<!DOCTYPE html>
<meta charset="utf-8">
<title>Blob URL inherits CSP from initiator.</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
let testCases = [
initiator_origin: window.origin,
name: "Initiator is same-origin with target frame.",
name: "Initiator is cross-origin with target frame.",
testCases.forEach(test => {
async_test(t => {
// Create a popup. At the beginning, the popup has no CSPs.
let target =;
t.add_cleanup(() => target.close());
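// Create a child frame in the popup. The child frame has
// Content-Security-Policy: script-src 'unsafe-inline'. The child frame
// will navigate the popup to a blob URL; the blob document checks whether
// eval is allowed and posts the result back. That policy does not include
// 'unsafe-eval', so eval must be blocked if the blob document inherits the
// initiator's CSP.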
let initiator = target.document.createElement('iframe');
initiator.sandbox = "allow-scripts allow-same-origin allow-top-navigation";
initiator.src = test.initiator_origin +
window.addEventListener("message", t.step_func(e => {
if (e.source !== target) return;
assert_equals(, "eval blocked",
"Eval should be blocked by CSP in blob URL.");