Test the javascript: URL security check #29468

Merged
merged 3 commits into from
Jun 25, 2021
@@ -0,0 +1,56 @@
<!DOCTYPE html>
<meta charset="utf-8">
<title>javascript: URL security check</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>

<body>
<script>
"use strict";

const cases = [
["cross-origin", "http://{{hosts[][www]}}:{{ports[http][0]}}/common/blank.html"],
["cross-origin-domain but same-origin", "/html/browsers/windows/resources/document-domain-setter.html"]
];

for (const [description, url] of cases) {
promise_test(async t => {
const iframe = await insertIframe(t, url);

const unreached = t.unreached_func("message event fired");
t.add_cleanup(() => window.removeEventListener("message", unreached));
window.addEventListener("message", unreached);

iframe.src = `javascript:parent.postMessage("boo", "*")`;

// If no message was received after this time, the test passes.
await new Promise(r => t.step_timeout(r, 50));
}, `${description}, setting src`);

promise_test(async t => {
const iframe = await insertIframe(t, url);

const unreached = t.unreached_func("message event fired");
t.add_cleanup(() => window.removeEventListener("message", unreached));
window.addEventListener("message", unreached);

iframe.contentWindow.location.href = `javascript:parent.postMessage("boo", "*")`;

// If no message was received after this time, the test passes.
await new Promise(r => t.step_timeout(r, 50));
}, `${description}, setting location.href`);
}

function insertIframe(t, url) {
return new Promise((resolve, reject) => {
const iframe = document.createElement("iframe");
iframe.src = url;
iframe.onload = () => resolve(iframe);
iframe.onerror = () => reject(new Error("Failed to load the outer iframe"));

t.add_cleanup(() => iframe.remove());

document.body.append(iframe);
});
}
</script>
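Review bot: Both tests in the loop pass on the absence of a `message` event during `await new Promise(r => t.step_timeout(r, 50));`, so an implementation that wrongly runs the `javascript:` URL but delivers the message after that wait would still be reported as passing. Because cleanup then removes the listener and the iframe, a late message is either dropped or reaches the next test's `unreached` handler and is attributed to the wrong case. I would state the limitation where the wait happens, for example `// Negative check: a message arriving after this wait is not detected, so a pass is only as strong as the timeout.`, in both the `src` and the `location.href` variant. Separately, `iframe.onerror` in `insertIframe` probably does not fire for a failed frame load, so a load failure would likely surface as a harness timeout rather than as the rejection message.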
@@ -0,0 +1,66 @@
<!DOCTYPE html>
<meta charset="utf-8">
<title>Multi-globals: which one is the initiator for the javascript: URL security check?</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>

<body>
<script>
"use strict";
document.domain = "{{hosts[][]}}";

// These tests would fail if a different pair of origins were compared (see, e.g., the discussion in
// https://github.com/whatwg/html/issues/6514).

promise_test(async t => {
const iframe = await insertIframe(t);
const innerIframe = iframe.contentDocument.querySelector("iframe");

// - incumbentNavigationOrigin = this page's origin, http://{{hosts[][]}}:{{ports[http][0]}}
// - iframe's current origin is this origin, http://{{hosts[][]}}:{{ports[http][0]}}.
// javascript:'s security check uses incumbentNavigationOrigin vs. the iframe's current origin
// so the check will pass and the result will get written.
innerIframe.src = "javascript:'test'";

await waitForLoad(innerIframe, "Failed to load the javascript: URL");

assert_equals(innerIframe.contentDocument.body.textContent, "test");
}, "Using iframeEl.src");

promise_test(async t => {
const iframe = await insertIframe(t);
const innerIframe = iframe.contentDocument.querySelector("iframe");

// Here, https://html.spec.whatwg.org/#location-object-navigate sets the source browsing context to the
// incumbent settings object's browsing context. So incumbentNavigationOrigin = this page's origin,
// http://{{hosts[][]}}:{{ports[http][0]}}.
//
// So again, the check will pass.

iframe.contentWindow.frames[0].location.href = "javascript:'test'";

await waitForLoad(innerIframe, "Failed to load the javascript: URL");

assert_equals(innerIframe.contentDocument.body.textContent, "test");
}, "Using location.href");

function insertIframe(t) {
return new Promise((resolve, reject) => {
const iframe = document.createElement("iframe");
iframe.src = "http://{{hosts[][www]}}:{{ports[http][0]}}/html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-1.sub.html";
iframe.onload = () => resolve(iframe);
iframe.onerror = () => reject(new Error("Failed to load the outer iframe"));

t.add_cleanup(() => iframe.remove());

document.body.append(iframe);
});
}

function waitForLoad(iframe, errorMessage = "Failed to load iframe") {
return new Promise((resolve, reject) => {
iframe.onload = () => resolve(iframe);
iframe.onerror = () => reject(new Error(errorMessage));
});
}
</script>
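Review bot: In both tests `waitForLoad(innerIframe, …)` attaches `onload` only after the `javascript:` navigation has been started, so the test depends on the load event never firing before the handler is in place. Creating the promise first removes that ordering assumption: `const loaded = waitForLoad(innerIframe, "Failed to load the javascript: URL");`, then the `innerIframe.src = "javascript:'test'";` assignment, then `await loaded;`, and the same around the `location.href` assignment in the second test. If the security check blocks the navigation, neither handler is likely to run, so the failure would show up as a harness timeout rather than the `errorMessage` text. A short comment on `waitForLoad` saying so would help whoever triages it.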
@@ -0,0 +1,26 @@
<!DOCTYPE html>
<meta charset="utf-8">
<title>javascript: URL security check for same-origin-domain but not same-origin</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>

<iframe src="http://{{hosts[][www]}}:{{ports[http][0]}}/html/browsers/browsing-the-web/navigating-across-documents/resources/document-domain-set-to-site.sub.html"></iframe>
<script>
"use strict";
document.domain = "{{host}}";

setup({ explicit_done: true });

window.onload = () => {
async_test(t => {
assert_equals(frames[0].document.body.textContent, "", "before");

window.onmessage = t.step_func_done(() => {
assert_equals(frames[0].document.body.textContent, "new", "after");
});

frames[0].location.href = "javascript:parent.postMessage('done', '*'); 'new';";
});
done();
};
</script>
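Review bot: The `window.onmessage` handler completes the test on any `message` event without looking at what was sent, so the "after" assertion is not tied to the message posted by the `javascript:` URL. Taking the event and checking it first would pin that down: `window.onmessage = t.step_func_done(e => { assert_equals(e.data, 'done', 'message data'); … });`. The "after" check also appears to rely on the result string `'new'` having replaced the document by the time the message task runs. If that ordering is intended, a one-line comment stating it would make a future failure easier to read.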
@@ -0,0 +1,7 @@
<!DOCTYPE html>
<meta charset="utf-8">

<script>
"use strict";
document.domain = "{{host}}";
</script>
@@ -0,0 +1,10 @@
<!DOCTYPE html>
<meta charset="utf-8">
<title>Multi-globals test outer subframe</title>

<script>
"use strict";
document.domain = "{{hosts[][]}}";
</script>

<iframe src="http://{{hosts[][]}}:{{ports[http][0]}}/html/browsers/browsing-the-web/navigating-across-documents/resources/multi-globals-subframe-2.sub.html"></iframe>
@@ -0,0 +1,8 @@
<!DOCTYPE html>
<meta charset="utf-8">
<title>Multi-globals test inner subframe</title>

<script>
"use strict";
document.domain = "{{hosts[][]}}";
</script>