From b2d40709688318653b8d29da2fd9091a6e682cef Mon Sep 17 00:00:00 2001
From: Domenic Denicola <d@domenic.me>
Date: Wed, 23 Jun 2021 18:56:29 -0400
Subject: [PATCH 1/3] Test the javascript: URL security check

---
 ...script-url-security-check-failure.sub.html | 56 ++++++++++++++++
 ...-url-security-check-multi-globals.sub.html | 66 +++++++++++++++++++
 .../multi-globals-subframe-1.sub.html         | 10 +++
 .../multi-globals-subframe-2.sub.html         |  8 +++
 4 files changed, 140 insertions(+)
 create mode 100644 html/browsers/browsing-the-web/navigating-across-documents/javascript-url-security-check-failure.sub.html
 create mode 100644 html/browsers/browsing-the-web/navigating-across-documents/javascript-url-security-check-multi-globals.sub.html
 create mode 100644 html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-1.sub.html
 create mode 100644 html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-2.sub.html

diff --git a/html/browsers/browsing-the-web/navigating-across-documents/javascript-url-security-check-failure.sub.html b/html/browsers/browsing-the-web/navigating-across-documents/javascript-url-security-check-failure.sub.html
new file mode 100644
index 00000000000000..a153ad3e48b2fe
--- /dev/null
+++ b/html/browsers/browsing-the-web/navigating-across-documents/javascript-url-security-check-failure.sub.html
@@ -0,0 +1,56 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>javascript: URL security check</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<body>
+<script>
+"use strict";
+
+const cases = [
+  ["cross-origin", "http://{{hosts[][www]}}:{{ports[http][0]}}/common/blank.html"],
+  ["cross-origin-domain but same-origin", "/html/browsers/windows/resources/document-domain-setter.html"]
+];
+
+for (const [description, url] of cases) {
+  promise_test(async t => {
+    const iframe = await insertIframe(t, url);
+
+    const unreached = t.unreached_func("message event fired");
+    t.add_cleanup(() => window.removeEventListener("message", unreached));
+    window.addEventListener("message", unreached);
+
+    iframe.src = `javascript:parent.postMessage("boo", "*")`;
+
+    // If no message was received after this time, the test passes.
+    await new Promise(r => t.step_timeout(r, 50));
+  }, `${description}, setting src`);
+
+  promise_test(async t => {
+    const iframe = await insertIframe(t, url);
+
+    const unreached = t.unreached_func("message event fired");
+    t.add_cleanup(() => window.removeEventListener("message", unreached));
+    window.addEventListener("message", unreached);
+
+    iframe.contentWindow.location.href = `javascript:parent.postMessage("boo", "*")`;
+
+    // If no message was received after this time, the test passes.
+    await new Promise(r => t.step_timeout(r, 50));
+  }, `${description}, setting location.href`);
+}
+
+function insertIframe(t, url) {
+  return new Promise((resolve, reject) => {
+    const iframe = document.createElement("iframe");
+    iframe.src = url;
+    iframe.onload = () => resolve(iframe);
+    iframe.onerror = () => reject(new Error("Failed to load the outer iframe"));
+
+    t.add_cleanup(() => iframe.remove());
+
+    document.body.append(iframe);
+  });
+}
+</script>
diff --git a/html/browsers/browsing-the-web/navigating-across-documents/javascript-url-security-check-multi-globals.sub.html b/html/browsers/browsing-the-web/navigating-across-documents/javascript-url-security-check-multi-globals.sub.html
new file mode 100644
index 00000000000000..c839c55ba0cf3e
--- /dev/null
+++ b/html/browsers/browsing-the-web/navigating-across-documents/javascript-url-security-check-multi-globals.sub.html
@@ -0,0 +1,66 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Multi-globals: which one is the initiator for the javascript: URL security check?</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<body>
+<script>
+"use strict";
+document.domain = "{{hosts[][]}}";
+
+// These tests would fail if a different pair of origins were compared (see, e.g., the discussion in
+// https://github.com/whatwg/html/issues/6514).
+
+promise_test(async t => {
+  const iframe = await insertIframe(t);
+  const innerIframe =  iframe.contentDocument.querySelector("iframe");
+
+  // - incumbentNavigationOrigin = this page's origin, https://{{hosts[][]}}:{{ports[https][0]}}
+  // - iframe's current origin is this origin, https://{{hosts[][]}}:{{ports[https][0]}}.
+  // javascript:'s security check uses incumbentNavigationOrigin vs. the iframe's current origin
+  // so the check will pass and the result will get written.
+ innerIframe.src = "javascript:'test'";
+
+  await waitForLoad(innerIframe, "Failed to load the javascript: URL");
+
+  assert_equals(innerIframe.contentDocument.body.textContent, "test");
+}, "Using iframeEl.src");
+
+promise_test(async t => {
+  const iframe = await insertIframe(t);
+  const innerIframe =  iframe.contentDocument.querySelector("iframe");
+
+  // Here, https://html.spec.whatwg.org/#location-object-navigate sets the source browsing context to the
+  // incumbent settings object's browsing context. So incumbentNavigationOrigin = this page's origin,
+  // https://{{hosts[][]}}:{{ports[https][0]}}.
+  //
+  // So again, the check will pass.
+
+  iframe.contentWindow.frames[0].location.href = "javascript:'test'";
+
+  await waitForLoad(innerIframe, "Failed to load the javascript: URL");
+
+  assert_equals(innerIframe.contentDocument.body.textContent, "test");
+}, "Using location.href");
+
+function insertIframe(t) {
+  return new Promise((resolve, reject) => {
+    const iframe = document.createElement("iframe");
+    iframe.src = "https://{{hosts[][www]}}:{{ports[https][0]}}/html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-1.sub.html";
+    iframe.onload = () => resolve(iframe);
+    iframe.onerror = () => reject(new Error("Failed to load the outer iframe"));
+
+    t.add_cleanup(() => iframe.remove());
+
+    document.body.append(iframe);
+  });
+}
+
+function waitForLoad(iframe, errorMessage = "Failed to load iframe") {
+  return new Promise((resolve, reject) => {
+    iframe.onload = () => resolve(iframe);
+    iframe.onerror = () => reject(new Error(errorMessage));
+  });
+}
+</script>
diff --git a/html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-1.sub.html b/html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-1.sub.html
new file mode 100644
index 00000000000000..5acff8ef802585
--- /dev/null
+++ b/html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-1.sub.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Multi-globals test outer subframe</title>
+
+<script>
+"use strict";
+document.domain = "{{hosts[][]}}";
+</script>
+
+<iframe src="https://{{hosts[][]}}:{{ports[https][0]}}/html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-2.sub.html"></iframe>
diff --git a/html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-2.sub.html b/html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-2.sub.html
new file mode 100644
index 00000000000000..593c428a67566a
--- /dev/null
+++ b/html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-2.sub.html
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Multi-globals test inner subframe</title>
+
+<script>
+"use strict";
+document.domain = "{{hosts[][]}}";
+</script>

From 8d92be575525fc94e2b302c597c6c5ebdd2fcd40 Mon Sep 17 00:00:00 2001
From: Domenic Denicola <d@domenic.me>
Date: Wed, 23 Jun 2021 19:04:58 -0400
Subject: [PATCH 2/3] http not https

---
 .../javascript-url-security-check-multi-globals.sub.html  | 8 ++++----
 .../resources/multi-globals-subframe-1.sub.html           | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/html/browsers/browsing-the-web/navigating-across-documents/javascript-url-security-check-multi-globals.sub.html b/html/browsers/browsing-the-web/navigating-across-documents/javascript-url-security-check-multi-globals.sub.html
index c839c55ba0cf3e..4b9d3b7afa1bea 100644
--- a/html/browsers/browsing-the-web/navigating-across-documents/javascript-url-security-check-multi-globals.sub.html
+++ b/html/browsers/browsing-the-web/navigating-across-documents/javascript-url-security-check-multi-globals.sub.html
@@ -16,8 +16,8 @@
   const iframe = await insertIframe(t);
   const innerIframe =  iframe.contentDocument.querySelector("iframe");
 
-  // - incumbentNavigationOrigin = this page's origin, https://{{hosts[][]}}:{{ports[https][0]}}
-  // - iframe's current origin is this origin, https://{{hosts[][]}}:{{ports[https][0]}}.
+  // - incumbentNavigationOrigin = this page's origin, http://{{hosts[][]}}:{{ports[http][0]}}
+  // - iframe's current origin is this origin, http://{{hosts[][]}}:{{ports[http][0]}}.
   // javascript:'s security check uses incumbentNavigationOrigin vs. the iframe's current origin
   // so the check will pass and the result will get written.
  innerIframe.src = "javascript:'test'";
@@ -33,7 +33,7 @@
 
   // Here, https://html.spec.whatwg.org/#location-object-navigate sets the source browsing context to the
   // incumbent settings object's browsing context. So incumbentNavigationOrigin = this page's origin,
-  // https://{{hosts[][]}}:{{ports[https][0]}}.
+  // http://{{hosts[][]}}:{{ports[http][0]}}.
   //
   // So again, the check will pass.
 
@@ -47,7 +47,7 @@
 function insertIframe(t) {
   return new Promise((resolve, reject) => {
     const iframe = document.createElement("iframe");
-    iframe.src = "https://{{hosts[][www]}}:{{ports[https][0]}}/html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-1.sub.html";
+    iframe.src = "http://{{hosts[][www]}}:{{ports[http][0]}}/html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-1.sub.html";
     iframe.onload = () => resolve(iframe);
     iframe.onerror = () => reject(new Error("Failed to load the outer iframe"));
 
diff --git a/html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-1.sub.html b/html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-1.sub.html
index 5acff8ef802585..a87b2fd2be9880 100644
--- a/html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-1.sub.html
+++ b/html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-1.sub.html
@@ -7,4 +7,4 @@
 document.domain = "{{hosts[][]}}";
 </script>
 
-<iframe src="https://{{hosts[][]}}:{{ports[https][0]}}/html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-2.sub.html"></iframe>
+<iframe src="http://{{hosts[][]}}:{{ports[http][0]}}/html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-2.sub.html"></iframe>

From 1365ba5b8c86f9b90eda2dd8c58aa70e2073657d Mon Sep 17 00:00:00 2001
From: Domenic Denicola <d@domenic.me>
Date: Fri, 25 Jun 2021 12:04:55 -0400
Subject: [PATCH 3/3] Add simple same-origin domain test

---
 ...security-check-same-origin-domain.sub.html | 26 +++++++++++++++++++
 .../document-domain-set-to-site.sub.html      |  7 +++++
 2 files changed, 33 insertions(+)
 create mode 100644 html/browsers/browsing-the-web/navigating-across-documents/javascript-url-security-check-same-origin-domain.sub.html
 create mode 100644 html/browsers/browsing-the-web/navigating-across-documents/resources/document-domain-set-to-site.sub.html

diff --git a/html/browsers/browsing-the-web/navigating-across-documents/javascript-url-security-check-same-origin-domain.sub.html b/html/browsers/browsing-the-web/navigating-across-documents/javascript-url-security-check-same-origin-domain.sub.html
new file mode 100644
index 00000000000000..a14a13cfd60bdd
--- /dev/null
+++ b/html/browsers/browsing-the-web/navigating-across-documents/javascript-url-security-check-same-origin-domain.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>javascript: URL security check for same-origin-domain but not same-origin</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<iframe src="http://{{hosts[][www]}}:{{ports[http][0]}}/html/browsers/browsing-the-web/navigating-across-documents/resources/document-domain-set-to-site.sub.html"></iframe>
+<script>
+"use strict";
+document.domain = "{{host}}";
+
+setup({ explicit_done: true });
+
+window.onload = () => {
+  async_test(t => {
+    assert_equals(frames[0].document.body.textContent, "", "before");
+
+    window.onmessage = t.step_func_done(() => {
+      assert_equals(frames[0].document.body.textContent, "new", "after");
+    });
+
+    frames[0].location.href = "javascript:parent.postMessage('done', '*'); 'new';";
+  });
+  done();
+};
+</script>
diff --git a/html/browsers/browsing-the-web/navigating-across-documents/resources/document-domain-set-to-site.sub.html b/html/browsers/browsing-the-web/navigating-across-documents/resources/document-domain-set-to-site.sub.html
new file mode 100644
index 00000000000000..3c4355c452946d
--- /dev/null
+++ b/html/browsers/browsing-the-web/navigating-across-documents/resources/document-domain-set-to-site.sub.html
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+
+<script>
+"use strict";
+document.domain = "{{host}}";
+</script>