Source code
Revision control
Copy as Markdown
Other Tools
Test Info: Warnings
- This test has a WPT meta file that expects 1 subtest issues.
- This WPT test may be referenced by the following Test IDs:
- /content-security-policy/frame-src/frame-src-redirect.html - WPT Dashboard Interop Dashboard
<!doctype html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="./support/testharness-helper.sub.js"></script>
<body></body>
<script>
function waitForViolation(el, policy, blocked_origin) {
return new Promise(resolve => {
el.addEventListener('securitypolicyviolation', e => {
if (e.originalPolicy == policy && (new URL(e.blockedURI)).origin == blocked_origin)
resolve(e);
});
});
}
async_test(t => {
var i = document.createElement("iframe");
var redirect = generateCrossOriginRedirectFrame();
i.src = redirect.url;
// Report-only policy should trigger a violation on the original request.
var original_report_only = waitForViolation(window, "frame-src http://foo.test", (new URL(i.src)).origin)
// Report-only policy should trigger a violation on the redirected request.
var redirect_report_only = waitForViolation(window, "frame-src http://foo.test", (new URL(redirect.target)).origin)
// Enforced policy should trigger a violation on the redirected request.
var redirect_enforced = waitForViolation(window, "frame-src 'self'", (new URL(redirect.target)).origin)
Promise.all([original_report_only, redirect_report_only, redirect_enforced]).then(t.step_func(_ => {
t.done();
}));
document.body.appendChild(i);
}, "Redirected iframe src should evaluate both enforced and report-only policies on both original request and when following redirect");
</script>
</html>