File: window-open-local-after-network-scheme.sub.html

package info (click to toggle)
thunderbird 1%3A91.13.0-1~deb11u1
  • links: PTS, VCS
  • area: main
  • in suites: bullseye
  • size: 2,953,400 kB
  • sloc: cpp: 6,084,049; javascript: 4,790,441; ansic: 3,341,496; python: 862,958; asm: 366,542; xml: 204,277; java: 152,477; sh: 111,436; makefile: 21,388; perl: 15,312; yacc: 4,583; objc: 3,026; lex: 1,720; exp: 762; pascal: 635; awk: 564; sql: 453; php: 436; lisp: 432; ruby: 99; sed: 69; csh: 45
file content (76 lines) | stat: -rw-r--r-- 2,387 bytes parent folder | download | duplicates (4) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
 
<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>

<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
<title>about:blank in popup inherits CSPs from the navigation initiator</title>
<body>

<script>
  const message_from = (w) => {
    return new Promise(resolve => {
      window.addEventListener('message', msg => {
        if (msg.source == w)
          resolve(msg.data);
      });
    });
  };

  const testCases = [
    {
      previous_origin: window.origin,
      name: "Popup being navigated to about:blank was same-origin.",
    },
    {
      previous_origin: "http://{{hosts[alt][]}}:{{ports[http][0]}}",
      name: "Popup being navigated to about:blank was cross-origin.",
    },
  ];

  testCases.forEach(testCase => {
    promise_test(async t => {
      // Create a popup and navigate it.
      const popup = window.open("about:blank", testCase.name);
      const loaded = message_from(popup);
      window.open(testCase.previous_origin + "/content-security-policy/inheritance/support/postmessage-opener.html", testCase.name);
      t.add_cleanup(() => popup.close());

      assert_equals(await loaded, "ready");

      // Navigate the popup to "about:blank".
      window.open("about:blank", testCase.name);
      await t.step_wait(
        condition = () => {
          try {
            return popup.location.href == "about:blank";
          } catch {}
          return false;
        },
        description = "Wait for the popup to navigate.",
        timeout=3000,
        interval=50);

      // Now create an img in the popup and check if it is blocked by CSPs.
      const script = popup.document.createElement('script');
      script.innerText = `
        function messageBack(msg) {
          opener.postMessage(msg ,"*");
        }
      `;
      popup.document.head.appendChild(script);
      const div = popup.document.createElement('div');

      const img_url = window.origin + "/content-security-policy/support/fail.png";
      div.innerHTML = `
        <img src="${img_url}"
             onload="messageBack('img loaded');"
             onerror="messageBack('img blocked');"
        >
      `;

      const msg = message_from(popup);
      popup.document.body.appendChild(div);
      assert_equals(await msg, "img blocked");
    }, testCase.name);
  });
</script>