content/test/data/cross_site_document_blocking/request.html - chromium/src - Git at Google

 <html>
 <head>
 </head>
 <body>

 <p>This test does cross-site XHR fetches of documents with the Same Origin
 Policy turned off in the renderer. The Same Origin Policy can be circumvented
 when the renderer is compromised, but site isolation ought to block cross-site
 documents at the IPC layer.</p>

 <p>We only block cross-site documents with a blacklisted mime type (text/html,
 text/xml, application/json), that are correctly sniffed as the content type that
 they claim to be. We also block text/plain documents when their body looks like
 one of the blacklisted content types.</p>

 <script>
 var pathPrefix = "http://bar.com/site_isolation/";

 // To be called from the browsertest via ExecuteScriptAndExtractBool().
 // |rangeHeader| is an optional parameter for specifying a range request header
 // value (e.g., "bytes=10-20").
 function sendRequest(resourceUrl, rangeHeader) {
   var xhr = new XMLHttpRequest();
   xhr.onreadystatechange = function() {
     if (xhr.readyState == 4) {
       // When a document is blocked, it will appear as the empty string.
       var wasBlocked = xhr.responseText == "";
       document.getElementById("response_body").value +=
           ("\n" + "response to " + resourceUrl + "(" +
            xhr.getResponseHeader("content-type") + ") " +
            (wasBlocked ? "blocked" : "not-blocked"));

       domAutomationController.send(wasBlocked);
     }
   }
   xhr.open('GET', pathPrefix + resourceUrl);
   if (rangeHeader) {
     xhr.setRequestHeader("Range", rangeHeader);
   }
   xhr.send();
 }
 </script>
 <textarea rows=20 cols=50 id='response_body'></textarea>
 </body>
 </html>
	<html>
	<head>
	</head>
	<body>

	<p>This test does cross-site XHR fetches of documents with the Same Origin
	Policy turned off in the renderer. The Same Origin Policy can be circumvented
	when the renderer is compromised, but site isolation ought to block cross-site
	documents at the IPC layer.</p>

	<p>We only block cross-site documents with a blacklisted mime type (text/html,
	text/xml, application/json), that are correctly sniffed as the content type that
	they claim to be. We also block text/plain documents when their body looks like
	one of the blacklisted content types.</p>

	<script>
	var pathPrefix = "http://bar.com/site_isolation/";

	// To be called from the browsertest via ExecuteScriptAndExtractBool().
	// \|rangeHeader\| is an optional parameter for specifying a range request header
	// value (e.g., "bytes=10-20").
	function sendRequest(resourceUrl, rangeHeader) {
	var xhr = new XMLHttpRequest();
	xhr.onreadystatechange = function() {
	if (xhr.readyState == 4) {
	// When a document is blocked, it will appear as the empty string.
	var wasBlocked = xhr.responseText == "";
	document.getElementById("response_body").value +=
	("\n" + "response to " + resourceUrl + "(" +
	xhr.getResponseHeader("content-type") + ") " +
	(wasBlocked ? "blocked" : "not-blocked"));

	domAutomationController.send(wasBlocked);
	}
	}
	xhr.open('GET', pathPrefix + resourceUrl);
	if (rangeHeader) {
	xhr.setRequestHeader("Range", rangeHeader);
	}
	xhr.send();
	}
	</script>
	<textarea rows=20 cols=50 id='response_body'></textarea>
	</body>
	</html>