child-navigates-parent-cross-origin.window.js (3096B)
// META: script=/common/get-host-info.sub.js
// META: script=resources/wait-for-messages.js

/**
 * Builds the body of a `promise_test` that checks a cross-origin nested
 * frame cannot navigate its parent frame.
 *
 * Frame layout created by the returned test function:
 *   test document -> child iframe (created with no src)
 *                 -> grandchild iframe, served from REMOTE_HOST
 *
 * The test passes only if exactly one message arrives and it is
 * "error: SecurityError".
 *
 * NOTE(review): the navigation attempt and the message posting happen in
 * resources/child-navigates-parent-cross-origin-inner.html, which is not
 * part of this file. Presumably it reads the `property` query parameter and
 * touches the matching member of its parent's `location` - confirm against
 * that resource.
 *
 * @param {Object<string, string>} [params] - Entries copied into the query
 *     string of the grandchild URL. Omitted for the plain `location` case.
 * @returns {function(Test): Promise<void>} Test function for `promise_test`.
 */
function testNavigationFails(params) {
  return async (t) => {
    // Subscribe before any frame exists so the message cannot be missed.
    // This is only safe because `promise_test` runs tests one after another;
    // with concurrent tests the listener could pick up another test's
    // message. See also:
    // https://github.com/web-platform-tests/rfcs/pull/75
    const pendingMessages = waitForMessages(1);

    // The frame being targeted is a throwaway iframe rather than the test
    // document itself, so that if the browser wrongly allows the navigation
    // the harness page survives and can report the failure.
    const child = document.createElement("iframe");
    document.body.appendChild(child);
    t.add_cleanup(() => { document.body.removeChild(child); });

    // Same path as this test, but on a different host: this is what makes
    // the grandchild cross-origin with respect to its parent.
    const innerUrl = new URL(
        "resources/child-navigates-parent-cross-origin-inner.html",
        window.location);
    innerUrl.host = get_host_info().REMOTE_HOST;

    // Forward the test parameters to the inner document via the query string.
    const query = params || {};
    for (const key in query) {
      innerUrl.searchParams.set(key, query[key]);
    }

    const childDocument = child.contentDocument;
    const grandchild = childDocument.createElement("iframe");
    grandchild.src = innerUrl;
    childDocument.body.appendChild(grandchild);

    // Any other message, or a different error name, fails the test.
    assert_array_equals(await pendingMessages, ["error: SecurityError"]);
  };
}

// One test per way of reaching the parent's Location object. The first entry
// passes no parameters; the last one uses a property name that does not exist
// on Location and is still expected to report a SecurityError.
for (const [params, description] of [
  [undefined,
   "Child document attempts to navigate cross-origin parent via location"],
  [{ "property": "hash" },
   "Child document attempts to navigate cross-origin parent via location.hash"],
  [{ "property": "host" },
   "Child document attempts to navigate cross-origin parent via location.host"],
  [{ "property": "hostname" },
   "Child document attempts to navigate cross-origin parent via location.hostname"],
  [{ "property": "href" },
   "Child document attempts to navigate cross-origin parent via location.href"],
  [{ "property": "pathname" },
   "Child document attempts to navigate cross-origin parent via location.pathname"],
  [{ "property": "protocol" },
   "Child document attempts to navigate cross-origin parent via location.protocol"],
  [{ "property": "reload" },
   "Child document attempts to navigate cross-origin parent via location.reload()"],
  [{ "property": "replace" },
   "Child document attempts to navigate cross-origin parent via location.replace()"],
  [{ "property": "search" },
   "Child document attempts to navigate cross-origin parent via location.search"],
  [{ "property": "xxxNonExistent" },
   "Child document attempts to navigate cross-origin parent via non-standard location property"],
]) {
  promise_test(testNavigationFails(params), description);
}