path: root/testing/web-platform/tests/fetch/security/dangling-markup/dangling-markup-mitigation-allowed-apis.html
blob: 66456a8876b609fce084d40df0b280afeb48bffa (plain)
<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<body>
<script>
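  // Initial URL of a freshly created iframe; used to detect "never navigated".
  const blank = 'about:blank';
  // A URL containing both a raw newline and '<' is the pattern that
  // dangling-markup mitigation looks for. The newline here is a real U+000A
  // in the string, not an escape sequence that survives into the eval'd code.
  const dangling_url = 'resources/empty.html?\n<';
  // Script-initiated navigations that the mitigation is expected to allow.
  // Each entry is source text; the inner backtick literal keeps the raw
  // newline legal when the string is evaluated.
  const api_calls = [
    `window.open(\`${dangling_url}\`,'_self')`,
    `location.replace(\`${dangling_url}\`)`,
  ];

  api_calls.forEach(call => {
    async_test(t => {
      const iframe =
        document.body.appendChild(document.createElement('iframe'));
      // Remove the frame once the subtest finishes so iframes do not pile up
      // in the test document and cannot interfere with later subtests.
      t.add_cleanup(() => iframe.remove());
      t.step(() => {
        // eval is deliberate: `call` is one of the constant strings above
        // (no external input) and must run in the iframe's own realm so that
        // `location` and '_self' refer to the iframe, not the test page.
        iframe.contentWindow.eval(call);
        // NOTE(review): there is no event hook here, so the test waits a
        // fixed 500 ms for the navigation to commit; on a slow runner a
        // late navigation would be reported as a failure.
        t.step_timeout(() => {
          // NOTE(review): this only proves the frame left about:blank; it
          // does not confirm that resources/empty.html is what loaded.
          assert_false(
            iframe.contentWindow.location.href.endsWith(blank),
            'iframe should have navigated away from about:blank');
          t.done();
        }, 500);
      });
    }, `Does not block ${call}`);
  });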
</script>