<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=341604
Implement HTML5 sandbox attribute for IFRAMEs - inheritance tests
-->
<head>
<meta charset="utf-8">
<title>Test for Bug 341604</title>
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
</head>
<script type="application/javascript">
/** Test for Bug 341604 - Implement HTML5 sandbox attribute for IFRAMEs **/
/** Inheritance Tests **/
// The test is asynchronous: results arrive via postMessage from the framed
// documents, so the harness waits until finish() calls SimpleTest.finish().
SimpleTest.waitForExplicitFinish();
// testAttempted() uses setTimeout as a grace period before finishing; the
// string passed here is the reason given to the harness for that timeout.
SimpleTest.requestFlakyTimeout("untriaged");
// A postMessage handler that is used by sandboxed iframes without
// 'allow-same-origin' to communicate pass/fail back to this main page.
// It expects to be called with an object like {ok: true/false, desc:
// <description of the test>}, which it then forwards to ok(). Messages of the
// form {type: "attempted"} and {type: "ok", ...} are handled as well.
window.addEventListener("message", receiveMessage);
/**
 * Routes a message posted by one of the framed test documents.
 *
 * Recognised payloads (event.data):
 *   {type: "attempted"}                     - counts a test as attempted
 *   {type: "ok", ok, desc, addToAttempted}  - records a pass/fail result
 *   {ok, desc, addToAttempted}              - old-style result, no type field
 * Any other payload is ignored.
 *
 * NOTE(review): neither event.origin nor event.source is checked here. Frames
 * sandboxed without 'allow-same-origin' have an opaque origin, so their
 * messages arrive with event.origin "null" and cannot be told apart by origin.
 * The counters therefore trust every message delivered to this window;
 * comparing event.source against the expected frames would be the only
 * available filter.
 *
 * @param {MessageEvent} event - the "message" event delivered to this window.
 */
function receiveMessage(event) {
  const message = event.data;
  const kind = message.type;

  if (kind === "attempted") {
    testAttempted();
    return;
  }

  // Untyped messages are the old style and count only when they carry an
  // `ok` field. The comparison is deliberately loose, so null is treated the
  // same as undefined.
  if (kind === "ok" || message.ok != undefined) {
    ok_wrapper(message.ok, message.desc, message.addToAttempted);
  }
}
// Number of tests that have checked in so far, either through a message from
// a framed document or through a direct testAttempted() call in doTest().
var attemptedTests = 0;
// Number of results received whose `ok` value was truthy.
var passedTests = 0;
// doTest() lists 19 numbered tests. Four of them (1, 2, 8 and 17) are marked
// "fails if bad" and are counted as attempted directly in doTest(), which
// presumably leaves the 15 below that are expected to report a pass.
var totalTestsToPass = 15;
var totalTestsToAttempt = 19;
/**
 * Records one test result with the harness and updates the local counters.
 *
 * @param {*} result - truthy when the check passed; forwarded to ok().
 * @param {string} desc - description of the check; forwarded to ok().
 * @param {boolean} [addToAttempted=true] - when truthy the result is also
 *   counted as an attempted test. A message that omits the field arrives
 *   here as undefined and therefore gets the default of true.
 */
function ok_wrapper(result, desc, addToAttempted = true) {
  ok(result, desc);

  if (result) {
    passedTests += 1;
  }

  if (!addToAttempted) {
    return;
  }
  testAttempted();
}
// Some tests only report back when they fail, so this counter lets them (or
// doTest() on their behalf) register that they have at least been attempted.
// The comparison is an exact match, so the finish timer is armed once, at the
// moment the count reaches totalTestsToAttempt.
function testAttempted() {
  attemptedTests += 1;
  if (attemptedTests != totalTestsToAttempt) {
    return;
  }
  // Make sure all tests have had a chance to complete.
  setTimeout(() => {
    finish();
  }, 1000);
}
// Latch that makes finish() a no-op after its first call.
var finishCalled = false;

/**
 * Ends the test: checks that the number of passing results matches
 * totalTestsToPass, then tells the harness the test is done. Only the first
 * call does anything.
 */
function finish() {
  if (finishCalled) {
    return;
  }
  finishCalled = true;

  const summary = `There are ${totalTestsToPass} inheritance tests that should pass`;
  is(passedTests, totalTestsToPass, summary);
  SimpleTest.finish();
}
/**
 * Drives the parts of the inheritance tests that this page performs itself.
 *
 * Most of the 19 checks listed below run inside the framed documents and
 * report back through postMessage. This function only counts the four
 * "fails if bad" checks (1, 2, 8, 17) as attempted, since they report back
 * only on failure, and performs the sandbox attribute change for check 9.
 */
function doTest() {
  // 1) [fails if bad] An iframe with no sandbox attribute inside an iframe
  //    that has sandbox="" should not be able to execute scripts (a nested
  //    frame cannot ever loosen permissions).
  //    Done by file_iframe_sandbox_a_if2.html contained within
  //    file_iframe_sandbox_a_if1.html.
  testAttempted();

  // 2) [fails if bad] An iframe with sandbox="allow-scripts" inside an iframe
  //    that has sandbox="" should not be able to execute scripts (cannot ever
  //    loosen permissions).
  //    Done by file_iframe_sandbox_a_if2.html contained within
  //    file_iframe_sandbox_a_if1.html.
  testAttempted();

  // 3) [passes if good, fails if bad] An iframe with no sandbox attribute
  //    inside an iframe that has sandbox="allow-scripts" should not be same
  //    origin with the top window.
  //    Done by file_iframe_sandbox_a_if4.html contained within
  //    file_iframe_sandbox_a_if3.html.

  // 4) [passes if good, fails if bad] An iframe with no sandbox attribute
  //    inside an iframe that has sandbox="allow-scripts" should not be same
  //    origin with its parent.
  //    Done by file_iframe_sandbox_a_if4.html contained within
  //    file_iframe_sandbox_a_if3.html.

  // 5) [passes if good] An iframe with 'allow-same-origin' and
  //    'allow-scripts' inside an iframe with 'allow-same-origin' and
  //    'allow-scripts' should be same origin with the top window.
  //    Done by file_iframe_sandbox_a_if6.html contained within
  //    file_iframe_sandbox_a_if5.html.

  // 6) [passes if good] An iframe with 'allow-same-origin' and
  //    'allow-scripts' inside an iframe with 'allow-same-origin' and
  //    'allow-scripts' should be same origin with its parent.
  //    Done by file_iframe_sandbox_a_if6.html contained within
  //    file_iframe_sandbox_a_if5.html.

  // 7) [passes if good] An iframe with no sandbox attribute inside an iframe
  //    that has sandbox="allow-scripts" should be able to execute scripts.
  //    Done by file_iframe_sandbox_a_if7.html contained within
  //    file_iframe_sandbox_a_if3.html.

  // 8) [fails if bad] An iframe with sandbox="" inside an iframe that has
  //    allow-scripts should not be able to execute scripts.
  //    Done by file_iframe_sandbox_a_if2.html contained within
  //    file_iframe_sandbox_a_if3.html.
  testAttempted();

  // 9) [passes if good] Make sure that changing the sandbox flags on an
  //    iframe (if_8) doesn't affect the sandboxing of subloads of content
  //    within that iframe. The attribute is rewritten here, after the page
  //    has loaded, and the framed document is then asked to start a subload.
  //    doSubload() is not defined in this file; presumably the document
  //    loaded into if_8 provides it.
  const frame8 = document.getElementById('if_8');
  frame8.sandbox = 'allow-scripts';
  frame8.contentWindow.doSubload();

  // 10) [passes if good] A <frame> inside an <iframe> sandboxed with
  //     'allow-scripts' should not be same origin with this document.
  //     Done by file_iframe_sandbox_a_if11.html, which is contained within
  //     file_iframe_sandbox_a_if10.html.

  // 11) [passes if good] A <frame> inside a <frame> inside an <iframe>
  //     sandboxed with 'allow-scripts' should not be same origin with its
  //     parent frame or this document.
  //     Done by file_iframe_sandbox_a_if12.html, which is contained within
  //     file_iframe_sandbox_a_if11.html.

  // 12) [passes if good, fails if bad] An <object> inside an <iframe>
  //     sandboxed with 'allow-scripts' should not be same origin with this
  //     document.
  //     Done by file_iframe_sandbox_a_if14.html, which is contained within
  //     file_iframe_sandbox_a_if13.html.

  // 13) [passes if good, fails if bad] An <object> inside an <object> inside
  //     an <iframe> sandboxed with 'allow-scripts' should not be same origin
  //     with its parent frame or this document.
  //     Done by file_iframe_sandbox_a_if15.html, which is contained within
  //     file_iframe_sandbox_a_if14.html.

  // 14) [passes if good, fails if bad] An <object> inside a <frame> inside an
  //     <iframe> sandboxed with 'allow-scripts' should not be same origin
  //     with its parent frame or this document.
  //     Done by file_iframe_sandbox_a_if15.html, which is contained within
  //     file_iframe_sandbox_a_if16.html, which is contained within
  //     file_iframe_sandbox_a_if10.html.

  // 15) [passes if good] An <object> inside an <object> inside an <iframe>
  //     sandboxed with 'allow-scripts allow-forms' should be able to submit
  //     forms.
  //     Done by file_iframe_sandbox_a_if15.html, which is contained within
  //     file_iframe_sandbox_a_if14.html.

  // 16) [passes if good] An <object> inside a <frame> inside an <iframe>
  //     sandboxed with 'allow-scripts allow-forms' should be able to submit
  //     forms.
  //     Done by file_iframe_sandbox_a_if15.html, which is contained within
  //     file_iframe_sandbox_a_if16.html, which is contained within
  //     file_iframe_sandbox_a_if10.html.

  // 17) [fails if bad] An <object> inside an <iframe> sandboxed with
  //     'allow-same-origin' should not be able to run scripts.
  //     Done by iframe "if_no_scripts", which loads
  //     file_iframe_sandbox_srcdoc_no_allow_scripts.html.
  testAttempted();

  // 18) [passes if good] An <object> inside an <iframe> sandboxed with
  //     'allow-scripts allow-same-origin' should be able to run scripts and
  //     be same origin with this document.
  //     Done by iframe "if_scripts", which loads
  //     file_iframe_sandbox_srcdoc_allow_scripts.html.

  // 19) [passes if good, fails if bad] Make sure that the parent document's
  //     sandboxing flags are copied when changing the sandbox flags on an
  //     iframe inside an iframe.
  //     Done in file_iframe_sandbox_a_if17.html and
  //     file_iframe_sandbox_a_if18.html.
}
// Register doTest with addLoadEvent() (not defined in this file; presumably
// supplied by SimpleTest.js). doTest() touches if_8.contentWindow, so it needs
// the framed documents to be loaded before it runs.
addLoadEvent(doTest);
</script>
<body>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=341604">Mozilla Bug 341604</a> - Implement HTML5 sandbox attribute for IFRAMEs
<p id="display"></p>
<div id="content">
<iframe sandbox="" id="if_1" src="file_iframe_sandbox_a_if1.html" height="10" width="10"></iframe>
<iframe sandbox="allow-scripts" id="if_3" src="file_iframe_sandbox_a_if3.html" height="10" width="10"></iframe>
<iframe sandbox="allow-scripts allow-same-origin" id="if_5" src="file_iframe_sandbox_a_if5.html" height="10" width="10"></iframe>
<iframe sandbox="allow-scripts allow-same-origin" id="if_8" src="file_iframe_sandbox_a_if8.html" height="10" width="10"></iframe>
<iframe sandbox="allow-scripts allow-forms" id="if_10" src="file_iframe_sandbox_a_if10.html" height="10" width="10"></iframe>
<iframe sandbox="allow-scripts allow-forms" id="if_13" src="file_iframe_sandbox_a_if13.html" height="10" width="10"></iframe>
<iframe sandbox="allow-same-origin" id="if_no_scripts" srcdoc="<object data='file_iframe_sandbox_srcdoc_no_allow_scripts.html'></object>" height="10" width="10"></iframe>
<iframe sandbox="allow-scripts allow-same-origin" id="if_scripts" srcdoc="<object data='file_iframe_sandbox_srcdoc_allow_scripts.html'></object>" height="10" width="10"></iframe>
<iframe sandbox="allow-scripts" id="if_17" src="file_iframe_sandbox_a_if17.html" height="10" width="10"></iframe>
</div>
</body>
</html>