sandbox-disallow-popups.html (1161B)
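<!DOCTYPE html>
<meta charset=utf-8>
<title>window.open in sandbox iframe</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/utils.js"></script>
<body>
<script>
// Verifies that an iframe sandboxed with only 'allow-scripts' (no
// 'allow-popups') cannot open a popup: window.open() must yield null, and the
// popup URL must never be fetched.
setup({single_test: true});

// Unique stash key for this run. The popup URL would store "loaded" under this
// key if it were ever fetched.
const uuid = token();

// Check that the popup's URL was not loaded: taking the stash entry must
// yield null, meaning nothing was ever stored under the key.
async function assert_popup_not_loaded() {
  const response = await fetch(`/fetch/api/resources/stash-take.py?key=${uuid}`);
  assert_equals(await response.json(), null); // is "loaded" if it loads
}

const iframe = document.createElement('iframe');
// Script execution is the only capability granted to the frame.
iframe.sandbox = 'allow-scripts';

// Check for the message from the iframe.
window.onmessage = e => {
  // Only the sandboxed frame created here may drive the test. Without this
  // check any other window posting to this page could trigger the assertions
  // and finish the test early.
  if (e.source !== iframe.contentWindow) {
    return;
  }
  assert_equals(e.data, 'null', 'return value of window.open (stringified)');
  // Wait before reading the stash so that a popup which was wrongly allowed
  // has time to load and record itself.
  step_timeout(async () => {
    await assert_popup_not_loaded();
    done();
  }, 1000);
};

// The frame reports String(result), so a thrown exception is reported as its
// message text instead of being lost. The '*' target origin is acceptable
// because the payload is only that stringified result.
iframe.srcdoc = `
  <script>
    let result;
    try {
      result = window.open('/fetch/api/resources/stash-put.py?key=${uuid}&value=loaded', '_blank');
    } catch(ex) {
      result = ex;
    }
    parent.postMessage(String(result), '*');
  <\/script>
`;
document.body.appendChild(iframe);
</script>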