chromium/src/third_party/blink/web_tests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr.html - manifest_repos/chromium_src - Git at Google

 <!DOCTYPE html>
 <html>
     <script src="../../js-test-resources/js-test.js"></script>
     <meta http-equiv="Content-Security-Policy" content="connect-src 'none'">
 <body>
 <p id="description"></p>
 <div id="console"></div>

 <script>
 description('Tests that isolated worlds can have XHRs that the page\'s CSP wouldn\'t allow.');

 jsTestIsAsync = true;

 var tests = [
     function() {
         debug('XHR from main world');
         xhr(true);
     },
     function() {
         debug('XHR from isolated world with unchanged CSP');
         testRunner.setIsolatedWorldInfo(1, window.origin, null);
         runTestInWorld(1, 'xhr', 'true');
     },
     function() {
         debug('XHR from isolated world with looser CSP');
         testRunner.setIsolatedWorldInfo(2, window.origin, 'connect-src *');
         runTestInWorld(2, 'xhr', 'false');
     },
     function() {
         debug('XHR from main world is not affected by the isolated world origin or CSP');
         xhr(true);
     }
 ];
 var currentTest = 0;

 // This test is meaningless without testRunner.
 if (window.testRunner) {
     window.addEventListener(
         'message',
         function(event) {
             var message = JSON.parse(event.data);
             switch (message.type) {
                 case 'test-done':
                     currentTest++;
                     if (currentTest == tests.length) {
                         testRunner.setIsolatedWorldInfo(1, null, null);
                         testRunner.setIsolatedWorldInfo(2, null, null);
                         finishJSTest();
                     }
                     else
                         tests[currentTest]();
                     break;
                 case 'debug':
                     debug(message.message);
                     break;
                 default:
                     testFailed('Unknown message: ' + event.data);
                     break;
             }
         },
         false);

     tests[0]();
 } else {
     testFailed('Test depends on LayoutTestController and must be run by DRT');
 }

 function runTestInWorld(worldId, funcName, param)
 {
     testRunner.evaluateScriptInIsolatedWorld(
         worldId, String(eval(funcName)) + "\n" + funcName + "(" + param + ");");
 }

 function xhr(shouldBlock)
 {
     function debug(message) {
         window.postMessage(JSON.stringify({
                 'type': 'debug',
                 'message': message
             }),
             '*');
     }

     function signalComplete() {
         window.postMessage(JSON.stringify({'type': 'test-done'}), '*');
     }

     var xhr = new XMLHttpRequest();
     try {
         xhr.open('GET', '/security/isolatedWorld/resources/empty.html', true);
         xhr.onload = function(response) {
             if (shouldBlock)
                 debug('FAIL: The request should have been disallowed');
             else
                 debug('PASS: The request succeeded');
             signalComplete();
         };
         xhr.onerror = function() {
             if (shouldBlock)
                 debug('PASS: The request was disallowed');
             else
                 debug('FAIL: The request should have been allowed');
             signalComplete();
         }

         xhr.send();
     } catch (e) {
         debug('FAIL: XHR.open/send should not have thrown an exception');
         signalComplete();
     }
 }

 </script>

 </body>
 </html>
	<!DOCTYPE html>
	<html>
	<script src="../../js-test-resources/js-test.js"></script>
	<meta http-equiv="Content-Security-Policy" content="connect-src 'none'">
	<body>
	<p id="description"></p>
	<div id="console"></div>

	<script>
	description('Tests that isolated worlds can have XHRs that the page\'s CSP wouldn\'t allow.');

	jsTestIsAsync = true;

	var tests = [
	function() {
	debug('XHR from main world');
	xhr(true);
	},
	function() {
	debug('XHR from isolated world with unchanged CSP');
	testRunner.setIsolatedWorldInfo(1, window.origin, null);
	runTestInWorld(1, 'xhr', 'true');
	},
	function() {
	debug('XHR from isolated world with looser CSP');
	testRunner.setIsolatedWorldInfo(2, window.origin, 'connect-src *');
	runTestInWorld(2, 'xhr', 'false');
	},
	function() {
	debug('XHR from main world is not affected by the isolated world origin or CSP');
	xhr(true);
	}
	];
	var currentTest = 0;

	// This test is meaningless without testRunner.
	if (window.testRunner) {
	window.addEventListener(
	'message',
	function(event) {
	var message = JSON.parse(event.data);
	switch (message.type) {
	case 'test-done':
	currentTest++;
	if (currentTest == tests.length) {
	testRunner.setIsolatedWorldInfo(1, null, null);
	testRunner.setIsolatedWorldInfo(2, null, null);
	finishJSTest();
	}
	else
	tests[currentTest]();
	break;
	case 'debug':
	debug(message.message);
	break;
	default:
	testFailed('Unknown message: ' + event.data);
	break;
	}
	},
	false);

	tests[0]();
	} else {
	testFailed('Test depends on LayoutTestController and must be run by DRT');
	}

	function runTestInWorld(worldId, funcName, param)
	{
	testRunner.evaluateScriptInIsolatedWorld(
	worldId, String(eval(funcName)) + "\n" + funcName + "(" + param + ");");
	}

	function xhr(shouldBlock)
	{
	function debug(message) {
	window.postMessage(JSON.stringify({
	'type': 'debug',
	'message': message
	}),
	'*');
	}

	function signalComplete() {
	window.postMessage(JSON.stringify({'type': 'test-done'}), '*');
	}

	var xhr = new XMLHttpRequest();
	try {
	xhr.open('GET', '/security/isolatedWorld/resources/empty.html', true);
	xhr.onload = function(response) {
	if (shouldBlock)
	debug('FAIL: The request should have been disallowed');
	else
	debug('PASS: The request succeeded');
	signalComplete();
	};
	xhr.onerror = function() {
	if (shouldBlock)
	debug('PASS: The request was disallowed');
	else
	debug('FAIL: The request should have been allowed');
	signalComplete();
	}

	xhr.send();
	} catch (e) {
	debug('FAIL: XHR.open/send should not have thrown an exception');
	signalComplete();
	}
	}

	</script>

	</body>
	</html>