| <html> |
| <head> |
| </head> |
| <body> |
| |
| <p>This test does cross-site XHR fetches of documents with the Same Origin |
| Policy turned off in the renderer. The Same Origin Policy can be circumvented |
| when the renderer is compromised, but site isolation ought to block cross-site |
| documents at the IPC layer.</p> |
| |
| <p>We only block cross-site documents with a blocklisted mime type (text/html, |
| text/xml, application/json), that are correctly sniffed as the content type that |
| they claim to be. We also block text/plain documents when their body looks like |
| one of the blocklisted content types.</p> |
| |
| <script> |
| // To be called from the browsertest via EvalJs(). |
| // |rangeHeader| is an optional parameter for specifying a range request header |
| // value (e.g., "bytes=10-20"). |
| function sendRequest(resourceUrl, rangeHeader) { |
| var xhr = new XMLHttpRequest(); |
| return new Promise(resolve => { |
| xhr.onreadystatechange = function() { |
| if (xhr.readyState == 4) { |
| // When a document is blocked, it will appear as the empty string. |
| var wasBlocked = xhr.responseText == ""; |
| document.getElementById("response_body").value += |
| ("\n" + "response to " + resourceUrl + "(" + |
| xhr.getResponseHeader("content-type") + ") " + |
| (wasBlocked ? "blocked" : "not-blocked")); |
| |
| resolve(wasBlocked); |
| } |
| } |
| xhr.open('GET', resourceUrl); |
| if (rangeHeader) { |
| xhr.setRequestHeader("Range", rangeHeader); |
| } |
| xhr.send(); |
| }); |
| } |
| </script> |
| <textarea rows=20 cols=50 id='response_body'></textarea> |
| </body> |
| </html> |
