| <!DOCTYPE html> |
| <html> |
| <head> |
| <title>Embedded Enforcement: blocked iframes are cross-origin.</title> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <script src="support/testharness-helper.sub.js"></script> |
| </head> |
| <body> |
| <script> |
| |
| let SecurityError = 18; |
| |
| promise_test(async () => { |
| let iframe = document.createElement("iframe"); |
| let loaded = new Promise(r => iframe.onload = r); |
| iframe.csp = "script-src 'none'"; |
| iframe.src = getCrossOrigin() + "common/blank.html"; |
| document.body.appendChild(iframe); |
| await loaded; |
| assert_throws_dom(SecurityError, () => iframe.contentWindow.document); |
| }, "Document blocked by embedded enforcement and its parent are cross-origin"); |
| |
| promise_test(async () => { |
| // Create an iframe that would have been same-origin with the blocked iframe |
| // if it wasn't blocked. |
| let helper_frame = document.createElement("iframe"); |
| let loaded_helper = new Promise(r => helper_frame.onload = r); |
| helper_frame.src = getCrossOrigin() + |
| "content-security-policy/embedded-enforcement/support/executor.html" |
| document.body.appendChild(helper_frame); |
| await loaded_helper; |
| |
| let reply = new Promise(r => window.onmessage = r); |
| helper_frame.contentWindow.postMessage(` |
| let test = function() { |
| if (parent.frames.length != 2) |
| return "Error: Wrong number of iframes"; |
| |
| if (parent.frames[1] != window) |
| return "Error: Wrong frame index for the second iframe"; |
| |
| // Try to access frames[0] from frames[1]. This must fail. |
| try { |
| parent.frames[0].contentWindow; |
| return "Error: The error page appears same-origin"; |
| } catch(dom_exception) { |
| return dom_exception.code; |
| } |
| }; |
| parent.postMessage(test(), '*'); |
| `, '*'); |
| |
| assert_equals((await reply).data, SecurityError); |
| }, "Two same-origin iframes must appear as cross-origin when one is blocked"); |
| |
| </script> |
| </body> |
| </html> |