1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
// META: variant=?assign
// META: variant=?customproperty
// META: variant=?hash
// META: variant=?host
// META: variant=?hostname
// META: variant=?pathname
// META: variant=?port
// META: variant=?protocol
// META: variant=?reload
// META: variant=?search
// META: variant=?toString
// META: variant=?valueOf
// META: script=/common/get-host-info.sub.js
// META: script=/common/utils.js
// META: script=/common/dispatcher/dispatcher.js
const property = window.location.search.substr(1);
promise_test(async t => {
const iframeContext = new RemoteContext(token());
const iframe = document.createElement("iframe");
iframe.src = get_host_info().REMOTE_ORIGIN +
"/common/dispatcher/remote-executor.html?uuid=" + iframeContext.context_id;
document.body.appendChild(iframe);
// Wait for the cross-origin document to be loaded inside the iframe.
assert_equals(
await iframeContext.execute_script(() => "Document loaded") ,
"Document loaded"
);
assert_throws_dom("SecurityError", () => {
const unused = iframe.contentWindow.location[property];
}, "Cross origin get of a location property should throw a security error");
assert_throws_dom("SecurityError", () => {
iframe.contentWindow.location[property] = "Random string";
}, "Cross origin set of a location property should throw a security error");
// Verify that the property was indeed not modified.
assert_not_equals(
await iframeContext.execute_script(property => location[property],
[property]),
"Random string",
);
assert_throws_dom("SecurityError", () => {
const unused = Object.getOwnPropertyDescriptor(
iframe.contentWindow.location, property);
}, "Cross origin get of descriptors should throw a security error");
}, `Verifying that cross-origin access of '${property}' is restricted`);
|
