File: sandbox-mandatory-flags.https.html

package info (click to toggle)
thunderbird 1%3A128.14.0esr-1~deb12u1
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 4,334,824 kB
  • sloc: cpp: 7,391,917; javascript: 5,617,271; ansic: 3,833,216; python: 1,230,742; xml: 619,690; asm: 456,022; java: 179,892; sh: 118,796; makefile: 21,908; perl: 14,825; objc: 12,399; yacc: 4,583; pascal: 2,973; lex: 1,720; ruby: 1,190; exp: 762; sql: 674; awk: 580; php: 436; lisp: 430; sed: 70; csh: 10
file content (136 lines) | stat: -rw-r--r-- 4,874 bytes parent folder | download | duplicates (18) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
 
<!DOCTYPE html>
<meta name=timeout content=long>
<title>Test of sandbox mandatory flags</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="resources/utils.js"></script>
<script src="/common/utils.js"></script>
<script src="/common/dispatcher/dispatcher.js"></script>

<body>

<script>

const mandatory_flags = [
      'allow-same-origin',
      'allow-forms',
      'allow-scripts',
      'allow-popups',
      'allow-popups-to-escape-sandbox',
      'allow-top-navigation-by-user-activation'];

promise_test(async t => {
  const key = token();
  const value = 'fenced frame loaded';
  const iframe = document.createElement('iframe');
  iframe.src =
      'resources/sandbox-mandatory-flags-iframe.sub.html?key=' + key +
      '&value=' + value;
  mandatory_flags.forEach(flag => {
    iframe.sandbox.add(flag);
  });

  document.body.appendChild(iframe);
  t.add_cleanup(() => {
    iframe.remove();
  });
  const result = await nextValueFromServer(key);
  assert_equals(result, value, 'The fenced frame must be loaded.');
}, 'Sandboxed Iframe with mandatory flags can load a fenced frame.');

promise_test(async t => {
  const key = token();
  // Try to load a fenced frame in a sandboxed iframe like this:
  //   <iframe sandbox="|mandatory_flags| without |missing_flag|"
  //           src="sandbox-mandatory-flags-iframe.sub.html">
  //     <fencedframe src="sandbox-mandatory-flags-inner.sub.html">
  //       <img src="key-value-store.py?key=|key|&value=|value|">
  //     <fencedframe>
  //   </iframe>
  // But this should fail because the sandboxed iframe is loaded without
  // |missing_flag|.
  for (let missing_flag of mandatory_flags) {
    const value =
        'a fenced frame was loaded in a sandboxed iframe without ' +
        missing_flag + '.';
    const iframe = document.createElement('iframe');
    iframe.src =
        'resources/sandbox-mandatory-flags-iframe.sub.html?key=' + key +
        '&value=' + value;
    mandatory_flags.forEach(flag => {
      if (flag != missing_flag) {
        iframe.sandbox.add(flag);
      }
    });
    document.body.appendChild(iframe);
    t.add_cleanup(() => {
      iframe.remove();
    });
  }
  t.step_timeout(() => t.done(), 3000);
  let server_value = await nextValueFromServer(key);
  assert_unreached('fenced frame should not be loaded, but ' + server_value);
}, 'Sandboxed Iframe without one of mandatory flag must fail to load a fenced' +
   ' frame.');

promise_test(async t => {
  const key = token();
  // Try to load a fenced frame in a nested sandboxed iframe like this:
  //   <iframe sandbox="|mandatory_flags| without |missing_flag|"
  //           src="sandbox-mandatory-flags-looser-restriction.sub.html">
  //     <iframe sandbox="|mandatory_flags|"
  //             src="sandbox-mandatory-flags-iframe.sub.html">
  //       <fencedframe src="resources/sandbox-mandatory-flags-inner.sub.html">
  //         <img src="key-value-store.py?key=|key|&value=|value|">
  //       <fencedframe>
  //     </iframe>
  //   </iframe>
  // But this should fail because the nested iframe is loaded sandboxed
  // without |missing_flag|.
  for (let missing_flag of mandatory_flags) {
    const value =
        'a fenced frame was loaded in a nested sandboxed iframe without ' +
        missing_flag + '.';
    const iframe = document.createElement('iframe');
    iframe.src =
        'resources/sandbox-mandatory-flags-looser-restriction.sub.html?key=' +
        key + '&value=' + value;
    mandatory_flags.forEach(flag => {
      if (flag != missing_flag) {
        iframe.sandbox.add(flag);
      }
    });
    document.body.appendChild(iframe);
    t.add_cleanup(() => {
      iframe.remove();
    });
  }
  t.step_timeout(() => t.done(), 3000);
  let server_value = await nextValueFromServer(key);
  assert_unreached('fenced frame should not be loaded, but ' + server_value);
}, 'Nested sandboxed iframe without one of mandatory flag must fail to load a' +
   'fenced frame even when the inner nested sandboxed iframe has all ' +
   'mandatory allow- flags.');

promise_test(async t => {
  const key = token();
  // allow-scripts is needed to run iframe.execute, so we will test every other
  // sandbox flag
  for (let missing_flag of
       mandatory_flags.filter(word => word != "allow-scripts")) {
    const value =
        'canLoadOpaqueURL returned true even with flag ' +
        missing_flag + ' not set.';
    const flags_to_add = mandatory_flags
        .filter(word => word != missing_flag)
        .join(" ");
    const iframe = attachIFrameContext(
        {attributes: [["sandbox", flags_to_add]]});
    await iframe.execute(async (t) => {
      assert_false(navigator.canLoadAdAuctionFencedFrame());
    });
  }
}, 'navigator.canLoadAdAuctionFencedFrame considers mandatory sandbox flags');
</script>

</body>