Diffstat (limited to 'dom/html/test/file_iframe_sandbox_b_if3.html')
-rw-r--r--dom/html/test/file_iframe_sandbox_b_if3.html92
1 files changed, 92 insertions, 0 deletions
diff --git a/dom/html/test/file_iframe_sandbox_b_if3.html b/dom/html/test/file_iframe_sandbox_b_if3.html
new file mode 100644
index 0000000000..350e2ac472
--- /dev/null
+++ b/dom/html/test/file_iframe_sandbox_b_if3.html
@@ -0,0 +1,92 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta charset="utf-8">
+ <title>Test for Bug 341604</title>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<script>
+ function ok(result, message) {
+ window.parent.postMessage({ok: result, desc: message}, "*");
+ }
+
+ function testXHR() {
+ // Standard URL should be blocked as we have a unique origin.
+ var xhr = new XMLHttpRequest();
+ xhr.open("GET", "file_iframe_sandbox_b_if1.html");
+ xhr.onreadystatechange = function (oEvent) {
+ var result = false;
+ if (xhr.readyState == 4) {
+ if (xhr.status == 0) {
+ result = true;
+ }
+ ok(result, "XHR should be blocked in an iframe sandboxed WITHOUT 'allow-same-origin'");
+ }
+ }
+ xhr.send(null);
+
+ // Blob URL should work as it will have our unique origin.
+ var blobXhr = new XMLHttpRequest();
+ var blobUrl = URL.createObjectURL(new Blob(["wibble"], {type: "text/plain"}));
+ blobXhr.open("GET", blobUrl);
+ blobXhr.onreadystatechange = function () {
+ if (this.readyState == 4) {
+ ok(this.status == 200 && this.response == "wibble", "XHR for a blob URL created in this document should NOT be blocked in an iframe sandboxed WITHOUT 'allow-same-origin'");
+ }
+ }
+ try {
+ blobXhr.send();
+ } catch(e) {
+ ok(false, "failed to send XHR for blob URL: error: " + e);
+ }
+
+ // Data URL should work as it inherits the loader's origin.
+ var dataXhr = new XMLHttpRequest();
+ dataXhr.open("GET", "data:text/html,wibble");
+ dataXhr.onreadystatechange = function () {
+ if (this.readyState == 4) {
+ ok(this.status == 200 && this.response == "wibble", "XHR for a data URL should NOT be blocked in an iframe sandboxed WITHOUT 'allow-same-origin'");
+ }
+ }
+ try {
+ dataXhr.send();
+ } catch(e) {
+ ok(false, "failed to send XHR for data URL: error: " + e);
+ }
+ }
+
+ function doStuff() {
+ try {
+ window.parent.ok(false, "documents sandboxed without 'allow-same-origin' should NOT be able to access their parent");
+ } catch (error) {
+ ok(true, "documents sandboxed without 'allow-same-origin' should NOT be able to access their parent");
+ }
+
+ // should NOT be able to access document.cookie
+ try {
+ var foo = document.cookie;
+ } catch(error) {
+ ok(true, "a document sandboxed without allow-same-origin should NOT be able to access document.cookie");
+ }
+
+ // should NOT be able to access localStorage
+ try {
+ var foo = window.localStorage;
+ } catch(error) {
+ ok(true, "a document sandboxed without allow-same-origin should NOT be able to access localStorage");
+ }
+
+ // should NOT be able to access sessionStorage
+ try {
+ var foo = window.sessionStorage;
+ } catch(error) {
+ ok(true, "a document sandboxed without allow-same-origin should NOT be able to access sessionStorage");
+ }
+
+ testXHR();
+ }
+</script>
+<body onLoad="doStuff()">
+ I am sandboxed but with "allow-scripts"
+</body>
+</html>
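Review bot: The three checks in doStuff() for document.cookie, window.localStorage and window.sessionStorage report only from the catch branch, so if a sandbox regression lets the access succeed, the page posts nothing for that check instead of a failure. Whether the missing message is noticed depends on the parent counting expected results, which is not visible in this file, and even then it would surface as a timeout with no description of what broke. Add an explicit failure after each access inside the try, for example `ok(false, "a document sandboxed without allow-same-origin should NOT be able to access document.cookie");` directly after `var foo = document.cookie;`, and the same for the two storage lines. Since ok() only calls postMessage, it will not throw into the catch and flip the result.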