content/test/data/cross_site_document_request.html - chromium/src.git - Git at Google

 <html>
 <head>
 </head>
 <body>

 <p>This test does cross-site XHR fetches of documents with the Same Origin
 Policy turned off in the renderer. The Same Origin Policy can be circumvented
 when the renderer is compromised, but site isolation ought to block cross-site
 documents at the IPC layer.</p>

 <p>We only block cross-site documents with a blacklisted mime type (text/html,
 text/xml, application/json), that are correctly sniffed as the content type that
 they claim to be. We also block text/plain documents when their body looks like
 one of the blacklisted content types.</p>

 <script>
 var pathPrefix = "http://bar.com/site_isolation/";

 // To be called from the browsertest via ExecuteScriptAndExtractBool().
 function sendRequest(resourceUrl) {
   var xhr = new XMLHttpRequest();
   xhr.onreadystatechange = function() {
     if (xhr.readyState == 4) {
       // At one point this test operated with an experimental flag to actually
       // block requests in the render process -- in that case the blocked
       // response was replaced with the literal string " ". That flag has been
       // removed (circa June 2015), but when browser process document blocking
       // is implemented, we may wish to update this test accordingly.
       var wasBlocked = xhr.responseText == " ";
       document.getElementById("response_body").value +=
           ("\n" + "response to " + resourceUrl + "(" +
            xhr.getResponseHeader("content-type") + ") " +
            (wasBlocked ? "blocked" : "not-blocked"));

       domAutomationController.setAutomationId(0);
       domAutomationController.send(wasBlocked);
     }
   }
   xhr.open('GET', pathPrefix + resourceUrl);
   xhr.send();
 }

 window.onload = function() {
   // The call to pushState with another domain will succeed, since the
   // test uses --disable-web-security.
   history.pushState('', '', 'http://bar.com/files/main.html');
 }
 </script>
 <textarea rows=20 cols=50 id='response_body'></textarea>
 </body>
 </html>
	<html>
	<head>
	</head>
	<body>

	<p>This test does cross-site XHR fetches of documents with the Same Origin
	Policy turned off in the renderer. The Same Origin Policy can be circumvented
	when the renderer is compromised, but site isolation ought to block cross-site
	documents at the IPC layer.</p>

	<p>We only block cross-site documents with a blacklisted mime type (text/html,
	text/xml, application/json), that are correctly sniffed as the content type that
	they claim to be. We also block text/plain documents when their body looks like
	one of the blacklisted content types.</p>

	<script>
	var pathPrefix = "http://bar.com/site_isolation/";

	// To be called from the browsertest via ExecuteScriptAndExtractBool().
	function sendRequest(resourceUrl) {
	var xhr = new XMLHttpRequest();
	xhr.onreadystatechange = function() {
	if (xhr.readyState == 4) {
	// At one point this test operated with an experimental flag to actually
	// block requests in the render process -- in that case the blocked
	// response was replaced with the literal string " ". That flag has been
	// removed (circa June 2015), but when browser process document blocking
	// is implemented, we may wish to update this test accordingly.
	var wasBlocked = xhr.responseText == " ";
	document.getElementById("response_body").value +=
	("\n" + "response to " + resourceUrl + "(" +
	xhr.getResponseHeader("content-type") + ") " +
	(wasBlocked ? "blocked" : "not-blocked"));

	domAutomationController.setAutomationId(0);
	domAutomationController.send(wasBlocked);
	}
	}
	xhr.open('GET', pathPrefix + resourceUrl);
	xhr.send();
	}

	window.onload = function() {
	// The call to pushState with another domain will succeed, since the
	// test uses --disable-web-security.
	history.pushState('', '', 'http://bar.com/files/main.html');
	}
	</script>
	<textarea rows=20 cols=50 id='response_body'></textarea>
	</body>
	</html>