File: sandbox-inherited-from-required-csp.html

package info (click to toggle)
thunderbird 1%3A143.0.1-1
  • links: PTS, VCS
  • area: main
  • in suites: experimental
  • size: 4,703,968 kB
  • sloc: cpp: 7,770,492; javascript: 5,943,842; ansic: 3,918,754; python: 1,418,263; xml: 653,354; asm: 474,045; java: 183,079; sh: 111,238; makefile: 20,410; perl: 14,359; objc: 13,059; yacc: 4,583; pascal: 3,405; lex: 1,720; ruby: 999; exp: 762; sql: 715; awk: 580; php: 436; lisp: 430; sed: 69; csh: 10
file content (154 lines) | stat: -rw-r--r-- 5,003 bytes parent folder | download | duplicates (22) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
 
<!DOCTYPE html>
<meta charset=utf-8>
<title>Inherit sandbox from CSP embedded enforcement</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>
<body>
<script>
// Check sandbox flags are properly defined when its parent requires them and
// the child allows it.

const same_origin = get_host_info().HTTP_ORIGIN;
const cross_origin = get_host_info().HTTP_REMOTE_ORIGIN;
const check_sandbox_url =
  "/html/browsers/sandboxing/resources/check-sandbox-flags.html?pipe=";
const allow_csp_from_star = "|header(Allow-CSP-From,*)";

// Return a promise, resolving when |element| triggers |event_name| event.
const future = (element, event_name, source) => {
  return new Promise(resolve => {
    element.addEventListener(event_name, event => {
      if (!source || source.contentWindow == event.source)
        resolve(event)
    })
  });
};

const check_sandbox_script = `
<script>
  try {
    document.domain = document.domain;
    parent.postMessage("document-domain-is-allowed", "*");
  } catch (exception) {
    parent.postMessage("document-domain-is-disallowed", "*");
  }
</scr`+`ipt>
`;

const sandbox_policy = "sandbox allow-scripts allow-same-origin";

// Test using the modern async/await primitives are easier to read/write.
// However they run sequentially, contrary to async_test. This is the parallel
// version, to avoid timing out.
let promise_test_parallel = (promise, description) => {
  async_test(test => {
    promise(test)
    .then(() => {test.done();})
    .catch(test.step_func(error => { throw error; }));
  }, description);
};

promise_test_parallel(async test => {
  const iframe = document.createElement("iframe");
  iframe.csp = sandbox_policy;

  // The <iframe> immediately hosts the initial empty document after being
  // appended into the DOM. It will, as long as its 'src' isn't loaded. That's
  // why a page do not load is being used.
  iframe.src = "/fetch/api/resources/infinite-slow-response.py";
  document.body.appendChild(iframe);

  const iframe_reply = future(window, "message", iframe);
  iframe.contentDocument.write(check_sandbox_script);
  const result = await iframe_reply;
  iframe.remove();

  assert_equals(result.data, "document-domain-is-disallowed");
}, "initial empty document");

promise_test_parallel(async test => {
  const iframe = document.createElement("iframe");
  iframe.src = "data:text/html,dummy";

  const iframe_load_1 = future(iframe, "load");
  document.body.appendChild(iframe);
  await iframe_load_1;

  const iframe_load_2 = future(iframe, "load");
  iframe.csp = sandbox_policy;
  iframe.src = "about:blank";
  await iframe_load_2;

  const iframe_reply = future(window, "message", iframe);
  iframe.contentDocument.write(check_sandbox_script);
  const result = await iframe_reply;

  assert_equals(result.data, "document-domain-is-disallowed");
}, "about:blank");

promise_test_parallel(async test => {
  const iframe = document.createElement("iframe");
  iframe.csp = sandbox_policy;
  iframe.src =
    `data:text/html,${encodeURI(check_sandbox_script)}`;

  const iframe_reply = future(window, "message", iframe);
  document.body.appendChild(iframe);
  const result = await iframe_reply;

  assert_equals(result.data, "document-domain-is-disallowed");
}, "data-url");

promise_test_parallel(async test => {
  const iframe = document.createElement("iframe");
  iframe.csp = sandbox_policy;
  iframe.srcdoc = check_sandbox_script;

  const iframe_reply = future(window, "message", iframe);
  document.body.appendChild(iframe);
  const result = await iframe_reply;

  assert_equals(result.data, "document-domain-is-disallowed");
}, "srcdoc");

promise_test_parallel(async test => {
  const iframe = document.createElement("iframe");
  iframe.csp = sandbox_policy;

  const blob = new Blob([check_sandbox_script], { type: "text/html" });

  iframe.src = URL.createObjectURL(blob);

  const iframe_reply = future(window, "message", iframe);
  document.body.appendChild(iframe);
  const result = await iframe_reply;

  assert_equals(result.data, "document-domain-is-disallowed");
}, "blob URL");

promise_test_parallel(async test => {
  const iframe = document.createElement("iframe");
  iframe.csp = sandbox_policy;
  iframe.src = same_origin + check_sandbox_url + allow_csp_from_star;

  const iframe_reply = future(window, "message", iframe);
  document.body.appendChild(iframe);
  const result = await iframe_reply;

  assert_equals(result.data, "document-domain-is-disallowed");
}, "same-origin");

promise_test_parallel(async test => {
  const iframe = document.createElement("iframe");
  iframe.csp = sandbox_policy;
  iframe.src = cross_origin + check_sandbox_url + allow_csp_from_star;

  const iframe_reply = future(window, "message", iframe);
  document.body.appendChild(iframe);
  const result = await iframe_reply;

  assert_equals(result.data, "document-domain-is-disallowed");
}, "cross-origin");

</script>