
coop-sandbox-cuts-opener.https.html (2361B)


      1 <!doctype html>
      2 <title>
      3  Sandboxed Cross-Origin-Opener-Policy popup should cut the opener if necessary
      4 </title>
      5 <script src="/resources/testharness.js"></script>
      6 <script src="/resources/testharnessreport.js"></script>
      7 <script src="/common/dispatcher/dispatcher.js"></script>
      8 <script src="/common/get-host-info.sub.js"></script>
      9 <script src="/common/utils.js"></script>
     10 <script src="resources/common.js"></script>
     11 <body>
     12 <script>
     13 const executor_path = "/common/dispatcher/executor.html?pipe=";
     14 const coop_same_origin_header =
     15  '|header(Cross-Origin-Opener-Policy,same-origin)';
     16 const coop_unsafe_none_header =
     17  '|header(Cross-Origin-Opener-Policy,unsafe-none)';
     18 
     19 function getExecutorPath(uuid, origin, coop_header) {
     20  return origin.origin + executor_path + coop_header  + `&uuid=${uuid}`;
     21 }
     22 
     23 [
     24  "allow-popups allow-scripts allow-same-origin",
     25  "allow-popups allow-scripts",
     26 ].forEach(sandboxValue => {
     27  async_test(t => {
     28    // Set up dispatcher communications.
     29    const iframe_token = token();
     30    const popup_token = token();
     31    const main_frame_token_for_popup = token();
     32    const main_frame_token_for_iframe = token();
     33 
     34    // Create a sandboxed iframe.
     35    const iframe = document.createElement("iframe");
     36    iframe.sandbox = sandboxValue;
     37    iframe.src = getExecutorPath(iframe_token, SAME_ORIGIN,
     38                                 coop_unsafe_none_header);
     39    document.body.append(iframe);
     40    t.add_cleanup(() => iframe.remove());
     41 
     42    // Open a COOP popup from the sandboxed iframe.
     43    const popup_url = getExecutorPath(popup_token,
     44    SAME_ORIGIN,
     45    coop_same_origin_header);
     46    send(iframe_token, `window.popup = window.open('${popup_url}')`);
     47 
     48    // This should fail. We ping the popup, if we get an answer it loaded.
     49    send(popup_token, `
     50    send('${main_frame_token_for_popup}', 'Popup loaded');
     51    `);
     52    receive(main_frame_token_for_popup)
     53    .then(t.unreached_func("A COOP popup was created from a sandboxed frame"));
     54 
     55    // We delay probing the popup.closed property to give it time to settle.
     56    t.step_timeout(() => {
     57    send(iframe_token,
     58    `send('${main_frame_token_for_iframe}', window.popup.closed);`);
     59    }, 1500);
     60    receive(main_frame_token_for_iframe)
     61    .then(t.step_func_done(data => assert_equals(data, "true")));
     62 
     63  }, `<iframe sandbox="${sandboxValue}"> ${document.title}`);
     64 });
     65 </script>
     66 </body>