1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title><!-- TODO: insert title here --></title>
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" href="/tests/SimpleTest/test.css"/>
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
<script>
SimpleTest.waitForExplicitFinish();
const blob = new Blob(["x"], { type: "application/pdf" });
const blobURL = URL.createObjectURL(blob);
const blobFrame = document.createElement("iframe");
blobFrame.src = blobURL;
document.getElementById("content").appendChild(blobFrame);
const dataURL = "data:application/pdf,";
const dataFrame = document.createElement("iframe");
dataFrame.src = dataURL;
document.getElementById("content").appendChild(dataFrame);
addLoadEvent(function() {
// blob:// URLs inherit their origin, so the window inside blobFrame
// should be same-orgin with us except for the PDF viewer messing with
// origins.
const printFunc = blobFrame.contentWindow.print;
is(typeof printFunc, "function", "Should have a 'print' function");
ok(Object.getOwnPropertyNames(blobFrame.contentWindow).includes("print"),
"Should see 'print' property in property names");
try {
// data: URLs get nonce origins, so the window inside dataFrame is not
// same-origin with us in any way.
dataFrame.contentWindow.print;
ok(false, "Should throw on cross-origin .print access");
} catch (e) {
ok(/Permission denied/.test(e.message), "Should have a security error");
}
ok(!Object.getOwnPropertyNames(dataFrame.contentWindow).includes("print"),
"Should not see 'print' property in property names");
try {
printFunc.call(dataFrame.contentWindow);
ok(false, "Should throw on cross-origin call");
} catch (e) {
ok(/Permission to call/.test(e.message),
"Should have a security error for call");
}
// It'd be nice to test that calling the function works right, but if it
// does it'll put up the print dialog, which is not helpful in an
// automated test.
SimpleTest.finish();
});
</script>
</div>
<pre id="test"></pre>
</body>
</html>
|
