summaryrefslogtreecommitdiffstats
path: root/dom/html/test/file_iframe_sandbox_b_if3.html
blob: 350e2ac4726da9189d18c06560dfb7eb9fbd7ed6 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
<!DOCTYPE HTML>
<html>
<head>
  <meta charset="utf-8">
  <title>Test for Bug 341604</title>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
</head>
<script>
  function ok(result, message) {
    window.parent.postMessage({ok: result, desc: message}, "*");
  }

  function testXHR() {
    // Standard URL should be blocked as we have a unique origin.
    var xhr = new XMLHttpRequest();
    xhr.open("GET", "file_iframe_sandbox_b_if1.html");
    xhr.onreadystatechange = function (oEvent) {
      var result = false;
      if (xhr.readyState == 4) {
        if (xhr.status == 0) {
          result = true;
        }
        ok(result, "XHR should be blocked in an iframe sandboxed WITHOUT 'allow-same-origin'");
      }
    }
    xhr.send(null);

    // Blob URL should work as it will have our unique origin.
    var blobXhr = new XMLHttpRequest();
    var blobUrl = URL.createObjectURL(new Blob(["wibble"], {type: "text/plain"}));
    blobXhr.open("GET", blobUrl);
    blobXhr.onreadystatechange = function () {
      if (this.readyState == 4) {
        ok(this.status == 200 && this.response == "wibble", "XHR for a blob URL created in this document should NOT be blocked in an iframe sandboxed WITHOUT 'allow-same-origin'");
      }
    }
    try {
      blobXhr.send();
    } catch(e) {
      ok(false, "failed to send XHR for blob URL: error: " + e);
    }

    // Data URL should work as it inherits the loader's origin.
    var dataXhr = new XMLHttpRequest();
    dataXhr.open("GET", "data:text/html,wibble");
    dataXhr.onreadystatechange = function () {
      if (this.readyState == 4) {
        ok(this.status == 200 && this.response == "wibble", "XHR for a data URL should NOT be blocked in an iframe sandboxed WITHOUT 'allow-same-origin'");
      }
    }
    try {
      dataXhr.send();
    } catch(e) {
      ok(false, "failed to send XHR for data URL: error: " + e);
    }
  }

  function doStuff() {
    try {
      window.parent.ok(false, "documents sandboxed without 'allow-same-origin' should NOT be able to access their parent");
    } catch (error) {
      ok(true, "documents sandboxed without 'allow-same-origin' should NOT be able to access their parent");
    }

    // should NOT be able to access document.cookie
    try {
      var foo = document.cookie;
    } catch(error) {
      ok(true, "a document sandboxed without allow-same-origin should NOT be able to access document.cookie");
    }

    // should NOT be able to access localStorage
    try {
      var foo = window.localStorage;
    } catch(error) {
      ok(true, "a document sandboxed without allow-same-origin should NOT be able to access localStorage");
    }

    // should NOT be able to access sessionStorage
    try {
      var foo = window.sessionStorage;
    } catch(error) {
      ok(true, "a document sandboxed without allow-same-origin should NOT be able to access sessionStorage");
    }

    testXHR();
  }
</script>
<body onLoad="doStuff()">
  I am sandboxed but with "allow-scripts"
</body>
</html>