Bug 1641236 [wpt PR 23795] - Fix "blocked-iframe-are-cross-origin.html"., a=testonly draft
authorarthursonzogni <arthursonzogni@chromium.org>
Mon, 08 Jun 2020 20:07:34 +0000
changeset 2968291 72d0ac83c33d2a19be648d82788139fc6ca8159a
parent 2968290 4d1b87495c8a718a85034f29caa1d16fa70a0b7c
child 2968292 11542ccc5efe0d919cc13a88cc289c5a797ae4c7
push id550673
push userreviewbot
push dateMon, 08 Jun 2020 20:08:18 +0000
treeherdertry@5ad8b739e55a [default view] [failures only]
reviewerstestonly
bugs1641236, 23795, 1041376, 2218049, 774065
milestone79.0a1
Bug 1641236 [wpt PR 23795] - Fix "blocked-iframe-are-cross-origin.html"., a=testonly Automatic update from web-platform-tests Fix "blocked-iframe-are-cross-origin.html". Reported by antoniosartori@, there was an error in the test: "blocked_iframe-are-cross-origin.html" In Javascript, lambda capture is done by reference. The reference was the loop 'variable'. As a result the second test case was run twice. The first test case couldn't work, because embedded enforcement do not apply to same-origin iframes. The patch fixes the test. TBR=mkwst@chromium.org Bug: 1041376 Change-Id: Id5f223aa138470cb263eea5b0af9f616a314a374 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2218049 Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/master@{#774065} -- wpt-commits: 2e45d1610c21b55ac4dcf4c223964d0d8069f3ee wpt-pr: 23795 Differential Diff: PHID-DIFF-iqcyut22n7fgtne2lsj2
testing/web-platform/tests/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html
testing/web-platform/tests/content-security-policy/embedded-enforcement/support/executor.html
--- a/testing/web-platform/tests/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html
@@ -1,33 +1,59 @@
 <!DOCTYPE html>
 <html>
 <head>
-  <title>Embedded Enforcement: blocked iframe are cross-origin.</title>
+  <title>Embedded Enforcement: blocked iframes are cross-origin.</title>
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>
   <script src="support/testharness-helper.sub.js"></script>
 </head>
 <body>
 <script>
 
 let SecurityError = 18;
 
-let tests = [
-  {name: "Same-origin" , origin: getOrigin()},
-  {name: "Cross-origin", origin: getCrossOrigin()},
-];
+promise_test(async () => {
+  let iframe = document.createElement("iframe");
+  let loaded = new Promise(r => iframe.onload = r);
+  iframe.csp = "script-src 'none'";
+  iframe.src = getCrossOrigin() +  "common/blank.html";
+  document.body.appendChild(iframe);
+  await loaded;
+  assert_throws_dom(SecurityError, () => iframe.contentWindow.document);
+}, "Document blocked by embedded enforcement and its parent are cross-origin");
+
+promise_test(async () => {
+  // Create an iframe that would have been same-origin with the blocked iframe
+  // if it wasn't blocked.
+  let helper_frame = document.createElement("iframe");
+  let loaded_helper = new Promise(r => helper_frame.onload = r);
+  helper_frame.src = getCrossOrigin() +
+    "content-security-policy/embedded-enforcement/support/executor.html"
+  document.body.appendChild(helper_frame);
+  await loaded_helper;
 
-for(test of tests) {
-  promise_test(async () => {
-    let iframe = document.createElement("iframe");
-    let loaded = new Promise(r => iframe.onload = r);
-    iframe.csp = "script-src 'none'";
-    iframe.src = test.origin +  "common/blank.html";
-    document.body.appendChild(iframe);
-    await loaded;
-    assert_throws_dom(SecurityError, () => iframe.contentWindow.document);
-  }, `${test.name} document blocked by embedded enforcement must appear cross-origin`);
-}
+  let reply = new Promise(r => window.onmessage = r);
+  helper_frame.contentWindow.postMessage(`
+    let test = function() {
+      if (parent.frames.length != 2)
+        return "Error: Wrong number of iframes";
+
+      if (parent.frames[1] != window)
+        return "Error: Wrong frame index for the second iframe";
+
+      // Try to access frames[0] from frames[1]. This must fail.
+      try {
+        parent.frames[0].contentWindow;
+        return "Error: The error page appears same-origin";
+      } catch(dom_exception) {
+        return dom_exception.code;
+      }
+    };
+    parent.postMessage(test(), '*');
+  `, '*');
+
+  assert_equals((await reply).data, SecurityError);
+}, "Two same-origin iframes must appear as cross-origin when one is blocked");
 
 </script>
 </body>
 </html>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/support/executor.html
@@ -0,0 +1,3 @@
+<script>
+  window.onmessage = event => eval(event.data);
+</script>