1 files changed, 93 insertions, 0 deletions
diff --git a/testing/web-platform/tests/referrer-policy/generic/sandboxed-iframe-with-opaque-origin.html b/testing/web-platform/tests/referrer-policy/generic/sandboxed-iframe-with-opaque-origin.html
new file mode 100644
index 0000000000..fd1857e0dd
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/sandboxed-iframe-with-opaque-origin.html
@@ -0,0 +1,93 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Referrer Policy: Sandboxed iframes with opaque origins don't send referrers</title>
+  <link rel="author" title="Jochen Eisinger" href="mailto:jochen@chromium.org">
+  <link rel="author" title="Arthur Sonzogni" href="mailto:arthursonzogni@chromium.org">
+  <link rel="help" href="https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer">
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <!-- Common global functions for referrer-policy tests. -->
+  <script src="/common/security-features/resources/common.sub.js"></script>
+  <script src="/common/get-host-info.sub.js"></script>
+</head>
+<body>
+<h1>
+  Referrer Policy: A document with an opaque origin doesn't send referrers
+</h1>
+<script>
+
+let futureMessage = function() {
+  return new Promise(resolve => {
+    window.addEventListener("message", event => resolve(event.data));
+  });
+}
+
+function testSandboxedIframeSubresource(description,
+                                        sandboxAttributes,
+                                        expectedReferrer) {
+  promise_test(async test => {
+    let resource_url = get_host_info().HTTP_NOTSAMESITE_ORIGIN +
+      "/common/security-features/subresource/xhr.py";
+    const iframe = document.createElement("iframe");
+    iframe.sandbox = sandboxAttributes;
+    iframe.srcdoc = `
+      <meta name="referrer" content="always">
+      <script src="/common/security-features/resources/common.sub.js">
+      </scr`+`ipt>
+      <script>
+        requestViaFetch("${resource_url}").then((msg) => {
+          parent.postMessage(msg.referrer, '*');
+        }).catch((e) => {
+          parent.postMessage("FAILURE", '*');
+        });
+      </scr`+`ipt>
+    `;
+
+    const future_message = futureMessage();
+    document.body.appendChild(iframe);
+    assert_equals(await future_message, expectedReferrer);
+
+  }, description);
+}
+
+function testSandboxedIframeMainResource(description,
+                                         sandboxAttributes,
+                                         expectedReferrer) {
+  promise_test(async test => {
+    let document_url = get_host_info().HTTP_NOTSAMESITE_ORIGIN +
+      "/referrer-policy/generic/resources/referrer.py";
+    const iframe = document.createElement("iframe");
+    iframe.sandbox = sandboxAttributes;
+    iframe.srcdoc = `
+      <meta name="referrer" content="always">
+      <script>
+        onload = () => {
+          location.href = "${document_url}";
+        }
+      </scr`+`ipt>
+    `;
+
+    const future_message = futureMessage();
+    document.body.appendChild(iframe);
+    assert_equals(await future_message, expectedReferrer);
+
+  }, description);
+}
+
+testSandboxedIframeSubresource(
+  "Sandboxed iframe with opaque origin doesn't send referrers to subresources",
+  "allow-scripts", undefined);
+testSandboxedIframeSubresource(
+  "Sandboxed iframe with tuple origin sends referrers to subresources",
+  "allow-same-origin allow-scripts", document.location.href);
+testSandboxedIframeMainResource(
+  "Sandboxed iframe with opaque origin doesn't send referrers on navigation",
+  "allow-scripts", "");
+testSandboxedIframeMainResource(
+  "Sandboxed iframe with tuple origin sends referrers on navigation",
+  "allow-same-origin allow-scripts", document.location.href);
+
+</script>
+</body>
+</html>