iframe-inheritance-javascript.html (1687B)
1 <!doctype html> 2 <title>Referrer Policy: iframes with javascript url reuse referrer policy</title> 3 <script src="/resources/testharness.js"></script> 4 <script src="/resources/testharnessreport.js"></script> 5 <script src="/common/get-host-info.sub.js"></script> 6 <script src="resources/make-html-script.js"></script> 7 <meta name="referrer" content="unsafe-url"> 8 <div id="log"></div> 9 <script> 10 11 [ 12 { 13 fetchReferrer: "", 14 // Because the URL of the Document of <iframe src="javascript:..."> is 15 // "about:blank", the stripped URL is no referrer: 16 // https://w3c.github.io/webappsec-referrer-policy/#strip-url. 17 expected: undefined 18 }, 19 { 20 fetchReferrer: location.origin+"/custom", 21 // <iframe src="javascript:..."> inherits its parent's referrer policy. 22 // Note: Setting an explicit URL as referrer succeeds 23 // because the same-origin check at 24 // https://fetch.spec.whatwg.org/#dom-request 25 // is done against <iframe>'s origin, which inherits the parent 26 // Document's origin == location.orgin. Furthermore, since the iframe 27 // inherits its parent's referrer policy, the URL should be restricted to 28 // its origin. 29 expected: self.origin + "/custom" 30 } 31 ].forEach(({ fetchReferrer, expected }) => { 32 promise_test(t => { 33 return new Promise(resolve => { 34 window.addEventListener("message", t.step_func(msg => { 35 assert_equals(msg.data.referrer, expected); 36 resolve(); 37 }), { once: true }); 38 const iframe = document.createElement("iframe"); 39 iframe.src = `javascript:'${createScriptString(get_host_info().REMOTE_ORIGIN, fetchReferrer)}'`; 40 document.body.appendChild(iframe); 41 }); 42 }); 43 }); 44 45 </script>