sandbox-inherited-from-required-csp.html (5003B)
1 <!DOCTYPE html> 2 <meta charset=utf-8> 3 <title>Inherit sandbox from CSP embedded enforcement</title> 4 <script src="/resources/testharness.js"></script> 5 <script src="/resources/testharnessreport.js"></script> 6 <script src="/common/get-host-info.sub.js"></script> 7 <body> 8 <script> 9 // Check sandbox flags are properly defined when its parent requires them and 10 // the child allows it. 11 12 const same_origin = get_host_info().HTTP_ORIGIN; 13 const cross_origin = get_host_info().HTTP_REMOTE_ORIGIN; 14 const check_sandbox_url = 15 "/html/browsers/sandboxing/resources/check-sandbox-flags.html?pipe="; 16 const allow_csp_from_star = "|header(Allow-CSP-From,*)"; 17 18 // Return a promise, resolving when |element| triggers |event_name| event. 19 const future = (element, event_name, source) => { 20 return new Promise(resolve => { 21 element.addEventListener(event_name, event => { 22 if (!source || source.contentWindow == event.source) 23 resolve(event) 24 }) 25 }); 26 }; 27 28 const check_sandbox_script = ` 29 <script> 30 try { 31 document.domain = document.domain; 32 parent.postMessage("document-domain-is-allowed", "*"); 33 } catch (exception) { 34 parent.postMessage("document-domain-is-disallowed", "*"); 35 } 36 </scr`+`ipt> 37 `; 38 39 const sandbox_policy = "sandbox allow-scripts allow-same-origin"; 40 41 // Test using the modern async/await primitives are easier to read/write. 42 // However they run sequentially, contrary to async_test. This is the parallel 43 // version, to avoid timing out. 44 let promise_test_parallel = (promise, description) => { 45 async_test(test => { 46 promise(test) 47 .then(() => {test.done();}) 48 .catch(test.step_func(error => { throw error; })); 49 }, description); 50 }; 51 52 promise_test_parallel(async test => { 53 const iframe = document.createElement("iframe"); 54 iframe.csp = sandbox_policy; 55 56 // The <iframe> immediately hosts the initial empty document after being 57 // appended into the DOM. It will, as long as its 'src' isn't loaded. That's 58 // why a page do not load is being used. 59 iframe.src = "/fetch/api/resources/infinite-slow-response.py"; 60 document.body.appendChild(iframe); 61 62 const iframe_reply = future(window, "message", iframe); 63 iframe.contentDocument.write(check_sandbox_script); 64 const result = await iframe_reply; 65 iframe.remove(); 66 67 assert_equals(result.data, "document-domain-is-disallowed"); 68 }, "initial empty document"); 69 70 promise_test_parallel(async test => { 71 const iframe = document.createElement("iframe"); 72 iframe.src = "data:text/html,dummy"; 73 74 const iframe_load_1 = future(iframe, "load"); 75 document.body.appendChild(iframe); 76 await iframe_load_1; 77 78 const iframe_load_2 = future(iframe, "load"); 79 iframe.csp = sandbox_policy; 80 iframe.src = "about:blank"; 81 await iframe_load_2; 82 83 const iframe_reply = future(window, "message", iframe); 84 iframe.contentDocument.write(check_sandbox_script); 85 const result = await iframe_reply; 86 87 assert_equals(result.data, "document-domain-is-disallowed"); 88 }, "about:blank"); 89 90 promise_test_parallel(async test => { 91 const iframe = document.createElement("iframe"); 92 iframe.csp = sandbox_policy; 93 iframe.src = 94 `data:text/html,${encodeURI(check_sandbox_script)}`; 95 96 const iframe_reply = future(window, "message", iframe); 97 document.body.appendChild(iframe); 98 const result = await iframe_reply; 99 100 assert_equals(result.data, "document-domain-is-disallowed"); 101 }, "data-url"); 102 103 promise_test_parallel(async test => { 104 const iframe = document.createElement("iframe"); 105 iframe.csp = sandbox_policy; 106 iframe.srcdoc = check_sandbox_script; 107 108 const iframe_reply = future(window, "message", iframe); 109 document.body.appendChild(iframe); 110 const result = await iframe_reply; 111 112 assert_equals(result.data, "document-domain-is-disallowed"); 113 }, "srcdoc"); 114 115 promise_test_parallel(async test => { 116 const iframe = document.createElement("iframe"); 117 iframe.csp = sandbox_policy; 118 119 const blob = new Blob([check_sandbox_script], { type: "text/html" }); 120 121 iframe.src = URL.createObjectURL(blob); 122 123 const iframe_reply = future(window, "message", iframe); 124 document.body.appendChild(iframe); 125 const result = await iframe_reply; 126 127 assert_equals(result.data, "document-domain-is-disallowed"); 128 }, "blob URL"); 129 130 promise_test_parallel(async test => { 131 const iframe = document.createElement("iframe"); 132 iframe.csp = sandbox_policy; 133 iframe.src = same_origin + check_sandbox_url + allow_csp_from_star; 134 135 const iframe_reply = future(window, "message", iframe); 136 document.body.appendChild(iframe); 137 const result = await iframe_reply; 138 139 assert_equals(result.data, "document-domain-is-disallowed"); 140 }, "same-origin"); 141 142 promise_test_parallel(async test => { 143 const iframe = document.createElement("iframe"); 144 iframe.csp = sandbox_policy; 145 iframe.src = cross_origin + check_sandbox_url + allow_csp_from_star; 146 147 const iframe_reply = future(window, "message", iframe); 148 document.body.appendChild(iframe); 149 const result = await iframe_reply; 150 151 assert_equals(result.data, "document-domain-is-disallowed"); 152 }, "cross-origin"); 153 154 </script>