1 files changed, 38 insertions, 0 deletions

diff --git a/testing/web-platform/tests/navigation-api/navigation-methods/sandboxing-back-parent.html b/testing/web-platform/tests/navigation-api/navigation-methods/sandboxing-back-parent.html
new file mode 100644
index 0000000000..6eee3f917c
--- /dev/null
+++ b/testing/web-platform/tests/navigation-api/navigation-methods/sandboxing-back-parent.html
@@ -0,0 +1,38 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="return-value/resources/helpers.js"></script>
+<iframe id="i" src="/common/blank.html?startI" sandbox="allow-scripts allow-same-origin"></iframe>
+
+<script>
+// Intended setup:
+// Step 0:
+// - Parent: (current URL)
+// - i:     /common/blank.html?startI
+// Step 1:
+// - Parent: (current URL)
+// - i:     resources/navigation-back.html
+// Step 2:
+// - Parent: (current URL)#end
+// - i:     resources/navigation-back.html
+//
+// Then, calling navigation.back() in i will take is from step 2 to step 0, which would navigate the parent.
+// That is not allowed, so the call to back() must reject.
+
+promise_test(async t => {
+  await new Promise(resolve => window.onload = resolve);
+
+  i.contentWindow.location.href = new URL("resources/navigation-back.html", location.href);
+  await new Promise(resolve => i.onload = resolve);
+
+  location.hash = "#end";
+  await new Promise(resolve => window.onhashchange = resolve);
+
+  navigation.onnavigate = t.unreached_func("navigate must not fire");
+  navigation.onnavigateerror = t.unreached_func("navigateerror must not fire");
+  window.onpopstate = t.unreached_func("popstate must not fire");
+  window.onhashchange = t.unreached_func("hashchange must not fire");
+
+  await assertBothRejectDOM(t, i.contentWindow.doNavigationBack(), "SecurityError", i.contentWindow);
+}, "A sandboxed iframe cannot navigate its parent via its own navigation object by using back()");
+</script>