javascript-url-security-check-failure.sub.html (1854B)
<!DOCTYPE html>
<meta charset="utf-8">
<title>javascript: URL security check</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>

<body>
<script>
"use strict";

// Negative tests for the javascript: URL navigation security check.
//
// A javascript: URL navigation is only supposed to run its script when the
// initiator's origin is same origin-domain with the target document's origin.
// Each test below loads an iframe that should NOT satisfy that check, points
// it at a javascript: URL from this (parent) document, and fails if the script
// in that URL ever runs. Execution is detected via a postMessage to this window.

// Script payload used as the navigation target. The "*" target origin means
// that, if the URL did run, delivery would not be filtered out by origin.
const probeUrl = `javascript:parent.postMessage("boo", "*")`;

// [label, iframe URL] pairs. The {{...}} placeholders are filled in by the
// WPT server (this is a .sub.html file).
const cases = [
  // A different host from this document.
  ["cross-origin", "http://{{hosts[][www]}}:{{ports[http][0]}}/common/blank.html"],
  // Same host as this document. NOTE(review): judging by its name and the case
  // label, this resource sets document.domain, which would make it same-origin
  // but not same origin-domain with this page; confirm against the resource.
  ["cross-origin-domain but same-origin", "/html/browsers/windows/resources/document-domain-setter.html"]
];

// [label, action] pairs: the two ways the parent tries to navigate the iframe.
const navigations = [
  ["setting src", frame => { frame.src = probeUrl; }],
  ["setting location.href", frame => { frame.contentWindow.location.href = probeUrl; }]
];

for (const [description, url] of cases) {
  for (const [how, navigate] of navigations) {
    promise_test(async t => {
      const frame = await insertIframe(t, url);

      // Any message event on this window fails the test. The handler does not
      // inspect the event's source or data, so it errs toward failing.
      const onMessage = t.unreached_func("message event fired");
      t.add_cleanup(() => window.removeEventListener("message", onMessage));
      window.addEventListener("message", onMessage);

      navigate(frame);

      // The test passes if no message arrived within this window.
      // NOTE(review): this is a fixed 50 ms wait, so a pass means "nothing was
      // observed in time", not proof that the script can never run; a message
      // delivered later would be missed.
      await new Promise(done => t.step_timeout(done, 50));
    }, `${description}, ${how}`);
  }
}

/**
 * Appends an iframe pointing at `url` to the document body and waits for it to load.
 *
 * @param {object} t - testharness test object; the iframe is removed on cleanup.
 * @param {string} url - URL to load in the iframe.
 * @returns {Promise<HTMLIFrameElement>} Resolves with the iframe once its load
 *   event fires; rejects if its error event fires.
 */
function insertIframe(t, url) {
  return new Promise((resolve, reject) => {
    const frame = document.createElement("iframe");
    t.add_cleanup(() => frame.remove());

    frame.onload = () => resolve(frame);
    frame.onerror = () => reject(new Error("Failed to load the outer iframe"));
    frame.src = url;

    // The load only starts once the element is connected to the document.
    document.body.append(frame);
  });
}
</script>