Source code
Revision control
Copy as Markdown
Other Tools
Test Info: Warnings
- This test has a WPT meta file that expects 2 subtest issues.
- This WPT test may be referenced by the following Test IDs:
- /content-security-policy/inheritance/document-write-iframe.html - WPT Dashboard Interop Dashboard
<!DOCTYPE html>
<head>
<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<title>document.open() does not change Content Security Policies</title>
</head>
<body>
<script>
let message_from = (w) => {
return new Promise(resolve => {
let listener = msg => {
if (msg.source != w)
return;
window.removeEventListener('message', listener);
resolve(msg.data);
};
window.addEventListener('message', listener);
});
};
var documentBody = function(should_load) {
let image = should_load ? "pass.png" : "fail.png";
return `
<script>
function loaded() {
window.top.postMessage("loaded", '*');
};
window.addEventListener('securitypolicyviolation', function(e) {
window.top.postMessage("blocked", '*');
});
</scr`+`ipt>
<img src='/content-security-policy/support/${image}' onload='loaded()'>`;
};
promise_test(async () => {
let iframe = document.createElement('iframe');
document.body.appendChild(iframe);
let msg = message_from(iframe.contentWindow);
let doc = iframe.contentWindow.document;
doc.open();
doc.write("<html><body>" + documentBody(false) + "</body></html>");
doc.close();
assert_equals(await msg, "blocked");
}, "document.open() keeps inherited CSPs on empty iframe.");
promise_test(async () => {
let iframe = document.createElement('iframe');
let loaded = new Promise(resolve => iframe.onload = resolve);
iframe.src = "/common/blank.html";
document.body.appendChild(iframe);
await loaded;
let msg = message_from(iframe.contentWindow);
let doc = iframe.contentWindow.document;
doc.open();
doc.write("<html><body>" + documentBody(true) + "</body></html>");
doc.close();
assert_equals(await msg, "loaded");
}, "document.open() does not change delivered CSPs.");
</script>
</body>
</html>