| <!doctype html> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <meta http-equiv="Content-Security-Policy" content="frame-src https://localhost:8443"> |
| <script> |
| async_test(t => { |
| var watcher = new EventWatcher(t, document, ['securitypolicyviolation']); |
| watcher |
| .wait_for('securitypolicyviolation') |
| .then(t.step_func(e => { |
| assert_equals(e.blockedURI, "http://localhost:8000", "The reported URL should be stripped."); |
| assert_equals(e.lineNumber, 7, "This shouldn't actually be 7, since it happens in a cross-origin frame. :/"); |
| t.done(); |
| })); |
| |
| window.onmessage = t.unreached_func('No message should be sent from the frame.'); |
| window.onload = _ => { |
| // The test verifies that Content-Security-Policy from the main frame |
| // restricts child frame's location even when the location is changed |
| // as a result of a navigation trigerred from within the child frame |
| // (which might reside in another renderer process due to --site-per-process). |
| var url = "https://localhost:8443/security/contentSecurityPolicy/resources/frame-that-navigates-itself.html"; |
| var i = document.createElement('iframe'); |
| i.src = url; |
| document.body.appendChild(i); |
| }; |
| }, "The frame's navigation is blocked."); |
| </script> |