iframe_script_crossdomain.html

Enable keyboard shortcuts

<!DOCTYPE HTML>

<!-- Any copyright is dedicated to the Public Domain.

     http://creativecommons.org/publicdomain/zero/1.0/ -->

<html>

<head>

  <script src="/tests/SimpleTest/SimpleTest.js"></script>

  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>

</head>

<body>

<p id="display"></p>

<div id="content" style="display: none">

</div>

<pre id="test">

</pre>

<script type="application/javascript">

  SimpleTest.waitForExplicitFinish();

  window.hasCORSLoaded = false;

  window.hasNonCORSLoaded = false;

  function good_nonsriLoaded() {

    ok(true, "Non-eligible non-SRI resource was loaded correctly.");

  function bad_nonsriBlocked() {

    ok(false, "Non-eligible non-SRI resources should be loaded!");

  function good_nonCORSInvalidBlocked() {

    ok(true, "A non-CORS resource with invalid metadata was correctly blocked.");

  function bad_nonCORSInvalidLoaded() {

    ok(false, "Non-CORS resources with invalid metadata should be blocked!");

  window.onerrorCalled = false;

  window.onloadCalled = false;

  function bad_onloadCalled() {

    window.onloadCalled = true;

  function good_onerrorCalled() {

    window.onerrorCalled = true;

  function good_incorrect301Blocked() {

    ok(true, "A non-CORS load with incorrect hash redirected to a different origin was blocked correctly.");

  function bad_incorrect301Loaded() {

    ok(false, "Non-CORS loads with incorrect hashes redirecting to a different origin should be blocked!");

  function good_correct301Blocked() {

    ok(true, "A non-CORS load with correct hash redirected to a different origin was blocked correctly.");

  function bad_correct301Loaded() {

    ok(false, "Non-CORS loads with correct hashes redirecting to a different origin should be blocked!");

  function good_correctDataLoaded() {

    ok(true, "Since data: URLs are same-origin, they should be loaded.");

  function bad_correctDataBlocked() {

    todo(false, "We should not block scripts in data: URIs!");

  function good_correctDataCORSLoaded() {

    ok(true, "A data: URL with a CORS load was loaded correctly.");

  function bad_correctDataCORSBlocked() {

    ok(false, "We should not BLOCK scripts!");

  window.onload = function() {

    SimpleTest.finish()

</script>

<!-- cors-enabled. should be loaded -->

<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain1.js"

        crossorigin=""

        integrity="sha512-9Tv2DL1fHvmPQa1RviwKleE/jq72jgxj8XGLyWn3H6Xp/qbtfK/jZINoPFAv2mf0Nn1TxhZYMFULAbzJNGkl4Q=="></script>

<!-- not cors-enabled. should be blocked -->

<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain2.js"

        crossorigin="anonymous"

        integrity="sha256-ntgU2U1xv7HfK1XWMTSWz6vJkyVtGzMrIAxQkux1I94="

        onload="bad_onloadCalled()"

        onerror="good_onerrorCalled()"></script>

<!-- non-cors but not actually using SRI. should trigger onload -->

<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain3.js"

        integrity="    "

        onload="good_nonsriLoaded()"

        onerror="bad_nonsriBlocked()"></script>

<!-- non-cors with invalid metadata -->

<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain4.js"

        integrity="sha256-bogus"

        onload="bad_nonCORSInvalidLoaded()"

        onerror="good_nonCORSInvalidBlocked()"></script>

<!-- non-cors that's same-origin initially but redirected to another origin -->

<script src="script_301.js"

        integrity="sha384-invalid"

        onerror="good_incorrect301Blocked()"

        onload="bad_incorrect301Loaded()"></script>

<!-- non-cors that's same-origin initially but redirected to another origin -->

<script src="script_301.js"

        integrity="sha384-1NpiDI6decClMaTWSCAfUjTdx1BiOffsCPgH4lW5hCLwmHk0VyV/g6B9Sw2kD2K3"

        onerror="good_correct301Blocked()"

        onload="bad_correct301Loaded()"></script>

<!-- data: URLs are same-origin -->

<script src="data:,console.log('data:valid');"

        integrity="sha256-W5I4VIN+mCwOfR9kDbvWoY1UOVRXIh4mKRN0Nz0ookg="

        onerror="bad_correctDataBlocked()"

        onload="good_correctDataLoaded()"></script>

<!-- not cors-enabled with data: URLs. should trigger onload -->

<script src="data:,console.log('data:valid');"

        crossorigin="anonymous"

        integrity="sha256-W5I4VIN+mCwOfR9kDbvWoY1UOVRXIh4mKRN0Nz0ookg="

        onerror="bad_correctDataCORSBlocked()"

        onload="good_correctDataCORSLoaded()"></script>

<script>

  ok(window.hasCORSLoaded, "CORS-enabled resource with a correct hash");

  ok(!window.hasNonCORSLoaded, "Correct hash, but non-CORS, should be blocked");

  ok(!window.onloadCalled, "Failed loads should not call onload when they're cross-domain");

  ok(window.onerrorCalled, "Failed loads should call onerror when they're cross-domain");

</script>

</body>

</html>