| 'use strict'; |
| |
| const kSandboxWindowUrl = 'resources/opaque-origin-sandbox.html'; |
| |
| function add_iframe(test, src, sandbox) { |
| const iframe = document.createElement('iframe'); |
| iframe.src = src; |
| if (sandbox !== undefined) { |
| iframe.sandbox = sandbox; |
| } |
| document.body.appendChild(iframe); |
| test.add_cleanup(() => { |
| iframe.remove(); |
| }); |
| } |
| |
| // Creates a data URI iframe that uses postMessage() to provide its parent |
| // with the test result. The iframe checks for the existence of |
| // |property_name| on the window. |
| async function verify_does_not_exist_in_data_uri_iframe( |
| test, property_name) { |
| const iframe_content = |
| '<script>' + |
| ' const is_property_name_defined = ' + |
| ` (self.${property_name} !== undefined);` + |
| ' parent.postMessage({is_property_name_defined}, "*")' + |
| '</script>'; |
| |
| const data_uri = `data:text/html,${encodeURIComponent(iframe_content)}`; |
| add_iframe(test, data_uri); |
| |
| const event_watcher = new EventWatcher(test, self, 'message'); |
| const message_event = await event_watcher.wait_for('message') |
| |
| assert_false(message_event.data.is_property_name_defined, |
| `Data URI iframes must not define '${property_name}'.`); |
| } |
| |
| // |kSandboxWindowUrl| sends two messages to this window. The first is the |
| // result of showDirectoryPicker(). The second is the result of |
| // navigator.storage.getDirectory(). For windows using sandbox='allow-scripts', |
| // both results must produce rejected promises. |
| async function verify_results_from_sandboxed_child_window(test) { |
| const event_watcher = new EventWatcher(test, self, 'message'); |
| |
| const first_message_event = await event_watcher.wait_for('message'); |
| assert_equals( |
| first_message_event.data, |
| 'showDirectoryPicker(): REJECTED: SecurityError'); |
| |
| const second_message_event = await event_watcher.wait_for('message'); |
| assert_equals(second_message_event.data, |
| 'navigator.storage.getDirectory(): REJECTED: SecurityError'); |
| } |
| |
| promise_test(async test => { |
| await verify_does_not_exist_in_data_uri_iframe(test, 'showDirectoryPicker'); |
| }, 'showDirectoryPicker() must be undefined for data URI iframes.'); |
| |
| promise_test(async test => { |
| await verify_does_not_exist_in_data_uri_iframe( |
| test, 'FileSystemDirectoryHandle'); |
| }, 'FileSystemDirectoryHandle must be undefined for data URI iframes.'); |
| |
| promise_test( |
| async test => { |
| add_iframe(test, kSandboxWindowUrl, /*sandbox=*/ 'allow-scripts'); |
| await verify_results_from_sandboxed_child_window(test); |
| }, |
| 'navigator.storage.getDirectory() and ' + |
| 'showDirectoryPicker() must reject in a sandboxed iframe.'); |
| |
| promise_test( |
| async test => { |
| const child_window_url = kSandboxWindowUrl + |
| '?pipe=header(Content-Security-Policy, sandbox allow-scripts)'; |
| |
| const child_window = window.open(child_window_url); |
| test.add_cleanup(() => { |
| child_window.close(); |
| }); |
| |
| await verify_results_from_sandboxed_child_window(test); |
| }, |
| 'navigator.storage.getDirectory() and ' + |
| 'showDirectoryPicker() must reject in a sandboxed opened window.'); |