forked from mirrors/gecko-dev
27 lines
1 KiB
HTML
27 lines
1 KiB
HTML
<!DOCTYPE HTML>
|
|
<html>
|
|
<head>
|
|
<meta charset="utf-8">
|
|
</head>
|
|
<body>
|
|
<!-- iframe loading the blob url with null origin -->
|
|
<iframe id="blobFrame"></iframe>
|
|
<script>
|
|
// If the alert box is blocked correctly by the CSP then postMessage will
|
|
// send the message and test passes.
|
|
var alertScriptText = "data:text/html,<script>location=URL.createObjectURL(" +
|
|
"new Blob(['<script>alert(document.URL);parent.parent.postMessage(" +
|
|
"{\"test\": \"block_alert_test\", \"msg\": \"alert blocked by" +
|
|
" CSP\"}, \"*\");<\\/script>'], {type:\"text/html\"}));<\/script>";
|
|
document.getElementById("blobFrame").src=alertScriptText;
|
|
try {
|
|
var w = window.open("http://www.example.com","newwindow");
|
|
parent.postMessage({"test": "block_window_open_test",
|
|
"msg": "new window not blocked by CSP"},"*");
|
|
} catch(err) {
|
|
parent.postMessage({"test": "block_window_open_test",
|
|
"msg": "window blocked by CSP"},"*");
|
|
}
|
|
</script>
|
|
</body>
|
|
</html>
|