| <!doctype html> |
| <meta charset=utf-8> |
| <title>Check processing of allow attribute in nested browsing context</title> |
| <link rel="author" title="Google" href="https://www.google.com"> |
| <link rel="help" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-allow"> |
| <link rel="help" href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#initialise-the-document-object"> |
| <link rel="help" href="https://fullscreen.spec.whatwg.org/#fullscreen-enabled-flag"> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| |
| <div id="log"></div> |
| <script> |
| // This returns a data URL (cross-origin with the containing document) which |
| // advances a counter, and reports the counter value together with the |
| // document's fullscreenEnabled state, every time it receives a postMessage. |
| // Fullscreen itself is not important for this test, but the flag is a useful |
| // indicator of whether a policy-controlled-feature is allowed or denied. |
| function getSourceForCrossOriginPage(initial_count) { |
| var page_contents = "<html><body><script>var count="+initial_count+";window.addEventListener('message',function(){parent.postMessage({'count':count++,'fullscreenEnabled':document.fullscreenEnabled},'*');});</scr"+"ipt></body></html>"; |
| return "data:text/html;base64,"+btoa(page_contents); |
| } |
| |
| async_test(function(t) { |
| var iframe = document.createElement("iframe"); |
| iframe.src = getSourceForCrossOriginPage(0); |
| |
| iframe.addEventListener('load', function() { |
| // Request the fullscreenEnabled state whenever the frame loads |
| iframe.contentWindow.postMessage(true,"*"); |
| }); |
| |
| window.addEventListener('message', this.step_func(function(msg) { |
| if (msg.data.count == 0) { |
| assert_false(msg.data.fullscreenEnabled, "Document inside cross-origin iframe without allow attribute should not have feature enabled"); |
| iframe.setAttribute("allow", "fullscreen"); |
| iframe.contentWindow.postMessage(true,"*"); // Request state again |
| } else if (msg.data.count == 1) { |
| assert_false(msg.data.fullscreenEnabled, "Feature should be denied when correct allow attribute is added, before reload"); |
| iframe.src = getSourceForCrossOriginPage(2); // Reload the frame |
| } else if (msg.data.count == 2) { |
| assert_true(msg.data.fullscreenEnabled, "Feature should be allowed when correct allow attribute is added, after reload"); |
| iframe.removeAttribute("allow"); |
| iframe.contentWindow.postMessage(true,"*"); // Request state again |
| } else if (msg.data.count == 3) { |
| assert_true(msg.data.fullscreenEnabled, "Feature should be allowed when allow attribute is removed, before reload"); |
| iframe.src = getSourceForCrossOriginPage(4); // Reload the frame |
| } else if (msg.data.count == 4) { |
| assert_false(msg.data.fullscreenEnabled, "Feature should be denied when allow attribute is removed, after reload"); |
| iframe.setAttribute("allow", "payment"); // Set allow to an unrelated feature |
| iframe.src = getSourceForCrossOriginPage(5); // Reload the frame |
| } else if (msg.data.count == 5) { |
| assert_false(msg.data.fullscreenEnabled, "Feature should be denied with incorrect allow attribute"); |
| iframe.setAttribute("allow", "payment;fullscreen"); // Include fullscreen again |
| iframe.src = getSourceForCrossOriginPage(6); // Reload the frame |
| } else if (msg.data.count == 6) { |
| assert_true(msg.data.fullscreenEnabled, "Feature should be allowed with complex allow attribute"); |
| t.done(); |
| } else { |
| assert_unreached(); |
| } |
| })); |
| |
| document.body.appendChild(iframe); |
| }, "iframe-cross-origin-allow"); |
| |
| </script> |