Source code

Revision control

Copy as Markdown

Other Tools

Test Info:

<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
The origin of an URL is called "unique" when it is considered to be
different from every origin, including itself. The origin of a
data-url is unique. When the current origin is unique, the CSP source
'self' must not match any URL.
var iframe = document.createElement("iframe");
iframe.src = encodeURI(`data:text/html,
/* Add the CSP: frame-src: 'self'. */
var meta = document.createElement('meta');
meta.httpEquiv = 'Content-Security-Policy';
meta.content = "frame-src 'self'";
/* Notify the parent the iframe has been blocked. */
window.addEventListener('securitypolicyviolation', e => {
if (e.originalPolicy == "frame-src 'self'")
window.parent.postMessage('Test PASS', '*');
This iframe should be blocked by CSP:
<iframe src='data:text/html,blocked_iframe'></iframe>
if (window.async_test) {
async_test(t => {
window.addEventListener("message", e => {
if ( == "Test PASS")
}, "Iframe's url must not match with 'self'. It must be blocked.");