Bug 1717950 [wpt PR 29468] - Test the javascript: URL security check,…

… a=testonly Automatic update from web-platform-tests Test the javascript: URL security check Follows whatwg/html#6801. -- wpt-commits: da61c71b9417336421d5b0f8b8973a7225d5815b wpt-pr: 29468
jamienicol · Jun 26, 2021 · 9eb1242 · 9eb1242
1 parent a2c7a09
commit 9eb1242
Show file tree

Hide file tree

Showing 6 changed files with 173 additions and 0 deletions.
diff --git a/...owsing-the-web/navigating-across-documents/javascript-url-security-check-failure.sub.html b/...owsing-the-web/navigating-across-documents/javascript-url-security-check-failure.sub.html
@@ -0,0 +1,56 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>javascript: URL security check</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<body>
+<script>
+"use strict";
+
+const cases = [
+  ["cross-origin", "http://{{hosts[][www]}}:{{ports[http][0]}}/common/blank.html"],
+  ["cross-origin-domain but same-origin", "/html/browsers/windows/resources/document-domain-setter.html"]
+];
+
+for (const [description, url] of cases) {
+  promise_test(async t => {
+    const iframe = await insertIframe(t, url);
+
+    const unreached = t.unreached_func("message event fired");
+    t.add_cleanup(() => window.removeEventListener("message", unreached));
+    window.addEventListener("message", unreached);
+
+    iframe.src = `javascript:parent.postMessage("boo", "*")`;
+
+    // If no message was received after this time, the test passes.
+    await new Promise(r => t.step_timeout(r, 50));
+  }, `${description}, setting src`);
+
+  promise_test(async t => {
+    const iframe = await insertIframe(t, url);
+
+    const unreached = t.unreached_func("message event fired");
+    t.add_cleanup(() => window.removeEventListener("message", unreached));
+    window.addEventListener("message", unreached);
+
+    iframe.contentWindow.location.href = `javascript:parent.postMessage("boo", "*")`;
+
+    // If no message was received after this time, the test passes.
+    await new Promise(r => t.step_timeout(r, 50));
+  }, `${description}, setting location.href`);
+}
+
+function insertIframe(t, url) {
+  return new Promise((resolve, reject) => {
+    const iframe = document.createElement("iframe");
+    iframe.src = url;
+    iframe.onload = () => resolve(iframe);
+    iframe.onerror = () => reject(new Error("Failed to load the outer iframe"));
+
+    t.add_cleanup(() => iframe.remove());
+
+    document.body.append(iframe);
+  });
+}
+</script>
diff --git a/...-the-web/navigating-across-documents/javascript-url-security-check-multi-globals.sub.html b/...-the-web/navigating-across-documents/javascript-url-security-check-multi-globals.sub.html
@@ -0,0 +1,66 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Multi-globals: which one is the initiator for the javascript: URL security check?</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<body>
+<script>
+"use strict";
+document.domain = "{{hosts[][]}}";
+
+// These tests would fail if a different pair of origins were compared (see, e.g., the discussion in
+// https://github.com/whatwg/html/issues/6514).
+
+promise_test(async t => {
+  const iframe = await insertIframe(t);
+  const innerIframe =  iframe.contentDocument.querySelector("iframe");
+
+  // - incumbentNavigationOrigin = this page's origin, http://{{hosts[][]}}:{{ports[http][0]}}
+  // - iframe's current origin is this origin, http://{{hosts[][]}}:{{ports[http][0]}}.
+  // javascript:'s security check uses incumbentNavigationOrigin vs. the iframe's current origin
+  // so the check will pass and the result will get written.
+ innerIframe.src = "javascript:'test'";
+
+  await waitForLoad(innerIframe, "Failed to load the javascript: URL");
+
+  assert_equals(innerIframe.contentDocument.body.textContent, "test");
+}, "Using iframeEl.src");
+
+promise_test(async t => {
+  const iframe = await insertIframe(t);
+  const innerIframe =  iframe.contentDocument.querySelector("iframe");
+
+  // Here, https://html.spec.whatwg.org/#location-object-navigate sets the source browsing context to the
+  // incumbent settings object's browsing context. So incumbentNavigationOrigin = this page's origin,
+  // http://{{hosts[][]}}:{{ports[http][0]}}.
+  //
+  // So again, the check will pass.
+
+  iframe.contentWindow.frames[0].location.href = "javascript:'test'";
+
+  await waitForLoad(innerIframe, "Failed to load the javascript: URL");
+
+  assert_equals(innerIframe.contentDocument.body.textContent, "test");
+}, "Using location.href");
+
+function insertIframe(t) {
+  return new Promise((resolve, reject) => {
+    const iframe = document.createElement("iframe");
+    iframe.src = "http://{{hosts[][www]}}:{{ports[http][0]}}/html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-1.sub.html";
+    iframe.onload = () => resolve(iframe);
+    iframe.onerror = () => reject(new Error("Failed to load the outer iframe"));
+
+    t.add_cleanup(() => iframe.remove());
+
+    document.body.append(iframe);
+  });
+}
+
+function waitForLoad(iframe, errorMessage = "Failed to load iframe") {
+  return new Promise((resolve, reject) => {
+    iframe.onload = () => resolve(iframe);
+    iframe.onerror = () => reject(new Error(errorMessage));
+  });
+}
+</script>
diff --git a/...web/navigating-across-documents/javascript-url-security-check-same-origin-domain.sub.html b/...web/navigating-across-documents/javascript-url-security-check-same-origin-domain.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>javascript: URL security check for same-origin-domain but not same-origin</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<iframe src="http://{{hosts[][www]}}:{{ports[http][0]}}/html/browsers/browsing-the-web/navigating-across-documents/resources/document-domain-set-to-site.sub.html"></iframe>
+<script>
+"use strict";
+document.domain = "{{host}}";
+
+setup({ explicit_done: true });
+
+window.onload = () => {
+  async_test(t => {
+    assert_equals(frames[0].document.body.textContent, "", "before");
+
+    window.onmessage = t.step_func_done(() => {
+      assert_equals(frames[0].document.body.textContent, "new", "after");
+    });
+
+    frames[0].location.href = "javascript:parent.postMessage('done', '*'); 'new';";
+  });
+  done();
+};
+</script>
diff --git a/...owsing-the-web/navigating-across-documents/resources/document-domain-set-to-site.sub.html b/...owsing-the-web/navigating-across-documents/resources/document-domain-set-to-site.sub.html
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+
+<script>
+"use strict";
+document.domain = "{{host}}";
+</script>
diff --git a/.../browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-1.sub.html b/.../browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-1.sub.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Multi-globals test outer subframe</title>
+
+<script>
+"use strict";
+document.domain = "{{hosts[][]}}";
+</script>
+
+<iframe src="http://{{hosts[][]}}:{{ports[http][0]}}/html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-2.sub.html"></iframe>
diff --git a/.../browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-2.sub.html b/.../browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-2.sub.html
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Multi-globals test inner subframe</title>
+
+<script>
+"use strict";
+document.domain = "{{hosts[][]}}";
+</script>