5 <title>Test for Bug
341604</title>
6 <link rel=
"stylesheet" type=
"text/css" href=
"/tests/SimpleTest/test.css"/>
// Reports one test result to the embedding (parent) document by posting
// {ok: result, desc: message} with window.parent.postMessage.
// Messaging is used rather than a direct call because this document is
// checked further down as being unable to call into its parent.
// The target origin is the wildcard "*", so the message is delivered whatever
// origin the parent has; the payload here is only a pass/fail flag and a
// description. NOTE(review): code that posts anything sensitive should name
// the expected target origin instead of "*".
// NOTE(review): the function's closing brace is not shown in this listing.
9 function ok(result
, message
) {
10 window
.parent
.postMessage({ok
: result
, desc
: message
}, "*");
14 // Standard URL should be blocked as we have a unique origin.
// Without 'allow-same-origin' the sandboxed document is treated as a unique
// (opaque) origin, so this relative URL is a cross-origin request for it.
15 var xhr
= new XMLHttpRequest();
16 xhr
.open("GET", "file_iframe_sandbox_b_if1.html");
17 xhr
.onreadystatechange = function (oEvent
) {
// readyState 4 is DONE; a status of 0 at that point means no HTTP response
// was exposed to script, which is how a blocked request shows up here.
19 if (xhr
.readyState
== 4) {
20 if (xhr
.status
== 0) {
// NOTE(review): the lines that assign `result` and the call that sends the
// request are not shown in this listing (gutter numbers skip) - confirm
// against the full file.
23 ok(result
, "XHR should be blocked in an iframe sandboxed WITHOUT 'allow-same-origin'");
28 // Blob URL should work as it will have our unique origin.
// The blob is created by this same document, so the request for its URL is
// expected to be allowed even though the document's origin is unique.
29 var blobXhr
= new XMLHttpRequest();
30 var blobUrl
= URL
.createObjectURL(new Blob(["wibble"], {type
: "text/plain"}));
31 blobXhr
.open("GET", blobUrl
);
32 blobXhr
.onreadystatechange = function () {
// Passes only when the completed request returned 200 and the blob's content.
33 if (this.readyState
== 4) {
34 ok(this.status
== 200 && this.response
== "wibble", "XHR for a blob URL created in this document should NOT be blocked in an iframe sandboxed WITHOUT 'allow-same-origin'");
// Reports a failure carrying the error text.
// NOTE(review): the try/catch that binds `e`, and the send call it
// presumably guards, are not shown in this listing.
40 ok(false, "failed to send XHR for blob URL: error: " + e
);
43 // Data URL should work as it inherits the loader's origin.
// NOTE(review): how data: URLs are assigned an origin differs between
// navigation and XHR/fetch and has changed across browser versions - confirm
// the comment above still describes the engine under test. The assertion
// itself only requires that the request succeeds.
44 var dataXhr
= new XMLHttpRequest();
45 dataXhr
.open("GET", "data:text/html,wibble");
46 dataXhr
.onreadystatechange = function () {
// Passes only when the completed request returned 200 and the inline body.
47 if (this.readyState
== 4) {
48 ok(this.status
== 200 && this.response
== "wibble", "XHR for a data URL should NOT be blocked in an iframe sandboxed WITHOUT 'allow-same-origin'");
// Reports a failure carrying the error text.
// NOTE(review): the try/catch that binds `e`, and the send call it
// presumably guards, are not shown in this listing.
54 ok(false, "failed to send XHR for data URL: error: " + e
);
// Direct script access to the parent must fail for a document sandboxed
// without 'allow-same-origin'. The first call goes through the parent's own
// ok() and records a failure if that access succeeds; the second uses the
// local postMessage-based ok() to record the expected outcome.
// NOTE(review): the try/catch that presumably separates the two calls is not
// shown in this listing.
60 window
.parent
.ok(false, "documents sandboxed without 'allow-same-origin' should NOT be able to access their parent");
62 ok(true, "documents sandboxed without 'allow-same-origin' should NOT be able to access their parent");
// The three checks below read document.cookie, localStorage and
// sessionStorage. For a document with an opaque origin each read is expected
// to throw (a SecurityError per the HTML specification), and the pass is
// reported from the error path.
// NOTE(review): only the passing ok(true, ...) call is visible for each check;
// no ok(false, ...) appears for the case where the read succeeds, and the
// try/catch lines are not shown. Confirm the parent harness fails the test
// when an expected pass never arrives, otherwise a regression that lets the
// read through would go unreported.
65 // should NOT be able to access document.cookie
67 var foo
= document
.cookie
;
69 ok(true, "a document sandboxed without allow-same-origin should NOT be able to access document.cookie");
72 // should NOT be able to access localStorage
74 var foo
= window
.localStorage
;
76 ok(true, "a document sandboxed without allow-same-origin should NOT be able to access localStorage");
79 // should NOT be able to access sessionStorage
81 var foo
= window
.sessionStorage
;
83 ok(true, "a document sandboxed without allow-same-origin should NOT be able to access sessionStorage");
89 <body onLoad=
"doStuff()">
90 I am sandboxed but with
"allow-scripts"