| <!DOCTYPE html> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <script src="./support/helper.js"></script> |
| <body> |
| <script> |
| async_test(t => { |
| var i = document.createElement('iframe'); |
| i.src = "./support/xfo.py?value=SAMEORIGIN&value2=SAMEORIGIN"; |
| |
| wait_for_message_from(i, t) |
| .then(t.step_func_done(e => { |
| assert_equals(e.data, "Loaded"); |
| i.remove(); |
| })); |
| |
| document.body.appendChild(i); |
| }, "`XFO: SAMEORIGIN; XFO: SAMEORIGIN` allows same-origin framing."); |
| |
| async_test(t => { |
| var i = document.createElement('iframe'); |
| i.src = "./support/xfo.py?value=SAMEORIGIN&value2=DENY"; |
| |
| assert_no_message_from(i, t); |
| |
| i.onload = t.step_func_done(_ => { |
| assert_equals(i.contentDocument, null); |
| i.remove(); |
| }); |
| |
| document.body.appendChild(i); |
| }, "`XFO: SAMEORIGIN; XFO: DENY` blocks same-origin framing."); |
| |
| async_test(t => { |
| var i = document.createElement('iframe'); |
| i.src = "./support/xfo.py?value=DENY&value2=SAMEORIGIN"; |
| |
| assert_no_message_from(i, t); |
| |
| i.onload = t.step_func_done(_ => { |
| assert_equals(i.contentDocument, null); |
| i.remove(); |
| }); |
| |
| document.body.appendChild(i); |
| }, "`XFO: DENY; XFO: SAMEORIGIN` blocks same-origin framing."); |
| |
| async_test(t => { |
| var i = document.createElement('iframe'); |
| i.src = "./support/xfo.py?value=INVALID&value2=SAMEORIGIN"; |
| |
| wait_for_message_from(i, t) |
| .then(t.step_func_done(e => { |
| assert_equals(e.data, "Loaded"); |
| i.remove(); |
| })); |
| |
| document.body.appendChild(i); |
| }, "`XFO: INVALID; XFO: SAMEORIGIN` allows same-origin framing."); |
| |
| async_test(t => { |
| var i = document.createElement('iframe'); |
| i.src = "./support/xfo.py?value=SAMEORIGIN&value2=INVALID"; |
| |
| wait_for_message_from(i, t) |
| .then(t.step_func_done(e => { |
| assert_equals(e.data, "Loaded"); |
| i.remove(); |
| })); |
| |
| document.body.appendChild(i); |
| }, "`XFO: SAMEORIGIN; XFO: INVALID` allows same-origin framing."); |
| |
| async_test(t => { |
| var i = document.createElement('iframe'); |
| i.src = "http://{{domains[www]}}:{{ports[http][0]}}/x-frame-options/support/xfo.py?value=SAMEORIGIN&value2=SAMEORIGIN"; |
| |
| assert_no_message_from(i, t); |
| |
| i.onload = t.step_func_done(_ => { |
| assert_equals(i.contentDocument, null); |
| i.remove(); |
| }); |
| |
| document.body.appendChild(i); |
| }, "`XFO: SAMEORIGIN; XFO: SAMEORIGIN` blocks cross-origin framing."); |
| </script> |