| <!DOCTYPE html> |
| <meta charset=utf-8> |
| <title>window.open in sandbox iframe</title> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <script src="/common/utils.js"></script> |
| <body> |
| <script> |
| setup({single_test: true}); |
| // check that the popup's URL is not loaded |
| const uuid = token(); |
| async function assert_popup_not_loaded() { |
| const response = await fetch(`/fetch/api/resources/stash-take.py?key=${uuid}`); |
| assert_equals(await response.json(), null); // is "loaded" if it loads |
| } |
| |
| // check for message from the iframe |
| window.onmessage = e => { |
| assert_equals(e.data, 'null', 'return value of window.open (stringified)'); |
| step_timeout(async () => { |
| await assert_popup_not_loaded(); |
| done(); |
| }, 1000); |
| }; |
| const iframe = document.createElement('iframe'); |
| iframe.sandbox = 'allow-scripts'; |
| iframe.srcdoc = ` |
| <script> |
| let result; |
| try { |
| result = window.open('/fetch/api/resources/stash-put.py?key=${uuid}&value=loaded', '_blank'); |
| } catch(ex) { |
| result = ex; |
| } |
| parent.postMessage(String(result), '*'); |
| <\/script> |
| `; |
| document.body.appendChild(iframe); |
| </script> |