Bug 886262 - Tests for HTML <object>s do not inherit sandbox flags from their parents. r=bz
authorBob Owen <bobowencode@gmail.com>
Sun, 28 Jul 2013 17:27:32 +0100
changeset 141572 17221c8fa98215dbfb5dc6d7bf2e977d8174e914
parent 141571 10df319c639d93fcbf4f4f7bb4692237e7f17062
child 141573 8c7abf28722416ee96289401047a285cc25b1a6b
push id1
push userroot
push dateMon, 20 Oct 2014 17:29:22 +0000
reviewersbz
bugs886262
milestone26.0a1
Bug 886262 - Tests for HTML <object>s do not inherit sandbox flags from their parents. r=bz
content/html/content/test/Makefile.in
content/html/content/test/file_iframe_sandbox_a_if10.html
content/html/content/test/file_iframe_sandbox_a_if11.html
content/html/content/test/file_iframe_sandbox_a_if12.html
content/html/content/test/file_iframe_sandbox_a_if13.html
content/html/content/test/file_iframe_sandbox_a_if14.html
content/html/content/test/file_iframe_sandbox_a_if15.html
content/html/content/test/file_iframe_sandbox_a_if16.html
content/html/content/test/file_iframe_sandbox_a_if17.html
content/html/content/test/file_iframe_sandbox_a_if18.html
content/html/content/test/file_iframe_sandbox_a_if19.html
content/html/content/test/test_iframe_sandbox_inheritance.html
--- a/content/html/content/test/Makefile.in
+++ b/content/html/content/test/Makefile.in
@@ -283,16 +283,23 @@ MOCHITEST_FILES = \
 		file_iframe_sandbox_a_if5.html \
 		file_iframe_sandbox_a_if6.html \
 		file_iframe_sandbox_a_if7.html \
 		file_iframe_sandbox_a_if8.html \
 		file_iframe_sandbox_a_if9.html \
 		file_iframe_sandbox_a_if10.html \
 		file_iframe_sandbox_a_if11.html \
 		file_iframe_sandbox_a_if12.html \
+		file_iframe_sandbox_a_if13.html \
+		file_iframe_sandbox_a_if14.html \
+		file_iframe_sandbox_a_if15.html \
+		file_iframe_sandbox_a_if16.html \
+		file_iframe_sandbox_a_if17.html \
+		file_iframe_sandbox_a_if18.html \
+		file_iframe_sandbox_a_if19.html \
 		test_iframe_sandbox_same_origin.html \
 		file_iframe_sandbox_b_if1.html \
 		file_iframe_sandbox_b_if2.html \
 		file_iframe_sandbox_b_if3.html \
 		test_iframe_sandbox_general.html \
 		file_iframe_sandbox_c_if1.html \
 		file_iframe_sandbox_c_if2.html \
 		file_iframe_sandbox_c_if3.html \
--- a/content/html/content/test/file_iframe_sandbox_a_if10.html
+++ b/content/html/content/test/file_iframe_sandbox_a_if10.html
@@ -2,10 +2,11 @@
 <html>
 <head>
   <meta charset="utf-8">
   <title>Test for Bug 341604</title>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
 </head>
 <frameset>
   <frame src="file_iframe_sandbox_a_if11.html">
+  <frame src="file_iframe_sandbox_a_if16.html">
 </frameset>
 </html>
--- a/content/html/content/test/file_iframe_sandbox_a_if11.html
+++ b/content/html/content/test/file_iframe_sandbox_a_if11.html
@@ -13,11 +13,11 @@
         window.parent.parent.postMessage({ok: true, desc: "a frame inside a sandboxed iframe is not same origin with the iframe's parent"}, "*");
       }
      }
   </script>
 </head>
 <frameset>
   <frame onload='doStuff()' src="file_iframe_sandbox_a_if12.html">
 </frameset>
-I'm a &lt;frame&gt; inside an iframe which is sandboxed with 'allow-scripts'
+I'm a &lt;frame&gt; inside an iframe which is sandboxed with 'allow-scripts allow-forms'
 </html>
 
--- a/content/html/content/test/file_iframe_sandbox_a_if12.html
+++ b/content/html/content/test/file_iframe_sandbox_a_if12.html
@@ -12,12 +12,12 @@ function doStuff() {
   }
   catch (e) {
     dump("caught some e if12\n");
     window.parent.parent.parent.postMessage({ok: true, desc: "a frame inside a frame inside a sandboxed iframe is not same origin with the iframe's parent"}, "*");
   }
 }
 </script>
 <body onload='doStuff()'>
-  I'm a &lt;frame&gt; inside a &lt;frame&gt; inside an iframe which is sandboxed with 'allow-scripts'
+  I'm a &lt;frame&gt; inside a &lt;frame&gt; inside an iframe which is sandboxed with 'allow-scripts allow-forms'
 </body>
 </html>
 
new file mode 100644
--- /dev/null
+++ b/content/html/content/test/file_iframe_sandbox_a_if13.html
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 886262</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+
+<body>
+  <object data="file_iframe_sandbox_a_if14.html"></object>
+</body>
+
+</html>
new file mode 100644
--- /dev/null
+++ b/content/html/content/test/file_iframe_sandbox_a_if14.html
@@ -0,0 +1,34 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 886262</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+
+<script>
+  window.addEventListener("message", receiveMessage, false);
+
+  function receiveMessage(event)
+  {
+    window.parent.parent.postMessage({ok: event.data.ok, desc: "objects containing " + event.data.desc}, "*");
+  }
+
+  function doStuff() {
+    try {
+      window.parent.parent.ok_wrapper(false, "an object inside a sandboxed iframe should NOT be same origin with the iframe's parent");
+    }
+    catch (e) {
+      window.parent.parent.postMessage({ok: true, desc: "an object inside a sandboxed iframe is not same origin with the iframe's parent"}, "*");
+    }
+  }
+</script>
+
+<body onload='doStuff()'>
+I'm a &lt;object&gt; inside an iframe which is sandboxed with 'allow-scripts allow-forms'
+
+  <object data="file_iframe_sandbox_a_if15.html"></object>
+</body>
+
+</html>
+
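Review bot: The `catch (e)` in `doStuff()` posts `ok: true` for any exception at all, so an error unrelated to the sandbox (for example `ok_wrapper` being renamed on the top page) would be logged as proof that the object is cross-origin. The same catch-all appears in `doStuff()` of file_iframe_sandbox_a_if15.html and in `doTest()` of file_iframe_sandbox_a_if18.html. Appending the exception to the description would let the log show whether a permission error caused the pass, e.g. `desc: "an object inside a sandboxed iframe is not same origin with the iframe's parent (" + e + ")"`.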
new file mode 100644
--- /dev/null
+++ b/content/html/content/test/file_iframe_sandbox_a_if15.html
@@ -0,0 +1,33 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 886262</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+
+<script>
+function doStuff() {
+  try {
+    window.parent.parent.parent.ok_wrapper(false, "an object inside a frame or object inside a sandboxed iframe should NOT be same origin with the iframe's parent");
+  }
+  catch (e) {
+    window.parent.parent.parent.postMessage({ok: true, desc: "an object inside a frame or object inside a sandboxed iframe is not same origin with the iframe's parent"}, "*");
+  }
+
+  // Check that sandboxed forms browsing context flag NOT set by attempting to submit a form.
+  document.getElementById('a_form').submit();
+}
+</script>
+
+<body onload='doStuff()'>
+  I'm a &lt;object&gt; inside a &lt;frame&gt; or &lt;object&gt; inside an iframe which is sandboxed with 'allow-scripts allow-forms'
+
+  <form method="get" action="file_iframe_sandbox_form_pass.html" id="a_form">
+    First name: <input type="text" name="firstname">
+    Last name: <input type="text" name="lastname">
+    <input type="submit" id="a_button">
+  </form>
+</body>
+</html>
+
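Review bot: The form check at the end of `doStuff()` can only ever report a pass: `submit()` navigates to file_iframe_sandbox_form_pass.html, which is not part of this commit and presumably posts the success message. If the allow-forms flag is wrongly dropped on the way down, nothing is posted, and the run ends in a harness timeout rather than a named failure. A comment would make that failure mode clear, e.g. `// If submission is blocked nothing is reported; the test then times out instead of failing explicitly.` The comment above the call would also read more clearly as "flag is NOT set".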
new file mode 100644
--- /dev/null
+++ b/content/html/content/test/file_iframe_sandbox_a_if16.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 886262</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+
+<script>
+  window.addEventListener("message", receiveMessage, false);
+
+  function receiveMessage(event)
+  {
+    window.parent.parent.postMessage({ok: event.data.ok, desc: "objects containing " + event.data.desc}, "*");
+  }
+</script>
+
+<body>
+I'm a &lt;frame&gt; inside an iframe which is sandboxed with 'allow-scripts allow-forms'
+
+  <object data="file_iframe_sandbox_a_if15.html"></object>
+</body>
+
+</html>
+
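Review bot: `receiveMessage` relays whatever arrives without checking the shape of `event.data`, so a message that is not an `{ok, desc}` object is forwarded as `{ok: undefined, desc: "objects containing undefined"}` and presumably counted by the top page as a completed, failed test. file_iframe_sandbox_a_if14.html adds the identical handler. The senders are sandboxed without allow-same-origin, so `event.origin` is not a useful filter here; a payload guard such as `if (!event.data || typeof event.data.desc != "string") return;` is enough. Both relays also use the same `"objects containing "` prefix, so the results for cases 15 and 16 are likely to be indistinguishable in the log; a different prefix in this file would tell the frame path apart.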
new file mode 100644
--- /dev/null
+++ b/content/html/content/test/file_iframe_sandbox_a_if17.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 886262</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+
+<script>
+  function doTest() {
+    var if_18_19 = document.getElementById('if_18_19');
+    if_18_19.sandbox = "allow-scripts allow-same-origin";
+    if_18_19.contentWindow.postMessage("go", "*");
+  }
+</script>
+
+<body onload="doTest()">
+  I am sandboxed but with "allow-scripts". I change the sandbox flags on if_18_19 to
+  "allow-scripts allow-same-origin" then get it to re-navigate itself to
+  file_iframe_sandbox_a_if18.html, which attemps to call a function in my parent.
+  This should fail since my sandbox flags should be copied to it when the sandbox
+  flags are changed.
+
+  <iframe sandbox="allow-scripts" id="if_18_19" src="file_iframe_sandbox_a_if19.html" height="10" width="10"></iframe>
+</body>
+</html>
+
new file mode 100644
--- /dev/null
+++ b/content/html/content/test/file_iframe_sandbox_a_if18.html
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 886262</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+
+<script>
+  function doTest() {
+    try {
+      window.parent.parent.ok_wrapper(false, "an iframe in an iframe SHOULD copy its parent's sandbox flags when its sandbox flags are changed");
+    }
+    catch (e) {
+      window.parent.parent.postMessage({ok: true, desc: "an iframe in an iframe copies its parent's sandbox flags when its sandbox flags are changed"}, "*");
+    }
+  }
+</script>
+
+<body onload="doTest()">
+  I'm an iframe whose sandbox flags have been changed to include allow-same-origin.
+  I should not be able to call a function in my parent's parent because my parent's
+  iframe does not have allow-same-origin set.
+</body>
+</html>
+
new file mode 100644
--- /dev/null
+++ b/content/html/content/test/file_iframe_sandbox_a_if19.html
@@ -0,0 +1,21 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 886262</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+</head>
+
+<script>
+  window.addEventListener("message", function(e){
+     window.open("file_iframe_sandbox_a_if18.html", "_self");
+  }, false);
+</script>
+
+<body>
+  I'm just here to navigate to file_iframe_sandbox_a_if18.html after my owning
+  iframe has had allow-same-origin added.
+</body>
+</html>
+
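Review bot: The message listener navigates on any message and never looks at `e.data`, although file_iframe_sandbox_a_if17.html sends the specific string "go". Checking it, `if (e.data != "go") return;`, documents the handshake and keeps a stray message from triggering the navigation early. The `<script ... src="/tests/SimpleTest/EventUtils.js">` include is not used by anything in this file and can be dropped.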
--- a/content/html/content/test/test_iframe_sandbox_inheritance.html
+++ b/content/html/content/test/test_iframe_sandbox_inheritance.html
@@ -9,16 +9,19 @@ Implement HTML5 sandbox attribute for IF
   <title>Test for Bug 341604</title>
   <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
 </head>
 <script type="application/javascript">
 /** Test for Bug 341604 - Implement HTML5 sandbox attribute for IFRAMEs **/
 /** Inheritance Tests **/
 
+// Assertion failure in docshell/shistory/src/nsSHEntry.cpp (currently line 625).
+// Bug 901876 raised.
+SimpleTest.expectAssertions(1);
 SimpleTest.waitForExplicitFinish();
   
 // A postMessage handler that is used by sandboxed iframes without
 // 'allow-same-origin' to communicate pass/fail back to this main page.
 // It expects to be called with an object like {ok: true/false, desc:
 // <description of the test> which it then forwards to ok().
 window.addEventListener("message", receiveMessage, false);
 
@@ -34,18 +37,18 @@ function ok_wrapper(result, desc) {
   ok(result, desc);
 
   completedTests++;
 
   if (result) {
 	  passedTests++;
   } 
 
-  if (completedTests == 6) {
-    is(passedTests, 6, "there should be 6 passed inheritance tests");
+  if (completedTests == 13) {
+    is(passedTests, completedTests, "there should be " + completedTests + " passed inheritance tests");
     SimpleTest.finish();
   }
 }
 
 function doTest() {
   // fails if bad
   // 1) an iframe with no sandbox attribute inside an iframe that has sandbox = ""
   // should not be able to execute scripts (cannot ever loosen permissions)
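Review bot: The finish condition `completedTests == 13` is a bare count that must stay in step with the cases listed in `doTest()` and the iframes at the bottom of the file, and nothing here says how 13 is derived. By my count it is the 6 earlier cases plus 7 added ones (12 to 16, 18 and 19), since the "fails if bad" cases report nothing when they behave. A named constant with that breakdown would make the next addition safer, e.g. `var EXPECTED_RESULTS = 13; // 6 original + 7 for bug 886262 (cases 12-16, 18, 19)`. Note that an unexpected failure also increments `completedTests`, so the counter can reach 13 and call `SimpleTest.finish()` before every expected pass has arrived. `ok_wrapper` starts above this hunk and `doTest()` continues below it.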
@@ -97,22 +100,69 @@ function doTest() {
   // 10) a <frame> inside an <iframe> sandboxed with 'allow-scripts' should not be same
   // origin with this document
   // done by file_iframe_sandbox_a_if11.html which is contained with file_iframe_sandbox_a_if10.html
 
   // passes if good
   // 11) a <frame> inside a <frame> inside an <iframe> sandboxed with 'allow-scripts' should not be same
   // origin with its parent frame or this document
   // done by file_iframe_sandbox_a_if12.html which is contained with file_iframe_sandbox_a_if11.html
+
+  // passes if good, fails if bad
+  // 12) An <object> inside an <iframe> sandboxed with 'allow-scripts' should not be same
+  // origin with this document
+  // Done by file_iframe_sandbox_a_if14.html which is contained within file_iframe_sandbox_a_if13.html
+
+  // passes if good, fails if bad
+  // 13) An <object> inside an <object> inside an <iframe> sandboxed with 'allow-scripts' should not be same
+  // origin with its parent frame or this document
+  // Done by file_iframe_sandbox_a_if15.html which is contained within file_iframe_sandbox_a_if14.html
+
+  // passes if good, fails if bad
+  // 14) An <object> inside a <frame> inside an <iframe> sandboxed with 'allow-scripts' should not be same
+  // origin with its parent frame or this document
+  // Done by file_iframe_sandbox_a_if15.html which is contained within file_iframe_sandbox_a_if16.html
+  // which is contained within file_iframe_sandbox_a_if10.html
+
+  // passes if good
+  // 15) An <object> inside an <object> inside an <iframe> sandboxed with 'allow-scripts allow-forms'
+  // should be able to submit forms.
+  // Done by file_iframe_sandbox_a_if15.html which is contained within file_iframe_sandbox_a_if14.html
+
+  // passes if good
+  // 16) An <object> inside a <frame> inside an <iframe> sandboxed with 'allow-scripts allow-forms'
+  // should be able to submit forms.
+  // Done by file_iframe_sandbox_a_if15.html which is contained within file_iframe_sandbox_a_if16.html
+  // which is contained within file_iframe_sandbox_a_if10.html
+
+  // fails if bad
+  // 17) An <object> inside an <iframe> sandboxed with 'allow-same-origin'
+  // should not be able to run scripts.
+  // Done by iframe "if_no_scripts" using a data: load.
+
+  // passes if good
+  // 18) An <object> inside an <iframe> sandboxed with 'allow-scripts allow-same-origin'
+  // should be able to run scripts and be same origin with this document.
+  // Done by iframe "if_scripts" using a data: load.
+
+  // passes if good, fails if bad
+  // 19) Make sure that the parent's document's sandboxing flags are copied when
+  // changing the sandbox flags on an iframe inside an iframe.
+  // Done in file_iframe_sandbox_a_if17.html and file_iframe_sandbox_a_if18.html
 }
 
 addLoadEvent(doTest);
 </script>
 <body>
 <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=341604">Mozilla Bug 341604</a> - Implement HTML5 sandbox attribute for IFRAMEs
 <p id="display"></p>
 <div id="content">
 <iframe sandbox="" id="if_1" src="file_iframe_sandbox_a_if1.html" height="10" width="10"></iframe>
 <iframe sandbox="allow-scripts" id="if_3" src="file_iframe_sandbox_a_if3.html" height="10" width="10"></iframe>
 <iframe sandbox="allow-scripts allow-same-origin" id="if_5" src="file_iframe_sandbox_a_if5.html" height="10" width="10"></iframe>
 <iframe sandbox="allow-scripts allow-same-origin" id="if_8" src="file_iframe_sandbox_a_if8.html" height="10" width="10"></iframe>
-<iframe sandbox="allow-scripts" id="if_10" src="file_iframe_sandbox_a_if10.html" height="10" width="10"></iframe>
+<iframe sandbox="allow-scripts allow-forms" id="if_10" src="file_iframe_sandbox_a_if10.html" height="10" width="10"></iframe>
+<iframe sandbox="allow-scripts allow-forms" id="if_13" src="file_iframe_sandbox_a_if13.html" height="10" width="10"></iframe>
+<iframe sandbox="allow-same-origin" id="if_no_scripts" src="data:text/html,<object%20data='data:text/html,<script>parent.parent.ok_wrapper(false, &quot;an object inside an iframe sandboxed with only allow-same-origin should not be able to run scripts&quot;)</script>'></object>" height="10" width="10"></iframe>
+<iframe sandbox="allow-scripts allow-same-origin" id="if_scripts" src="data:text/html,<object%20data='data:text/html,<script>parent.parent.ok_wrapper(true, &quot;an object inside an iframe sandboxed with allow-scripts allow-same-origin should be able to run scripts and call functions in the parent of the iframe&quot;)</script>'></object>" height="10" width="10"></iframe>
+<iframe sandbox="allow-same-origin" id="if_19" src="data:text/html,<iframe%20data='data:text/html,<script>parent.parent.ok_wrapper(true, &quot;an object inside an iframe sandboxed with allow-scripts allow-same-origin should be able to run scripts and call functions in the parent of the iframe&quot;)</script>'></object>" height="10" width="10"></iframe>
+<iframe sandbox="allow-scripts" id="if_17" src="file_iframe_sandbox_a_if17.html" height="10" width="10"></iframe>
 </div>
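Review bot: The added iframe `if_19` looks like a copy-paste leftover: its data: URL holds `<iframe data='…'>` closed by `</object>`, its sandbox has no allow-scripts, and it reuses the description string of `if_scripts`, while the comment for case 19 says that case is done by file_iframe_sandbox_a_if17.html and file_iframe_sandbox_a_if18.html. As written it presumably never reports, but if it did, its `ok_wrapper(true, …)` would add an unplanned result against the fixed count of 13. Either remove the line or give it a numbered comment in `doTest()` stating what it checks. Separately, the comments for cases 12 to 14 still describe the outer iframe as sandboxed with 'allow-scripts', whereas `if_10` and `if_13` now use 'allow-scripts allow-forms'. `doTest()` begins outside this hunk.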