1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
|
// META: script=/common/utils.js
promise_test(async t => {
let iframe_allowed = (iframe) => new Promise(async resolve => {
window.addEventListener("message", t.step_func(msg => {
if (msg.source !== iframe.contentWindow) return;
assert_equals(msg.data, "loaded",
"Unexpected message from broadcast channel.");
resolve(true);
}));
// To see whether the iframe was blocked, we check whether it
// becomes cross-origin (since error pages are loaded cross-origin).
await t.step_wait(() => {
try {
// Accessing contentWindow.location.href cross-origin throws.
iframe.contentWindow.location.href === null;
return false;
} catch {
return true;
}
});
resolve(false);
});
// Create a credentialless child iframe.
const child = document.createElement("iframe");
child.credentialless = true;
t.add_cleanup(() => child.remove());
child.src = "/html/cross-origin-embedder-policy/resources/" +
"navigate-none.sub.html?postMessageTo=top";
document.body.append(child);
assert_true(await iframe_allowed(child),
"The credentialless iframe should be allowed.");
// Create a child of the credentialless iframe. Even if the grandchild
// does not have the 'credentialless' attribute set, it inherits the
// credentialless property from the parent.
const grandchild = child.contentDocument.createElement("iframe");
grandchild.src = "/html/cross-origin-embedder-policy/resources/" +
"navigate-none.sub.html?postMessageTo=top";
child.contentDocument.body.append(grandchild);
assert_true(await iframe_allowed(grandchild),
"The child of the credentialless iframe should be allowed.");
}, 'Loading a credentialless iframe with COEP: require-corp is allowed.');
|
