sandbox-inherit-to-blank-document-unsandboxed-frame.html (3471B)
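<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Popups opened with allow-popups-to-escape-sandbox are not sandboxed</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>
<body>
<script>
// Sandbox flags are inherited from a document by every frame it creates, and
// from that frame by every new document created in it.
//
// The 'allow-popups-to-escape-sandbox' flag disables this inheritance when
// the new frame is a popup.
//
// Unlike CSP, sandbox flags are not inherited from the initiator/creator when
// loading a local scheme document (tested in
// ./sandbox-inherit-to-blank-document-unsandboxed.html).
//
// This test covers the initial empty document and the first about:blank
// navigation, and verifies that no sandbox is applied to the popups.
//
// The sandboxed frame below reports four booleans; each one is true when
// reading `origin` on a popup threw, which the assertions treat as a sign
// that the popup was sandboxed.
promise_test(async test => {
  const msg = await new Promise(resolve => {
    window.addEventListener("message", function on_message(event) {
      // Accept the report only from the sandboxed frame declared below, so
      // that an unrelated message cannot resolve the promise with a payload
      // lacking the expected fields.
      const frame = document.querySelector("iframe");
      if (!frame || event.source !== frame.contentWindow)
        return;
      window.removeEventListener("message", on_message);
      resolve(event);
    });
  });
  assert_false(msg.data.access_initial_navigation_to_about_blank_throws,
    "Failed to access initial about:blank popup, it is probably sandboxed"
  );
  assert_false(msg.data.access_first_navigation_to_about_blank_throws,
    "Failed to access navigation to about:blank, it is probably sandboxed"
  );
  // The two delayed checks carry their own messages so that a failure report
  // identifies which popup and which point in time failed.
  assert_false(msg.data.access_after_delay_initial_navigation_to_about_blank_throws,
    "Failed to access initial about:blank popup after a delay, it is probably sandboxed"
  );
  assert_false(msg.data.access_after_delay_first_navigation_to_about_blank_throws,
    "Failed to access navigation to about:blank after a delay, it is probably sandboxed"
  );
}, "Popup do not inherit sandbox, because of " +
   "'allow-popups-to-escape-sandbox'. The document isn't sandboxed.")

</script>
<iframe
  sandbox="allow-scripts allow-popups allow-popups-to-escape-sandbox"
  srcdoc="
<script>
  // Each flag becomes true when reading `origin` on the popup throws.
  // A null return from window.open (for example a blocked popup) also lands
  // in the catch block and is reported the same way.
  let access_initial_navigation_to_about_blank_throws = false;
  let access_first_navigation_to_about_blank_throws = false;
  let access_after_delay_initial_navigation_to_about_blank_throws = false;
  let access_after_delay_first_navigation_to_about_blank_throws = false;

  // The 204 response leaves this popup on its initial empty document.
  const initial_about_blank_window =
      window.open('/common/blank.html?pipe=status(204)');
  try {
    initial_about_blank_window.origin;
  } catch(e) {
    access_initial_navigation_to_about_blank_throws = true;
  }

  // This popup is explicitly navigated to about:blank.
  const renavigated_about_blank_window = window.open('about:blank');
  try {
    renavigated_about_blank_window.origin;
  } catch(e) {
    access_first_navigation_to_about_blank_throws = true;
  }

  // Repeat both checks after a delay, then report all four results.
  setTimeout(() => {
    try {
      initial_about_blank_window.origin;
    } catch(e) {
      access_after_delay_initial_navigation_to_about_blank_throws = true;
    }
    try {
      renavigated_about_blank_window.origin;
    } catch(e) {
      access_after_delay_first_navigation_to_about_blank_throws = true;
    }
    // This frame is sandboxed without allow-same-origin and the payload is
    // only the four booleans, so the wildcard target origin is used. The
    // receiver checks event.source instead.
    top.postMessage({
      'access_initial_navigation_to_about_blank_throws':
          access_initial_navigation_to_about_blank_throws,
      'access_first_navigation_to_about_blank_throws':
          access_first_navigation_to_about_blank_throws,
      'access_after_delay_initial_navigation_to_about_blank_throws':
          access_after_delay_initial_navigation_to_about_blank_throws,
      'access_after_delay_first_navigation_to_about_blank_throws':
          access_after_delay_first_navigation_to_about_blank_throws
    }, '*');
    // All measurements are done; close the popups so they do not outlive
    // the test.
    for (const popup of [initial_about_blank_window,
                         renavigated_about_blank_window]) {
      if (popup)
        popup.close();
    }
  }, 500);
</script>"
>
</iframe>
</body>
</html>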