sandboxed-iframe-with-opaque-origin.html (3338B)
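<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Referrer Policy: Sandboxed iframes with opaque origins don't send referrers</title>
<link rel="author" title="Jochen Eisinger" href="mailto:jochen@chromium.org">
<link rel="author" title="Arthur Sonzogni" href="mailto:arthursonzogni@chromium.org">
<link rel="help" href="https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<!-- Common global functions for referrer-policy tests. -->
<script src="/common/security-features/resources/common.sub.js"></script>
<script src="/common/get-host-info.sub.js"></script>
</head>
<body>
<h1>
  Referrer Policy: A document with an opaque origin doesn't send referrers
</h1>
<script>

// What this file checks: a document whose origin is opaque (an iframe
// sandboxed without allow-same-origin) sends no referrer, both for
// subresource fetches and for navigations, even though the framed document
// asks for the most permissive policy. The same frame with allow-same-origin
// keeps a tuple origin and does send one.
//
// Every framed document declares `meta name="referrer" content="always"`,
// the legacy keyword for unsafe-url. An empty result in the opaque-origin
// cases therefore comes from the origin rule, not from the policy.
//
// Caveat for readers borrowing the pattern: "allow-same-origin allow-scripts"
// on a srcdoc frame is used here only to obtain a tuple origin. A frame that
// is same-origin with its embedder and may run script can reach the embedder
// and lift its own sandbox, so that token pair does not isolate untrusted
// content.

// Resolves with the data of the next "message" event delivered to this
// window. Call it before the sender is attached so the message cannot be
// missed. `once` drops the listener after the first event, so listeners do
// not pile up across the four tests.
//
// The listener does not filter by sender. A sandboxed frame with an opaque
// origin reports event.origin as "null", so the origin cannot identify it.
// NOTE(review): comparing event.source with the iframe's contentWindow
// would pin the sender if stray messages ever become a concern.
const futureMessage = function() {
  return new Promise(resolve => {
    window.addEventListener("message", event => resolve(event.data),
                            {once: true});
  });
};

// Runs a promise_test that fetches a cross-site resource from inside a
// sandboxed srcdoc iframe and checks the referrer reported for that fetch.
//
//   description       - test name shown by the harness.
//   sandboxAttributes - value assigned to the iframe's sandbox attribute.
//   expectedReferrer  - value the frame is expected to post back.
//
// requestViaFetch comes from common.sub.js and is not visible here.
// Presumably it resolves with the request headers echoed by xhr.py, so
// `msg.referrer` is undefined when no Referer header was sent (confirm in
// common.sub.js). The frame posts "FAILURE" if the fetch rejects, which
// makes the assertion fail instead of letting the test time out.
function testSandboxedIframeSubresource(description,
                                        sandboxAttributes,
                                        expectedReferrer) {
  promise_test(async test => {
    const resource_url = get_host_info().HTTP_NOTSAMESITE_ORIGIN +
        "/common/security-features/subresource/xhr.py";
    const iframe = document.createElement("iframe");
    // Detach the frame when the test ends so it cannot post into the
    // listener of a later test.
    test.add_cleanup(() => iframe.remove());
    iframe.sandbox = sandboxAttributes;
    // The closing script tag is split across two template literals so the
    // HTML parser does not end this inline script early.
    iframe.srcdoc = `
      <meta name="referrer" content="always">
      <script src="/common/security-features/resources/common.sub.js">
      </scr`+`ipt>
      <script>
        requestViaFetch("${resource_url}").then((msg) => {
          parent.postMessage(msg.referrer, '*');
        }).catch((e) => {
          parent.postMessage("FAILURE", '*');
        });
      </scr`+`ipt>
    `;

    // Subscribe before attaching the frame: attaching is what starts the load.
    const future_message = futureMessage();
    document.body.appendChild(iframe);
    assert_equals(await future_message, expectedReferrer);

  }, description);
}

// Runs a promise_test that navigates a sandboxed srcdoc iframe to a
// cross-site document and checks the referrer reported for that navigation.
//
//   description       - test name shown by the harness.
//   sandboxAttributes - value assigned to the iframe's sandbox attribute.
//   expectedReferrer  - value the navigated document is expected to post.
//
// referrer.py is not visible here. Presumably it returns a page that posts
// the Referer header it received (or "" when there was none) to its parent.
// Confirm against that resource.
function testSandboxedIframeMainResource(description,
                                         sandboxAttributes,
                                         expectedReferrer) {
  promise_test(async test => {
    const document_url = get_host_info().HTTP_NOTSAMESITE_ORIGIN +
        "/referrer-policy/generic/resources/referrer.py";
    const iframe = document.createElement("iframe");
    // Detach the frame when the test ends so it cannot post into the
    // listener of a later test.
    test.add_cleanup(() => iframe.remove());
    iframe.sandbox = sandboxAttributes;
    // The closing script tag is split across two template literals so the
    // HTML parser does not end this inline script early.
    iframe.srcdoc = `
      <meta name="referrer" content="always">
      <script>
        onload = () => {
          location.href = "${document_url}";
        }
      </scr`+`ipt>
    `;

    // Subscribe before attaching the frame: attaching is what starts the load.
    const future_message = futureMessage();
    document.body.appendChild(iframe);
    assert_equals(await future_message, expectedReferrer);

  }, description);
}

// Opaque origin: no referrer. The subresource case expects undefined and the
// navigation case expects "".
// Tuple origin: the expected referrer is this page's URL. The test asserts
// document.location.href, the embedder's URL, for a srcdoc frame.
testSandboxedIframeSubresource(
  "Sandboxed iframe with opaque origin doesn't send referrers to subresources",
  "allow-scripts", undefined);
testSandboxedIframeSubresource(
  "Sandboxed iframe with tuple origin sends referrers to subresources",
  "allow-same-origin allow-scripts", document.location.href);
testSandboxedIframeMainResource(
  "Sandboxed iframe with opaque origin doesn't send referrers on navigation",
  "allow-scripts", "");
testSandboxedIframeMainResource(
  "Sandboxed iframe with tuple origin sends referrers on navigation",
  "allow-same-origin allow-scripts", document.location.href);

</script>
</body>
</html>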