| <!DOCTYPE html> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <body> |
| <!-- SEKRITS! --> |
| <input id="sekrit" value="omg!"> |
| |
| <script> |
| function postMessageToFrame(frame, message) { |
| return new Promise(resolve => { |
| var c = new MessageChannel(); |
| c.port1.onmessage = e => { |
| resolve({ data: e.data, frame: frame }) |
| }; |
| frame.contentWindow.postMessage(message, '*', [c.port2]); |
| }); |
| } |
| |
| function createFrame() { |
| return new Promise(resolve => { |
| var i = document.createElement('iframe'); |
| i.src = "./support/document_domain_frame.html"; |
| window.addEventListener('message', m => { |
| if (m.source == i.contentWindow) |
| resolve(i); |
| }); |
| document.body.appendChild(i); |
| }); |
| } |
| |
| promise_test(t => { |
| return createFrame() |
| .then(f => postMessageToFrame(f, 'poke-at-parent')) |
| .then(result => { |
| assert_equals(result.data, document.querySelector('#sekrit').value); |
| result.frame.remove(); |
| }); |
| }, "Access allowed with no 'document.domain' modification. (Sanity check)"); |
| |
| promise_test(t => { |
| return createFrame() |
| .then(f => postMessageToFrame(f, { domain: null })) |
| .then(result => { |
| assert_equals(result.data, 'Done'); |
| return postMessageToFrame(result.frame, 'poke-at-parent') |
| .then(result => { |
| assert_equals(result.data, 'SecurityError'); |
| result.frame.remove(); |
| }); |
| }); |
| }, "No access when frame sets a `null` 'document.domain'."); |
| |
| promise_test(t => { |
| return createFrame() |
| .then(f => { |
| document.domain = null; |
| assert_equals(document.domain, "null"); |
| return postMessageToFrame(f, 'poke-at-parent'); |
| }) |
| .then(result => { |
| assert_equals(result.data, 'SecurityError'); |
| result.frame.remove(); |
| }); |
| }, "No access when parent sets a `null` 'document.domain'."); |
| |
| promise_test(t => { |
| return createFrame() |
| .then(f => { |
| document.domain = null; |
| assert_equals(document.domain, "null"); |
| return postMessageToFrame(f, { domain: null }); |
| }) |
| .then(result => { |
| assert_equals(result.data, 'Done'); |
| return postMessageToFrame(result.frame, 'poke-at-parent') |
| .then(result => { |
| assert_equals(result.data, 'SecurityError'); |
| result.frame.remove(); |
| }); |
| }); |
| }, "No access when both sides set a `null` 'document.domain'."); |
| </script> |