| <!DOCTYPE html> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <body> |
| <script> |
| async_test(t => { |
| assert_equals(location.protocol, "https:"); |
| |
| var f = document.createElement("iframe"); |
| window.addEventListener("message", t.step_func(e => { |
| if (e.source !== f.contentWindow) |
| return; |
| assert_equals(e.data, "PASS"); |
| t.done(); |
| })); |
| var otherDataUrl = "data:text/html," + encodeURIComponent(` |
| <script src="BLOB_URL_HERE" |
| onerror="parent.postMessage('PASS', '*');" |
| onload="parent.postMessage('FAIL: onload was fired', '*');"> |
| <\/script> |
| `); |
| f.src = "data:text/html," + encodeURIComponent(` |
| <script> |
| var url = URL.createObjectURL(new Blob(["parent.postMessage('FAIL: This external blob:-script should have been blocked', '*');"])); |
| // Navigate to another data-URL, which has a new origin. |
| location.href = "${otherDataUrl}".replace("BLOB_URL_HERE", url); |
| <\/script> |
| `); |
| document.body.appendChild(f); |
| }, "'data:' URL frames cannot load 'blob:' resources originating from another data:-URL."); |
| </script> |
| </body> |