third_party/blink/web_tests/http/tests/security/mixedContent/blocked-blob-url-script-in-data-iframe.https.html

<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<body>
<script>
async_test(t => {
    assert_equals(location.protocol, "https:");

    var f = document.createElement("iframe");
    window.addEventListener("message", t.step_func(e => {
        if (e.source !== f.contentWindow)
            return;
        assert_equals(e.data, "PASS");
        t.done();
    }));
    var otherDataUrl = "data:text/html," + encodeURIComponent(`
        <script src="BLOB_URL_HERE"
                onerror="parent.postMessage('PASS', '*');"
                onload="parent.postMessage('FAIL: onload was fired', '*');">
        <\/script>
    `);
    f.src = "data:text/html," + encodeURIComponent(`
        <script>
        var url = URL.createObjectURL(new Blob(["parent.postMessage('FAIL: This external blob:-script should have been blocked', '*');"]));
        // Navigate to another data-URL, which has a new origin.
        location.href = "${otherDataUrl}".replace("BLOB_URL_HERE", url);
        <\/script>
    `);
    document.body.appendChild(f);
}, "'data:' URL frames cannot load 'blob:' resources originating from another data:-URL.");
</script>
</body>