[gecko.git] / dom / html / test / file_iframe_sandbox_b_if3.html
1 <!DOCTYPE HTML>
2 <html>
3 <head>
4 <meta charset="utf-8">
5 <title>Test for Bug 341604</title>
6 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
7 </head>
8 <script>
/**
 * Report one check result to the page that embeds this frame.
 *
 * The verdict is delivered with postMessage instead of a direct call into the
 * parent window.
 *
 * @param {boolean} result - true when the check passed.
 * @param {string} message - human-readable description of the check.
 */
function ok(result, message) {
  var report = { ok: result, desc: message };
  // NOTE(review): the target origin is "*", so whichever page embeds this
  // frame receives the report. Presumably deliberate here, since only test
  // verdicts are sent; code that posts sensitive data should name the
  // expected origin instead of using the wildcard.
  window.parent.postMessage(report, "*");
}
/**
 * Check which XMLHttpRequest targets this frame can reach while sandboxed
 * WITHOUT 'allow-same-origin'.
 *
 * Three requests are issued and each reports through ok():
 *   - a relative URL, which is expected to be blocked;
 *   - a blob: URL created by this document, which is expected to load;
 *   - a data: URL, which is expected to load.
 */
function testXHR() {
  // Issue a GET for `url` and report whether it completed with status 200 and
  // the body "wibble". A throw from send() is reported as a failure whose
  // message starts with `sendFailurePrefix`.
  function expectWibble(url, passMessage, sendFailurePrefix) {
    var request = new XMLHttpRequest();
    request.open("GET", url);
    request.onreadystatechange = function () {
      // Only the final state (4) carries the verdict.
      if (request.readyState !== 4) {
        return;
      }
      var loaded = request.status === 200 && request.response === "wibble";
      ok(loaded, passMessage);
    };

    try {
      request.send();
    } catch (e) {
      ok(false, sendFailurePrefix + e);
    }
  }

  // Standard URL should be blocked as we have a unique origin.
  var blockedRequest = new XMLHttpRequest();
  blockedRequest.open("GET", "file_iframe_sandbox_b_if1.html");
  blockedRequest.onreadystatechange = function () {
    if (blockedRequest.readyState === 4) {
      // A finished request with status 0 is what this test counts as blocked.
      ok(blockedRequest.status === 0, "XHR should be blocked in an iframe sandboxed WITHOUT 'allow-same-origin'");
    }
  };
  blockedRequest.send(null);

  // Blob URL should work as it will have our unique origin.
  expectWibble(
    URL.createObjectURL(new Blob(["wibble"], {type: "text/plain"})),
    "XHR for a blob URL created in this document should NOT be blocked in an iframe sandboxed WITHOUT 'allow-same-origin'",
    "failed to send XHR for blob URL: error: "
  );

  // Data URL should work as it inherits the loader's origin.
  expectWibble(
    "data:text/html,wibble",
    "XHR for a data URL should NOT be blocked in an iframe sandboxed WITHOUT 'allow-same-origin'",
    "failed to send XHR for data URL: error: "
  );
}
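/**
 * Entry point, run from the body's onLoad handler: verify that a document
 * sandboxed without 'allow-same-origin' cannot reach its parent's script
 * scope, document.cookie, localStorage or sessionStorage, then start the
 * XHR checks.
 *
 * Every check reports exactly one verdict through ok(). If the sandbox
 * regresses and an access succeeds, that is reported as an explicit failure
 * instead of sending no message at all.
 */
function doStuff() {
  // Run `read` and report success only if it throws, i.e. access was denied.
  function expectBlocked(read, message) {
    var blocked = false;
    try {
      read();
    } catch (error) {
      blocked = true;
    }
    ok(blocked, message);
  }

  // If the parent is reachable, its own ok() records the failure directly;
  // otherwise the call throws and the pass is posted from this frame.
  try {
    window.parent.ok(false, "documents sandboxed without 'allow-same-origin' should NOT be able to access their parent");
  } catch (error) {
    ok(true, "documents sandboxed without 'allow-same-origin' should NOT be able to access their parent");
  }

  // should NOT be able to access document.cookie
  expectBlocked(
    function () { return document.cookie; },
    "a document sandboxed without allow-same-origin should NOT be able to access document.cookie"
  );

  // should NOT be able to access localStorage
  expectBlocked(
    function () { return window.localStorage; },
    "a document sandboxed without allow-same-origin should NOT be able to access localStorage"
  );

  // should NOT be able to access sessionStorage
  expectBlocked(
    function () { return window.sessionStorage; },
    "a document sandboxed without allow-same-origin should NOT be able to access sessionStorage"
  );

  testXHR();
}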
88 </script>
89 <body onLoad="doStuff()">
90 I am sandboxed but with "allow-scripts"
91 </body>
92 </html>