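<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Site isolation: cross-site document blocking with web security disabled</title>
</head>
<body>
  <p>
    This test shows that cross-site documents are blocked by SiteIsolationPolicy
    even if the Same Origin Policy is turned off in the renderer. The Same Origin
    Policy can be circumvented when the renderer is compromised, but we have
    SiteIsolationPolicy that blocks cross-site documents at the IPC layer. For now
    cross-site document blocking by SiteIsolationPolicy is done in the renderer, but
    our ultimate plan is to do that in the browser process.
  </p>

  <!-- One line per fetched resource is appended here for debugging. -->
  <textarea rows="20" cols="50" id="response_body"></textarea>

  <script>
    // The test treats a response whose body is exactly one space as a blocked
    // document; any other body means the document reached the page.
    var BLOCKED_BODY = " ";
    var pathPrefix = "http://bar.com/files/site_isolation/";

    // We only block cross-site documents with a blacklisted mime type (text/html,
    // text/xml, application/json) that are correctly sniffed as the content type
    // they claim to be. We also block text/plain documents when their body looks
    // like one of the blacklisted content types.
    var blockedResourceUrls = ['valid.html', 'comment_valid.html', 'valid.xml',
                               'valid.json', 'html.txt', 'xml.txt', 'json.txt'];

    // Documents whose body does not sniff as the claimed (or any) blacklisted
    // type must reach the page unmodified.
    var nonBlockedResourceUrls = ['js.html', 'comment_js.html', 'js.xml', 'js.json',
                                  'js.txt', 'img.html', 'img.xml', 'img.json', 'img.txt'];

    var resourceUrls = blockedResourceUrls.concat(nonBlockedResourceUrls);

    // Set as soon as one resource is mishandled, so that the final verdict sent
    // to the harness is never a pass after a failure has already been reported.
    var failed = false;

    // Whether the completed request carries the blocked-document body.
    function isBlocked(xhr) {
      return xhr.responseText == BLOCKED_BODY;
    }

    // Appends the outcome for one resource to the visible textarea.
    function logResult(prefix, resourceUrl, xhr) {
      document.getElementById("response_body").value +=
          "\n" + prefix + "response to " + resourceUrl + "(" +
          xhr.getResponseHeader("content-type") + ") " +
          (isBlocked(xhr) ? "blocked" : "not-blocked");
    }

    // Fetches one resource and checks that it was blocked exactly when it is
    // listed in blockedResourceUrls. A mismatch is reported to the harness right
    // away (send(0)); the outcome is logged and the next resource is requested.
    function sendRequest(resourceUrl) {
      var xhr = new XMLHttpRequest();
      xhr.onreadystatechange = function() {
        if (xhr.readyState != 4) {
          return;
        }
        var shouldBeBlocked = blockedResourceUrls.indexOf(resourceUrl) != -1;
        var prefix = "";
        if (shouldBeBlocked != isBlocked(xhr)) {
          // Test failed. Either a resource that should have been blocked is not
          // blocked, or a resource that should have not been blocked is blocked.
          failed = true;
          domAutomationController.setAutomationId(0);
          domAutomationController.send(0);
          prefix = shouldBeBlocked ?
              "[ERROR:resource to be blocked wasn't blocked]" :
              "[ERROR:resource to be unblocked was blocked]";
        }
        logResult(prefix, resourceUrl, xhr);
        drive();
      };
      xhr.open('GET', pathPrefix + resourceUrl);
      xhr.send();
    }

    var cnt = 0;
    // Issues the requests strictly one at a time; each completion calls back in.
    function drive() {
      if (cnt < resourceUrls.length) {
        sendRequest(resourceUrls[cnt]);
        ++cnt;
      } else if (!failed) {
        // All the test cases are successfully passed.
        domAutomationController.setAutomationId(0);
        domAutomationController.send(1);
      }
    }

    window.onload = function() {
      // The call to pushState with another domain will succeed, since the
      // test uses --disable-web-security.
      history.pushState('', '', 'http://bar.com/files/main.html');
      drive();
    };
  </script>
</body>
</html>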