feature-policy-frame-policy-allowed-for-self.https.sub.html (9296B)
<!DOCTYPE html>
<html>
<head>
<meta name="timeout" content="long">
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
</head>
<body>
<script src=/feature-policy/resources/featurepolicy.js></script>
<!-- Feature-Policy: fullscreen 'self'; -->
<script>
'use strict';

// The {{...}} placeholders are left untouched here; presumably the test
// server expands them (the ".sub." in the file name), giving two distinct
// HTTPS origins that share one port.
var same_origin = 'https://{{domains[]}}:{{ports[https][0]}}';
var cross_origin = 'https://{{domains[www]}}:{{ports[https][0]}}';

// Document loaded into the iframes, addressed relatively (same origin) and
// absolutely (cross origin), plus a data: URL document.
var same_origin_src =
    '/feature-policy/resources/feature-policy-allowedfeatures.html';
var cross_origin_src = cross_origin + same_origin_src;
var data_src = 'data:text/html,<h1>data: URL</h1>';

// Values tried in the iframe's allow attribute, with the expected outcome per
// kind of frame. The page's header is noted above as fullscreen 'self', so no
// allow value is expected to enable fullscreen for a cross-origin or data:
// frame: the attribute can narrow the header policy but not widen it.
var policies = [
  {
    allow: "*",
    sameOriginTestExpect: true,
    crossOriginTestExpect: false,
    dataOriginTestExpect: false
  },
  {
    allow: "'self'",
    sameOriginTestExpect: true,
    crossOriginTestExpect: false,
    dataOriginTestExpect: false
  },
  {
    allow: "'none'",
    sameOriginTestExpect: false,
    crossOriginTestExpect: false,
    dataOriginTestExpect: false
  },
  {
    // Explicitly listing the cross origin still does not enable it.
    allow: ["'self'", cross_origin, 'https://www.example.com'].join(' '),
    sameOriginTestExpect: true,
    crossOriginTestExpect: false,
    dataOriginTestExpect: false
  }
];

// Query-string pieces wrapped around a header policy value so that the framed
// document is itself served with a Feature-Policy header.
var pipe_front = '?pipe=sub|header(Feature-Policy,fullscreen ';
var pipe_end = ';)';
var header_policies = ["*", "'self'", "'none'"];

// Test that frame.policy inherits from parent's header policy when allow
// attribute is not specified.
// No allow attribute is passed in any of these cases, so each expectation
// reflects only what the embedding page's header policy permits.
// NOTE(review): the srcdoc rows expect true even with a cross-origin src,
// presumably because srcdoc content takes precedence over src - confirm
// against test_frame_policy in featurepolicy.js.
(function() {
  var header_only_cases = [
    {
      name: 'Test frame policy on same origin iframe inherit from header policy.',
      src: same_origin_src,
      srcdoc: undefined,
      expect: true
    },
    {
      name: 'Test frame policy on cross origin iframe inherit from header policy.',
      src: cross_origin_src,
      srcdoc: undefined,
      expect: false
    },
    {
      name: 'Test frame policy on srcdoc iframe inherit from header policy.',
      src: undefined,
      srcdoc: true,
      expect: true
    },
    {
      name: 'Test frame policy on srcdoc + same origin iframe inherit from header policy.',
      src: same_origin_src,
      srcdoc: true,
      expect: true
    },
    {
      name: 'Test frame policy on srcdoc + cross origin iframe inherit from header policy.',
      src: cross_origin_src,
      srcdoc: true,
      expect: true
    },
    {
      name: 'Test frame policy on data: URL cross origin iframe inherit from header policy.',
      src: data_src,
      srcdoc: undefined,
      expect: false
    }
  ];

  header_only_cases.forEach(function(entry) {
    test(function() {
      test_frame_policy('fullscreen', entry.src, entry.srcdoc, entry.expect);
    }, entry.name);
  });
})();

// Test that frame policy can be used for sandboxed frames.
// None of these frames should be allowed to use fullscreen, as the header
// prohibits any cross-origin use.
// NOTE(review): the trailing `false, true` arguments are presumably
// allowfullscreen = false and sandbox = true; test_frame_policy is defined in
// featurepolicy.js, so confirm the parameter order there. A sandboxed frame
// is presumably treated as a unique origin, which would explain why even the
// same-origin src is expected to be denied.
(function() {
  var sandboxed_cases = [
    {
      name: 'Test frame policy on sandboxed iframe with no allow attribute.',
      src: same_origin_src,
      srcdoc: undefined,
      allow: undefined
    },
    {
      name: 'Test frame policy on sandboxed iframe with allow="fullscreen".',
      src: same_origin_src,
      srcdoc: undefined,
      allow: 'fullscreen'
    },
    {
      name: 'Test frame policy on sandboxed iframe with allow="fullscreen \'src\'".',
      src: same_origin_src,
      srcdoc: undefined,
      allow: "fullscreen 'src'"
    },
    {
      name: 'Test frame policy on sandboxed iframe with allow="fullscreen ' + cross_origin + '".',
      src: cross_origin_src,
      srcdoc: undefined,
      allow: 'fullscreen ' + cross_origin
    },
    {
      name: 'Test frame policy on srcdoc sandboxed iframe with allow="fullscreen".',
      src: undefined,
      srcdoc: true,
      allow: 'fullscreen'
    },
    {
      name: 'Test frame policy on srcdoc + same origin sandboxed iframe with allow="fullscreen".',
      src: same_origin_src,
      srcdoc: true,
      allow: 'fullscreen'
    },
    {
      name: 'Test frame policy on srcdoc + cross origin sandboxed iframe with allow="fullscreen".',
      src: cross_origin_src,
      srcdoc: true,
      allow: 'fullscreen'
    },
    {
      // NOTE(review): the name says "srcdoc" but this case loads data_src
      // with no srcdoc. The name is kept as-is because it is the test's
      // identifier in results.
      name: 'Test frame policy on sandboxed srcdoc iframe with allow="fullscreen ' + cross_origin + '".',
      src: data_src,
      srcdoc: undefined,
      allow: 'fullscreen ' + cross_origin
    }
  ];

  sandboxed_cases.forEach(function(entry) {
    test(function() {
      test_frame_policy(
          'fullscreen', entry.src, entry.srcdoc, false, entry.allow, false,
          true);
    }, entry.name);
  });
})();

// Test frame policy with allow attribute set to be one of the policies above.
// For every allow value in `policies`, build the attribute once and check
// each kind of frame against the expectation recorded for that value.
policies.forEach(function(policy) {
  var allow_attr = 'fullscreen ' + policy.allow + ';';
  var name_tail = policy.allow + '".';

  test(function() {
    test_frame_policy(
        'fullscreen', same_origin_src, undefined,
        policy.sameOriginTestExpect, allow_attr);
  }, 'Test frame policy on same origin iframe with allow = "' + name_tail);

  test(function() {
    test_frame_policy(
        'fullscreen', cross_origin_src, undefined,
        policy.crossOriginTestExpect, allow_attr);
  }, 'Test frame policy on cross origin iframe with allow = "' + name_tail);

  // The three srcdoc variants all use the same-origin expectation, including
  // the one whose src is cross origin.
  test(function() {
    test_frame_policy(
        'fullscreen', undefined, true, policy.sameOriginTestExpect,
        allow_attr);
  }, 'Test frame policy on srcdoc iframe with allow = "' + name_tail);

  test(function() {
    test_frame_policy(
        'fullscreen', same_origin_src, true, policy.sameOriginTestExpect,
        allow_attr);
  }, 'Test frame policy on srcdoc + same origin iframe with allow = "' + name_tail);

  test(function() {
    test_frame_policy(
        'fullscreen', cross_origin_src, true, policy.sameOriginTestExpect,
        allow_attr);
  }, 'Test frame policy on srcdoc + cross origin iframe with allow = "' + name_tail);

  test(function() {
    test_frame_policy(
        'fullscreen', data_src, undefined, policy.dataOriginTestExpect,
        allow_attr);
  }, 'Test frame policy on data: URL origin iframe with allow = "' + name_tail);
});

// Test that the header policy of the iframe document does not change the
// frame policy.
// The framed document is served with its own Feature-Policy header (added
// through the pipe query string). The expectations depend only on the allow
// value, never on header_policy: the child's response header must not alter
// the frame policy observed by the embedder.
policies.forEach(function(policy) {
  var allow_attr = 'fullscreen ' + policy.allow + ';';

  header_policies.forEach(function(header_policy) {
    var pipe = pipe_front + header_policy + pipe_end;
    var name_tail = policy.allow +
        '" and header policy = "Feature-Policy: fullscreen ' + header_policy + ';".';

    test(function() {
      test_frame_policy(
          'fullscreen', same_origin_src + pipe, undefined,
          policy.sameOriginTestExpect, allow_attr);
    }, 'Test frame policy on same origin iframe with allow = "' + name_tail);

    test(function() {
      test_frame_policy(
          'fullscreen', cross_origin_src + pipe, undefined,
          policy.crossOriginTestExpect, allow_attr);
    }, 'Test frame policy on cross origin iframe with allow = "' + name_tail);
  });
});

// Test that the allow attribute overrides allowfullscreen.
// Each call passes allowfullscreen = true, yet the expectations are the ones
// recorded for the allow value alone, so allowfullscreen must not re-enable
// fullscreen where the allow attribute denies it.
policies.forEach(function(policy) {
  var allow_attr = 'fullscreen ' + policy.allow + ';';
  var name_tail = policy.allow + '" and allowfullscreen.';

  test(function() {
    test_frame_policy(
        'fullscreen', same_origin_src, undefined,
        policy.sameOriginTestExpect, allow_attr, /*allowfullscreen*/true);
  }, 'Test frame policy on same origin iframe with allow = "' + name_tail);

  test(function() {
    test_frame_policy(
        'fullscreen', cross_origin_src, undefined,
        policy.crossOriginTestExpect, allow_attr, /*allowfullscreen*/true);
  }, 'Test frame policy on cross origin iframe with allow = "' + name_tail);

  test(function() {
    test_frame_policy(
        'fullscreen', undefined, true, policy.sameOriginTestExpect,
        allow_attr, /*allowfullscreen*/true);
  }, 'Test frame policy on srcdoc iframe with allow = "' + name_tail);

  test(function() {
    test_frame_policy(
        'fullscreen', same_origin_src, true, policy.sameOriginTestExpect,
        allow_attr, /*allowfullscreen*/true);
  }, 'Test frame policy on srcdoc + same origin iframe with allow = "' + name_tail);

  test(function() {
    test_frame_policy(
        'fullscreen', cross_origin_src, true, policy.sameOriginTestExpect,
        allow_attr, /*allowfullscreen*/true);
  }, 'Test frame policy on srcdoc + cross origin iframe with allow = "' + name_tail);

  test(function() {
    test_frame_policy(
        'fullscreen', data_src, undefined, policy.dataOriginTestExpect,
        allow_attr, /*allowfullscreen*/true);
  }, 'Test frame policy on data: URL origin iframe with allow = "' + name_tail);
});
</script>
</body>
</html>