diff options
Diffstat (limited to 'testing/web-platform/tests/html/semantics/embedded-content/the-iframe-element/sandbox-inherit-to-blank-document-unsandboxed-frame.html')
-rw-r--r-- | testing/web-platform/tests/html/semantics/embedded-content/the-iframe-element/sandbox-inherit-to-blank-document-unsandboxed-frame.html | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/testing/web-platform/tests/html/semantics/embedded-content/the-iframe-element/sandbox-inherit-to-blank-document-unsandboxed-frame.html b/testing/web-platform/tests/html/semantics/embedded-content/the-iframe-element/sandbox-inherit-to-blank-document-unsandboxed-frame.html new file mode 100644 index 0000000000..0f35f28709 --- /dev/null +++ b/testing/web-platform/tests/html/semantics/embedded-content/the-iframe-element/sandbox-inherit-to-blank-document-unsandboxed-frame.html @@ -0,0 +1,87 @@ +<!DOCTYPE html> +<html> +<head> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> +</head> +<body> +<script> + // Sandbox flags are inherited from a document toward every frame it creates, + // which then is inherited to every new document created in this frame. + // + // Using the flag 'allow-popups-to-escape-sandbox' inhibits this inheritance + // mechanism when the new frame is a popup. + // + // Sandbox flags are not inherited from the initiator/creator when loading a + // local scheme document unlike CSP (tested in + // ./sandbox-inherit-to-blank-document-unsandboxed.html) + // + // This tests in particular the initial empty document and the first + // about:blank navigation and verifies that no sandbox is applied on the + // popups. + promise_test(async test => { + const msg = await new Promise(r => window.addEventListener("message", r)); + assert_false(msg.data.access_initial_navigation_to_about_blank_throws, + "Failed to access initial about:blank popup, it is probably sandboxed" + ); + assert_false(msg.data.access_first_navigation_to_about_blank_throws, + "Failed to access navigation to about:blank, it is probably sandboxed" + ); + assert_false(msg.data.access_after_delay_initial_navigation_to_about_blank_throws, + "Failed to access navigation to about:blank, it is probably sandboxed" + ); + assert_false(msg.data.access_after_delay_first_navigation_to_about_blank_throws, + "Failed to access navigation to about:blank, it is probably sandboxed" + ); + }, "Popup do not inherit sandbox, because of " + + "'allow-popups-to-escape-sandbox'. The document isn't sandboxed.") + +</script> +<iframe + sandbox="allow-scripts allow-popups allow-popups-to-escape-sandbox" + srcdoc=" + <script> + let access_initial_navigation_to_about_blank_throws = false; + let access_first_navigation_to_about_blank_throws = false; + let access_after_delay_initial_navigation_to_about_blank_throws = false; + let access_after_delay_first_navigation_to_about_blank_throws = false; + const initial_about_blank_window = + window.open('/common/blank.html?pipe=status(204)'); + try { + initial_about_blank_window.origin; + } catch(e) { + access_initial_navigation_to_about_blank_throws = true; + } + const renavigated_about_blank_window = window.open('about:blank'); + try { + renavigated_about_blank_window.origin; + } catch(e) { + access_first_navigation_to_about_blank_throws = true; + } + setTimeout(() => { + try { + initial_about_blank_window.origin; + } catch(e) { + access_after_delay_initial_navigation_to_about_blank_throws = true; + } + try { + renavigated_about_blank_window.origin; + } catch(e) { + access_after_delay_first_navigation_to_about_blank_throws = true; + } + top.postMessage({ + 'access_initial_navigation_to_about_blank_throws': + access_initial_navigation_to_about_blank_throws, + 'access_first_navigation_to_about_blank_throws': + access_first_navigation_to_about_blank_throws, + 'access_after_delay_initial_navigation_to_about_blank_throws': + access_after_delay_initial_navigation_to_about_blank_throws, + 'access_after_delay_first_navigation_to_about_blank_throws': + access_after_delay_first_navigation_to_about_blank_throws + }, '*'); + }, 500); + </script>" +> +</iframe> +</body> +</html> |