third-party-subframe-hsts-upgrade.tentative.sub.html (1765B)
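<!DOCTYPE html>
<meta charset=utf-8>
<title>HSTS upgrade for third-party iframe</title>
<script src='/resources/testharness.js'></script>
<script src='/resources/testharnessreport.js'></script>
<script src='/common/get-host-info.sub.js'></script>
<body>
<script>
// Every resource below lives on the not-same-site host, so relative to this
// top-level document they are third-party. The HSTS header is obtained from
// that host's HTTPS origin and the iframe is then loaded from its plain-HTTP
// origin; the test checks that the stored HSTS entry is NOT used to upgrade
// the third-party frame. (NOTE(review): presumably both origins share one
// host and differ only by port/scheme -- confirm against get-host-info.sub.js.)
const isUpgraded = `${get_host_info().HTTP_NOTSAMESITE_ORIGIN}/hsts/resources/is-upgraded.html`;
const removeAltHSTS = `${get_host_info().HTTPS_NOTSAMESITE_ORIGIN}/hsts/resources/hsts.py?remove`;
const setAltHSTS = `${get_host_info().HTTPS_NOTSAMESITE_ORIGIN}/hsts/resources/hsts.py?set`;
const iframe = document.createElement('iframe');
iframe.style = 'display: none';
iframe.src = isUpgraded;

// Fetch `uri` and reject unless the server answered with a 2xx status.
// A non-OK answer from hsts.py means the HSTS state was never set (or never
// removed), which would make the test result meaningless rather than merely
// failing, so it is surfaced as an Error carrying the status code.
async function tryFetch(uri) {
  const response = await fetch(uri);
  if (!response.ok) {
    throw new Error(`Fetching hsts.py failed with status ${response.status}.`);
  }
}

// Step 1) Fetch and receive Strict-Transport-Security header from 3P host
promise_setup(() => tryFetch(setAltHSTS));

promise_test(t => {
  // Always clear the HSTS entry again so it cannot bleed into later tests
  // (or into other tests sharing this host), whatever the outcome.
  t.add_cleanup(() => tryFetch(removeAltHSTS));

  return new Promise((resolve, reject) => {
    // Step 3) Ensure that the 3P iframe wasn't upgraded via HSTS.
    // The listener is registered before the iframe is attached and removed by
    // hand instead of using {once: true}: with `once`, any unrelated message
    // arriving first would silently drop the listener and the iframe's report
    // would never be seen, leaving the test to hang until the harness timeout.
    const onMessage = e => {
      // Only the source is checked, deliberately not e.origin: an upgraded
      // iframe reports from an https: origin, and that is exactly the case
      // the test must still observe in order to fail.
      if (e.source !== iframe.contentWindow) {
        return;
      }
      // is-upgraded.html is assumed to post {name, protocol} -- TODO confirm.
      if (e.data?.name !== 'iframe-protocol-check') {
        return;
      }
      window.removeEventListener('message', onMessage);
      if (e.data.protocol === 'http:') {
        resolve();
      } else {
        reject(new Error(`Third-party iframe loaded over ${e.data.protocol}; expected http:`));
      }
    };
    window.addEventListener('message', onMessage);

    // Step 2) Embed iframe of 3P insecure alt host
    document.body.appendChild(iframe);
  });
}, 'Third-party HSTS upgrades should be prevented');
</script>
</body>
</html>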