content-security-policy/child-src/child-src-cross-origin-load.sub.html - external/github.com/web-platform-tests/wpt - Git at Google

 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <meta http-equiv="Content-Security-Policy" content="child-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self';"> </head>
 <body></body>

 <script>
 async_test(test => {
   let count = 0;
   window.addEventListener("message", test.step_func((event) => {
     assert_equals(event.data, "PASS");
     count++;
     assert_less_than_equal(count, 2);
     if (count == 2) {
       // Use a timeout, to let some time for additional messages to show up
       // before declaring this test as completed.
       test.step_timeout(() => test.done(), 1000);
     }
   }));
 }, "Two of the three iframe are expected to load.");

 // IFrames blocked by CSP should generate a 'load', not 'error' event,
 // regardless of blocked state. This means they appear to be normal
 // cross-origin loads, thereby not leaking URL information directly to JS.
 const runTest = (description, src) => {
   async_test(test => {
     const iframe = document.createElement("iframe");
     iframe.src = src;
     iframe.onload = () => test.done();
     iframe.onerror = () => test.assert_unreached('unexpected onerror')
     document.body.appendChild(iframe);
   }, description);
 };

 runTest("Navigation in iframe allowed by child-src 'self'",
   "/content-security-policy/support/postmessage-pass.html");

 runTest("Navigation in iframe allowed by child-src explicit CSP source",
   "http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-pass.html");

 runTest("Navigation in iframe not allowed by child-src",
   "http://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-fail.html");
 </script>
	<script src="/resources/testharness.js"></script>
	<script src="/resources/testharnessreport.js"></script>
	<meta http-equiv="Content-Security-Policy" content="child-src 'self' http://www1.{{host}}:{{ports[http][0]}}; script-src 'self' 'unsafe-inline'; connect-src 'self';"> </head>
	<body></body>

	<script>
	async_test(test => {
	let count = 0;
	window.addEventListener("message", test.step_func((event) => {
	assert_equals(event.data, "PASS");
	count++;
	assert_less_than_equal(count, 2);
	if (count == 2) {
	// Use a timeout, to let some time for additional messages to show up
	// before declaring this test as completed.
	test.step_timeout(() => test.done(), 1000);
	}
	}));
	}, "Two of the three iframe are expected to load.");

	// IFrames blocked by CSP should generate a 'load', not 'error' event,
	// regardless of blocked state. This means they appear to be normal
	// cross-origin loads, thereby not leaking URL information directly to JS.
	const runTest = (description, src) => {
	async_test(test => {
	const iframe = document.createElement("iframe");
	iframe.src = src;
	iframe.onload = () => test.done();
	iframe.onerror = () => test.assert_unreached('unexpected onerror')
	document.body.appendChild(iframe);
	}, description);
	};

	runTest("Navigation in iframe allowed by child-src 'self'",
	"/content-security-policy/support/postmessage-pass.html");

	runTest("Navigation in iframe allowed by child-src explicit CSP source",
	"http://{{domains[www1]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-pass.html");

	runTest("Navigation in iframe not allowed by child-src",
	"http://{{domains[www2]}}:{{ports[http][0]}}/content-security-policy/support/postmessage-fail.html");
	</script>