search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[refactor] More post-NSS WebCrypto cleanups (utility functions).
[chromium-blink-merge.git] / content / test / data / cross_site_document_request.html
blob5edea9d28c1d956e4cb6a10b26d7e1409a9eff0b
1 <html>
2 <head>
3 </head>
4 <body>
5
6 <p>This test does cross-site XHR fetches of documents with the Same Origin
7 Policy turned off in the renderer. The Same Origin Policy can be circumvented
8 when the renderer is compromised, but site isolation ought to block cross-site
9 documents at the IPC layer.</p>
10
11 <p>We only block cross-site documents with a blacklisted mime type (text/html,
12 text/xml, application/json), that are correctly sniffed as the content type that
13 they claim to be. We also block text/plain documents when their body looks like
14 one of the blacklisted content types.</p>
15
16 <script>
17 var pathPrefix = "http://bar.com/files/site_isolation/";
18
19 // To be called from the browsertest via ExecuteScriptAndExtractBool().
20 function sendRequest(resourceUrl) {
21 var xhr = new XMLHttpRequest();
22 xhr.onreadystatechange = function() {
23 if (xhr.readyState == 4) {
24 // At one point this test operated with an experimental flag to actually
25 // block requests in the render process -- in that case the blocked
26 // response was replaced with the literal string " ". That flag has been
27 // removed (circa June 2015), but when browser process document blocking
28 // is implemented, we may wish to update this test accordingly.
29 var wasBlocked = xhr.responseText == " ";
30 document.getElementById("response_body").value +=
31 ("\n" + "response to " + resourceUrl + "(" +
32 xhr.getResponseHeader("content-type") + ") " +
33 (wasBlocked ? "blocked" : "not-blocked"));
34
35 domAutomationController.setAutomationId(0);
36 domAutomationController.send(wasBlocked);
37 }
38 }
39 xhr.open('GET', pathPrefix + resourceUrl);
40 xhr.send();
41 }
42
43 window.onload = function() {
44 // The call to pushState with another domain will succeed, since the
45 // test uses --disable-web-security.
46 history.pushState('', '', 'http://bar.com/files/main.html');
47 }
48 </script>
49 <textarea rows=20 cols=50 id='response_body'></textarea>
50 </body>
51 </html>