1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
<!DOCTYPE html>
<html>
<head>
<title>Referrer Policy: Sandboxed iframes with opaque origins don't send referrers</title>
<link rel="author" title="Jochen Eisinger" href="mailto:jochen@chromium.org">
<link rel="author" title="Arthur Sonzogni" href="mailto:arthursonzogni@chromium.org">
<link rel="help" href="https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<!-- Common global functions for referrer-policy tests. -->
<script src="/common/security-features/resources/common.sub.js"></script>
<script src="/common/get-host-info.sub.js"></script>
</head>
<body>
<h1>
Referrer Policy: A document with an opaque origin doesn't send referrers
</h1>
<script>
let futureMessage = function() {
return new Promise(resolve => {
window.addEventListener("message", event => resolve(event.data));
});
}
function testSandboxedIframeSubresource(description,
sandboxAttributes,
expectedReferrer) {
promise_test(async test => {
let resource_url = get_host_info().HTTP_NOTSAMESITE_ORIGIN +
"/common/security-features/subresource/xhr.py";
const iframe = document.createElement("iframe");
iframe.sandbox = sandboxAttributes;
iframe.srcdoc = `
<meta name="referrer" content="always">
<script src="/common/security-features/resources/common.sub.js">
</scr`+`ipt>
<script>
requestViaFetch("${resource_url}").then((msg) => {
parent.postMessage(msg.referrer, '*');
}).catch((e) => {
parent.postMessage("FAILURE", '*');
});
</scr`+`ipt>
`;
const future_message = futureMessage();
document.body.appendChild(iframe);
assert_equals(await future_message, expectedReferrer);
}, description);
}
function testSandboxedIframeMainResource(description,
sandboxAttributes,
expectedReferrer) {
promise_test(async test => {
let document_url = get_host_info().HTTP_NOTSAMESITE_ORIGIN +
"/referrer-policy/generic/resources/referrer.py";
const iframe = document.createElement("iframe");
iframe.sandbox = sandboxAttributes;
iframe.srcdoc = `
<meta name="referrer" content="always">
<script>
onload = () => {
location.href = "${document_url}";
}
</scr`+`ipt>
`;
const future_message = futureMessage();
document.body.appendChild(iframe);
assert_equals(await future_message, expectedReferrer);
}, description);
}
testSandboxedIframeSubresource(
"Sandboxed iframe with opaque origin doesn't send referrers to subresources",
"allow-scripts", undefined);
testSandboxedIframeSubresource(
"Sandboxed iframe with tuple origin sends referrers to subresources",
"allow-same-origin allow-scripts", document.location.href);
testSandboxedIframeMainResource(
"Sandboxed iframe with opaque origin doesn't send referrers on navigation",
"allow-scripts", "");
testSandboxedIframeMainResource(
"Sandboxed iframe with tuple origin sends referrers on navigation",
"allow-same-origin allow-scripts", document.location.href);
</script>
</body>
</html>
|
