iframe-contentwindow-injection.sub.window.js

Enable keyboard shortcuts

This test has a WPT meta file that expects 1 subtest issues.
This WPT test may be referenced by the following Test IDs:
- /connection-allowlist/tentative/iframe-contentwindow-injection.sub.window.html - WPT Dashboard Interop Dashboard

// META: script=/common/get-host-info.sub.js

// META: script=/common/utils.js

// META: script=resources/utils.js

// META: timeout=long

//

// Tests that injecting resource hint <link> elements into same-origin iframe

// contentWindows does not bypass Connection-Allowlist enforcement. The policy

// should apply based on the iframe document's policy (inherited for about:blank,

// or from its own response headers for same-origin navigated iframes).

const port = get_host_info().HTTP_PORT_ELIDED;

const BLOCKED_ORIGIN = 'http://{{hosts[][www]}}' + port;

// Helper: inject a <link rel="prefetch"> into an iframe's contentWindow

// and verify the request does not reach the server.

function iframe_injection_test(iframe_setup, description) {

  promise_test(async t => {

    const key = token();

    const value = 'leaked';

    const params = new URLSearchParams();

    params.set('key', key);

    params.set('value', value);

    const url = `${BLOCKED_ORIGIN}${STORE_URL}?${params.toString()}`;

    // Create and configure the iframe.

    const iframe = await iframe_setup(t);

    // Inject a <link rel="prefetch"> into the iframe's document via

    // contentWindow to verify enforcement applies to injected content.

    iframe.contentWindow.document.head.innerHTML =

        `<link rel="prefetch" href="${url}">`;

    // If Connection-Allowlist enforcement is bypassed, the prefetch

    // request will reach the server and store the value. Verify it

    // does not.

    const result = await Promise.race([

      new Promise(r => t.step_timeout(r, 2000)),

      nextValueFromServer(key)

]);

    assert_equals(result, undefined,

        `Prefetch injected into iframe should be blocked.`);

  }, description);

// --- about:blank iframe (inherits parent's policy) ---

iframe_injection_test(async (t) => {

  const iframe = document.createElement('iframe');

  // about:blank is the default; the iframe inherits the parent's

  // Connection-Allowlist policy per spec.

  document.body.appendChild(iframe);

  t.add_cleanup(() => iframe.remove());

  // Small delay to ensure the iframe's document is ready.

  await new Promise(r => t.step_timeout(r, 100));

  return iframe;

}, 'Injecting <link rel="prefetch"> into about:blank iframe contentWindow ' +

   'must be blocked by inherited Connection-Allowlist.');

// Variant using explicit src="about:" for the iframe.

iframe_injection_test(async (t) => {

  const iframe = document.createElement('iframe');

  iframe.src = 'about:';

  document.body.appendChild(iframe);

  t.add_cleanup(() => iframe.remove());

  await new Promise(r => t.step_timeout(r, 100));

  return iframe;

}, 'Injecting <link rel="prefetch"> into about: iframe contentWindow ' +

   'must be blocked by inherited Connection-Allowlist.');

// Variant using src=" about:" (leading space) for the iframe.

// Browsers typically strip leading whitespace from URLs before navigation,

// so this likely resolves to about: and behaves identically, but we test

// it explicitly to guard against edge cases in URL parsing.

iframe_injection_test(async (t) => {

  const iframe = document.createElement('iframe');

  iframe.src = ' about:';

  document.body.appendChild(iframe);

  t.add_cleanup(() => iframe.remove());

  await new Promise(r => t.step_timeout(r, 100));

  return iframe;

}, 'Injecting <link rel="prefetch"> into " about:" (space-prefixed) iframe ' +

   'contentWindow must be blocked by inherited Connection-Allowlist.');

// --- Same-origin iframe with its own Connection-Allowlist ---

// Uses a helper page served with Connection-Allowlist headers

// to ensure the iframe's document has the policy.

iframe_injection_test(async (t) => {

  const iframe = document.createElement('iframe');

  iframe.src = 'resources/blank-with-allowlist.html';

  document.body.appendChild(iframe);

  t.add_cleanup(() => iframe.remove());

  // Wait for the iframe to fully load its document.

  await new Promise(resolve => { iframe.onload = resolve; });

  // Clear existing head content before injecting.

  iframe.contentWindow.document.head.innerHTML = '';

  return iframe;

}, 'Injecting <link rel="prefetch"> into same-origin iframe (with its own ' +

   'Connection-Allowlist) contentWindow must be blocked.');

// --- Additional variant: createElement injection instead of innerHTML ---

// Tests that the bypass is not specific to innerHTML parsing.

promise_test(async t => {

  const key = token();

  const value = 'leaked';

  const params = new URLSearchParams();

  params.set('key', key);

  params.set('value', value);

  const url = `${BLOCKED_ORIGIN}${STORE_URL}?${params.toString()}`;

  const iframe = document.createElement('iframe');

  document.body.appendChild(iframe);

  t.add_cleanup(() => iframe.remove());

  await new Promise(r => t.step_timeout(r, 100));

  // Inject via createElement instead of innerHTML.

  const link = iframe.contentWindow.document.createElement('link');

  link.rel = 'prefetch';

  link.href = url;

  iframe.contentWindow.document.head.appendChild(link);

  const result = await Promise.race([

    new Promise(r => t.step_timeout(r, 2000)),

    nextValueFromServer(key)

]);

  assert_equals(result, undefined,

      'Prefetch via createElement in iframe should be blocked.');

}, 'Injecting <link rel="prefetch"> via createElement into about:blank ' +

   'iframe contentWindow must be blocked by inherited Connection-Allowlist.');