<!doctype html>
<title>'document-write' tests</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/document-policy/experimental-features/resources/common.js"></script>
<style>
html, body {
height: 100%;
width: 100%;
}
</style>
<body>
<script>
"use strict";
/**
 * Creates an <iframe> element, appends it to document.body and returns it.
 *
 * @returns {HTMLIFrameElement} The newly attached frame.
 */
function newIframe() {
  // appendChild() returns the node it was given, so the new frame can be
  // created, attached and handed back in one expression.
  const frame = document.body.appendChild(document.createElement("iframe"));
  return frame;
}
// Script-scope lookup of an <iframe> in this document. The tests below never
// read this binding: each one declares its own `iframeElement` from
// newIframe(), which shadows it.
let iframeElement = document.querySelector("iframe");

// Framed pages used by the two test groups. `url_base` is not defined in this
// file (presumably supplied by resources/common.js; confirm there).
const allowed_url = url_base + "document-write-allowed.html";
const disallowed_url = url_base + "document-write-disallowed.html";

// Markup passed to document.write / document.writeln. The "\/" escape does not
// change the string value, which is "<div>FOO</div>".
const text_to_write = "<div>FOO<\/div>";

// One entry per dynamic markup insertion API under test. Each entry is sent
// as-is to the framed page through sendMessageAndGetResponse().
//   api                    - name of the document method to invoke
//   args                   - argument for that method, when it takes one
//   query                  - when set, the tests also check `response.value`
//   expected_value_enabled - value expected while the feature is enabled
// NOTE(review): how the framed page maps `query` to `response.value` is not
// visible here; check the document-write-*.html helper pages.
const test_cases = [
  {
    api: "open",
    query: "body",
    expected_value_enabled: false,
  },
  {
    api: "close",
  },
  {
    api: "write",
    args: text_to_write,
    query: "div",
    expected_value_enabled: "FOO",
  },
  {
    api: "writeln",
    args: text_to_write,
    query: "div",
    expected_value_enabled: "FOO",
  },
];
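// The 'document-write' feature is enabled by default; while it is enabled,
// every dynamic markup insertion API must work as intended. This group is the
// positive control for the blocking tests: it shows that the helper page and
// messaging work when nothing is restricted.
for (const tc of test_cases) {
  promise_test(async () => {
    const iframeElement = newIframe();
    await loadUrlInIframe(iframeElement, allowed_url);
    const response =
        await sendMessageAndGetResponse(iframeElement.contentWindow, tc);

    // The failure message names the state under test (feature enabled), so a
    // failure here is not mistaken for a failure of the policy-disabled case.
    assert_false(
        response.did_throw_exception,
        `When feature is enabled, invoking 'document.${tc.api}' should not` +
        " throw an exception.");

    // Entries without `query` (the "close" case) only get the exception check.
    if (tc.query) {
      // NOTE(review): the message mentions a "script tag", but the markup
      // written by these cases is a <div>; wording left as the author had it.
      assert_equals(
          response.value,
          tc.expected_value_enabled,
          `The added script tag by 'document.${tc.api}' must have run.`);
    }
  }, `Verify 'document.${tc.api}' is not normally blocked.`);
}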
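// With 'document-write' disabled by policy, each covered API must throw.
for (const tc of test_cases) {
  promise_test(async () => {
    const iframeElement = newIframe();
    await loadUrlInIframe(iframeElement, disallowed_url);
    const response =
        await sendMessageAndGetResponse(iframeElement.contentWindow, tc);

    // The failure message names the state under test (feature disabled), so a
    // policy bypass is reported as such when this assertion fails.
    assert_true(
        response.did_throw_exception,
        `When feature is disabled, invoking 'document.${tc.api}' should` +
        " throw an exception.");

    // Entries without `query` (the "close" case) only get the exception check.
    if (tc.query) {
      // NOTE(review): this is a negative check only. It passes for any value
      // other than the enabled-case result, including one produced by a
      // helper-page failure; the exception assertion above is the primary
      // evidence that the call was blocked.
      assert_not_equals(
          response.value,
          tc.expected_value_enabled,
          `The added script tag by 'document.${tc.api}' must not have run.`);
    }
  }, `Verify 'document.${tc.api}' is blocked when the feature is disabled.`);
}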
</script>
</body>