1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
|
<!DOCTYPE html>
<meta charset=utf-8>
<meta name="timeout" content="long">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>
<script src="/common/utils.js"></script>
<script src="/common/dispatcher/dispatcher.js"></script>
<!-- Pull in executor_path needed by newPopup / newIframe -->
<script src="/html/cross-origin-embedder-policy/credentialless/resources/common.js"></script>
<!-- Pull in importScript / newPopup / newIframe -->
<script src="/html/anonymous-iframe/resources/common.js"></script>
<body>
<script>
const navigation_handle_null = "Navigation handle returns null";
const navigation_handle_not_null = "Navigation handle returns not null";
const opener_null_response = "Window.opener is null";
const opener_not_null_response = "Window.opener isn't null";
const does_blob_url_open_return_handle = (blob_url, response_queue_name) => `
async function test() {
const handle = window.open("${blob_url}")
if (!handle) {
return send("${response_queue_name}", "${navigation_handle_null}");
}
return send("${response_queue_name}", "${navigation_handle_not_null}");
}
await test();
`;
const add_iframe_js = (iframe_origin, response_queue_uuid) => `
const importScript = ${importScript};
await importScript("/html/cross-origin-embedder-policy/credentialless" +
"/resources/common.js");
await importScript("/html/anonymous-iframe/resources/common.js");
await importScript("/common/utils.js");
// dispatcher.js has already been loaded by the popup this is running in.
await send("${response_queue_uuid}", newIframe("${iframe_origin}"));
`;
const same_site_origin = get_host_info().HTTPS_ORIGIN;
const cross_site_origin = get_host_info().HTTPS_NOTSAMESITE_ORIGIN;
async function create_test_iframes(t, response_queue_uuid) {
assert_equals("https://" + window.location.host, same_site_origin,
"this test assumes that the page's window.location.host corresponds to " +
"get_host_info().HTTPS_ORIGIN");
// Create a same-origin iframe in a cross-site popup.
const not_same_site_popup_uuid = newPopup(t, cross_site_origin);
await send(not_same_site_popup_uuid,
add_iframe_js(same_site_origin, response_queue_uuid));
const cross_site_iframe_uuid = await receive(response_queue_uuid);
// Create a same-origin iframe in a same-site popup.
const same_origin_popup_uuid = newPopup(t, same_site_origin);
await send(same_origin_popup_uuid,
add_iframe_js(same_site_origin, response_queue_uuid));
const same_site_iframe_uuid = await receive(response_queue_uuid);
return [cross_site_iframe_uuid, same_site_iframe_uuid];
}
const opener_check_frame_html = (noopener_response_queue) => `
<!doctype html>
<!-- dispatcher.js requires the baseURI to be set in order to compute
the server path correctly in the blob URL page. -->
<base href="${window.location.href}">
<script src="/html/cross-origin-embedder-policy/credentialless/resources/common.js"><\/script>
<script src="/html/anonymous-iframe/resources/common.js"><\/script>
<script src="/common/utils.js"><\/script>
<script src="/common/dispatcher/dispatcher.js"><\/script>
<script>
if (window.opener === null) {
send("${noopener_response_queue}", "${opener_null_response}")
} else {
send("${noopener_response_queue}", "${opener_not_null_response}")
}
<\/script>
`;
// Tests blob URL window.open for same and cross partition iframes.
promise_test(t => {
return new Promise(async (resolve, reject) => {
try {
// Creates same and cross partition iframes.
const response_queue_uuid = token();
const noopener_response_queue = token();
const [cross_site_iframe_uuid, same_site_iframe_uuid] =
await create_test_iframes(t, response_queue_uuid);
const blob = new Blob([opener_check_frame_html(noopener_response_queue)], {type : "text/html"});
const blob_url = URL.createObjectURL(blob);
// Attempt to open blob URL in cross partition iframe.
await send(cross_site_iframe_uuid, does_blob_url_open_return_handle(blob_url, response_queue_uuid));
const response_1 = await receive(response_queue_uuid);
if (response_1 !== navigation_handle_null) {
reject(`Blob URL handle wasn't null in not-same-top-level-site iframe: ${response_1}`);
}
const noopener_response_1 = await receive(noopener_response_queue);
if (noopener_response_1 !== opener_null_response) {
reject(`Blob URL page opener wasn't null in not-same-top-level-site iframe.`);
}
// Attempt to open blob URL in same partition iframe.
await send(same_site_iframe_uuid, does_blob_url_open_return_handle(blob_url, response_queue_uuid));
const response_2 = await receive(response_queue_uuid);
if (response_2 !== navigation_handle_not_null) {
reject(`Blob URL wasn't opened in same-top-level-site iframe: ${response_2}`);
}
const noopener_response_2 = await receive(noopener_response_queue);
if (noopener_response_2 !== opener_not_null_response) {
reject(`Blob URL page opener was null in same-top-level-site iframe`);
}
resolve();
} catch (e) {
reject(e);
}
});
}, "Blob URL window.open should enforce noopener for a cross-top-level-site navigation");
const blob_url_iframe_html = (response_queue_uuid, message) => `
<!doctype html>
<!-- dispatcher.js requires the baseURI to be set in order to compute
the server path correctly in the blob URL page. -->
<base href="${window.location.href}">
<script src="/html/cross-origin-embedder-policy/credentialless/resources/common.js"><\/script>
<script src="/html/anonymous-iframe/resources/common.js"><\/script>
<script src="/common/utils.js"><\/script>
<script src="/common/dispatcher/dispatcher.js"><\/script>
<script>
send("${response_queue_uuid}", "${message}");
<\/script>
`;
const create_iframe_with_blob_url = (blob_url, response_queue_uuid) => `
const iframe = document.createElement('iframe');
iframe.src = "${blob_url}";
iframe.onload = () => {
const same_site_message = "same_partition_loaded";
const blob_url_iframe_html = ${blob_url_iframe_html};
const same_top_level_site_blob = new Blob([blob_url_iframe_html("${response_queue_uuid}", same_site_message)], {type : "text/html"});
const same_top_level_site_blob_url = URL.createObjectURL(same_top_level_site_blob);
const iframe2 = document.createElement('iframe');
iframe2.src = same_top_level_site_blob_url;
document.body.appendChild(iframe2);
};
document.body.appendChild(iframe);
`;
// Tests blob URL subframe navigations for same and cross partition iframes.
promise_test(t => {
return new Promise(async (resolve, reject) => {
try {
// Creates same and cross partition iframes.
const response_queue_uuid = token();
const cross_site_message = "cross_partition_loaded";
const [cross_site_iframe_uuid, same_site_iframe_uuid] =
await create_test_iframes(t, response_queue_uuid);
// Create blob URL for the cross-site test.
const cross_site_blob = new Blob([blob_url_iframe_html(response_queue_uuid, cross_site_message)], {type: "text/html"});
const cross_site_blob_url = URL.createObjectURL(cross_site_blob);
// Attempt to open blob URL in cross partition iframe.
await send(cross_site_iframe_uuid, create_iframe_with_blob_url(cross_site_blob_url, response_queue_uuid));
const response = await receive(response_queue_uuid);
if (response === cross_site_message) {
reject(`Blob URL subframe navigation succeeded in not-same-top-level-site iframe.`);
}
resolve();
} catch (e) {
reject(e);
}
});
}, "Blob URL should partition subframe navigation.");
const open_blob_url_window_via_a_click = (blob_url) => `
const link = document.createElement("a");
link.href = "${blob_url}";
link.target = "_blank";
link.rel = "opener";
document.body.appendChild(link);
link.click();
`;
// Tests blob URL `<a target="_blank" rel="opener">` click for same and cross partition iframes.
promise_test(t => {
return new Promise(async (resolve, reject) => {
try {
// Creates same and cross partition iframes.
const noopener_response_queue = token();
const [cross_site_iframe_uuid, same_site_iframe_uuid] = await create_test_iframes(t, token());
const blob = new Blob([opener_check_frame_html(noopener_response_queue)], {type : "text/html"});
const blob_url = URL.createObjectURL(blob);
// Attempt to click blob URL in cross partition iframe.
await send(cross_site_iframe_uuid, open_blob_url_window_via_a_click(blob_url));
const noopener_response_1 = await receive(noopener_response_queue);
if (noopener_response_1 !== opener_null_response) {
reject(`Blob URL page opener wasn't null in not-same-top-level-site iframe.`);
}
// Attempt to click blob URL in same partition iframe.
await send(same_site_iframe_uuid, open_blob_url_window_via_a_click(blob_url));
const noopener_response_2 = await receive(noopener_response_queue);
if (noopener_response_2 !== opener_not_null_response) {
reject(`Blob URL page opener was null in same-top-level-site iframe`);
}
resolve();
} catch (e) {
reject(e);
}
});
}, "Blob URL link click should enforce noopener for a cross-top-level-site navigation");
const open_blob_url_window_via_area_click = (blob_url) => `
const canvas = document.createElement("canvas");
canvas.height = 1;
canvas.width = 1;
const dataURL = canvas.toDataURL();
const image = document.createElement("img");
image.src = dataURL;
document.body.appendChild(image);
const map = document.createElement("map");
map.name = "map";
image.useMap = "#map";
document.body.appendChild(map);
const area = document.createElement("area");
area.shape = "rect";
area.coords = "0,0,1,1";
area.href = "${blob_url}";
area.target = "_blank";
area.rel = "opener";
map.appendChild(area);
area.click();
`;
// Tests blob URL `<area target="_blank" rel="opener">` click for same and cross partition iframes.
promise_test(t => {
return new Promise(async (resolve, reject) => {
try {
// Creates same and cross partition iframes.
const noopener_response_queue = token();
const [cross_site_iframe_uuid, same_site_iframe_uuid] = await create_test_iframes(t, token());
const blob = new Blob([opener_check_frame_html(noopener_response_queue)], {type : "text/html"});
const blob_url = URL.createObjectURL(blob);
// Attempt to click blob URL in cross partition iframe.
await send(cross_site_iframe_uuid, open_blob_url_window_via_area_click(blob_url));
const noopener_response_1 = await receive(noopener_response_queue);
if (noopener_response_1 !== opener_null_response) {
reject(`Blob URL page opener wasn't null in not-same-top-level-site iframe.`);
}
// Attempt to click blob URL in same partition iframe.
await send(same_site_iframe_uuid, open_blob_url_window_via_area_click(blob_url));
const noopener_response_2 = await receive(noopener_response_queue);
if (noopener_response_2 !== opener_not_null_response) {
reject(`Blob URL page opener was null in same-top-level-site iframe`);
}
resolve();
} catch (e) {
reject(e);
}
});
}, "Blob URL area element click should enforce noopener for a cross-top-level-site navigation");
</script>
</body>
|
