| <!DOCTYPE html> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <body> |
| <script> |
| async_test(t => { |
| var i = document.createElement('iframe'); |
| i.setAttribute("sandbox", "allow-scripts"); |
| i.setAttribute("src", "javascript:top.postMessage('fail', '*');"); |
| window.addEventListener( |
| "message", |
| t.unreached_func("The sandboxed 'javascript:' URL should not execute.")); |
| |
| document.body.appendChild(i); |
| |
| // TODO(mkwst): I would love a better test here, but I don't know how else to |
| // verify that the script _doesn't_ execute. |
| setTimeout(t.done.bind(t), 250); |
| }, "JavaScript URLs in sandboxed iframes should not execute, as the origin is distinct from its opener."); |
| </script> |