| <!DOCTYPE html> |
| <meta charset=utf-8> |
| <title>Inherit sandbox flags from the initiator's frame</title> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <body> |
| <script> |
| // Check sandbox flags are properly inherited when a document initiate a |
| // navigation inside another frame that it doesn't own directly. |
| |
| // This check the sandbox flags defined by the frame. See also the other test |
| // about sandbox flags defined by the response (e.g. CSP sandbox): |
| // => sandbox-inherited-from-initiators-response.html |
| |
| // Return a promise, resolving when |element| triggers |event_name| event. |
| let future = (element, event_name) => { |
| return new Promise(resolve => { |
| element.addEventListener(event_name, event => resolve(event)) |
| }); |
| }; |
| |
| promise_test(async test => { |
| const iframe_1 = document.createElement("iframe"); |
| const iframe_2 = document.createElement("iframe"); |
| |
| iframe_1.id = "iframe_1"; |
| iframe_2.id = "iframe_2"; |
| |
| const iframe_1_script = encodeURI(` |
| <script> |
| try { |
| document.domain = document.domain; |
| parent.postMessage("not sandboxed", "*"); |
| } catch (exception) { |
| parent.postMessage("sandboxed", "*"); |
| } |
| </scr`+`ipt> |
| `); |
| |
| const iframe_2_script = ` |
| <script> |
| const iframe_1 = parent.document.querySelector("#iframe_1"); |
| iframe_1.src = "data:text/html,${iframe_1_script}"; |
| </scr`+`ipt> |
| `; |
| |
| iframe_2.sandbox = "allow-scripts allow-same-origin"; |
| iframe_2.srcdoc = iframe_2_script; |
| |
| // Insert |iframe_1|. It will load the initial empty document, with no sandbox |
| // flags. |
| const iframe_1_load_1 = future(iframe_1, "load"); |
| document.body.appendChild(iframe_1); |
| await iframe_1_load_1; |
| |
| // Insert |iframe_2|. It will load with sandbox flags. It will make |iframe_1| |
| // to navigate toward a data-url, which should inherit the sandbox flags. |
| const iframe_1_reply = future(window, "message"); |
| document.body.appendChild(iframe_2); |
| const result = await iframe_1_reply; |
| |
| assert_equals("sandboxed", result.data); |
| }) |
| </script> |