Source code
Revision control
Copy as Markdown
Other Tools
Test Info:
- This WPT test may be referenced by the following Test IDs:
- /content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html - WPT Dashboard Interop Dashboard
<!DOCTYPE HTML>
<html>
<head>
<!-- This tests a bug that can occur when content layer CSP is not told
about the CSP inherited from the parent document which leads to it not
applying it to content layer CSP checks (such as frame-src with
PlzNavigate on).
Also see crbug.com/778658. -->
<script src='/resources/testharness.js'></script>
<script src='/resources/testharnessreport.js'></script>
</head>
<body>
<script>
var t = async_test("iframe still inherits correct CSP");
window.onmessage = t.step_func_done(function(e) {
assert_equals(e.data, "frame-src");
});
function doDocWrite() {
x = document.getElementById('x');
x.location = "";
// While document.write is deprecated I did not find another way to reproduce
// the original exploit.
x.contentDocument.write(
'<script>window.addEventListener("securitypolicyviolation", function(e) {' +
' window.top.postMessage(e.violatedDirective, "*");' +
'});</scr' + 'ipt>' +
'<iframe src="../support/fail.html"></iframe>'
);
x.contentDocument.close();
var s = document.createElement('script');
s.async = true;
s.defer = true;
s.src = '../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-src%20%27none%27';
document.lastChild.appendChild(s);
}
</script>
<iframe id="x" onload="doDocWrite()" srcdoc="<a href='about:blank'>123</a>"></iframe>
</body>
</html>