blob: f9e814a1e3b1c763754ced89e078493709767f50 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
<!DOCTYPE html>
<html>
<head>
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
<title>filesystem-urls-do-not-match-self</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="../support/logTest.sub.js?logs=[]"></script>
<script src="../support/alertAssert.sub.js?alerts=[]"></script>
<!-- enforcing policy:
script-src 'self' 'unsafe-inline' 'self'; connect-src 'self';
-->
</head>
<body>
<p>
filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the 'self' or '*' source in CSP directives because they are more akin to 'unsafe-inline' content..
</p>
<script>
if(!window.webkitRequestFileSystem) {
t_log = async_test();
t_log.set_status(t_log.NOTRUN, "No filesystem:// support, cannot run test.");
t_log.phase = t_log.phases.HAS_RESULT;
t_log.done();
} else {
function fail() {
alert_assert("FAIL!");
}
window.webkitRequestFileSystem(
TEMPORARY, 1024 * 1024 /*1MB*/ , function(fs) {
fs.root.getFile('fail.js', {
create: true
}, function(fileEntry) {
fileEntry.createWriter(function(fileWriter) {
fileWriter.onwriteend = function(e) {
var script = document.createElement('script');
script.src = fileEntry.toURL('application/javascript');
document.body.appendChild(script);
};
// Create a new Blob and write it to pass.js.
var b = new Blob(['fail();'], {
type: 'application/javascript'
});
fileWriter.write(b);
});
});
});
var s = document.createElement('script');
s.async = true;
s.defer = true;
s.src = "../support/checkReport.sub.js?reportExists=true&reportField=violated-directive&reportValue=script-src%20'self'%20'unsafe-inline'%20'*'"
document.lastChild.appendChild(s);
}
</script>
<div id="log"></div>
</body>
</html>
|
