| <!DOCTYPE html> |
| <title>Test fenced frame sandbox attribute.</title> |
| <meta name="timeout" content="long"> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <script src="/common/utils.js"></script> |
| <script src="/common/dispatcher/dispatcher.js"></script> |
| <script src="resources/utils.js"></script> |
| |
| <body> |
| <script> |
| |
| async function runTest(t, sandbox_flags, success) { |
| const frame = await attachFencedFrameContext({ |
| generator_api: 'fledge', resolve_to_config: true, |
| attributes: [['sandbox', sandbox_flags]]}); |
| |
| assert_equals(frame.element.sandbox.value, sandbox_flags); |
| if (sandbox_flags) { |
| assert_equals(frame.element.sandbox.length, sandbox_flags.split(' ').length); |
| } else { |
| assert_equals(frame.element.sandbox.length, 0); |
| } |
| |
| const result = await Promise.any([ |
| frame.execute(() => { return 'success';}), |
| new Promise(resolve => t.step_timeout(() => resolve('failure'), 2000))]); |
| if (success) { |
| assert_equals(result, 'success'); |
| } else { |
| assert_equals(result, 'failure'); |
| } |
| } |
| |
| // We omit test cases that lack the sandbox attribute, because that's covered |
| // by every other test that doesn't explicitly use the `sandbox` attribute. |
| |
| promise_test(async t => { |
| return runTest(t, '', false); |
| }, 'Navigation fails with no allowed features'); |
| |
| promise_test(async t => { |
| return runTest(t, 'allow-same-origin allow-forms allow-scripts allow-popups allow-popups-to-escape-sandbox allow-top-navigation-by-user-activation', true); |
| }, 'Navigation succeeds with exactly the required unsandboxed features'); |
| |
| promise_test(async t => { |
| return runTest(t, 'allow-same-origin allow-forms allow-scripts allow-popups allow-popups-to-escape-sandbox allow-top-navigation-by-user-activation allow-pointer-lock', true); |
| }, 'Navigation succeeds with extra unsandboxed features'); |
| |
| promise_test(async t => { |
| return runTest(t, 'allow-same-origin allow-forms allow-scripts allow-popups allow-popups-to-escape-sandbox', false); |
| }, 'Navigation fails with too few unsandboxed features'); |
| |
| promise_test(async t => { |
| return runTest(t, 'foo bar baz', false); |
| }, 'Navigation fails with malformed sandbox flags'); |
| |
| promise_test(async t => { |
| return runTest(t, 'allow-same-origin allow-forms allow-scripts allow-popups allow-popups-to-escape-sandbox allow-top-navigation-by-user-activation allow-foobarbaz', true); |
| }, 'Navigation fails with the required unsandboxed features, plus some malformed ones'); |
| |
| </script> |
| </body> |