test_iframe_sandbox_navigation.html (11239B)
1 <!DOCTYPE HTML> 2 <html> 3 <!-- 4 https://bugzilla.mozilla.org/show_bug.cgi?id=341604 5 Implement HTML5 sandbox attribute for IFRAMEs 6 --> 7 <head> 8 <meta charset="utf-8"> 9 <title>Test for Bug 341604 - navigation</title> 10 <script src="/tests/SimpleTest/SimpleTest.js"></script> 11 <script src="/tests/SimpleTest/EventUtils.js"></script> 12 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/> 13 </head> 14 <script type="application/javascript"> 15 /** Test for Bug 341604 - Implement HTML5 sandbox attribute for IFRAMEs */ 16 /** Navigation tests Part 1*/ 17 18 SimpleTest.requestLongerTimeout(2); // slow on Android 19 SimpleTest.waitForExplicitFinish(); 20 SimpleTest.requestFlakyTimeout("untriaged"); 21 // a postMessage handler that is used by sandboxed iframes without 22 // 'allow-same-origin'/other windows to communicate pass/fail back to this main page. 23 // it expects to be called with an object like {ok: true/false, desc: 24 // <description of the test> which it then forwards to ok() 25 var bc = SpecialPowers.wrap(BroadcastChannel).unpartitionedTestingChannel("test_iframe_sandbox_navigation"); 26 bc.addEventListener("message", receiveMessage); 27 window.addEventListener("message", receiveMessage); 28 29 var testPassesReceived = 0; 30 31 function receiveMessage(event) { 32 switch (event.data.type) { 33 case "attempted": 34 testAttempted(); 35 break; 36 case "ok": 37 ok_wrapper(event.data.ok, event.data.desc, event.data.addToAttempted); 38 break; 39 case "if_10": 40 doIf10TestPart2(); 41 break; 42 default: 43 // allow for old style message 44 if (event.data.ok != undefined) { 45 ok_wrapper(event.data.ok, event.data.desc, event.data.addToAttempted); 46 } 47 } 48 } 49 50 // Open windows for tests to attempt to navigate later. 51 var windowsToClose = new Array(); 52 53 var attemptedTests = 0; 54 var passedTests = 0; 55 var totalTestsToPass = 7; 56 var totalTestsToAttempt = 13; 57 58 function ok_wrapper(result, desc, addToAttempted = true) { 59 ok(result, desc); 60 61 if (result) { 62 passedTests++; 63 } 64 65 if (addToAttempted) { 66 testAttempted(); 67 } 68 } 69 70 // Added so that tests that don't register unless they fail, 71 // can at least notify that they've attempted to run. 72 function testAttempted() { 73 attemptedTests++; 74 if (attemptedTests == totalTestsToAttempt) { 75 // Make sure all tests have had a chance to complete. 76 setTimeout(function() {finish();}, 1000); 77 } 78 } 79 80 var finishCalled = false; 81 82 function finish() { 83 if (!finishCalled) { 84 finishCalled = true; 85 is(passedTests, totalTestsToPass, "There are " + totalTestsToPass + " navigation tests that should pass"); 86 87 closeWindows(); 88 89 bc.close(); 90 91 SimpleTest.finish(); 92 } 93 } 94 95 function checkTestsFinished() { 96 // If our own finish() has not been called, probably failed due to a timeout, so close remaining windows. 97 if (!finishCalled) { 98 closeWindows(); 99 } 100 } 101 102 function closeWindows() { 103 for (var i = 0; i < windowsToClose.length; i++) { 104 windowsToClose[i].close(); 105 } 106 } 107 108 function doTest() { 109 // passes if good 110 // 1) A sandboxed iframe is allowed to navigate itself 111 // (done by file_iframe_sandbox_d_if1.html which has 'allow-scripts' and navigates to 112 // file_iframe_sandbox_navigation_pass.html). 113 114 // passes if good 115 // 2) A sandboxed iframe is allowed to navigate its children, even if they are sandboxed 116 // (done by file_iframe_sandbox_d_if2.html which has 'allow-scripts', it navigates a child 117 // iframe containing file_iframe_sandbox_navigation_start.html to file_iframe_sandbox_navigation_pass.html). 118 119 // fails if bad 120 // 3) A sandboxed iframe is not allowed to navigate its ancestor 121 // (done by file_iframe_sandbox_d_if4.html contained within file_iframe_sandbox_d_if3.html, 122 // it attempts to navigate file_iframe_sandbox_d_if3.html to file_iframe_sandbox_navigation_fail.html). 123 124 // fails if bad 125 // 4) A sandboxed iframe is not allowed to navigate its sibling 126 // (done by file_iframe_sandbox_d_if5.html which has 'allow scripts allow-same-origin' 127 // and attempts to navigate file_iframe_navigation_start.html contained in if_sibling on this 128 // page to file_iframe_sandbox_navigation_fail.html). 129 130 // passes if good, fails if bad 131 // 5) When a link is clicked in a sandboxed iframe, the document navigated to is sandboxed 132 // the same as the original document and is not same origin with parent document 133 // (done by file_iframe_sandbox_d_if6.html which simulates a link click and navigates 134 // to file_iframe_sandbox_d_if7.html which attempts to call back into its parent). 135 136 // fails if bad 137 // 6) An iframe (if_8) has sandbox="allow-same-origin allow-scripts", the sandboxed document 138 // (file_iframe_sandbox_d_if_8.html) that it contains accesses its parent (this file) and removes 139 // 'allow-same-origin' and then triggers a reload. 140 // The document should not be able to access its parent (this file). 141 142 // fails if bad 143 // 7) An iframe (if_9) has sandbox="allow-same-origin allow-scripts", the sandboxed document 144 // (file_iframe_sandbox_d_if_9.html) that it contains accesses its parent (this file) and removes 145 // 'allow-scripts' and then triggers a reload. 146 // The document should not be able to run a script and access its parent (this file). 147 148 // passes if good 149 // 8) a document in an iframe with sandbox='allow-scripts' should have a different null 150 // principal in its original document than a document to which it navigates itself 151 // file_iframe_sandbox_d_if_10.html does this, co-ordinating with this page via postMessage 152 153 // passes if good 154 // 9) a document (file_iframe_sandbox_d_if11.html in an iframe (if_11) with sandbox='allow-scripts' 155 // is navigated to file_iframe_sandbox_d_if12.html - when that document loads 156 // a message is sent back to this document, which adds 'allow-same-origin' to if_11 and then 157 // calls .back on it - file_iframe_sandbox_if12.html should be able to call back into this 158 // document - this is all contained in file_iframe_sandbox_d_if13.html which is opened in another 159 // tab so it has its own isolated session history 160 window.open("file_iframe_sandbox_d_if13.html"); 161 162 // open up the top navigation tests 163 164 // fails if bad 165 // 10) iframe with sandbox='allow-scripts' can NOT navigate top 166 // file_iframe_sandbox_e_if1.html contains file_iframe_sandbox_e_if6.html which 167 // attempts to navigate top 168 windowsToClose.push(window.open("file_iframe_sandbox_e_if1.html")); 169 170 // fails if bad 171 // 11) iframe with sandbox='allow-scripts' nested inside iframe with 172 // 'allow-top-navigation allow-scripts' can NOT navigate top 173 // file_iframe_sandbox_e_if2.html contains file_iframe_sandbox_e_if1.html which 174 // contains file_iframe_sandbox_e_if6.html which attempts to navigate top 175 windowsToClose.push(window.open("file_iframe_sandbox_e_if2.html")); 176 177 // passes if good 178 // 12) iframe with sandbox='allow-top-navigation allow-scripts' can navigate top 179 // file_iframe_sandbox_e_if3.html contains file_iframe_sandbox_e_if5.html which navigates top 180 window.open("file_iframe_sandbox_e_if3.html"); 181 182 // passes if good 183 // 13) iframe with sandbox='allow-top-navigation allow-scripts' nested inside an iframe with 184 // 'allow-top-navigation allow-scripts' can navigate top 185 // file_iframe_sandbox_e_if4.html contains file_iframe_sandbox_e_if3.html which contains 186 // file_iframe_sandbox_e_if5.html which navigates top 187 window.open("file_iframe_sandbox_e_if4.html"); 188 } 189 190 addLoadEvent(doTest); 191 192 window.modified_if_8 = false; 193 194 function reload_if_8() { 195 var if_8 = document.getElementById('if_8'); 196 if_8.src = 'file_iframe_sandbox_d_if8.html'; 197 } 198 199 function modify_if_8() { 200 // If this is the second time this has been called 201 // that's a failed test (allow-same-origin was removed 202 // the first time). 203 if (window.modified_if_8) { 204 ok_wrapper(false, "a sandboxed iframe from which 'allow-same-origin' was removed should not be able to access its parent"); 205 206 // need to return here since we end up in an infinite loop otherwise 207 return; 208 } 209 210 var if_8 = document.getElementById('if_8'); 211 window.modified_if_8 = true; 212 213 if_8.sandbox = 'allow-scripts'; 214 testAttempted(); 215 sendMouseEvent({type:'click'}, 'a_button'); 216 } 217 218 window.modified_if_9 = false; 219 220 function reload_if_9() { 221 var if_9 = document.getElementById('if_9'); 222 if_9.src = 'file_iframe_sandbox_d_if9.html'; 223 } 224 225 function modify_if_9() { 226 // If this is the second time this has been called 227 // that's a failed test (allow-scripts was removed 228 // the first time). 229 if (window.modified_if_9) { 230 ok_wrapper(false, "an sandboxed iframe from which 'allow-scripts' should be removed should not be able to access its parent via a script", false); 231 232 // need to return here since we end up in an infinite loop otherwise 233 return; 234 } 235 236 var if_9 = document.getElementById('if_9'); 237 window.modified_if_9 = true; 238 239 if_9.sandbox = 'allow-same-origin'; 240 241 testAttempted(); 242 sendMouseEvent({type:'click'}, 'a_button2'); 243 } 244 245 var firstPrincipal = ""; 246 var secondPrincipal; 247 248 function doIf10TestPart1() { 249 if (firstPrincipal != "") 250 return; 251 252 // use SpecialPowers to get the principal of if_10. 253 // NB: We stringify here and below because special-powers wrapping doesn't 254 // preserve identity. 255 var if_10 = document.getElementById('if_10'); 256 firstPrincipal = SpecialPowers.wrap(if_10).contentDocument.nodePrincipal.origin; 257 if_10.src = 'file_iframe_sandbox_d_if10.html'; 258 } 259 260 function doIf10TestPart2() { 261 var if_10 = document.getElementById('if_10'); 262 // use SpecialPowers to get the principal of if_10 263 secondPrincipal = SpecialPowers.wrap(if_10).contentDocument.nodePrincipal.origin; 264 ok_wrapper(firstPrincipal != secondPrincipal, "documents should NOT have the same principal if they are sandboxed without" + 265 " allow-same-origin and the first document is navigated to the second"); 266 } 267 </script> 268 <body onunload="checkTestsFinished()"> 269 <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=341604">Mozilla Bug 341604</a> - Implement HTML5 sandbox attribute for IFRAMEs 270 <p id="display"></p> 271 <div id="content"> 272 <iframe sandbox="allow-scripts" id="if_1" src="file_iframe_sandbox_d_if1.html" height="10" width="10"></iframe> 273 <iframe sandbox="allow-scripts" id="if_2" src="file_iframe_sandbox_d_if2.html" height="10" width="10"></iframe> 274 <iframe sandbox="allow-scripts" id="if_3" src="file_iframe_sandbox_d_if3.html" height="10" width="10"></iframe> 275 <iframe id="if_sibling" name="if_sibling" src="about:blank" height="10" width="10"></iframe> 276 <iframe sandbox="allow-scripts allow-same-origin" id="if_5" src="file_iframe_sandbox_d_if5.html" height="10" width="10"></iframe> 277 <iframe sandbox="allow-scripts" id="if_6" src="file_iframe_sandbox_d_if6.html" height="10" width="10"></iframe> 278 <iframe sandbox="allow-same-origin allow-scripts" id="if_8" src="file_iframe_sandbox_d_if8.html" height="10" width="10"></iframe> 279 <iframe sandbox="allow-same-origin allow-scripts" id="if_9" src="file_iframe_sandbox_d_if9.html" height="10" width="10"></iframe> 280 <iframe sandbox="allow-scripts" id="if_10" src="file_iframe_sandbox_navigation_start.html" onload='doIf10TestPart1()' height="10" width="10"></iframe> 281 </div> 282 <input type='button' id="a_button" onclick='reload_if_8()'> 283 <input type='button' id="a_button2" onclick='reload_if_9()'> 284 </body> 285 </html>