Test sandbox flags vs document.open()
Two new regression tests about a bug waiting to happen. I was about to
introduce a regression with patchset:
https://chromium-review.googlesource.com/c/chromium/src/+/2578902/6
without triggering any test.
This checks that, after using document.open(), the sandbox flags still
apply.
Bug: 1041376
Change-Id: I8654177e7edb040b9f34f948540b697af84a92d7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2582318
Reviewed-by: Ian Clelland <iclelland@chromium.org>
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#835673}
diff --git a/html/browsers/sandboxing/resources/document-open.html b/html/browsers/sandboxing/resources/document-open.html
new file mode 100644
index 0000000..c53c9fb
--- /dev/null
+++ b/html/browsers/sandboxing/resources/document-open.html
@@ -0,0 +1,16 @@
+<script>
+ onload = () => {
+ document.open();
+ document.write(`
+ <script>
+ try {
+ document.domain = document.domain;
+ parent.postMessage('document-domain-is-allowed', '*');
+ } catch (error) {
+ parent.postMessage('document-domain-is-disallowed', '*');
+ }
+ </sc`+`ript>
+ `);
+ document.close();
+ }
+</script>
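Review bot: The split closing tag `</sc`+`ript>` on line 31 is deliberate but undocumented, and a future cleanup could "fix" it back into a literal `</script>`, which would terminate the outer script element early and break the test; the same construct reappears at line 85 of sandbox-document-open.html. A one-line JS comment above the template literal would be enough, e.g. `// The closing tag is split so the HTML parser does not end the outer <script> here.`. It would also help to state in a leading comment what the two messages mean, since the parent asserts on them: `// Reports whether the document.domain setter throws in this (sandboxed) document.`.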
diff --git a/html/browsers/sandboxing/sandbox-document-open.html b/html/browsers/sandboxing/sandbox-document-open.html
new file mode 100644
index 0000000..8c6c220
--- /dev/null
+++ b/html/browsers/sandboxing/sandbox-document-open.html
@@ -0,0 +1,52 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>
+ Check sandbox-flags aren't lost after using document.open().
+</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+promise_test(async test => {
+ let message = new Promise(resolve =>
+ window.addEventListener("message", event => resolve(event.data))
+ );
+
+ let iframe = document.createElement("iframe");
+ iframe.setAttribute("sandbox", "allow-scripts allow-same-origin");
+ iframe.setAttribute("src", "./resources/document-open.html")
+ document.body.appendChild(iframe);
+
+ assert_equals(await message, "document-domain-is-disallowed");
+}, "document.open()");
+
+promise_test(async test => {
+ let iframe = document.createElement("iframe");
+ iframe.setAttribute("sandbox", "allow-scripts allow-same-origin");
+ iframe.setAttribute("src", "/common/blank.html");
+ let loaded = new Promise(resolve => {iframe.onload = resolve; });
+ document.body.appendChild(iframe);
+ await loaded;
+
+ let message = new Promise(resolve =>
+ window.addEventListener("message", event => resolve(event.data))
+ );
+
+ iframe.contentDocument.open();
+ iframe.contentDocument.write(`
+ <script>
+ try {
+ document.domain = document.domain;
+ parent.postMessage('document-domain-is-allowed', '*');
+ } catch (error) {
+ parent.postMessage('document-domain-is-disallowed', '*');
+ }
+ </sc`+`ript>
+ `);
+ iframe.contentDocument.close();
+
+ assert_equals(await message, "document-domain-is-disallowed");
+}, "other_document.open()");
+</script>
+</body>
+</html>
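Review bot: Both "message" listeners (lines 52–54 and 72–74) resolve on the first message from any source and are never removed, and neither iframe is removed after its test, so a stray postMessage from the first iframe (or any other frame) could satisfy the second test's assertion for the wrong reason. The `test` argument is unused in both promise_tests; use it for cleanup, and filter the listener on `event.source === iframe.contentWindow`, which in the first test means creating the iframe before the promise. Line 58 is also missing its trailing semicolon, unlike the surrounding statements. The second test needs the same `test.add_cleanup(() => iframe.remove());` and the same source check, but its iframe is already created before the promise so only the listener body changes.

```html
<script>
promise_test(async test => {
  let iframe = document.createElement("iframe");
  iframe.setAttribute("sandbox", "allow-scripts allow-same-origin");
  iframe.setAttribute("src", "./resources/document-open.html");
  test.add_cleanup(() => iframe.remove());

  // Only accept the message from this test's iframe, not from earlier frames.
  let message = new Promise(resolve =>
    window.addEventListener("message", event => {
      if (event.source === iframe.contentWindow)
        resolve(event.data);
    })
  );
  document.body.appendChild(iframe);

  assert_equals(await message, "document-domain-is-disallowed");
}, "document.open()");
<!-- … unchanged: second promise_test ("other_document.open()") … -->
</script>
```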