
show-picker-cross-origin-iframe.html (2747B)


      1 <!DOCTYPE html>
      2 <title>Test showPicker() called from cross-origin iframe</title>
      3 <script src="/resources/testharness.js"></script>
      4 <script src="/resources/testharnessreport.js"></script>
      5 <script src="/common/get-host-info.sub.js"></script>
      6 <body>
      7 <iframe id="iframe1"></iframe>
      8 <iframe id="iframe2"></iframe>
      9 <iframe id="iframe3"></iframe>
     10 <iframe id="iframe4"></iframe>
     11 </body>
     12 <script>
     13 function waitForSecurityErrors() {
     14  return new Promise((resolve) => {
     15    window.addEventListener("message", (event) => resolve(event.data), {
     16      once: true,
     17    });
     18  });
     19 }
     20 
     21 promise_test(async (t) => {
     22  iframe1.src =
     23    new URL("resources/", self.location).pathname +
     24    "show-picker-child-iframe.html";
     25 
     26  // Wait for the iframe to report security errors when calling showPicker().
     27  const securityErrors = await waitForSecurityErrors();
     28  assert_equals(
     29    securityErrors,
     30    "",
     31    "In same-origin iframes, showPicker() does not throw a SecurityError."
     32  );
     33 });
     34 
     35 promise_test(async (t) => {
     36  iframe2.src =
     37    get_host_info().HTTP_NOTSAMESITE_ORIGIN +
     38    new URL("resources/", self.location).pathname +
     39    "show-picker-child-iframe.html";
     40 
     41  // Wait for the iframe to report security errors when calling showPicker().
     42  const securityErrors = await waitForSecurityErrors();
     43  assert_equals(
     44    securityErrors,
     45    "button,checkbox,date,datetime-local,email,hidden,image,month,number,password,radio,range,reset,search,submit,tel,text,time,url,week",
     46    "In cross-origin iframes, showPicker() throws a SecurityError except on file and color."
     47  );
     48 });
     49 
     50 promise_test(async (t) => {
     51  iframe3.src =
     52    new URL("resources/", self.location).pathname +
     53    "show-picker-child-iframe.html?documentDomain=" + get_host_info().ORIGINAL_HOST;
     54 
     55  // Wait for the iframe to report security errors when calling showPicker().
     56  const securityErrors = await waitForSecurityErrors();
     57  assert_equals(
     58    securityErrors,
     59    "",
     60    "In same-origin but cross-origin-domain iframes, showPicker() does not throw a SecurityError."
     61  );
     62 });
     63 
     64 promise_test(async (t) => {
     65  document.domain = get_host_info().ORIGINAL_HOST;
     66  iframe4.src =
     67    get_host_info().HTTP_REMOTE_ORIGIN +
     68    new URL("resources/", self.location).pathname +
     69    "show-picker-child-iframe.html?documentDomain=" + get_host_info().ORIGINAL_HOST;
     70 
     71  // Wait for the iframe to report security errors when calling showPicker().
     72  const securityErrors = await waitForSecurityErrors();
     73  assert_equals(
     74    securityErrors,
     75    "button,checkbox,date,datetime-local,email,hidden,image,month,number,password,radio,range,reset,search,submit,tel,text,time,url,week",
     76    "In cross-origin but same-origin-domain iframes, showPicker() throws a SecurityError except on file and color."
     77  );
     78 });
     79 </script>