function xfo_simple_tests({ headerValue, headerValue2, cspValue, sameOriginAllowed, crossOriginAllowed }) { simpleXFOTestsInner({ urlPrefix: "", allowed: sameOriginAllowed, headerValue, headerValue2, cspValue, sameOrCross: "same-origin" }); simpleXFOTestsInner({ urlPrefix: "http://{{domains[www]}}:{{ports[http][0]}}", allowed: crossOriginAllowed, headerValue, headerValue2, cspValue, sameOrCross: "cross-origin" }); } function simpleXFOTestsInner({ urlPrefix, allowed, headerValue, headerValue2, cspValue, sameOrCross }) { const value2QueryString = headerValue2 !== undefined ? `&value2=${headerValue2}` : ``; const cspQueryString = cspValue !== undefined ? `&csp_value=${cspValue}` : ``; const valueMessageString = headerValue === "" ? "(the empty string)" : headerValue; const value2MessageString = headerValue2 === "" ? "(the empty string)" : headerValue2; const value2MaybeMessageString = headerValue2 !== undefined ? `;${headerValue2}` : ``; const cspMessageString = cspValue !== undefined ? ` with CSP ${cspValue}` : ``; // This will test the multi-header variant, if headerValue2 is not undefined. xfo_test({ url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue}${value2QueryString}${cspQueryString}`, check: allowed ? "loaded message" : "no message", message: `\`${valueMessageString}${value2MaybeMessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}` }); if (headerValue2 !== undefined && headerValue2 !== headerValue) { // Reversed variant xfo_test({ url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue2}&value2=${headerValue}${cspQueryString}`, check: allowed ? "loaded message" : "no message", message: `\`${value2MessageString};${valueMessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}` }); // Comma variant xfo_test({ url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue},${headerValue2}${cspQueryString}`, check: allowed ? "loaded message" : "no message", message: `\`${valueMessageString},${value2MessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}` }); // Comma + reversed variant xfo_test({ url: `${urlPrefix}/x-frame-options/support/xfo.py?value=${headerValue2},${headerValue}${cspQueryString}`, check: allowed ? "loaded message" : "no message", message: `\`${value2MessageString},${valueMessageString}\` ${allowed ? "allows" : "blocks"} ${sameOrCross} framing${cspMessageString}` }); } } function xfo_test({ url, check, message }) { async_test(t => { const i = document.createElement("iframe"); i.src = url; switch (check) { case "loaded message": { waitForMessageFrom(i, t).then(t.step_func_done(e => { assert_equals(e.data, "Loaded"); })); break; } case "failed message": { waitForMessageFrom(i, t).then(t.step_func_done(e => { assert_equals(e.data, "Failed"); })); break; } case "no message": { waitForMessageFrom(i, t).then(t.unreached_func("Frame should not have sent a message.")); i.onload = t.step_func_done(() => { assert_equals(i.contentDocument, null); }); break; } default: { throw new Error("Bad test"); } } document.body.append(i); t.add_cleanup(() => i.remove()); }, message); } function waitForMessageFrom(frame, test) { return new Promise(resolve => { window.addEventListener("message", test.step_func(e => { if (e.source == frame.contentWindow) { resolve(e); } })); }); }