• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1<html>
2<head>
3</head>
4<body>
5This test shows that cross-site documents are blocked by SiteIsolationPolicy
6even if the Same Origin Policy is turned off in the renderer. The Same Origin
7Policy can be circumvented when the renderer is compromised, but we have
8SiteIsolationPolicy that blocks cross-site documents at the IPC layer. For now
9cross-site document blocking by SiteIsolationPolicy is done in the renderer, but
10our ultimate plan is to do that in the browser process.
11
12<script>
13var xhrStatus = -1;
14var pathPrefix = "http://bar.com/files/site_isolation/";
15
16// We only block cross-site documents with a blacklisted mime type(text/html,
17// text/xml, application/json), that are correctly sniffed as the content type
18// that they claim to be. We also block text/plain documents when their body
19// looks like one of the blacklisted content types.
20
21var blockedResourceUrls = ['valid.html', 'comment_valid.html', 'valid.xml',
22'valid.json', 'html.txt', 'xml.txt', 'json.txt'];
23
24var nonBlockedResourceUrls = ['js.html', 'comment_js.html', 'js.xml', 'js.json',
25'js.txt', 'img.html', 'img.xml', 'img.json', 'img.txt', 'comment_js.html'];
26
27var resourceUrls = blockedResourceUrls.concat(nonBlockedResourceUrls);
28
29var failed = false;
30function sendRequest(resourceUrl) {
31  var xhr = new XMLHttpRequest();
32  xhr.onreadystatechange = function() {
33    if (xhr.readyState == 4) {
34      var prefix = "";
35      if ((blockedResourceUrls.indexOf(resourceUrl) != -1 &&
36           xhr.responseText != " ") ||
37          (nonBlockedResourceUrls.indexOf(resourceUrl) != -1 &&
38           xhr.responseText == " ")) {
39        // Test failed. Either a resource that should have been blocked is not
40        // blocked, or a resource that should have not been blocked is blocked.
41        domAutomationController.setAutomationId(0);
42        domAutomationController.send(0);
43        if (blockedResourceUrls.indexOf(resourceUrl) != -1) {
44          prefix = "[ERROR:resource to be blocked wasn't blocked]";
45        } else {
46          prefix = "[ERROR:resource to be unblocked was blocked]";
47        }
48      }
49      document.getElementById("response_body").value +=
50          ("\n" + prefix + "response to " + resourceUrl + "(" +
51           xhr.getResponseHeader("content-type") + ") " +
52           (xhr.responseText == " " ? "blocked" : "not-blocked"));
53      drive();
54    }
55  }
56  xhr.open('GET', pathPrefix + resourceUrl);
57  xhr.send();
58}
59
60var cnt = 0;
61function drive() {
62  if (cnt < resourceUrls.length) {
63    sendRequest(resourceUrls[cnt]);
64    ++cnt;
65  } else {
66    // All the test cases are successfully passed.
67    domAutomationController.setAutomationId(0);
68    domAutomationController.send(1);
69  }
70}
71
72window.onload = function() {
73  // The call to pushState with another domain will succeed, since the
74  // test uses --disable-web-security.
75  history.pushState('', '', 'http://bar.com/files/main.html');
76  drive();
77}
78</script>
79<textarea rows=20 cols=50 id='response_body'></textarea>
80</body>
81</html>
82