| <!DOCTYPE html> |
| <!-- |
| TODO(mkwst, arthursonzogni). This test fails. See https://crbug.com/700964 |
| --> |
| <html> |
| <head> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <meta http-equiv="Content-Security-Policy" content="form-action 127.0.0.1:8000"> |
| </head> |
| <body> |
| <form |
| action="/resources/redirection-response.php?host=localhost:8000&status=302&target=/security/resources/post-done-to-opener.html" |
| target="namedWindow" |
| method="post"> |
| <input type='submit' id='submit'> |
| </form> |
| |
| <script> |
| async_test(t => { |
| // #1 Open a new window with the name matching the form.target attribute |
| // above. |
| var namedWindow = window.open('/security/resources/empty.html', 'namedWindow') |
| |
| // #2 Wait the window to be loaded. It prevents the document url to still |
| // be about:blank and to have inherited from its opener's CSP. |
| t.step_timeout(function() { |
| window.addEventListener('message', t.step_func(e => { |
| if (e.source == namedWindow && e.data == "done") |
| assert_unreached("The form submission wasn't blocked."); |
| })); |
| |
| // The navigation should be blocked, either in the current window 1) or |
| // in the new window 2). |
| |
| // 1) The navigation is blocked in the current window. |
| window.addEventListener('securitypolicyviolation', t.step_func(e => { |
| assert_equals(e.effectiveDirective, "form-action"); |
| assert_equals(e.blockedURI, "localhost:8000/resources/post-done-to-opener.html"); |
| namedWindow.close(); |
| t.done(); |
| })); |
| |
| // 2) The navigation is blocked in the new window. |
| t.step_timeout(t.step_func(() => { |
| namedWindow.close(); |
| t.done(); |
| }), 1000); |
| |
| // #3 Make a form submission with a redirect. It should be blocked by |
| // the form-action directive after the redirect. |
| document.getElementById('submit').click(); |
| |
| }, 1000); |
| }, "The form resubmission should be blocked after the redirect"); |
| |
| </script> |
| </body> |
| </html> |