Bug 1641236 [wpt PR 23795] - Fix "blocked-iframe-are-cross-origin.html"., a=testonly
Automatic update from web-platform-tests
Fix "blocked-iframe-are-cross-origin.html".
Reported by antoniosartori@, there was an error in the test:
"blocked_iframe-are-cross-origin.html"
In Javascript, lambda capture is done by reference. The reference was
the loop 'variable'. As a result the second test case was run twice.
The first test case couldn't work, because embedded enforcement do not
apply to same-origin iframes.
The patch fixes the test.
TBR=mkwst@chromium.org
Bug: 1041376
Change-Id: Id5f223aa138470cb263eea5b0af9f616a314a374
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2218049
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#774065}
--
wpt-commits: 2e45d1610c21b55ac4dcf4c223964d0d8069f3ee
wpt-pr: 23795
Differential Diff: PHID-DIFF-iqcyut22n7fgtne2lsj2
--- a/testing/web-platform/tests/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html
@@ -1,33 +1,59 @@
<!DOCTYPE html>
<html>
<head>
- <title>Embedded Enforcement: blocked iframe are cross-origin.</title>
+ <title>Embedded Enforcement: blocked iframes are cross-origin.</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/testharness-helper.sub.js"></script>
</head>
<body>
<script>
let SecurityError = 18;
-let tests = [
- {name: "Same-origin" , origin: getOrigin()},
- {name: "Cross-origin", origin: getCrossOrigin()},
-];
+promise_test(async () => {
+ let iframe = document.createElement("iframe");
+ let loaded = new Promise(r => iframe.onload = r);
+ iframe.csp = "script-src 'none'";
+ iframe.src = getCrossOrigin() + "common/blank.html";
+ document.body.appendChild(iframe);
+ await loaded;
+ assert_throws_dom(SecurityError, () => iframe.contentWindow.document);
+}, "Document blocked by embedded enforcement and its parent are cross-origin");
+
+promise_test(async () => {
+ // Create an iframe that would have been same-origin with the blocked iframe
+ // if it wasn't blocked.
+ let helper_frame = document.createElement("iframe");
+ let loaded_helper = new Promise(r => helper_frame.onload = r);
+ helper_frame.src = getCrossOrigin() +
+ "content-security-policy/embedded-enforcement/support/executor.html"
+ document.body.appendChild(helper_frame);
+ await loaded_helper;
-for(test of tests) {
- promise_test(async () => {
- let iframe = document.createElement("iframe");
- let loaded = new Promise(r => iframe.onload = r);
- iframe.csp = "script-src 'none'";
- iframe.src = test.origin + "common/blank.html";
- document.body.appendChild(iframe);
- await loaded;
- assert_throws_dom(SecurityError, () => iframe.contentWindow.document);
- }, `${test.name} document blocked by embedded enforcement must appear cross-origin`);
-}
+ let reply = new Promise(r => window.onmessage = r);
+ helper_frame.contentWindow.postMessage(`
+ let test = function() {
+ if (parent.frames.length != 2)
+ return "Error: Wrong number of iframes";
+
+ if (parent.frames[1] != window)
+ return "Error: Wrong frame index for the second iframe";
+
+ // Try to access frames[0] from frames[1]. This must fail.
+ try {
+ parent.frames[0].contentWindow;
+ return "Error: The error page appears same-origin";
+ } catch(dom_exception) {
+ return dom_exception.code;
+ }
+ };
+ parent.postMessage(test(), '*');
+ `, '*');
+
+ assert_equals((await reply).data, SecurityError);
+}, "Two same-origin iframes must appear as cross-origin when one is blocked");
</script>
</body>
</html>
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/support/executor.html
@@ -0,0 +1,3 @@
+<script>
+ window.onmessage = event => eval(event.data);
+</script>
