File: show-picker-cross-origin-iframe.html

package info (click to toggle)
thunderbird 1%3A140.3.1esr-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 4,608,628 kB
  • sloc: cpp: 7,671,698; javascript: 5,901,131; ansic: 3,898,955; python: 1,413,270; xml: 653,997; asm: 462,284; java: 180,948; sh: 113,489; makefile: 20,460; perl: 14,288; objc: 13,059; yacc: 4,583; pascal: 3,352; lex: 1,720; ruby: 1,222; exp: 762; sql: 715; awk: 580; php: 436; lisp: 430; sed: 70; csh: 10
file content (79 lines) | stat: -rw-r--r-- 2,747 bytes parent folder | download | duplicates (15) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
 
<!DOCTYPE html>
<title>Test showPicker() called from cross-origin iframe</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>
<body>
<iframe id="iframe1"></iframe>
<iframe id="iframe2"></iframe>
<iframe id="iframe3"></iframe>
<iframe id="iframe4"></iframe>
</body>
<script>
function waitForSecurityErrors() {
  return new Promise((resolve) => {
    window.addEventListener("message", (event) => resolve(event.data), {
      once: true,
    });
  });
}

promise_test(async (t) => {
  iframe1.src =
    new URL("resources/", self.location).pathname +
    "show-picker-child-iframe.html";

  // Wait for the iframe to report security errors when calling showPicker().
  const securityErrors = await waitForSecurityErrors();
  assert_equals(
    securityErrors,
    "",
    "In same-origin iframes, showPicker() does not throw a SecurityError."
  );
});

promise_test(async (t) => {
  iframe2.src =
    get_host_info().HTTP_NOTSAMESITE_ORIGIN +
    new URL("resources/", self.location).pathname +
    "show-picker-child-iframe.html";

  // Wait for the iframe to report security errors when calling showPicker().
  const securityErrors = await waitForSecurityErrors();
  assert_equals(
    securityErrors,
    "button,checkbox,date,datetime-local,email,hidden,image,month,number,password,radio,range,reset,search,submit,tel,text,time,url,week",
    "In cross-origin iframes, showPicker() throws a SecurityError except on file and color."
  );
});

promise_test(async (t) => {
  iframe3.src =
    new URL("resources/", self.location).pathname +
    "show-picker-child-iframe.html?documentDomain=" + get_host_info().ORIGINAL_HOST;

  // Wait for the iframe to report security errors when calling showPicker().
  const securityErrors = await waitForSecurityErrors();
  assert_equals(
    securityErrors,
    "",
    "In same-origin but cross-origin-domain iframes, showPicker() does not throw a SecurityError."
  );
});

promise_test(async (t) => {
  document.domain = get_host_info().ORIGINAL_HOST;
  iframe4.src =
    get_host_info().HTTP_REMOTE_ORIGIN +
    new URL("resources/", self.location).pathname +
    "show-picker-child-iframe.html?documentDomain=" + get_host_info().ORIGINAL_HOST;

  // Wait for the iframe to report security errors when calling showPicker().
  const securityErrors = await waitForSecurityErrors();
  assert_equals(
    securityErrors,
    "button,checkbox,date,datetime-local,email,hidden,image,month,number,password,radio,range,reset,search,submit,tel,text,time,url,week",
    "In cross-origin but same-origin-domain iframes, showPicker() throws a SecurityError except on file and color."
  );
});
</script>