
allow-attribute-src.https.html (2944B)


      1 <!DOCTYPE html>
      2 <title>Test the 'src' attribute set in fenced frames.</title>
      3 <meta name=variant content="?type=fencedframe">
      4 <meta name=variant content="?type=iframe">
      5 <script src="/resources/testharness.js"></script>
      6 <script src="/resources/testharnessreport.js"></script>
      7 <script src="/common/utils.js"></script>
      8 <script src="/common/dispatcher/dispatcher.js"></script>
      9 <script src="resources/utils.js"></script>
     10 <script src="/common/media.js"></script>
     11 <script src="/common/get-host-info.sub.js"></script>
     12 
     13 <body></body>
     14 <script>
     15 frame_builder = () => {
     16  const params = new URLSearchParams(location.search);
     17  if (params.get('type') === "fencedframe") {
     18    return attachFencedFrameContext({
     19      attributes: [["allow", "shared-storage"]]
     20    });
     21  } else {
     22    return attachIFrameContext({
     23      generator_api: "fledge",
     24      attributes: [["allow", "shared-storage"]]
     25    });
     26  }
     27 }
     28 
     29 promise_test(async () => {
     30  // Not specifying an allowlist for a permissions policy will default the
     31  // allowlist to 'src', which is an allowlist unique to iframes/fencedframes
     32  // that matches either the URL of the 'src' attribute, the mapped URL of the
     33  // URN in the 'src' attribute, or the mapped URL of the config in the 'config'
     34  // attribute.
     35  const frame = await frame_builder();
     36  await frame.execute(async () => {
     37    assert_true(document.featurePolicy.allowsFeature("shared-storage"));
     38  });
     39 }, 'Src permissions policy in allow attribute.');
     40 
     41 promise_test(async () => {
     42  const frame = await frame_builder();
     43  await navigateFrameContext(frame, {
     44    origin: get_host_info().HTTPS_ORIGIN,
     45  });
     46  // When the fenced frame navigates itself to a same-origin page, the resulting
     47  // document should still allow "shared-storage" since it is still same-origin to the
     48  // original mapped URL (i.e. what 'src' is considered to be).
     49  await frame.execute(async () => {
     50    assert_true(document.featurePolicy.allowsFeature("shared-storage"));
     51  });
     52 }, 'Src permissions policy after same-origin navigation.');
     53 
     54 promise_test(async () => {
     55  const frame = await frame_builder();
     56  await navigateFrameContext(frame, {
     57    origin: get_host_info().HTTPS_REMOTE_ORIGIN,
     58  });
     59  // When the fenced frame navigates itself to a cross-origin page, the
     60  // resulting document should not allow "shared-storage" since it is now cross-origin
     61  // to the original mapped URL (i.e. what 'src' is considered to be).
     62  await frame.execute(async () => {
     63    assert_false(document.featurePolicy.allowsFeature("shared-storage"));
     64  });
     65 }, 'Src permissions policy after cross-origin navigation.');
     66 
     67 promise_test(async () => {
     68  const frame = await frame_builder();
     69  await frame.execute(async () => {
     70    const child_frame = await attachIFrameContext();
     71    await child_frame.execute(() => {
     72      assert_true(document.featurePolicy.allowsFeature("shared-storage"));
     73    })
     74  });
     75 }, 'Src permissions policy in child iframe inheritance works properly.');
     76 </script>