| // Return whether the current context is sandboxed or not. The implementation do |
| // not matter much, but might have to change over time depending on what side |
| // effect sandbox flag have. Feel free to update as needed. |
| const is_sandboxed = () => { |
| try { |
| document.domain = document.domain; |
| return "not sandboxed"; |
| } catch (error) { |
| return "sandboxed"; |
| } |
| }; |
| |
| promise_test(async test => { |
| const message = new Promise(r => window.addEventListener("message", r)); |
| |
| const iframe_unsandboxed = document.createElement("iframe"); |
| document.body.appendChild(iframe_unsandboxed); |
| |
| const iframe_sandboxed = document.createElement("iframe"); |
| iframe_sandboxed.sandbox = "allow-same-origin allow-scripts"; |
| document.body.appendChild(iframe_sandboxed); |
| |
| iframe_sandboxed.srcdoc = ` |
| <script> |
| parent.frames[0].document.write(\` |
| <script> |
| const is_sandboxed = ${is_sandboxed}; |
| window.parent.postMessage(is_sandboxed(), '*'); |
| </scr\`+\`ipt> |
| \`); |
| parent.frames[0].document.close(); |
| </scr`+`ipt> |
| `; |
| assert_equals((await message).data, "not sandboxed"); |
| |
| }, "Using document.open() against a document from a different window must not" + |
| " mutate the other window's sandbox flags"); |
