File: blob.https.html

package info (click to toggle)
thunderbird 1%3A140.5.0esr-1~deb12u1
  • links: PTS, VCS
  • area: main
  • in suites: bookworm-proposed-updates
  • size: 4,609,180 kB
  • sloc: cpp: 7,672,739; javascript: 5,901,898; ansic: 3,898,899; python: 1,413,347; xml: 653,997; asm: 462,284; java: 180,927; sh: 113,491; makefile: 20,463; perl: 14,288; objc: 13,059; yacc: 4,583; pascal: 3,352; lex: 1,720; ruby: 1,222; exp: 762; sql: 715; awk: 580; php: 436; lisp: 430; sed: 70; csh: 10
file content (78 lines) | stat: -rw-r--r-- 3,050 bytes parent folder | download | duplicates (12) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
 
<!doctype html>
<meta charset=utf-8>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/dispatcher/dispatcher.js"></script>
<script src="/common/get-host-info.sub.js"></script>
<script src="/common/utils.js"></script>
<div id=log></div>
<script>
const origins = get_host_info();
[
  {
    "origin": origins.HTTPS_ORIGIN,
    "crossOrigin": origins.HTTPS_REMOTE_ORIGIN
  },
  {
    "origin": origins.HTTPS_REMOTE_ORIGIN,
    "crossOrigin": origins.HTTPS_NOTSAMESITE_ORIGIN
  },
  {
    "origin": origins.HTTPS_NOTSAMESITE_ORIGIN,
    "crossOrigin": origins.HTTPS_ORIGIN
  }
].forEach(({ origin, crossOrigin }) => {
  ["subframe", "navigate", "popup"].forEach(variant => {
    // Due to `noopener` being enforced on Blob URLs where the corresponding
    // origin is cross-site to the opening context's top-level site, require
    // dispatcher.js to pass information back after window.open().
    if (origin === origins.HTTPS_NOTSAMESITE_ORIGIN &&
        crossOrigin === origins.HTTPS_ORIGIN &&
        variant === "popup") {
      return;
    }
    async_test(t => {
      const id = token();
      const frame = document.createElement("iframe");
      t.add_cleanup(() => { frame.remove(); });
      const path = new URL("resources/blob-url-factory.html", window.location).pathname;
      frame.src = `${origin}${path}?id=${id}&variant=${variant}&crossOrigin=${crossOrigin}`;
      window.addEventListener("message", t.step_func(({ data }) => {
        if (data.id !== id) {
          return;
        }
        assert_equals(data.origin, origin);
        assert_true(data.sameOriginNoCORPSuccess, "Same-origin without CORP did not succeed");
        assert_true(data.crossOriginNoCORPFailure, "Cross-origin without CORP did not fail");
        t.done();
      }));
      document.body.append(frame);
    }, `Cross-Origin-Embedder-Policy and blob: URL from ${origin} in subframe via ${variant}`);
  });
});

// New test for the specific case using dispatcher.js for popups.
promise_test(async t => {
  const origin = origins.HTTPS_NOTSAMESITE_ORIGIN;
  const crossOrigin = origins.HTTPS_ORIGIN;
  const variant = "popup-dispatch";
  const id = token();

  const frame = document.createElement("iframe");
  t.add_cleanup(() => { frame.remove(); });

  const path = new URL("resources/blob-url-factory.html", window.location).pathname;
  frame.src = `${origin}${path}?id=${id}&variant=${variant}&crossOrigin=${crossOrigin}`;
  document.body.append(frame);

  // Use dispatcher to wait for the message.
  const message = await receive(id);
  const data = JSON.parse(message);

  assert_equals(data.origin, origin, "Message origin should match test origin");
  assert_true(data.sameOriginNoCORPSuccess, "Same-origin fetch without CORP should succeed");
  assert_true(data.crossOriginNoCORPFailure, "Cross-origin fetch without CORP should fail");

}, `Cross-Origin-Embedder-Policy and blob: URL from ${origins.HTTPS_NOTSAMESITE_ORIGIN} in popup (using dispatcher)`);

</script>