

      1 <!DOCTYPE html>
      2 <html lang="en">
      3 <head>
      4    <title>Document#fullscreenEnabled</title>
      5    <meta charset="UTF-8" />
      6    <script src="/resources/testharness.js"></script>
      7    <script src="/resources/testharnessreport.js"></script>
      8 </head>
      9 <body>
     10  <div id="log"></div>
     11  <script>
     12 
     13 /*
     14 * According to the spec the `default origin` for an iframe is its `declared
     15 *   origin`, meaning, the src attribute:
     16 *   https://w3c.github.io/webappsec-permissions-policy/#declared-origin
     17 * The `default allowlist` for 'fullscreen' is "'self'":
     18 *   https://fullscreen.spec.whatwg.org/#permissions-policy-integration
     19 * And 'self' means:
     20 *  'self'
     21 *    The feature is allowed in documents in top-level traversables by default,
     22 *    as well as those in child navigables whose document is same origin with
     23 *    its parent’s document, when allowed in that Document. It is disallowed
     24 *    by default in child navigables whose document is cross-origin with its
     25 *    parent’s document.
     26 *  (https://w3c.github.io/webappsec-permissions-policy/#default-allowlists)
     27 * Therefore a navigated iframe must not have fullscreen permissions unless
     28 *   the new origin matches the origin in the src attribute and is same-origin
     29 *   with the embedding page.
     30 */
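/**
 * Test matrix, keyed by test name.
 *
 * Each entry drives one promise_test below:
 *  - allowlist:     appended to the iframe's `allow` attribute as
 *                   `fullscreen <allowlist>`; an empty string leaves the
 *                   attribute unset so the default allowlist ('self') applies.
 *  - iframe_src:    "same" or "cross" — selects whether the iframe's src host
 *                   is the test page's host or the alternate host.
 *  - iframe_dest:   "same" or "cross" — posted to the frame as the destination
 *                   it should navigate itself to.
 *  - target_result: expected value of `report.enabled` after navigation.
 *
 * `{{hosts[...]}}` / `{{ports[...]}}` are WPT server-side substitutions
 * (this is a .sub.html file) and must be kept verbatim.
 */
const expectations = {
 "same_to_cross": {allowlist: "", iframe_src: "same", iframe_dest: "cross", target_result: false},
 "cross_to_same": {allowlist: "", iframe_src: "cross", iframe_dest: "same", target_result: false},
 "same_to_same": {allowlist: "", iframe_src: "same", iframe_dest: "same", target_result: true},
 "cross_to_cross": {allowlist: "", iframe_src: "cross", iframe_dest: "cross", target_result: false},
 "allowed_cross_to_same": {allowlist: "'self' http://{{hosts[alt][]}}:{{ports[http][0]}}",
  iframe_src: "cross", iframe_dest: "same", target_result: true},
};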
     39 
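/*
 * One promise_test per expectation: embed an iframe, tell it where to
 * navigate itself, and compare the fullscreen report it posts back with
 * the expected `enabled` value.
 *
 * Changes from the straightforward version:
 *  - the resolvers are created before the message listener references
 *    `resolve`, so correctness no longer depends on the event arriving
 *    after the declaration;
 *  - the report is only accepted from this test's own frame and the
 *    listener is removed once used, so listeners from earlier tests cannot
 *    be resolved by a later test's frame (and vice versa);
 *  - the iframe is removed in cleanup so frames do not accumulate.
 */
for (const [test, {allowlist, iframe_src, iframe_dest, target_result}] of Object.entries(expectations)) {
 promise_test(async (t) => {
   const iframe = document.createElement("iframe");
   t.add_cleanup(() => iframe.remove());
   if (allowlist !== "") {
     iframe.allow = `fullscreen ${allowlist}`;
   }

   const { promise, resolve } = Promise.withResolvers();

   // NOTE(review): assumes the report is posted by the iframe's own document
   // (its WindowProxy is stable across the navigation, so comparing against
   // iframe.contentWindow still holds after the frame moves to `dest`) —
   // TODO confirm against navigate.sub.html if it nests further frames.
   const onMessage = (e) => {
     if (e.source !== iframe.contentWindow) {
       return;
     }
     if (e.data?.report?.api === "fullscreen") {
       window.removeEventListener("message", onMessage);
       resolve(e.data.report);
     }
   };
   window.addEventListener("message", onMessage);
   t.add_cleanup(() => window.removeEventListener("message", onMessage));

   document.body.appendChild(iframe);
   // Fires on every load of the frame, including the one after it navigates;
   // the frame decides what to do with a repeated destination message.
   iframe.addEventListener("load", () => {
     iframe.contentWindow.postMessage({dest: iframe_dest}, "*");
   });

   const hostname = iframe_src === "same" ? "{{hosts[][]}}" : "{{hosts[alt][]}}";
   iframe.src = `http://${hostname}:{{ports[http][0]}}/fullscreen/api/resources/navigate.sub.html`;

   const report = await promise;
   assert_equals(report.enabled, target_result);
 }, test);
}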
     66 
     67  </script>
     68 </body>
     69 </html>