File: navigate-iframe.sub.html

package info (click to toggle)
firefox 147.0.2-1
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 4,683,484 kB
  • sloc: cpp: 7,607,246; javascript: 6,533,185; ansic: 3,775,227; python: 1,415,393; xml: 634,561; asm: 438,951; java: 186,241; sh: 62,752; makefile: 18,079; objc: 13,092; perl: 12,808; yacc: 4,583; cs: 3,846; pascal: 3,448; lex: 1,720; ruby: 1,003; php: 436; lisp: 258; awk: 247; sql: 66; sed: 54; csh: 10; exp: 6
file content (69 lines) | stat: -rw-r--r-- 2,762 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
 
<!DOCTYPE html>
<html lang="en">
<head>
    <title>Document#fullscreenEnabled</title>
    <meta charset="UTF-8" />
    <script src="/resources/testharness.js"></script>
    <script src="/resources/testharnessreport.js"></script>
</head>
<body>
  <div id="log"></div>
  <script>

/*
 * According to the spec the `default origin` for an iframe is its `declared
 *   origin`, meaning, the src attribute:
 *   https://w3c.github.io/webappsec-permissions-policy/#declared-origin
 * The `default allowlist` for 'fullscreen' is "'self'":
 *   https://fullscreen.spec.whatwg.org/#permissions-policy-integration
 * And 'self' means:
 *  'self'
 *    The feature is allowed in documents in top-level traversables by default,
 *    as well as those in child navigables whose document is same origin with
 *    its parent’s document, when allowed in that Document. It is disallowed
 *    by default in child navigables whose document is cross-origin with its
 *    parent’s document.
 *  (https://w3c.github.io/webappsec-permissions-policy/#default-allowlists)
 * Therefore a navigated iframe must not have fullscreen permissions unless
 *   the new origin matches the origin in the src attribute and is same-origin
 *   with the embedding page.
 */
var expectations = {
  "same_to_cross": {allowlist: "", iframe_src: "same", iframe_dest: "cross", target_result: false},
  "cross_to_same": {allowlist: "", iframe_src: "cross", iframe_dest: "same", target_result: false},
  "same_to_same": {allowlist: "", iframe_src: "same", iframe_dest: "same", target_result: true},
  "cross_to_cross": {allowlist: "", iframe_src: "cross", iframe_dest: "cross", target_result: false},
  "allowed_cross_to_same": {allowlist: "'self' http://{{hosts[alt][]}}:{{ports[http][0]}}",
   iframe_src: "cross", iframe_dest: "same", target_result: true},
};

for (const [test, {allowlist, iframe_src, iframe_dest, target_result}] of Object.entries(expectations)) {
  promise_test(async () => {
    let iframe = document.createElement("iframe");
    if (allowlist !== "") {
      iframe.allow = `fullscreen ${allowlist}`;
    }

    document.body.appendChild(iframe);
    iframe.addEventListener("load", () => {
      iframe.contentWindow.postMessage({dest: iframe_dest}, "*");
    });

    let hostname = iframe_src === "same" ? "{{hosts[][]}}" : "{{hosts[alt][]}}";
    iframe.src = `http://${hostname}:{{ports[http][0]}}/fullscreen/api/resources/navigate.sub.html`;

    window.addEventListener('message', e => {
      if (e.data.report?.api == "fullscreen") {
        resolve(e.data.report);
      }
    });

    const { promise, resolve } = Promise.withResolvers();
    const report = await promise;
    assert_equals(report.enabled, target_result);
  }, test);
}

  </script>
</body>
</html>