Google Git
Sign in
chromium / external / w3c / web-platform-tests / refs/tags/merge_pr_7238^! / .
commit9543eaf92974df52d30365e767d27e3df386ee28[log] [tgz]
authorAustin James Ahlstrom <aahlstrom@google.com>Tue Sep 12 09:19:43 2017
committerBlink WPT Bot <blink-w3c-test-autoroller@chromium.org>Tue Sep 12 09:28:16 2017
treebb1927c9d4b5ba91bad48f4aceb38d7edb670859
parent8f30dbe39b329027d64625e7f94e0314e8512a60 [diff]
Porting access-control-sandboxed-iframe-denied-without-wildcard to WPT

Bug: 745385
Change-Id: I4eb69d0acfdeafecff59251f53179bfd5241d8cd
Reviewed-on: https://chromium-review.googlesource.com/647392
Commit-Queue: Austin James Ahlstrom <aahlstrom@google.com>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Takeshi Yoshino <tyoshino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#501222}

diff --git a/XMLHttpRequest/access-control-sandboxed-iframe-denied-without-wildcard.htm b/XMLHttpRequest/access-control-sandboxed-iframe-denied-without-wildcard.htm
new file mode 100644
index 0000000..7c375f6
--- /dev/null
+++ b/XMLHttpRequest/access-control-sandboxed-iframe-denied-without-wildcard.htm

@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Tests that sandboxed iframe does not have CORS XHR access to server with "Access-Control-Allow-Origin" set to the original origin</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/get-host-info.sub.js"></script>
+  </head>
+  <body>
+    <script type="text/javascript">
+const path = "/XMLHttpRequest/resources/pass.txt?pipe=" +
+    "header(Cache-Control,no-store)|" +
+    "header(Content-Type,text/plain)" +
+    "header(Access-Control-Allow-Credentials,true)|" +
+    "header(Access-Control-Allow-Origin," + get_host_info().HTTP_ORIGIN + ")";
+
+async_test((test) => {
+  const xhr = new XMLHttpRequest;
+  xhr.open("GET", get_host_info().HTTP_REMOTE_ORIGIN + path);
+  xhr.send();
+  xhr.onerror = test.unreached_func("Unexpected error");
+  xhr.onload = test.step_func_done(() => {
+    assert_equals(xhr.status, 200);
+    assert_equals(xhr.responseText.trim(), "PASS");
+  });
+}, "Check that path exists and is accessible via CORS XHR request");
+
+async_test((test) => {
+  window.addEventListener("message", test.step_func((evt) => {
+    if (evt.data === "ready") {
+      document.getElementById("frame").contentWindow.postMessage(
+          get_host_info().HTTP_REMOTE_ORIGIN + path, "*");
+    } else {
+      assert_equals(evt.data, "Exception thrown. Sandboxed iframe XHR access was denied in 'send'.");
+      test.done();
+    }
+  }), false);
+}, "Sandboxed iframe is denied CORS access to server that allows parent origin");
+    </script>
+    <iframe id="frame" sandbox="allow-scripts" src="/XMLHttpRequest/resources/access-control-sandboxed-iframe.html">
+    </iframe>
+  </body>
+</html>