| This page should be sandboxed. |
| |
| <script> |
| // We're not served with the extension default CSP, we can use inline script. |
| |
| var sendResponse = function(msg) { |
| var mainWindow = window.opener || window.top; |
| mainWindow.postMessage(msg, '*'); |
| }; |
| |
| var remote_frame_loaded = false; |
| window.addEventListener('securitypolicyviolation', function(e) { |
| if (remote_frame_loaded) |
| sendResponse('succeeded'); |
| else |
| sendResponse('failed'); |
| }); |
| |
| var loadFrameExpectResponse = function(iframe, url) { |
| var identifier = performance.now(); |
| return new Promise(function(resolve, reject) { |
| window.addEventListener('message', function(e) { |
| var data = JSON.parse(e.data); |
| if (data[0] == 'local frame msg' && data[1] == identifier) { |
| resolve(); |
| } else { |
| reject(); |
| } |
| }); |
| iframe.onerror = reject; |
| iframe.onload = function() { |
| iframe.contentWindow.postMessage( |
| JSON.stringify(['sandboxed frame msg', identifier]), '*'); |
| }; |
| iframe.src = url; |
| }); |
| }; |
| |
| var runTestAndRespond = function(localUrl, remoteUrl) { |
| var iframe = document.createElement('iframe'); |
| |
| // First load local resource in |iframe|, expect the local frame to respond. |
| loadFrameExpectResponse(iframe, localUrl).then(function() { |
| // Then load remote resource in |iframe|, expect the navigation to be |
| // blocked by the Content-Security-Policy. |
| // Rely on the SecurityPolicyViolationEvent to detect that the frame has |
| // been blocked. |
| remote_frame_loaded = true; |
| iframe.src = remoteUrl; |
| }); |
| document.body.appendChild(iframe); |
| }; |
| |
| onmessage = function(e) { |
| var command = JSON.parse(e.data); |
| if (command[0] == 'load') { |
| var localUrl = command[1]; |
| var remoteUrl = command[2]; |
| runTestAndRespond(localUrl, remoteUrl); |
| } |
| }; |
| |
| </script> |