tor-browser

The Tor Browser

sandbox-window-open-srcdoc.html (2504B)


      1 <!DOCTYPE html>
      2 <meta charset=utf-8>
      3 <title>window.open("about:srcdoc") from a sandboxed iframe</title>
      4 <script src="/resources/testharness.js"></script>
      5 <script src="/resources/testharnessreport.js"></script>
      6 <body>
      7 <script>
      8 function waitForEvent(name, target) {
      9  return new Promise(resolve => {
     10    function listener(event) {
     11      resolve(event);
     12      }
     13    target.addEventListener(name, listener, { once: true });
     14  });
     15 }
     16 
     17 // Check what happens when executing window.open("about:srcdoc") from a
     18 // sandboxed iframe. Srcdoc can't be loaded in the main frame. It should
     19 // result in an error page. The error page should be cross-origin with the
     20 // opener.
     21 //
     22 // This test covers an interesting edge case. A main frame should inherit
     23 // sandbox flags. However the document loaded is an internal error page. This
     24 // might trigger some assertions, especially if the implementation wrongly
     25 // applies the sandbox flags of the opener to the internal error page document.
     26 //
     27 // This test is mainly a coverage test. It passes if it doesn't crash.
     28 promise_test(async t => {
     29  let iframe = document.createElement("iframe");
     30  iframe.sandbox = "allow-scripts allow-popups allow-same-origin";
     31  iframe.srcdoc = `
     32    <script>
     33      let w = window.open();
     34      onunload = () => w.close();
     35 
     36      let notify = () => {
     37        try {
     38          w.origin; // Will fail after navigating to about:srcdoc.
     39          parent.postMessage("pending", "*");
     40        } catch (e) {
     41          parent.postMessage("done", "*");
     42        };
     43      };
     44 
     45      addEventListener("message", notify);
     46      notify();
     47 
     48      w.location = "about:srcdoc"; // Error page.
     49    </scr`+`ipt>
     50  `;
     51 
     52  let msg = waitForEvent("message", window);
     53  document.body.appendChild(iframe);
     54  while ( (await msg).data !== "done" ) {
     55    iframe.contentWindow.postMessage("ping","*");
     56    msg = waitForEvent("message", window);
     57  }
     58  iframe.remove();
     59 }, "window.open('about:srcdoc') from sandboxed srcdoc doesn't crash.");
     60 
     61 promise_test(async t => {
     62  let ifr = document.createElement("iframe");
     63  ifr.sandbox = "allow-scripts allow-popups";
     64  ifr.srcdoc = `<script>
     65    const w = window.open();
     66    try {
     67      w.document;
     68      parent.postMessage("fail", "*")
     69    } catch (e) {
     70      parent.postMessage(e.name, "*")
     71    }
     72  </scri`+`pt>`;
     73 
     74  const msg = waitForEvent("message", window);
     75  document.body.appendChild(ifr);
     76  const data = (await msg).data;
     77  assert_equals(data, "SecurityError", "");
     78 }, "popup is isolated from an isolated iframe");
     79 </script>