summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/scroll-to-text-fragment/scroll-to-text-fragment-security.sub.html
blob: 5bcafed5ddbf48e193fa012afd0de7dbf4f583bc (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
<!doctype html>
<title>Navigating to a text fragment directive</title>
<meta charset=utf-8>
<link rel="help" href="https://wicg.github.io/ScrollToTextFragment/">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/resources/testdriver.js"></script>
<script src="/resources/testdriver-vendor.js"></script>
<script src="/common/utils.js"></script>
<script src="stash.js"></script>
<script>
// Test security restriction for user activation
for (let user_activation of [true, false]) {
  promise_test(t => new Promise((resolve, reject) => {
    let key = token();

    if (user_activation) {
      test_driver.bless('Open a URL with a text fragment directive', () => {
        window.open(`scroll-to-text-fragment-target.html?key=${key}#:~:text=test`, '_blank', 'noopener');
      });
    } else {
      window.open(`scroll-to-text-fragment-target.html?key=${key}#:~:text=test`, '_blank', 'noopener');
    }

    fetchResults(key, resolve, reject);
  }).then(data => {
    assert_equals(data.href.indexOf(':~:'), -1, 'Expected fragment directive to be stripped from the URL.');

    if (user_activation) {
      assert_equals(data.scrollPosition, 'text', 'Expected window.open() with a user activation to scroll to text.');
    } else {
      assert_equals(data.scrollPosition, 'top', 'Expected window.open() with no user activation to not activate text fragment directive.');
    }
  }), `Test that a text fragment directive requires a user activation (user_activation=${user_activation}).`);
}

const crossOriginTarget = "http://{{hosts[alt][www]}}:{{ports[http][0]}}/scroll-to-text-fragment/scroll-to-text-fragment-target.html";

// Test security restriction for no window opener
for (let noopener of [true, false]) {
  promise_test(t => new Promise((resolve, reject) => {
    let key = token();

    test_driver.bless('Open a URL with a text fragment directive', () => {
      if (noopener) {
        window.open(`${crossOriginTarget}?key=${key}#:~:text=test`, '_blank', 'noopener');
      } else {
        window.open(`${crossOriginTarget}?key=${key}#:~:text=test`, '_blank');
      }
    });

    fetchResults(key, resolve, reject);
  }).then(data => {
    assert_equals(data.href.indexOf(':~:'), -1, 'Expected fragment directive to be stripped from the URL.');

    if (noopener) {
      assert_equals(data.scrollPosition, 'text', 'Expected window.open() with noopener to scroll to text.');
    } else {
      assert_equals(data.scrollPosition, 'top', 'Expected window.open() with opener to not activate text fragment directive.');
    }
  }), `Test that a text fragment directive is not activated when there is a window opener (noopener=${noopener}).`);
}

// Test security restriction for no activation in an iframe
promise_test(t => new Promise((resolve, reject) => {
  let key = token();

  let frame = document.createElement('iframe');
  document.body.appendChild(frame);

  test_driver.bless('Navigate the iframe with a text fragment directive', () => {
    frame.src = `${crossOriginTarget}?key=${key}#:~:text=test`;
  });

  fetchResults(key, resolve, reject);
}).then(data => {
  assert_equals(data.href.indexOf(':~:'), -1, 'Expected fragment directive to be stripped from the URL.');
  assert_equals(data.scrollPosition, 'top', 'Expected iframe navigation to not activate text fragment directive.');
}), 'Test that a text fragment directive is not activated within an iframe.');
</script>