82 lines
3.5 KiB
HTML
82 lines
3.5 KiB
HTML
<!DOCTYPE HTML>
|
|
<html>
|
|
<head>
|
|
<meta charset="utf-8">
|
|
<title>Tests for Mixed Content Navigation with window.open</title>
|
|
<script src="/tests/SimpleTest/SimpleTest.js"></script>
|
|
|
|
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
|
</head>
|
|
|
|
<body>
|
|
|
|
<script class="testbody" type="text/javascript">
|
|
|
|
SimpleTest.waitForExplicitFinish();
|
|
|
|
let testsCompleted = 0;
|
|
const numberOfTestCases = 2;
|
|
|
|
function markTestCaseComplete() {
|
|
testsCompleted++;
|
|
|
|
if (testsCompleted == numberOfTestCases) {
|
|
SimpleTest.finish();
|
|
}
|
|
}
|
|
|
|
window.onmessage = function(event) {
|
|
if (event.data.src.includes("test1")) {
|
|
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
|
|
is(event.data.target, "http://test1.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html", "error thrown for failed iframe load should be from test1's iframe.");
|
|
is(event.data.outcome, "blocked", "http iframe should be blocked from loading in child https window.");
|
|
is(event.data.method, "http", "messages from test1 iframe should be http.");
|
|
markTestCaseComplete();
|
|
}
|
|
else if (event.data.src.includes("test2")) {
|
|
if (event.data.outcome != 'csp-error') {
|
|
is(event.data.target, "https://test2.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html", "event message received for successful iframe load should be from test2's iframe.");
|
|
is(event.data.triggeringPrincipal, "https://example.com/tests/dom/security/test/mixedcontentblocker/test_windowOpen.html", "triggeringPrincipal for successfully loaded https iframe should be the original test file.");
|
|
is(event.data.outcome, "loaded", "https iframe should be allowed to load in child https window.");
|
|
is(event.data.method, "https", "messages from test2 iframe should be https");
|
|
}
|
|
markTestCaseComplete();
|
|
}
|
|
};
|
|
|
|
function testURLInOpenedWindow(testURL) {
|
|
let openedWindow = window.open("javascript:''","_blank");
|
|
openedWindow.onload = function() {
|
|
openedWindow.document.body.innerHTML = '<iframe id="testframe">'
|
|
|
|
let testframe = openedWindow.document.getElementById("testframe");
|
|
testframe.onload = function(event) {
|
|
try {
|
|
let triggeringPrincipal = SpecialPowers.wrap(this.contentWindow).docShell.currentDocumentChannel.loadInfo.triggeringPrincipal.asciiSpec;
|
|
openedWindow.opener.postMessage({outcome: 'loaded', method: this.src.split(":")[0], src: this.src, target: event.target.src, triggeringPrincipal}, '*');
|
|
}
|
|
catch (error) {
|
|
// If we can't get the docShell due to CSP blocking access to the iframe's docShell then skip this test case
|
|
if (error.name === "SecurityError" && error.message === 'Permission denied to access property "docShell" on cross-origin object') {
|
|
openedWindow.opener.postMessage({outcome: 'csp-error', method: this.src.split(":")[0], src: this.src}, '*');
|
|
}
|
|
else throw error;
|
|
}
|
|
openedWindow.close();
|
|
}
|
|
testframe.onerror = function(error) {
|
|
openedWindow.opener.postMessage({outcome: 'blocked', method: this.src.split(":")[0], src: this.src, target: error.target.src}, '*');
|
|
openedWindow.close();
|
|
}
|
|
|
|
testframe.src = testURL;
|
|
};
|
|
};
|
|
|
|
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
|
|
testURLInOpenedWindow("http://test1.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html");
|
|
testURLInOpenedWindow("https://test2.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html");
|
|
|
|
</script>
|
|
</body>
|
|
</html>
|