test_windowOpen.html (3554B)
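<!DOCTYPE HTML>
<html>
<head>
  <meta charset="utf-8">
  <title>Tests for Mixed Content Navigation with window.open</title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>

  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>

<body>

<script class="testbody" type="text/javascript">

// Mixed-content check for iframes created inside a window.open() popup.
// Each test case opens a popup, injects an iframe, points it at one URL and
// reports the result to this page with postMessage:
//   test1 (http://)  - the assertions below expect the load to be blocked;
//   test2 (https://) - the assertions below expect the load to succeed with
//                      this test file as the triggeringPrincipal.
SimpleTest.waitForExplicitFinish();

let testsCompleted = 0;
const numberOfTestCases = 2;

/**
 * Record one finished test case and end the test once every case reported.
 */
function markTestCaseComplete() {
  testsCompleted++;

  if (testsCompleted === numberOfTestCases) {
    SimpleTest.finish();
  }
}

// Receives the result objects posted by the iframe callbacks in
// testURLInOpenedWindow(). Messages are routed on event.data.src only;
// event.origin and event.source are not checked, and the senders post with
// targetOrigin '*'.
// NOTE(review): the payload is test metadata only, so this looks acceptable
// inside the harness; confirm nothing else posts messages to this window.
window.onmessage = function(event) {
  if (event.data.src.includes("test1")) {
    // eslint-disable-next-line @microsoft/sdl/no-insecure-url
    is(event.data.target, "http://test1.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html", "error thrown for failed iframe load should be from test1's iframe.");
    is(event.data.outcome, "blocked", "http iframe should be blocked from loading in child https window.");
    is(event.data.method, "http", "messages from test1 iframe should be http.");
    markTestCaseComplete();
  } else if (event.data.src.includes("test2")) {
    // A 'csp-error' outcome means the docShell could not be inspected; the
    // case is then counted as complete without running any assertion.
    if (event.data.outcome !== 'csp-error') {
      is(event.data.target, "https://test2.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html", "event message received for successful iframe load should be from test2's iframe.");
      is(event.data.triggeringPrincipal, "https://example.com/tests/dom/security/test/mixedcontentblocker/test_windowOpen.html", "triggeringPrincipal for successfully loaded https iframe should be the original test file.");
      is(event.data.outcome, "loaded", "https iframe should be allowed to load in child https window.");
      is(event.data.method, "https", "messages from test2 iframe should be https");
    }
    markTestCaseComplete();
  }
};

/**
 * Open a popup, load testURL in an iframe inside it and post the outcome
 * ('loaded', 'blocked' or 'csp-error') back to this window.
 *
 * @param {string} testURL - URL assigned to the iframe's src.
 */
function testURLInOpenedWindow(testURL) {
  // NOTE(review): the popup is opened on a javascript: URL, presumably so it
  // stays scriptable from this page and counts as the "child https window"
  // named in the assertion messages - confirm.
  const openedWindow = window.open("javascript:''", "_blank");
  openedWindow.onload = function() {
    openedWindow.document.body.innerHTML = '<iframe id="testframe">';

    const testframe = openedWindow.document.getElementById("testframe");
    testframe.onload = function(event) {
      try {
        const triggeringPrincipal = SpecialPowers.wrap(this.contentWindow).docShell.currentDocumentChannel.loadInfo.triggeringPrincipal.asciiSpec;
        openedWindow.opener.postMessage({outcome: 'loaded', method: this.src.split(":")[0], src: this.src, target: event.target.src, triggeringPrincipal}, '*');
      } catch (error) {
        // If we can't get the docShell due to CSP blocking access to the iframe's docShell then skip this test case
        // NOTE(review): the skip depends on the exact error text; if that
        // wording changes, this branch falls through to the rethrow.
        if (error.name === "SecurityError" && error.message === 'Permission denied to access property "docShell" on cross-origin object') {
          openedWindow.opener.postMessage({outcome: 'csp-error', method: this.src.split(":")[0], src: this.src}, '*');
        } else {
          throw error;
        }
      } finally {
        // Close the popup on every path, including the rethrow above, so an
        // unexpected error does not leave the window open.
        openedWindow.close();
      }
    };
    testframe.onerror = function(error) {
      openedWindow.opener.postMessage({outcome: 'blocked', method: this.src.split(":")[0], src: this.src, target: error.target.src}, '*');
      openedWindow.close();
    };

    // Handlers are attached before src is set, so the load or error event of
    // this navigation reaches them.
    testframe.src = testURL;
  };
}

// eslint-disable-next-line @microsoft/sdl/no-insecure-url
testURLInOpenedWindow("http://test1.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html");
testURLInOpenedWindow("https://test2.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html");

</script>
</body>
</html>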