Add web platform tests for cross-origin parent navigation attempts.
These replace the old text dump tests in http/test/security, one of
which has been flaky recently.
I placed the new tests alongside the same-origin child -> parent
navigation tests, but I could also see them belonging in
html/browsers/history/the-location-interface/.
Fixed: chromium:1267551
Change-Id: I67c0cae630acc7c17959ae6de2dba3a64c267798
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3350656
Auto-Submit: Titouan Rigoudy <titouan@chromium.org>
Reviewed-by: Arthur Hemery <ahemery@chromium.org>
Commit-Queue: Titouan Rigoudy <titouan@chromium.org>
Cr-Commit-Position: refs/heads/main@{#953307}
diff --git a/html/browsers/browsing-the-web/navigating-across-documents/child-navigates-parent-cross-origin.window.js b/html/browsers/browsing-the-web/navigating-across-documents/child-navigates-parent-cross-origin.window.js
new file mode 100644
index 0000000..c5bed0f
--- /dev/null
+++ b/html/browsers/browsing-the-web/navigating-across-documents/child-navigates-parent-cross-origin.window.js
@@ -0,0 +1,90 @@
+// META: script=/common/get-host-info.sub.js
+// META: script=resources/wait-for-messages.js
+
+function testNavigationFails(params) {
+ return async (t) => {
+ // Start waiting for messages before inserting the child frame, to avoid any
+ // race conditions. Note that this would be racy if we executed tests
+ // concurrently, thankfully `promise_test` executes sequentially. See also:
+ // https://github.com/web-platform-tests/rfcs/pull/75
+ const messagesPromise = waitForMessages(1);
+
+ // Execute the test in an iframe, so that the document executing the test
+ // is not navigated away mid-test in case of failure.
+ const child = document.createElement("iframe");
+ document.body.appendChild(child);
+ t.add_cleanup(() => { document.body.removeChild(child); });
+
+ const url = new URL(
+ "resources/child-navigates-parent-cross-origin-inner.html",
+ window.location);
+
+ // Load the grandchild iframe from a different origin.
+ url.host = get_host_info().REMOTE_HOST;
+
+ for (const key in params || {}) {
+ url.searchParams.set(key, params[key]);
+ }
+
+ const grandchild = child.contentDocument.createElement("iframe");
+ grandchild.src = url;
+ child.contentDocument.body.appendChild(grandchild);
+
+ const messages = await messagesPromise;
+ assert_array_equals(messages, ["error: SecurityError"]);
+ }
+}
+
+promise_test(
+ testNavigationFails(),
+ "Child document attempts to navigate cross-origin parent via location");
+
+promise_test(
+ testNavigationFails({ "property": "hash" }),
+ "Child document attempts to navigate cross-origin parent via "+
+ "location.hash");
+
+promise_test(
+ testNavigationFails({ "property": "host" }),
+ "Child document attempts to navigate cross-origin parent via "+
+ "location.host");
+
+promise_test(
+ testNavigationFails({ "property": "hostname" }),
+ "Child document attempts to navigate cross-origin parent via "+
+ "location.hostname");
+
+promise_test(
+ testNavigationFails({ "property": "href" }),
+ "Child document attempts to navigate cross-origin parent via "+
+ "location.href");
+
+promise_test(
+ testNavigationFails({ "property": "pathname" }),
+ "Child document attempts to navigate cross-origin parent via "+
+ "location.pathname");
+
+promise_test(
+ testNavigationFails({ "property": "protocol" }),
+ "Child document attempts to navigate cross-origin parent via "+
+ "location.protocol");
+
+promise_test(
+ testNavigationFails({ "property": "reload" }),
+ "Child document attempts to navigate cross-origin parent via "+
+ "location.reload()");
+
+promise_test(
+ testNavigationFails({ "property": "replace" }),
+ "Child document attempts to navigate cross-origin parent via "+
+ "location.replace()");
+
+promise_test(
+ testNavigationFails({ "property": "search" }),
+ "Child document attempts to navigate cross-origin parent via "+
+ "location.search");
+
+promise_test(
+ testNavigationFails({ "property": "xxxNonExistent" }),
+ "Child document attempts to navigate cross-origin parent via non-standard "+
+ "location property");
diff --git a/html/browsers/browsing-the-web/navigating-across-documents/resources/child-navigates-parent-cross-origin-inner.html b/html/browsers/browsing-the-web/navigating-across-documents/resources/child-navigates-parent-cross-origin-inner.html
new file mode 100644
index 0000000..72b92c8
--- /dev/null
+++ b/html/browsers/browsing-the-web/navigating-across-documents/resources/child-navigates-parent-cross-origin-inner.html
@@ -0,0 +1,20 @@
+<!doctype html>
+<script>
+const params = new URL(window.location).searchParams;
+const property = params.get("property");
+
+try {
+ if (property === null) {
+ parent.location = "foo";
+ } else if (property === "reload") {
+ parent.location.reload();
+ } else if (property === "replace") {
+ parent.location.replace("foo");
+ } else {
+ parent.location[property] = "foo";
+ }
+ parent.parent.postMessage("success", "*");
+} catch (e) {
+ parent.parent.postMessage(`error: ${e.name}`, "*");
+}
+</script>