web-security.
  75   history.pushState('', '', 'http://bar.com/files/main.html');
  76   drive();
  77 }
  78 </script>
  79 <textarea rows=20 cols=50 id='response_body'></textarea>
  80 </body>
  81 </html>