tor-browser

The Tor Browser

show-picker-cross-origin-iframe.html (2826B)


      1 <!DOCTYPE html>
      2 <title>Test showPicker() called from cross-origin iframe</title>
      3 <script src="/resources/testharness.js"></script>
      4 <script src="/resources/testharnessreport.js"></script>
      5 <script src="/common/get-host-info.sub.js"></script>
      6 <body>
      7 <iframe id="iframe1"></iframe>
      8 <iframe id="iframe2"></iframe>
      9 <iframe id="iframe3"></iframe>
     10 <iframe id="iframe4"></iframe>
     11 </body>
     12 <script>
     13    function waitForSecurityErrors() {
     14        return new Promise((resolve) => {
     15            window.addEventListener("message", (event) => resolve(event.data), {
     16                once: true,
     17            });
     18        });
     19    }
     20 
     21    promise_test(async (t) => {
     22        iframe1.src =
     23            new URL("resources/", self.location).pathname +
     24            "show-picker-child-iframe.html";
     25 
     26        // Wait for the iframe to report security errors when calling showPicker().
     27        const securityErrors = await waitForSecurityErrors();
     28        assert_equals(
     29            securityErrors,
     30            "",
     31            "In same-origin iframes, showPicker() does not throw a SecurityError."
     32        );
     33    });
     34 
     35    promise_test(async (t) => {
     36        iframe2.src =
     37            get_host_info().HTTP_NOTSAMESITE_ORIGIN +
     38            new URL("resources/", self.location).pathname +
     39            "show-picker-child-iframe.html";
     40 
     41        // Wait for the iframe to report security errors when calling showPicker().
     42        const securityErrors = await waitForSecurityErrors();
     43        assert_equals(
     44            securityErrors,
     45            "select",
     46            "In cross-origin iframes, showPicker() throws a SecurityError."
     47        );
     48    });
     49 
     50    promise_test(async (t) => {
     51        iframe3.src =
     52            new URL("resources/", self.location).pathname +
     53            "show-picker-child-iframe.html?documentDomain=" + get_host_info().ORIGINAL_HOST;
     54 
     55        // Wait for the iframe to report security errors when calling showPicker().
     56        const securityErrors = await waitForSecurityErrors();
     57        assert_equals(
     58            securityErrors,
     59            "",
     60            "In same-origin but cross-origin-domain iframes, showPicker() does not throw a SecurityError."
     61        );
     62    });
     63 
     64    promise_test(async (t) => {
     65        document.domain = get_host_info().ORIGINAL_HOST;
     66        iframe4.src =
     67            get_host_info().HTTP_REMOTE_ORIGIN +
     68            new URL("resources/", self.location).pathname +
     69            "show-picker-child-iframe.html?documentDomain=" + get_host_info().ORIGINAL_HOST;
     70 
     71        // Wait for the iframe to report security errors when calling showPicker().
     72        const securityErrors = await waitForSecurityErrors();
     73        assert_equals(
     74            securityErrors,
     75            "select",
     76            "In cross-origin but same-origin-domain iframes, showPicker() throws a SecurityError."
     77        );
     78    });
     79 </script>