1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
|
<!doctype html>
<meta charset=utf-8>
<title>Check processing of allow attribute in nested browsing context</title>
<link rel="author" title="Google" href="https://www.google.com">
<link rel="help" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-allow">
<link rel="help" href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#initialise-the-document-object">
<link rel="help" href="https://fullscreen.spec.whatwg.org/#fullscreen-enabled-flag">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<div id="log"></div>
<script>
// This returns a data URL (cross-origin with the containing document) which
// advances a counter, and reports the counter value together with the
// document's fullscreenEnabled state, every time it receives a postMessage.
// Fullscreen itself is not important for this test, but the flag is a useful
// indicator of whether a policy-controlled-feature is allowed or denied.
function getSourceForCrossOriginPage(initial_count) {
var page_contents = "<html><body><script>var count="+initial_count+";window.addEventListener('message',function(){parent.postMessage({'count':count++,'fullscreenEnabled':document.fullscreenEnabled},'*');});</scr"+"ipt></body></html>";
return "data:text/html;base64,"+btoa(page_contents);
}
async_test(function(t) {
var iframe = document.createElement("iframe");
iframe.src = getSourceForCrossOriginPage(0);
iframe.addEventListener('load', function() {
// Request the fullscreenEnabled state whenever the frame loads
iframe.contentWindow.postMessage(true,"*");
});
window.addEventListener('message', this.step_func(function(msg) {
if (msg.data.count == 0) {
assert_false(msg.data.fullscreenEnabled, "Document inside cross-origin iframe without allow attribute should not have feature enabled");
iframe.setAttribute("allow", "fullscreen");
iframe.contentWindow.postMessage(true,"*"); // Request state again
} else if (msg.data.count == 1) {
assert_false(msg.data.fullscreenEnabled, "Feature should be denied when correct allow attribute is added, before reload");
iframe.src = getSourceForCrossOriginPage(2); // Reload the frame
} else if (msg.data.count == 2) {
assert_true(msg.data.fullscreenEnabled, "Feature should be allowed when correct allow attribute is added, after reload");
iframe.removeAttribute("allow");
iframe.contentWindow.postMessage(true,"*"); // Request state again
} else if (msg.data.count == 3) {
assert_true(msg.data.fullscreenEnabled, "Feature should be allowed when allow attribute is removed, before reload");
iframe.src = getSourceForCrossOriginPage(4); // Reload the frame
} else if (msg.data.count == 4) {
assert_false(msg.data.fullscreenEnabled, "Feature should be denied when allow attribute is removed, after reload");
iframe.setAttribute("allow", "payment"); // Set allow to an unrelated feature
iframe.src = getSourceForCrossOriginPage(5); // Reload the frame
} else if (msg.data.count == 5) {
assert_false(msg.data.fullscreenEnabled, "Feature should be denied with incorrect allow attribute");
iframe.setAttribute("allow", "payment;fullscreen"); // Include fullscreen again
iframe.src = getSourceForCrossOriginPage(6); // Reload the frame
} else if (msg.data.count == 6) {
assert_true(msg.data.fullscreenEnabled, "Feature should be allowed with complex allow attribute");
t.done();
} else {
assert_unreached();
}
}));
document.body.appendChild(iframe);
}, "iframe-cross-origin-allow");
</script>
|
