Source code
Revision control
Copy as Markdown
Other Tools
Test Info:
- This WPT test may be referenced by the following Test IDs:
- /content-security-policy/inheritance/window-open-local-after-network-scheme.sub.html - WPT Dashboard Interop Dashboard
<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/utils.js"></script>
<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
<title>about:blank in popup inherits CSPs from the navigation initiator</title>
<body>
<script>
const message_from = (source_token, w) => {
return new Promise(resolve => {
window.addEventListener('message', msg => {
if (msg.data.token === source_token)
resolve(msg.data.msg);
});
});
};
const testCases = [
{
previous_origin: window.origin,
name: "Popup being navigated to about:blank was same-origin.",
},
{
name: "Popup being navigated to about:blank was cross-origin.",
},
];
testCases.forEach(testCase => {
promise_test(async t => {
// Create a popup and navigate it.
const popup_token = token();
// const popup = window.open("about:blank", testCase.name);
const loaded = message_from(popup_token);
const popup = window.open(
testCase.previous_origin +
"/content-security-policy/inheritance/support" +
`/postmessage-opener.html?token=${popup_token}`,
testCase.name);
t.add_cleanup(() => popup.close());
assert_equals(await loaded, "ready");
// Navigate the popup to "about:blank".
window.open("about:blank", testCase.name);
await t.step_wait(
condition = () => {
try {
return popup.location.href == "about:blank";
} catch {}
return false;
},
description = "Wait for the popup to navigate.",
timeout=3000,
interval=50);
// Now create an img in the popup and check if it is blocked by CSPs.
const script = popup.document.createElement('script');
script.innerText = `
function messageBack(msg) {
opener.postMessage(msg ,"*");
}
`;
popup.document.head.appendChild(script);
const div = popup.document.createElement('div');
const img_token = token();
const img_url = window.origin + "/content-security-policy/support/fail.png";
div.innerHTML = `
<img src="${img_url}"
onload="messageBack({msg: 'img loaded', token: '${img_token}'});"
onerror="messageBack({msg: 'img blocked', token: '${img_token}'});"
>
`;
const msg = message_from(img_token);
popup.document.body.appendChild(div);
assert_equals(await msg, "img blocked");
}, testCase.name);
});
</script>