sandboxed-iframe.https.window.js (2629B)
// META: script=/common/get-host-info.sub.js
// META: script=/common/utils.js
// META: script=/fetch/fetch-later/resources/fetch-later-helper.js
// META: script=/fetch/fetch-later/quota/resources/helper.js
'use strict';

const {HTTPS_ORIGIN} = get_host_info();

// Only string bodies are exercised. The browser appends bytes of its own to
// FormData and URLSearchParams bodies, and the overhead of File and Blob
// bodies is hard to predict, so none of them can be sized to land exactly on
// the quota limit.
const dataType = BeaconDataType.String;

// Header bytes count toward the total request size, so they are passed to the
// remaining-quota computation below.
const headers = new Headers({'Content-Type': 'text/plain;charset=UTF-8'});

const requestUrl = `${HTTPS_ORIGIN}/`;
const quota = getRemainingQuota(QUOTA_PER_ORIGIN, requestUrl, headers);
const SMALL_REQUEST_BODY_SIZE = 4 * 1024;  // 4KB.

// Checks fetchLater() quota accounting for a sandboxed iframe whose sandbox
// attribute carries the 'allow-same-origin' token.
//
// With that token the framed document is treated as same-origin, so its
// fetchLater() requests must be charged against the parent document's primary
// 64KB quota pool rather than a separate one.
//
// Security note: 'allow-scripts' combined with 'allow-same-origin' on a
// same-origin document gives little isolation, because the framed script runs
// with the embedder's origin. Sharing the quota is the behavior that matches
// this; a separate pool would let such a frame exceed the origin's limit.
//
// Procedure: the parent first queues one request sized to use up all of its
// remaining quota, then the sandboxed iframe tries to queue a small request.
// The iframe's attempt must be rejected with QuotaExceededError, which shows
// that it draws from the parent's already exhausted pool.
promise_test(async t => {
  const abortController = new AbortController();
  // Aborting on cleanup cancels the pending deferred request.
  t.add_cleanup(() => abortController.abort());

  // Step 1: the parent frame queues a request that fills its whole quota.
  const parentRequestInit = {
    method: 'POST',
    signal: abortController.signal,
    body: makeBeaconData(generatePayload(quota), dataType),
    // The referrer counts toward the quota, so it is pinned to empty.
    referrer: '',
  };
  fetchLater(requestUrl, parentRequestInit);

  // Step 2: a same-origin iframe sandboxed with 'allow-same-origin' tries a
  // small request, which must fail because the shared quota is already used.
  const expectedRejection = new FetchLaterIframeExpectation(
      FetchLaterExpectationType.ERROR_DOM, 'QuotaExceededError');
  const iframeOptions = {
    targetUrl: requestUrl,
    activateAfter: 0,
    method: 'POST',
    bodyType: dataType,
    bodySize: SMALL_REQUEST_BODY_SIZE,
    referrer: '',
    sandbox: 'allow-scripts allow-same-origin',
    expect: expectedRejection,
  };
  // The iframe's src is same-origin with the parent.
  await loadFetchLaterIframe(HTTPS_ORIGIN, iframeOptions);
}, `A sandboxed iframe with 'allow-same-origin' should be treated as same-origin and share the parent's quota.`);