Diffstat (limited to 'dom/security/test/mixedcontentblocker/test_windowOpen.html')
-rw-r--r--dom/security/test/mixedcontentblocker/test_windowOpen.html82
1 files changed, 82 insertions, 0 deletions
diff --git a/dom/security/test/mixedcontentblocker/test_windowOpen.html b/dom/security/test/mixedcontentblocker/test_windowOpen.html
new file mode 100644
index 0000000000..ae286c38f8
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/test_windowOpen.html
@@ -0,0 +1,82 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta charset="utf-8">
+ <title>Tests for Mixed Content Navigation with window.open</title>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+
+<body>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+let testsCompleted = 0;
+const numberOfTestCases = 2;
+
+function markTestCaseComplete() {
+ testsCompleted++;
+
+ if (testsCompleted == numberOfTestCases) {
+ SimpleTest.finish();
+ }
+}
+
+window.onmessage = function(event) {
+ if (event.data.src.includes("test1")) {
+ // eslint-disable-next-line @microsoft/sdl/no-insecure-url
+ is(event.data.target, "http://test1.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html", "error thrown for failed iframe load should be from test1's iframe.");
+ is(event.data.outcome, "blocked", "http iframe should be blocked from loading in child https window.");
+ is(event.data.method, "http", "messages from test1 iframe should be http.");
+ markTestCaseComplete();
+ }
+ else if (event.data.src.includes("test2")) {
+ if (event.data.outcome != 'csp-error') {
+ is(event.data.target, "https://test2.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html", "event message received for successful iframe load should be from test2's iframe.");
+ is(event.data.triggeringPrincipal, "https://example.com/tests/dom/security/test/mixedcontentblocker/test_windowOpen.html", "triggeringPrincipal for successfully loaded https iframe should be the original test file.");
+ is(event.data.outcome, "loaded", "https iframe should be allowed to load in child https window.");
+ is(event.data.method, "https", "messages from test2 iframe should be https");
+ }
+ markTestCaseComplete();
+ }
+};
+
+function testURLInOpenedWindow(testURL) {
+ let openedWindow = window.open("javascript:''","_blank");
+ openedWindow.onload = function() {
+ openedWindow.document.body.innerHTML = '<iframe id="testframe">'
+
+ let testframe = openedWindow.document.getElementById("testframe");
+ testframe.onload = function(event) {
+ try {
+ let triggeringPrincipal = SpecialPowers.wrap(this.contentWindow).docShell.currentDocumentChannel.loadInfo.triggeringPrincipal.asciiSpec;
+ openedWindow.opener.postMessage({outcome: 'loaded', method: this.src.split(":")[0], src: this.src, target: event.target.src, triggeringPrincipal}, '*');
+ }
+ catch (error) {
+ // If we can't get the docShell due to CSP blocking access to the iframe's docShell then skip this test case
+ if (error.name === "SecurityError" && error.message === 'Permission denied to access property "docShell" on cross-origin object') {
+ openedWindow.opener.postMessage({outcome: 'csp-error', method: this.src.split(":")[0], src: this.src}, '*');
+ }
+ else throw error;
+ }
+ openedWindow.close();
+ }
+ testframe.onerror = function(error) {
+ openedWindow.opener.postMessage({outcome: 'blocked', method: this.src.split(":")[0], src: this.src, target: error.target.src}, '*');
+ openedWindow.close();
+ }
+
+ testframe.src = testURL;
+ };
+};
+
+// eslint-disable-next-line @microsoft/sdl/no-insecure-url
+testURLInOpenedWindow("http://test1.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html");
+testURLInOpenedWindow("https://test2.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html");
+
+</script>
+</body>
+</html>
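Review bot: The `csp-error` case in the test2 branch of `window.onmessage` calls `markTestCaseComplete()` without recording anything, so a run where the docShell lookup was denied looks the same in the results as one that verified the https load and its triggeringPrincipal. Adding an `else` branch with something like `info("test2: docShell not accessible, triggeringPrincipal not checked");` (or a `todo(false, ...)`) would make the skip visible in the log. Separately, in `testframe.onload` the `else throw error;` path skips both `postMessage` and `openedWindow.close()`, so an unexpected exception ends in a harness timeout with the popup left open. The same happens if the exact SecurityError message text compared there ever changes. Posting a failure outcome to the opener before rethrowing, and moving `openedWindow.close();` into a `finally` block, would turn that into a prompt, attributable failure.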