
anonymous-iframe-popup.tentative.https.window.js (2996B)


// META: timeout=long
// META: script=/common/get-host-info.sub.js
// META: script=/common/utils.js
// META: script=/common/dispatcher/dispatcher.js
// META: script=/html/cross-origin-embedder-policy/credentialless/resources/common.js

// Shared fixtures for every test in this file.
//
// ORIGIN is the origin used for the two iframes' blank documents and for the
// same-origin popups; REMOTE_ORIGIN is used for the cross-origin popups.
// get_host_info() is presumably supplied by /common/get-host-info.sub.js above.
const { ORIGIN, REMOTE_ORIGIN } = get_host_info();

// Baseline iframe: never marked credentialless, so popups it opens are
// expected to keep a working opener relationship.
const control_iframe = document.createElement("iframe");

// Iframe under test: marked credentialless in promise_setup() before it is
// inserted into the document.
const iframe_credentialless = document.createElement("iframe");
     10 
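// Loads both iframes before any test runs: the control iframe and the
// credentialless iframe, each pointing at the same blank page on ORIGIN.
promise_setup(async t => {
  // Returns a promise that resolves when `iframe` fires its `load` event.
  //
  // The executor is intentionally synchronous. With an `async` executor an
  // exception thrown while wiring up the iframe is lost in the executor's own
  // promise, the outer promise never settles, and setup only fails once the
  // harness timeout expires. A synchronous executor turns such an exception
  // into an immediate rejection.
  //
  // `credentialless` is set before the iframe is appended, matching the
  // original statement order (onload, src, credentialless flag, append).
  const loadBlankIframe = (iframe, credentialless) =>
    new Promise(resolve => {
      iframe.onload = resolve;
      iframe.src = ORIGIN + `/common/blank.html`;
      if (credentialless) {
        iframe.credentialless = true;
      }
      document.body.append(iframe);
    });

  // Both loads are started up front and awaited together.
  await Promise.all([
    loadBlankIframe(control_iframe, false),
    loadBlankIframe(iframe_credentialless, true),
  ]);
});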
     27 
// Cross-origin case: each iframe opens the executor page on REMOTE_ORIGIN.
// The control iframe must end up as the popup's opener, while window.open()
// called from the credentialless iframe must return null.
//
// NOTE(review): for the credentialless case only the return value of
// window.open() is checked; the popup's own view of `opener` is not inspected
// by this test.
// NOTE(review): the subtest name below is missing a space
// ("credentiallessiframes"). It is kept byte-for-byte, since a renamed subtest
// may no longer match stored expectations - confirm before changing it.
promise_test(async t => {
  // Opens the remote executor from `frame` under a fresh uuid and registers a
  // completion callback that asks that executor to close itself.
  const openRemoteExecutor = frame => {
    const uuid = token();
    const url = REMOTE_ORIGIN + executor_path + `&uuid=${uuid}`;
    const popup = frame.contentWindow.open(url);
    add_completion_callback(() => send(uuid, "close();"));
    return popup;
  };

  // Control first: if this assertion fails, the credentialless popup is never
  // opened.
  const fromControl = openRemoteExecutor(control_iframe);
  assert_equals(
    fromControl.opener,
    control_iframe.contentWindow,
    "Opener from normal iframe should be available.");

  const fromCredentialless = openRemoteExecutor(iframe_credentialless);
  assert_equals(
    fromCredentialless,
    null,
    "Opener from credentialless iframe should be blocked.");
}, 'Cross-origin popup from normal/credentiallessiframes.');
     48 
// Same-origin case: each iframe opens the executor page on ORIGIN, the origin
// the iframes' own documents were loaded from. Expectations match the
// cross-origin case: the control iframe is the popup's opener, and
// window.open() from the credentialless iframe returns null.
//
// NOTE(review): as in the cross-origin test, the credentialless popup is only
// judged by the null return value; nothing here runs inside the popup to read
// its `opener`.
promise_test(async t => {
  // Opens the same-origin executor from `frame` under a fresh uuid and
  // registers a completion callback that asks that executor to close itself.
  const openLocalExecutor = frame => {
    const uuid = token();
    const url = ORIGIN + executor_path + `&uuid=${uuid}`;
    const popup = frame.contentWindow.open(url);
    add_completion_callback(() => send(uuid, "close();"));
    return popup;
  };

  // Control first: if this assertion fails, the credentialless popup is never
  // opened.
  const fromControl = openLocalExecutor(control_iframe);
  assert_equals(
    fromControl.opener,
    control_iframe.contentWindow,
    "Opener from normal iframe should be available.");

  const fromCredentialless = openLocalExecutor(iframe_credentialless);
  assert_equals(
    fromCredentialless,
    null,
    "Opener from credentialless iframe should be blocked.");
}, 'Same-origin popup from normal/credentialless iframes.');