<!DOCTYPE HTML> <html> <head> <meta charset="utf-8"> <title>Bug 1302667 - Test frame-src</title> <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> </head> <body> <iframe style="width:100%;" id="testframe"></iframe> <script class="testbody" type="text/javascript"> SimpleTest.waitForExplicitFinish(); /* Description of the test: * We load a page inlcuding a frame a CSP of: * >> frame-src https://example.com; child-src 'none' * and make sure that frame-src governs frames correctly. In addition, * we make sure that child-src is discarded in case frame-src is specified. */ const ORIGIN_1 = "https://example.com/tests/dom/security/test/csp/"; const ORIGIN_2 = "https://test1.example.com/tests/dom/security/test/csp/"; let TESTS = [ // frame-src tests ORIGIN_1 + "file_frame_src_frame_governs.html", ORIGIN_2 + "file_frame_src_frame_governs.html", // child-src tests ORIGIN_1 + "file_frame_src_child_governs.html", ORIGIN_2 + "file_frame_src_child_governs.html", ]; let testIndex = 0; function checkFinish() { if (testIndex >= TESTS.length) { window.removeEventListener("message", receiveMessage); SimpleTest.finish(); return; } runNextTest(); } window.addEventListener("message", receiveMessage); function receiveMessage(event) { let href = event.data.href; let result = event.data.result; if (href.startsWith("https://example.com")) { if (result == "frame-allowed") { ok(true, "allowing frame from https://example.com (" + result + ")"); } else { ok(false, "blocking frame from https://example.com (" + result + ")"); } } else if (href.startsWith("https://test1.example.com")) { if (result == "frame-blocked") { ok(true, "blocking frame from https://test1.example.com (" + result + ")"); } else { ok(false, "allowing frame from https://test1.example.com (" + result + ")"); } } else { // sanity check, we should never enter that branch, bust just in case... ok(false, "unexpected result: " + result); } checkFinish(); } function runNextTest() { document.getElementById("testframe").src = TESTS[testIndex]; testIndex++; } // fire up the tests runNextTest(); </script> </body> </html>