diff options
Diffstat (limited to 'testing/web-platform/tests/html/browsers/origin/relaxing-the-same-origin-restriction/document_domain_access_details.sub.html')
-rw-r--r-- | testing/web-platform/tests/html/browsers/origin/relaxing-the-same-origin-restriction/document_domain_access_details.sub.html | 305 |
1 files changed, 305 insertions, 0 deletions
diff --git a/testing/web-platform/tests/html/browsers/origin/relaxing-the-same-origin-restriction/document_domain_access_details.sub.html b/testing/web-platform/tests/html/browsers/origin/relaxing-the-same-origin-restriction/document_domain_access_details.sub.html new file mode 100644 index 0000000000..eb02c96f1d --- /dev/null +++ b/testing/web-platform/tests/html/browsers/origin/relaxing-the-same-origin-restriction/document_domain_access_details.sub.html @@ -0,0 +1,305 @@ +<!DOCTYPE html> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script src="support/document_domain_frame.sub.js"></script> +<body> +<script> +promise_test(async (t) => { + let frame1 = await createFrame(t, "control1-1", "{{domains[www1]}}"); + let frame2 = await createFrame(t, "control1-2", "{{domains[www1]}}"); + let result = await postMessageToFrame(frame1, { 'poke-at-sibling': "control1-2" }); + assert_equals(result.data, "omg!"); +}, "Access allowed if same-origin with no 'document.domain' modification. (Sanity check)"); + +promise_test(async (t) => { + let frame1 = await createFrame(t, "control2-1", "{{domains[www1]}}"); + let frame2 = await createFrame(t, "control2-2", "{{domains[www2]}}"); + let result = await postMessageToFrame(frame1, { 'poke-at-sibling': "control2-2" }); + assert_equals(result.data, "SecurityError"); +}, "Access not allowed if different-origin with no 'document.domain' modification. (Sanity check)"); + +promise_test(async (t) => { + let frame1 = await createFrame(t, "one-set-one-not-1", "{{domains[www1]}}"); + let frame2 = await createFrame(t, "one-set-one-not-2", "{{domains[www1]}}"); + await postMessageToFrame(frame1, { domain: "{{domains[www1]}}" }); + + let result = await postMessageToFrame(frame1, { 'poke-at-sibling': "one-set-one-not-2" }); + assert_equals(result.data, "SecurityError"); + + result = await postMessageToFrame(frame2, { 'poke-at-sibling': "one-set-one-not-1" }); + assert_equals(result.data, "SecurityError"); +}, "Access disallowed if same-origin but only one sets document.domain."); + +promise_test(async (t) => { + var frame1 = await createFrame(t, "both-set-to-existing-1", "{{domains[www1]}}"); + var frame2 = await createFrame(t, "both-set-to-existing-2", "{{domains[www1]}}"); + let result = await postMessageToFrame(frame1, { domain: "{{domains[www1]}}" }); + assert_equals(result.data, "Done"); + + result = await postMessageToFrame(frame2, { domain: "{{domains[www1]}}" }); + assert_equals(result.data, "Done"); + + result = await postMessageToFrame(frame1, { 'poke-at-sibling': "both-set-to-existing-2" }); + assert_equals(result.data, "omg!"); + + result = await postMessageToFrame(frame2, { 'poke-at-sibling': "both-set-to-existing-1" }); + assert_equals(result.data, "omg!"); +}, "Access allowed if same-origin and both set document.domain to existing value."); + +promise_test(async (t) => { + var frame1 = await createFrame(t, "both-set-to-parent-1", "{{domains[www1]}}"); + var frame2 = await createFrame(t, "both-set-to-parent-2", "{{domains[www2]}}"); + let result = await postMessageToFrame(frame1, { domain: "{{domains[]}}" }); + assert_equals(result.data, "Done"); + + result = await postMessageToFrame(frame2, { domain: "{{domains[]}}" }); + assert_equals(result.data, "Done"); + + result = await postMessageToFrame(frame1, { 'poke-at-sibling': "both-set-to-parent-2" }); + assert_equals(result.data, "omg!"); + + result = await postMessageToFrame(frame2, { 'poke-at-sibling': "both-set-to-parent-1" }); + assert_equals(result.data, "omg!"); +}, "Access allowed if different-origin but both set document.domain to parent domain."); + +promise_test(async (t) => { + var frame1 = await createFrame(t, "allow-then-revoke-1", "{{domains[www1]}}"); + var frame2 = await createFrame(t, "allow-then-revoke-2", "{{domains[www1]}}"); + let result = await postMessageToFrame(frame1, { domain: "{{domains[www1]}}" }); + assert_equals(result.data, "Done"); + + result = await postMessageToFrame(frame2, { domain: "{{domains[www1]}}" }); + assert_equals(result.data, "Done"); + + result = await postMessageToFrame(frame1, { 'poke-at-sibling': "allow-then-revoke-2" }); + assert_equals(result.data, "omg!"); + + result = await postMessageToFrame(frame2, { 'poke-at-sibling': "allow-then-revoke-1" }); + assert_equals(result.data, "omg!"); + + result = await postMessageToFrame(frame1, { domain: "{{domains[]}}" }); + assert_equals(result.data, "Done"); + + result = await postMessageToFrame(frame1, { 'poke-at-sibling': "allow-then-revoke-2" }); + assert_equals(result.data, "SecurityError"); + + result = await postMessageToFrame(frame2, { 'poke-at-sibling': "allow-then-revoke-1" }); + assert_equals(result.data, "SecurityError"); +}, "Access disallowed again if same-origin, both set document-domain to existing value, then one sets to parent."); + +promise_test(async (t) => { + let frame1 = await createFrame(t, "revoke-Window-1", "{{domains[www1]}}"); + let frame2 = await createFrame(t, "revoke-Window-2", "{{domains[www1]}}"); + + let result = await postMessageToFrame(frame1, { cache: ["parent", "revoke-Window-2"] }); + assert_equals(result.data, "cached"); + + result = await postMessageToFrame(frame1, 'touch-cached'); + assert_equals(result.data, "Reachable 1"); + + result = await postMessageToFrame(frame2, { cache: ["parent", "revoke-Window-1"] }); + assert_equals(result.data, "cached"); + + result = await postMessageToFrame(frame1, 'touch-cached'); + assert_equals(result.data, "Reachable 1"); + + result = await postMessageToFrame(frame1, { domain: "{{domains[www1]}}" }); + assert_equals(result.data, "Done"); + + result = await postMessageToFrame(frame1, 'touch-cached'); + assert_equals(result.data, "SecurityError"); + + result = await postMessageToFrame(frame2, 'touch-cached'); + assert_equals(result.data, "SecurityError"); +}, "Access is revoked to Window object when we stop being same effective script origin due to document.domain."); + +promise_test(async (t) => { + let frame1 = await createFrame(t, "revoke-Location-1", "{{domains[www1]}}"); + let frame2 = await createFrame(t, "revoke-Location-2", "{{domains[www1]}}"); + + let result = await postMessageToFrame(frame1, { cache: ["parent", "revoke-Location-2", "location"] }); + assert_equals(result.data, "cached"); + + result = await postMessageToFrame(frame1, 'touch-cached'); + assert_equals(result.data, "Reachable 3"); + + result = await postMessageToFrame(frame2, { cache: ["parent", "revoke-Location-1", "location"] }); + assert_equals(result.data, "cached"); + + result = await postMessageToFrame(frame1, 'touch-cached'); + assert_equals(result.data, "Reachable 3"); + + result = await postMessageToFrame(frame1, { domain: "{{domains[www1]}}" }); + assert_equals(result.data, "Done"); + + result = await postMessageToFrame(frame1, 'touch-cached'); + assert_equals(result.data, "SecurityError"); + + result = await postMessageToFrame(frame2, 'touch-cached'); + assert_equals(result.data, "SecurityError"); +}, "Access is revoked to Location object when we stop being same effective script origin due to document.domain."); + +promise_test(async (t) => { + let frame1 = await createFrame(t, "no-revoke-Document-1", "{{domains[www1]}}"); + let frame2 = await createFrame(t, "no-revoke-Document-2", "{{domains[www1]}}"); + + let result = await postMessageToFrame(frame1, { cache: ["parent", "no-revoke-Document-2", "document"] }); + assert_equals(result.data, "cached"); + + result = await postMessageToFrame(frame1, 'touch-cached'); + assert_equals(result.data, "Reachable 4"); + + result = await postMessageToFrame(frame2, { cache: ["parent", "no-revoke-Document-1", "document"] }); + assert_equals(result.data, "cached"); + + result = await postMessageToFrame(frame2, 'touch-cached'); + assert_equals(result.data, "Reachable 4"); + + result = await postMessageToFrame(frame1, { domain: "{{domains[www1]}}" }); + assert_equals(result.data, "Done"); + + result = await postMessageToFrame(frame1, 'touch-cached'); + assert_equals(result.data, "Reachable 4"); + + result = await postMessageToFrame(frame2, 'touch-cached'); + assert_equals(result.data, "Reachable 4"); +}, "Access is not revoked to Document object when we stop being same effective script origin due to document.domain."); + +promise_test(async (t) => { + let frame1 = await createFrame(t, "no-revoke-object-1", "{{domains[www1]}}"); + let frame2 = await createFrame(t, "no-revoke-object-2", "{{domains[www1]}}"); + + let result = await postMessageToFrame(frame1, { cache: ["parent", "no-revoke-object-2", "bar"] }); + assert_equals(result.data, "cached"); + + result = await postMessageToFrame(frame1, 'touch-cached'); + assert_equals(result.data, "Reachable 2"); + + result = await postMessageToFrame(frame2, { cache: ["parent", "no-revoke-object-1", "bar"] }); + assert_equals(result.data, "cached"); + + result = await postMessageToFrame(frame1, 'touch-cached'); + assert_equals(result.data, "Reachable 2"); + + result = await postMessageToFrame(frame1, { domain: "{{domains[www1]}}" }); + assert_equals(result.data, "Done"); + + result = await postMessageToFrame(frame1, 'touch-cached'); + assert_equals(result.data, "Reachable 2"); + + result = await postMessageToFrame(frame2, 'touch-cached'); + assert_equals(result.data, "Reachable 2"); +}, "Access is not revoked to random object when we stop being same effective script origin due to document.domain."); + +promise_test(async (t) => { + let frame1 = await createFrame(t, "join-and-diverge-1", "{{domains[www2.www1]}}"); + let frame2 = await createFrame(t, "join-and-diverge-2", "{{domains[www1.www1]}}"); + + // Make sure we can't touch each other. + let result = await postMessageToFrame(frame1, { 'poke-at-sibling': "join-and-diverge-2" }); + assert_equals(result.data, "SecurityError"); + + result = await postMessageToFrame(frame2, { 'poke-at-sibling': "join-and-diverge-1" }); + assert_equals(result.data, "SecurityError"); + + result = await postMessageToFrame(frame1, { cache: ["parent", "join-and-diverge-2", "bar"] }); + assert_equals(result.data, "SecurityError"); + + result = await postMessageToFrame(frame2, { cache: ["parent", "join-and-diverge-1", "document"] }); + assert_equals(result.data, "SecurityError"); + + // Let's join up now. + result = await postMessageToFrame(frame1, { domain: "{{domains[www1]}}" }); + assert_equals(result.data, "Done"); + + result = await postMessageToFrame(frame2, { domain: "{{domains[www1]}}" }); + assert_equals(result.data, "Done"); + + // Now we should be able to touch each other. + result = await postMessageToFrame(frame1, { 'poke-at-sibling': "join-and-diverge-2" }); + assert_equals(result.data, "omg!"); + + result = await postMessageToFrame(frame2, { 'poke-at-sibling': "join-and-diverge-1" }); + assert_equals(result.data, "omg!"); + + // Cache a random object and a document. + result = await postMessageToFrame(frame1, { cache: ["parent", "join-and-diverge-2", "bar"] }); + assert_equals(result.data, "cached"); + + result = await postMessageToFrame(frame1, 'touch-cached'); + assert_equals(result.data, "Reachable 2"); + + result = await postMessageToFrame(frame2, { cache: ["parent", "join-and-diverge-1", "document"] }); + assert_equals(result.data, "cached"); + + result = await postMessageToFrame(frame2, 'touch-cached'); + assert_equals(result.data, "Reachable 4"); + + // OK, now let's diverge + result = await postMessageToFrame(frame1, { domain: "{{domains[]}}" }); + assert_equals(result.data, "Done"); + + // We should still be able to touch our cached things. + result = await postMessageToFrame(frame1, 'touch-cached'); + assert_equals(result.data, "Reachable 2"); + + result = await postMessageToFrame(frame2, 'touch-cached'); + assert_equals(result.data, "Reachable 4"); +}, "Access evolves correctly for non-cross-origin objects when we join up via document.domain and then diverge again."); + +promise_test(async (t) => { + let frame1 = await createFrame(t, "join-and-diverge-cross-origin-1", "{{domains[www2.www1]}}"); + let frame2 = await createFrame(t, "join-and-diverge-cross-origin-2", "{{domains[www1.www1]}}"); + + // Make sure we can't touch each other. + let result = await postMessageToFrame(frame1, { 'poke-at-sibling': "join-and-diverge-cross-origin-2" }); + assert_equals(result.data, "SecurityError"); + + result = await postMessageToFrame(frame2, { 'poke-at-sibling': "join-and-diverge-cross-origin-1" }); + assert_equals(result.data, "SecurityError"); + + result = await postMessageToFrame(frame1, { cache: ["parent", "join-and-diverge-2", "bar"] }); + assert_equals(result.data, "SecurityError"); + + result = await postMessageToFrame(frame2, { cache: ["parent", "join-and-diverge-1", "document"] }); + assert_equals(result.data, "SecurityError"); + + // Let's join up now. + result = await postMessageToFrame(frame1, { domain: "{{domains[www1]}}" }); + assert_equals(result.data, "Done"); + + result = await postMessageToFrame(frame2, { domain: "{{domains[www1]}}" }); + assert_equals(result.data, "Done"); + + // Now we should be able to touch each other. + result = await postMessageToFrame(frame1, { 'poke-at-sibling': "join-and-diverge-cross-origin-2" }); + assert_equals(result.data, "omg!"); + + result = await postMessageToFrame(frame2, { 'poke-at-sibling': "join-and-diverge-cross-origin-1" }); + assert_equals(result.data, "omg!"); + + // Cache a window and a location + result = await postMessageToFrame(frame1, { cache: ["parent", "join-and-diverge-cross-origin-2"] }); + assert_equals(result.data, "cached"); + + result = await postMessageToFrame(frame1, 'touch-cached'); + assert_equals(result.data, "Reachable 1"); + + result = await postMessageToFrame(frame2, { cache: ["parent", "join-and-diverge-cross-origin-1", "location"] }); + assert_equals(result.data, "cached"); + + result = await postMessageToFrame(frame2, 'touch-cached'); + assert_equals(result.data, "Reachable 3"); + + // OK, now let's diverge + result = await postMessageToFrame(frame1, { domain: "{{domains[]}}" }); + assert_equals(result.data, "Done"); + + // Now our cross-origin objects should start denying access. + result = await postMessageToFrame(frame1, 'touch-cached'); + assert_equals(result.data, "SecurityError"); + + result = await postMessageToFrame(frame2, 'touch-cached'); + assert_equals(result.data, "SecurityError"); +}, "Access evolves correctly for cross-origin objects when we join up via document.domain and then diverge again."); +</script> |