blocked-iframe-are-cross-origin.html (1964B)
<!DOCTYPE html>
<html>
<head>
<title>Embedded Enforcement: blocked iframes are cross-origin.</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/testharness-helper.sub.js"></script>
</head>
<body>
<script>

// Legacy numeric DOMException code for a SecurityError (SECURITY_ERR). Both
// tests compare against this code rather than the exception name.
const SecurityError = 18;

// Test 1: the embedder must not be able to reach into a document that was
// blocked by embedded enforcement.
promise_test(async () => {
  const blockedFrame = document.createElement("iframe");

  // Install the load handler before the frame is attached so the event cannot
  // be missed. The test expects a load event even though the requested
  // document is blocked.
  const blockedFrameLoaded = new Promise((resolve) => {
    blockedFrame.onload = resolve;
  });

  // The embedder requires this policy of the framed document.
  // NOTE(review): common/blank.html presumably does not opt in to it (e.g. no
  // Allow-CSP-From header), which is what causes the block - confirm against
  // the server-side resource, which is not visible here.
  blockedFrame.csp = "script-src 'none'";
  blockedFrame.src = getCrossOrigin() + "common/blank.html";
  document.body.appendChild(blockedFrame);
  await blockedFrameLoaded;

  // Reading `document` through the frame's WindowProxy must raise a
  // SecurityError: whatever is shown in place of the blocked response must not
  // be same-origin with the embedder.
  assert_throws_dom(SecurityError, () => {
    return blockedFrame.contentWindow.document;
  });
}, "Document blocked by embedded enforcement and its parent are cross-origin");

// Test 2: a frame served from the origin of the blocked URL must not be able
// to reach the blocked frame either.
//
// This test is order-dependent: the injected script below requires exactly
// two frames in the parent, with the helper at index 1, so it relies on the
// iframe left in the document by the first test being frames[0].
promise_test(async () => {
  // Create an iframe that would have been same-origin with the blocked iframe
  // if it wasn't blocked.
  const executorFrame = document.createElement("iframe");
  const executorLoaded = new Promise((resolve) => {
    executorFrame.onload = resolve;
  });
  const executorUrl = getCrossOrigin() +
      "content-security-policy/embedded-enforcement/support/executor.html";
  executorFrame.src = executorUrl;
  document.body.appendChild(executorFrame);
  await executorLoaded;

  // NOTE(review): this handler resolves on the first message from any source;
  // neither event.origin nor event.source is checked. Together with the '*'
  // target origins below, that is only acceptable because every frame on this
  // page is created by the test itself.
  const reply = new Promise((resolve) => {
    window.onmessage = resolve;
  });

  // The string below is sent to the helper frame, which is presumably expected
  // to evaluate it in its own context (executor.html is not shown here).
  // parent.frames[0] is already a WindowProxy: reading a property that is not
  // on the cross-origin allowlist (here `contentWindow`) throws a
  // SecurityError when the target is cross-origin, whereas on a same-origin
  // window it would simply yield undefined and fall through to the error
  // string.
  executorFrame.contentWindow.postMessage(`
    let test = function() {
      if (parent.frames.length != 2)
        return "Error: Wrong number of iframes";

      if (parent.frames[1] != window)
        return "Error: Wrong frame index for the second iframe";

      // Try to access frames[0] from frames[1]. This must fail.
      try {
        parent.frames[0].contentWindow;
        return "Error: The error page appears same-origin";
      } catch(dom_exception) {
        return dom_exception.code;
      }
    };
    parent.postMessage(test(), '*');
  `, '*');

  // The helper reports either the caught exception's numeric code or one of
  // the "Error: ..." strings, so a failure message shows which check tripped.
  const replyEvent = await reply;
  assert_equals(replyEvent.data, SecurityError);
}, "Two same-origin iframes must appear as cross-origin when one is blocked");

</script>
</body>
</html>