chrome/test/data/extensions/api_test/sandboxed_pages_csp/sandboxed.html - chromium/src - Git at Google

 This page should be sandboxed.

 <script>
 // We're not served with the extension default CSP, we can use inline script.

 var sendResponse = function(msg) {
   var mainWindow = window.opener || window.top;
   mainWindow.postMessage(msg, '*');
 };

 var remote_frame_loaded = false;
 window.addEventListener('securitypolicyviolation', function(e) {
   if (remote_frame_loaded)
     sendResponse('succeeded');
   else
     sendResponse('failed');
 });

 var loadFrameExpectResponse = function(iframe, url) {
   var identifier = performance.now();
   return new Promise(function(resolve, reject) {
     window.addEventListener('message', function(e) {
       var data = JSON.parse(e.data);
       if (data[0] == 'local frame msg' && data[1] == identifier) {
         resolve();
       } else {
         reject();
       }
     });
     iframe.onerror = reject;
     iframe.onload = function() {
       iframe.contentWindow.postMessage(
           JSON.stringify(['sandboxed frame msg', identifier]), '*');
     };
     iframe.src = url;
   });
 };

 var runTestAndRespond = function(localUrl, remoteUrl) {
   var iframe = document.createElement('iframe');

   // First load local resource in |iframe|, expect the local frame to respond.
   loadFrameExpectResponse(iframe, localUrl).then(function() {
     // Then load remote resource in |iframe|, expect the navigation to be
     // blocked by the Content-Security-Policy.
     // Rely on the SecurityPolicyViolationEvent to detect that the frame has
     // been blocked.
     remote_frame_loaded = true;
     iframe.src = remoteUrl;
   });
   document.body.appendChild(iframe);
 };

 onmessage = function(e) {
   var command = JSON.parse(e.data);
   if (command[0] == 'load') {
     var localUrl = command[1];
     var remoteUrl = command[2];
     runTestAndRespond(localUrl, remoteUrl);
   }
 };

 </script>
	This page should be sandboxed.

	<script>
	// We're not served with the extension default CSP, we can use inline script.

	var sendResponse = function(msg) {
	var mainWindow = window.opener \|\| window.top;
	mainWindow.postMessage(msg, '*');
	};

	var remote_frame_loaded = false;
	window.addEventListener('securitypolicyviolation', function(e) {
	if (remote_frame_loaded)
	sendResponse('succeeded');
	else
	sendResponse('failed');
	});

	var loadFrameExpectResponse = function(iframe, url) {
	var identifier = performance.now();
	return new Promise(function(resolve, reject) {
	window.addEventListener('message', function(e) {
	var data = JSON.parse(e.data);
	if (data[0] == 'local frame msg' && data[1] == identifier) {
	resolve();
	} else {
	reject();
	}
	});
	iframe.onerror = reject;
	iframe.onload = function() {
	iframe.contentWindow.postMessage(
	JSON.stringify(['sandboxed frame msg', identifier]), '*');
	};
	iframe.src = url;
	});
	};

	var runTestAndRespond = function(localUrl, remoteUrl) {
	var iframe = document.createElement('iframe');

	// First load local resource in \|iframe\|, expect the local frame to respond.
	loadFrameExpectResponse(iframe, localUrl).then(function() {
	// Then load remote resource in \|iframe\|, expect the navigation to be
	// blocked by the Content-Security-Policy.
	// Rely on the SecurityPolicyViolationEvent to detect that the frame has
	// been blocked.
	remote_frame_loaded = true;
	iframe.src = remoteUrl;
	});
	document.body.appendChild(iframe);
	};

	onmessage = function(e) {
	var command = JSON.parse(e.data);
	if (command[0] == 'load') {
	var localUrl = command[1];
	var remoteUrl = command[2];
	runTestAndRespond(localUrl, remoteUrl);
	}
	};

	</script>