scroll-to-text-fragment-security.sub.html (3470B)
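<!doctype html>
<title>Navigating to a text fragment directive</title>
<meta charset=utf-8>
<link rel="help" href="https://wicg.github.io/ScrollToTextFragment/">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/resources/testdriver.js"></script>
<script src="/resources/testdriver-vendor.js"></script>
<script src="/common/utils.js"></script>
<script src="stash.js"></script>
<script>
// Security restrictions on text fragment directives (`#:~:text=...`).
//
// Why these restrictions matter: a text fragment lets the navigating page
// choose which text the destination scrolls to, including on a page whose
// content it cannot read. If the initiator could observe any side effect of
// that scroll, it would learn whether the text is present (a cross-site
// search leak). Each test below pins one precondition the browser must check
// before honouring the directive.
//
// Every test also asserts that `:~:` is absent from the href the target page
// reports, i.e. that the directive is stripped from the URL the page sees.
//
// token() and fetchResults() come from /common/utils.js and stash.js, which
// are not shown here; fetchResults presumably resolves with what the target
// page recorded under `key` (an object with `href` and `scrollPosition`).

// Test security restriction for user activation.
// Both variants open the same same-origin URL with 'noopener', so the only
// variable is whether window.open() runs inside a test_driver.bless() callback.
for (const user_activation of [true, false]) {
  promise_test(t => new Promise((resolve, reject) => {
    const key = token();
    const openTarget = () => {
      window.open(`scroll-to-text-fragment-target.html?key=${key}#:~:text=test`, '_blank', 'noopener');
    };

    if (user_activation) {
      // bless() returns a promise; forward a rejection so that a failure to
      // obtain the activation fails this test instead of leaving it to hang
      // until the harness timeout.
      test_driver.bless('Open a URL with a text fragment directive', openTarget).catch(reject);
    } else {
      openTarget();
    }

    fetchResults(key, resolve, reject);
  }).then(data => {
    assert_equals(data.href.indexOf(':~:'), -1, 'Expected fragment directive to be stripped from the URL.');

    if (user_activation) {
      assert_equals(data.scrollPosition, 'text', 'Expected window.open() with a user activation to scroll to text.');
    } else {
      assert_equals(data.scrollPosition, 'top', 'Expected window.open() with no user activation to not activate text fragment directive.');
    }
  }), `Test that a text fragment directive requires a user activation (user_activation=${user_activation}).`);
}

// Filled in by the server-side .sub.html substitution with an alternate host,
// so navigations to this URL are cross-origin.
const crossOriginTarget = "http://{{hosts[alt][www]}}:{{ports[http][0]}}/scroll-to-text-fragment/scroll-to-text-fragment-target.html";

// Test security restriction for no window opener.
// Both variants run inside bless(), so a user activation is always present;
// the only variable is whether the new window keeps an opener relationship
// with this page. With an opener, the directive must not be activated.
for (const noopener of [true, false]) {
  promise_test(t => new Promise((resolve, reject) => {
    const key = token();
    const url = `${crossOriginTarget}?key=${key}#:~:text=test`;

    test_driver.bless('Open a URL with a text fragment directive', () => {
      if (noopener) {
        window.open(url, '_blank', 'noopener');
      } else {
        window.open(url, '_blank');
      }
    }).catch(reject);

    fetchResults(key, resolve, reject);
  }).then(data => {
    assert_equals(data.href.indexOf(':~:'), -1, 'Expected fragment directive to be stripped from the URL.');

    if (noopener) {
      assert_equals(data.scrollPosition, 'text', 'Expected window.open() with noopener to scroll to text.');
    } else {
      assert_equals(data.scrollPosition, 'top', 'Expected window.open() with opener to not activate text fragment directive.');
    }
  }), `Test that a text fragment directive is not activated when there is a window opener (noopener=${noopener}).`);
}

// Test security restriction for no activation in an iframe.
// The navigation happens inside bless(), so a user activation is present and
// the expected 'top' result is attributable to the frame being nested rather
// than to a missing activation.
promise_test(t => new Promise((resolve, reject) => {
  const key = token();

  const frame = document.createElement('iframe');
  document.body.appendChild(frame);
  // Detach the cross-origin frame when the test finishes so it does not stay
  // attached to the test document.
  t.add_cleanup(() => frame.remove());

  test_driver.bless('Navigate the iframe with a text fragment directive', () => {
    frame.src = `${crossOriginTarget}?key=${key}#:~:text=test`;
  }).catch(reject);

  fetchResults(key, resolve, reject);
}).then(data => {
  assert_equals(data.href.indexOf(':~:'), -1, 'Expected fragment directive to be stripped from the URL.');
  assert_equals(data.scrollPosition, 'top', 'Expected iframe navigation to not activate text fragment directive.');
}), 'Test that a text fragment directive is not activated within an iframe.');
</script>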