iframe-allow.html (3765B)
1 <!doctype html> 2 <meta charset=utf-8> 3 <title>Check processing of allow attribute in nested browsing context</title> 4 <link rel="author" title="Google" href="https://www.google.com"> 5 <link rel="help" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-allow"> 6 <link rel="help" href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#initialise-the-document-object"> 7 <link rel="help" href="https://fullscreen.spec.whatwg.org/#fullscreen-enabled-flag"> 8 <script src="/resources/testharness.js"></script> 9 <script src="/resources/testharnessreport.js"></script> 10 11 <div id="log"></div> 12 <script> 13 // This returns a data URL (cross-origin with the containing document) which 14 // advances a counter, and reports the counter value together with the 15 // document's fullscreenEnabled state, every time it receives a postMessage. 16 // Fullscreen itself is not important for this test, but the flag is a useful 17 // indicator of whether a policy-controlled-feature is allowed or denied. 18 function getSourceForCrossOriginPage(initial_count) { 19 var page_contents = "<html><body><script>var count="+initial_count+";window.addEventListener('message',function(){parent.postMessage({'count':count++,'fullscreenEnabled':document.fullscreenEnabled},'*');});</scr"+"ipt></body></html>"; 20 return "data:text/html;base64,"+btoa(page_contents); 21 } 22 23 async_test(function(t) { 24 var iframe = document.createElement("iframe"); 25 iframe.src = getSourceForCrossOriginPage(0); 26 27 iframe.addEventListener('load', function() { 28 // Request the fullscreenEnabled state whenever the frame loads 29 iframe.contentWindow.postMessage(true,"*"); 30 }); 31 32 window.addEventListener('message', this.step_func(function(msg) { 33 if (msg.data.count == 0) { 34 assert_false(msg.data.fullscreenEnabled, "Document inside cross-origin iframe without allow attribute should not have feature enabled"); 35 iframe.setAttribute("allow", "fullscreen"); 36 iframe.contentWindow.postMessage(true,"*"); // Request state again 37 } else if (msg.data.count == 1) { 38 assert_false(msg.data.fullscreenEnabled, "Feature should be denied when correct allow attribute is added, before reload"); 39 iframe.src = getSourceForCrossOriginPage(2); // Reload the frame 40 } else if (msg.data.count == 2) { 41 assert_true(msg.data.fullscreenEnabled, "Feature should be allowed when correct allow attribute is added, after reload"); 42 iframe.removeAttribute("allow"); 43 iframe.contentWindow.postMessage(true,"*"); // Request state again 44 } else if (msg.data.count == 3) { 45 assert_true(msg.data.fullscreenEnabled, "Feature should be allowed when allow attribute is removed, before reload"); 46 iframe.src = getSourceForCrossOriginPage(4); // Reload the frame 47 } else if (msg.data.count == 4) { 48 assert_false(msg.data.fullscreenEnabled, "Feature should be denied when allow attribute is removed, after reload"); 49 iframe.setAttribute("allow", "payment"); // Set allow to an unrelated feature 50 iframe.src = getSourceForCrossOriginPage(5); // Reload the frame 51 } else if (msg.data.count == 5) { 52 assert_false(msg.data.fullscreenEnabled, "Feature should be denied with incorrect allow attribute"); 53 iframe.setAttribute("allow", "payment;fullscreen"); // Include fullscreen again 54 iframe.src = getSourceForCrossOriginPage(6); // Reload the frame 55 } else if (msg.data.count == 6) { 56 assert_true(msg.data.fullscreenEnabled, "Feature should be allowed with complex allow attribute"); 57 t.done(); 58 } else { 59 assert_unreached(); 60 } 61 })); 62 63 document.body.appendChild(iframe); 64 }, "iframe-cross-origin-allow"); 65 66 </script>