content/test/data/cross_site_document_request.html - chromium/chromium - Git at Google

 <html>
 <head>
 </head>
 <body>
 This test shows that cross-site documents are blocked by SiteIsolationPolicy
 even if the Same Origin Policy is turned off in the renderer. The Same Origin
 Policy can be circumvented when the renderer is compromised, but we have
 SiteIsolationPolicy that blocks cross-site documents at the IPC layer. For now
 cross-site document blocking by SiteIsolationPolicy is done in the renderer, but
 our ultimate plan is to do that in the browser process.

 <script>
 var xhrStatus = -1;
 var pathPrefix = "http://bar.com/files/site_isolation/";

 // We only block cross-site documents with a blacklisted mime type(text/html,
 // text/xml, application/json), that are correctly sniffed as the content type
 // that they claim to be. We also block text/plain documents when their body
 // looks like one of the blacklisted content types.

 var blockedResourceUrls = ['valid.html', 'comment_valid.html', 'valid.xml',
 'valid.json', 'html.txt', 'xml.txt', 'json.txt'];

 var nonBlockedResourceUrls = ['js.html', 'comment_js.html', 'js.xml', 'js.json',
 'js.txt', 'img.html', 'img.xml', 'img.json', 'img.txt', 'comment_js.html'];

 var resourceUrls = blockedResourceUrls.concat(nonBlockedResourceUrls);

 var failed = false;
 function sendRequest(resourceUrl) {
   var xhr = new XMLHttpRequest();
   xhr.onreadystatechange = function() {
     if (xhr.readyState == 4) {
       var prefix = "";
       if ((blockedResourceUrls.indexOf(resourceUrl) != -1 &&
            xhr.responseText != " ") ||
           (nonBlockedResourceUrls.indexOf(resourceUrl) != -1 &&
            xhr.responseText == " ")) {
         // Test failed. Either a resource that should have been blocked is not
         // blocked, or a resource that should have not been blocked is blocked.
         domAutomationController.setAutomationId(0);
         domAutomationController.send(0);
         if (blockedResourceUrls.indexOf(resourceUrl) != -1) {
           prefix = "[ERROR:resource to be blocked wasn't blocked]";
         } else {
           prefix = "[ERROR:resource to be unblocked was blocked]";
         }
       }
       document.getElementById("response_body").value +=
           ("\n" + prefix + "response to " + resourceUrl + "(" +
            xhr.getResponseHeader("content-type") + ") " +
            (xhr.responseText == " " ? "blocked" : "not-blocked"));
       drive();
     }
   }
   xhr.open('GET', pathPrefix + resourceUrl);
   xhr.send();
 }

 var cnt = 0;
 function drive() {
   if (cnt < resourceUrls.length) {
     sendRequest(resourceUrls[cnt]);
     ++cnt;
   } else {
     // All the test cases are successfully passed.
     domAutomationController.setAutomationId(0);
     domAutomationController.send(1);
   }
 }

 window.onload = function() {
   // The call to pushState with another domain will succeed, since the
   // test uses --disable-web-security.
   history.pushState('', '', 'http://bar.com/files/main.html');
   drive();
 }
 </script>
 <textarea rows=20 cols=50 id='response_body'></textarea>
 </body>
 </html>
	<html>
	<head>
	</head>
	<body>
	This test shows that cross-site documents are blocked by SiteIsolationPolicy
	even if the Same Origin Policy is turned off in the renderer. The Same Origin
	Policy can be circumvented when the renderer is compromised, but we have
	SiteIsolationPolicy that blocks cross-site documents at the IPC layer. For now
	cross-site document blocking by SiteIsolationPolicy is done in the renderer, but
	our ultimate plan is to do that in the browser process.

	<script>
	var xhrStatus = -1;
	var pathPrefix = "http://bar.com/files/site_isolation/";

	// We only block cross-site documents with a blacklisted mime type(text/html,
	// text/xml, application/json), that are correctly sniffed as the content type
	// that they claim to be. We also block text/plain documents when their body
	// looks like one of the blacklisted content types.

	var blockedResourceUrls = ['valid.html', 'comment_valid.html', 'valid.xml',
	'valid.json', 'html.txt', 'xml.txt', 'json.txt'];

	var nonBlockedResourceUrls = ['js.html', 'comment_js.html', 'js.xml', 'js.json',
	'js.txt', 'img.html', 'img.xml', 'img.json', 'img.txt', 'comment_js.html'];

	var resourceUrls = blockedResourceUrls.concat(nonBlockedResourceUrls);

	var failed = false;
	function sendRequest(resourceUrl) {
	var xhr = new XMLHttpRequest();
	xhr.onreadystatechange = function() {
	if (xhr.readyState == 4) {
	var prefix = "";
	if ((blockedResourceUrls.indexOf(resourceUrl) != -1 &&
	xhr.responseText != " ") \|\|
	(nonBlockedResourceUrls.indexOf(resourceUrl) != -1 &&
	xhr.responseText == " ")) {
	// Test failed. Either a resource that should have been blocked is not
	// blocked, or a resource that should have not been blocked is blocked.
	domAutomationController.setAutomationId(0);
	domAutomationController.send(0);
	if (blockedResourceUrls.indexOf(resourceUrl) != -1) {
	prefix = "[ERROR:resource to be blocked wasn't blocked]";
	} else {
	prefix = "[ERROR:resource to be unblocked was blocked]";
	}
	}
	document.getElementById("response_body").value +=
	("\n" + prefix + "response to " + resourceUrl + "(" +
	xhr.getResponseHeader("content-type") + ") " +
	(xhr.responseText == " " ? "blocked" : "not-blocked"));
	drive();
	}
	}
	xhr.open('GET', pathPrefix + resourceUrl);
	xhr.send();
	}

	var cnt = 0;
	function drive() {
	if (cnt < resourceUrls.length) {
	sendRequest(resourceUrls[cnt]);
	++cnt;
	} else {
	// All the test cases are successfully passed.
	domAutomationController.setAutomationId(0);
	domAutomationController.send(1);
	}
	}

	window.onload = function() {
	// The call to pushState with another domain will succeed, since the
	// test uses --disable-web-security.
	history.pushState('', '', 'http://bar.com/files/main.html');
	drive();
	}
	</script>
	<textarea rows=20 cols=50 id='response_body'></textarea>
	</body>
	</html>