https://github.com/web-platform-tests/wpt
Revision c26bdad5f6e564f0a791c746c549493c6f9dae7a authored by andypaicu@chromium.org on 16 August 2017, 15:22:43 UTC, committed by Chromium WPT Sync on 16 August 2017, 15:22:43 UTC
Modified resource fetching to allow piping back to the ResourceClient a
struct needed for firing the securityviolationevent. This allows us
to specify the targeted element as well in the event.

CSP violation events have overly vague srcElement and path when being
triggered for an element that requires a fetch because the element is not
being passed down to where the csp check takes place and the report is
fired.

Bug: 737647
Change-Id: I944ea2ea69447c612c01b9e6f723f110fa28a1f5
Reviewed-on: https://chromium-review.googlesource.com/558917
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
WPT-Export-Revision: 31f217e45648ca2ab02d5c681cde6e48f0134852
1 parent 2a86707
Tip revision: c26bdad5f6e564f0a791c746c549493c6f9dae7a authored by andypaicu@chromium.org on 16 August 2017, 15:22:43 UTC
Fixed securityviolationevent not containing the full src and path
Tip revision: c26bdad
postMessage_origin_mismatch_xorigin.sub.htm
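<!DOCTYPE html>
<html>
<head>
<title> Cross-origin: Origin of the target window doesn't match the given origin </title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>
<body>
<div id=log></div>

<!-- Hidden child frame served from the www1 subdomain, so it is cross-origin
     to this page. Its load event starts the test via PostMessageTest(). -->
<div style="display:none">
    <iframe width="70%" onload="PostMessageTest()" src="{{location[scheme]}}://{{domains[www1]}}:{{location[port]}}/webmessaging/support/ChildWindowPostMessage.htm"></iframe>
</div>

<script>

    // Security property under test: postMessage() must deliver a message only
    // when the targetOrigin argument matches the origin of the receiving
    // window (or is the wildcard). A message sent with a non-matching
    // targetOrigin must be dropped and never reach the cross-origin child.

    // NOTE: this string is the test name reported by the harness; keep it stable.
    var description = "Test Description: " +
                      "Cross-origin: If the origin of the target window doesn't match the given origin, " +
                      "the message is discarded.";

    var t = async_test(description);

    // Origins are serialized without a port when location.port is empty.
    var PORT = location.port !== "" ? ":" + location.port : "";
    var TARGET = document.querySelector("iframe");
    // Origin of the child frame (www1 subdomain).
    var XORIGIN = "{{location[scheme]}}://{{domains[www1]}}" + PORT;
    // Origin of this page; it differs from the child's origin.
    var SORIGIN = "{{location[scheme]}}://{{host}}" + PORT;
    // Only "#0" and "#3" may come back, each paired with the child's origin.
    // Presumably ChildWindowPostMessage.htm replies to its parent with the data
    // it received; confirm against the support file.
    var ExpectedResult = ["#0", XORIGIN, "#3", XORIGIN];
    var ActualResult = [];

    /**
     * Sends four messages to the child frame, two that must be delivered and
     * two that must be discarded. Called from the iframe's onload attribute.
     */
    function PostMessageTest()
    {
        // Run inside a test step so that an exception thrown by postMessage()
        // is reported as a failure of this test rather than as an uncaught
        // error outside of it.
        t.step(function()
        {
            // targetOrigin equals the child's origin: delivered.
            TARGET.contentWindow.postMessage("#0", XORIGIN);
            // targetOrigin is an unrelated origin: must be discarded.
            TARGET.contentWindow.postMessage("#1", "http://www.invalid-domain.com");
            // targetOrigin is the sender's own origin, not the child's: must be discarded.
            TARGET.contentWindow.postMessage("#2", SORIGIN);
            // "*" places no restriction on the receiver's origin: delivered.
            TARGET.contentWindow.postMessage("#3", "*");
        });
    }

    // Collect every reply as a (data, origin) pair. e.origin is recorded so the
    // assertion also pins which origin the replies came from. A wrongly
    // delivered "#1" or "#2" would take a slot ahead of "#3" and make the
    // array comparison fail.
    window.onmessage = t.step_func(function(e)
    {
        ActualResult.push(e.data, e.origin);

        if (ActualResult.length >= ExpectedResult.length)
        {
            assert_array_equals(ActualResult, ExpectedResult, "ActualResult");
            t.done();
        }
    });
</script>
</body>
</html>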