tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

sandbox-mandatory-flags.https.html (4874B)

      1 <!DOCTYPE html>
      2 <meta name=timeout content=long>
      3 <title>Test of sandbox mandatory flags</title>
      4 <script src="/resources/testharness.js"></script>
      5 <script src="/resources/testharnessreport.js"></script>
      6 <script src="resources/utils.js"></script>
      7 <script src="/common/utils.js"></script>
      8 <script src="/common/dispatcher/dispatcher.js"></script>
      9 
     10 <body>
     11 
     12 <script>
     13 
     14 const mandatory_flags = [
     15      'allow-same-origin',
     16      'allow-forms',
     17      'allow-scripts',
     18      'allow-popups',
     19      'allow-popups-to-escape-sandbox',
     20      'allow-top-navigation-by-user-activation'];
     21 
     22 promise_test(async t => {
     23  const key = token();
     24  const value = 'fenced frame loaded';
     25  const iframe = document.createElement('iframe');
     26  iframe.src =
     27      'resources/sandbox-mandatory-flags-iframe.sub.html?key=' + key +
     28      '&value=' + value;
     29  mandatory_flags.forEach(flag => {
     30    iframe.sandbox.add(flag);
     31  });
     32 
     33  document.body.appendChild(iframe);
     34  t.add_cleanup(() => {
     35    iframe.remove();
     36  });
     37  const result = await nextValueFromServer(key);
     38  assert_equals(result, value, 'The fenced frame must be loaded.');
     39 }, 'Sandboxed Iframe with mandatory flags can load a fenced frame.');
     40 
     41 promise_test(async t => {
     42  const key = token();
     43  // Try to load a fenced frame in a sandboxed iframe like this:
     44  //   <iframe sandbox="|mandatory_flags| without |missing_flag|"
     45  //           src="sandbox-mandatory-flags-iframe.sub.html">
     46  //     <fencedframe src="sandbox-mandatory-flags-inner.sub.html">
     47  //       <img src="key-value-store.py?key=|key|&value=|value|">
     48  //     <fencedframe>
     49  //   </iframe>
     50  // But this should fail because the sandboxed iframe is loaded without
     51  // |missing_flag|.
     52  for (let missing_flag of mandatory_flags) {
     53    const value =
     54        'a fenced frame was loaded in a sandboxed iframe without ' +
     55        missing_flag + '.';
     56    const iframe = document.createElement('iframe');
     57    iframe.src =
     58        'resources/sandbox-mandatory-flags-iframe.sub.html?key=' + key +
     59        '&value=' + value;
     60    mandatory_flags.forEach(flag => {
     61      if (flag != missing_flag) {
     62        iframe.sandbox.add(flag);
     63      }
     64    });
     65    document.body.appendChild(iframe);
     66    t.add_cleanup(() => {
     67      iframe.remove();
     68    });
     69  }
     70  t.step_timeout(() => t.done(), 3000);
     71  let server_value = await nextValueFromServer(key);
     72  assert_unreached('fenced frame should not be loaded, but ' + server_value);
     73 }, 'Sandboxed Iframe without one of mandatory flag must fail to load a fenced' +
     74   ' frame.');
     75 
     76 promise_test(async t => {
     77  const key = token();
     78  // Try to load a fenced frame in a nested sandboxed iframe like this:
     79  //   <iframe sandbox="|mandatory_flags| without |missing_flag|"
     80  //           src="sandbox-mandatory-flags-looser-restriction.sub.html">
     81  //     <iframe sandbox="|mandatory_flags|"
     82  //             src="sandbox-mandatory-flags-iframe.sub.html">
     83  //       <fencedframe src="resources/sandbox-mandatory-flags-inner.sub.html">
     84  //         <img src="key-value-store.py?key=|key|&value=|value|">
     85  //       <fencedframe>
     86  //     </iframe>
     87  //   </iframe>
     88  // But this should fail because the nested iframe is loaded sandboxed
     89  // without |missing_flag|.
     90  for (let missing_flag of mandatory_flags) {
     91    const value =
     92        'a fenced frame was loaded in a nested sandboxed iframe without ' +
     93        missing_flag + '.';
     94    const iframe = document.createElement('iframe');
     95    iframe.src =
     96        'resources/sandbox-mandatory-flags-looser-restriction.sub.html?key=' +
     97        key + '&value=' + value;
     98    mandatory_flags.forEach(flag => {
     99      if (flag != missing_flag) {
    100        iframe.sandbox.add(flag);
    101      }
    102    });
    103    document.body.appendChild(iframe);
    104    t.add_cleanup(() => {
    105      iframe.remove();
    106    });
    107  }
    108  t.step_timeout(() => t.done(), 3000);
    109  let server_value = await nextValueFromServer(key);
    110  assert_unreached('fenced frame should not be loaded, but ' + server_value);
    111 }, 'Nested sandboxed iframe without one of mandatory flag must fail to load a' +
    112   'fenced frame even when the inner nested sandboxed iframe has all ' +
    113   'mandatory allow- flags.');
    114 
    115 promise_test(async t => {
    116  const key = token();
    117  // allow-scripts is needed to run iframe.execute, so we will test every other
    118  // sandbox flag
    119  for (let missing_flag of
    120       mandatory_flags.filter(word => word != "allow-scripts")) {
    121    const value =
    122        'canLoadOpaqueURL returned true even with flag ' +
    123        missing_flag + ' not set.';
    124    const flags_to_add = mandatory_flags
    125        .filter(word => word != missing_flag)
    126        .join(" ");
    127    const iframe = attachIFrameContext(
    128        {attributes: [["sandbox", flags_to_add]]});
    129    await iframe.execute(async (t) => {
    130      assert_false(navigator.canLoadAdAuctionFencedFrame());
    131    });
    132  }
    133 }, 'navigator.canLoadAdAuctionFencedFrame considers mandatory sandbox flags');
    134 </script>
    135 
    136 </body>