| <!doctype html> |
| <title>Tests that portals respect the frame-src</title> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <body> |
| </body> |
| <script> |
| async_test(function(t) { |
| assert_implements("HTMLPortalElement" in self); |
| var w = window.open("resources/frame-src.sub.html?frame_src_policy=%27none%27"); |
| w.onload = function() { |
| w.document.addEventListener("securitypolicyviolation", |
| t.step_func_done(function(e) { |
| assert_equals("frame-src", e.violatedDirective); |
| })); |
| var portal = w.document.createElement("portal"); |
| portal.src = new URL("/portals/resources/simple-portal.html", location.href); |
| portal.onmessage = t.unreached_func("Portal should not load."); |
| w.document.body.appendChild(portal); |
| } |
| }, "Tests that a portal can't be loaded when it violates frame-src"); |
| |
| async_test(function(t) { |
| assert_implements("HTMLPortalElement" in self); |
| var w = window.open(`resources/frame-src.sub.html?frame_src_policy=http://{{hosts[][www]}}:{{ports[http][0]}}`); |
| w.onload = function() { |
| w.document.onsecuritypolicyviolation = t.unreached_func("Portal should load."); |
| var portal = w.document.createElement("portal"); |
| portal.src = new URL("http://{{hosts[][www]}}:{{ports[http][0]}}/portals/resources/simple-portal.html", location.href); |
| portal.onmessage = t.step_func_done(); |
| w.document.body.appendChild(portal); |
| } |
| }, "Tests that a portal can be loaded when the origin matches the frame-src CSP header."); |
| async_test(function(t) { |
| assert_implements("HTMLPortalElement" in self); |
| var w = window.open(`resources/frame-src.sub.html?frame_src_policy=http://{{hosts[][www]}}:{{ports[http][0]}}`); |
| w.onload = function() { |
| var portal = w.document.createElement("portal"); |
| portal.src = new URL("http://{{hosts[alt][www]}}:{{ports[http][0]}}/portals/resources/simple-portal.html", location.href); |
| w.document.onsecuritypolicyviolation = t.step_func(function(e) { |
| w.document.onsecuritypolicyviolation = null; |
| assert_equals("frame-src", e.violatedDirective); |
| portal.src = new URL("http://{{hosts[][www]}}:{{ports[http][0]}}/portals/resources/simple-portal.html", location.href); |
| portal.onmessage = t.step_func_done(); |
| }); |
| w.document.body.appendChild(portal); |
| } |
| }, "Tests that a portal will fail to load on an origin different than the one specified in the frame-src CSP, but that it can be loaded when the origin matches the frame-src CSP."); |
| </script> |