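<!--
Content-Security-Policy: sandbox allow-scripts
                         allow-popups
                         allow-popups-to-escape-sandbox
-->
<!DOCTYPE html>
<html lang="en">
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>
<body>

<script>

// Sandbox flags are inherited from a document toward every frame it creates,
// which then is inherited to every new document created in this frame.

// Using the flag 'allow-popups-to-escape-sandbox' inhibits this inheritance
// mechanism when the new frame is a popup.
//
// Sandbox flags can also be set via CSP. CSP is inherited from a document
// toward every other document it creates that is loaded with a local scheme.
// In particular, this includes:
// - The initial empty document
// - The first about:blank navigation. See (note)
// - Any about:blank navigation.
//
// Both mechanisms are at play here.
//
// Note: As of 2021, Chrome handles the very first navigation to about:blank in
// a frame synchronously instead of asynchronously. This is the only navigation
// behaving this way. As a result, inheritance of sandbox is different and needs
// to be tested separately.
// See also:
// https://docs.google.com/document/d/1KY0DCaoKjUPbOX28N9KWvBjbnAfQEIRTaLbZUq9EkK8
//
// Every popup opened below is closed in a test cleanup step, so that a popup
// left open by one test cannot outlive it and interfere with the next one.
// Window.close() is one of the few members reachable on a cross-origin
// WindowProxy, so this also works for the sandboxed (opaque-origin) popups.

test(test => {
  assert_equals(window.origin, 'null');
}, "Document is sandboxed via its CSP.");

promise_test(async test => {
  // The navigation will be canceled (204 no content). As a result, the
  // document in the popup must still be the initial empty document.
  const w = window.open("/common/blank.html?pipe=status(204)");
  test.add_cleanup(() => w.close());

  // The initial empty document is sandboxed, because it inherited CSP from
  // its opener. However this is impossible to verify. There are cross-origin
  // access restrictions and an about:blank document can't do much on its own.
  // We try to identify that the document is sandboxed by accessing a
  // cross-origin restricted API.
  assert_throws_dom(
    "SecurityError", () => { w.origin },
    "Access before timeout throws");

  // Test after a 500ms timeout, delay after which we expect asynchronous
  // navigations to be canceled.
  await new Promise(r => setTimeout(r, 500) );

  // The about:blank must still be sandboxed.
  assert_throws_dom(
    "SecurityError", () => { w.origin },
    "Access after timeout throws");
}, "The initial empty document inherit sandbox via CSP.");

// Regression test for https://crbug.com/1190065
promise_test(async test => {
  const w = window.open("about:blank");
  test.add_cleanup(() => w.close());

  // The about:blank document is sandboxed, because it inherited CSP from its
  // opener. However this is impossible to verify. There are cross-origin
  // access restrictions and an about:blank document can't do much on its own.
  // We try to identify that the document is sandboxed by accessing a
  // cross-origin restricted API.
  assert_throws_dom(
    "SecurityError", () => { w.origin },
    "Access before timeout throws");

  // Test after a 500ms timeout, delay after which we expect asynchronous
  // about:blank navigation to be completed.
  await new Promise(r => setTimeout(r, 500) );

  // The about:blank must still be sandboxed.
  assert_throws_dom(
    "SecurityError", () => { w.origin },
    "Access after timeout throws");
}, "The synchronous re-navigation to about:blank inherits sandbox via CSP");

async_test(test => {
  let w = null;
  const onMessage = test.step_func(e => {
    // Only act on the message coming from the popup opened by this test, so
    // that a message from any other window cannot complete (or fail) it.
    // NOTE(review): assumes the helper page posts from its own top-level
    // window, so that e.source is the popup's WindowProxy — confirm against
    // resources/post-origin-to-opener.html.
    if (e.source !== w)
      return;
    assert_equals(e.data.origin, (new URL(location)).origin,
                  "popup is not sandboxed");
    test.done();
  });
  window.addEventListener("message", onMessage);
  test.add_cleanup(() => window.removeEventListener("message", onMessage));
  w = window.open("./resources/post-origin-to-opener.html");
  test.add_cleanup(() => w.close());
}, "Popup do not inherit sandbox, because of 'allow-popups-to-escape-sandbox'" +
   " the document doesn't inherit CSP. The document isn't sandboxed");

</script>
</body>
</html>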