sandbox-document-open.html (1527B)
<!DOCTYPE html>
<meta charset="utf-8">
<title>
  Check sandbox-flags aren't lost after using document.open().
</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<!--
  Regression test: the sandboxing flags of a sandboxed iframe must still apply
  after its document has been re-opened with document.open().

  Probe: assigning document.domain. The document.domain setter is blocked in a
  sandboxed document and none of the allow-* tokens used here lifts that, so
  "the setter throws" shows the sandbox flags are still in force. If the flags
  were dropped on document.open(), the assignment would succeed and the frame
  would report 'document-domain-is-allowed'.

  The sandbox value "allow-scripts allow-same-origin" is a test fixture: the
  probe needs script to run in the frame, and the second test needs the parent
  to reach iframe.contentDocument. It is not a hardening pattern.
-->
<body>
<script>
// Resolves with the data of the first "message" event seen on this window
// after the call.
// NOTE(review): the listener accepts a message from any source and is never
// removed; the tests below run one after the other and each frame is expected
// to post exactly once. Confirm this if more senders are added.
function nextMessageData() {
  return new Promise(resolve => {
    window.addEventListener("message", event => resolve(event.data));
  });
}

// Case 1: the framed document re-opens itself.
// ./resources/document-open.html is not shown here; presumably it calls
// document.open() on its own document and then runs the same document.domain
// probe (verify against the resource).
promise_test(async test => {
  // Listen before the frame exists so its report cannot be missed.
  const reply = nextMessageData();

  const frame = document.createElement("iframe");
  frame.setAttribute("sandbox", "allow-scripts allow-same-origin");
  frame.setAttribute("src", "./resources/document-open.html");
  document.body.appendChild(frame);

  assert_equals(await reply, "document-domain-is-disallowed");
}, "document.open()");

// Case 2: the embedder re-opens the sandboxed document from outside, by
// calling write() on the frame's already-loaded document.
promise_test(async test => {
  const frame = document.createElement("iframe");
  frame.setAttribute("sandbox", "allow-scripts allow-same-origin");
  frame.setAttribute("src", "/common/blank.html");
  // Install the load handler before insertion, then wait for the blank page,
  // so the write below targets a fully loaded document.
  const frameLoaded = new Promise(resolve => {
    frame.onload = resolve;
  });
  document.body.appendChild(frame);
  await frameLoaded;

  const reply = nextMessageData();

  // The closing script tag is split across two template literals so the HTML
  // parser does not end this inline script early. The '*' target origin only
  // carries a fixed status string back to the test page.
  frame.contentDocument.write(`
    <script>
      try {
        document.domain = document.domain;
        parent.postMessage('document-domain-is-allowed', '*');
      } catch (error) {
        parent.postMessage('document-domain-is-disallowed', '*');
      }
    </sc`+`ript>
  `);

  assert_equals(await reply, "document-domain-is-disallowed");
}, "other_document.open()");
</script>
</body>
</html>