Source code

Revision control

Copy as Markdown

Other Tools

Test Info: Warnings

<!DOCTYPE html>
<meta charset=utf-8>
<title>Cookie Store API: Opaque origins for cookieStore</title>
<link rel=help href="https://wicg.github.io/cookie-store/">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script>
const apiCalls = {
'get': 'cookieStore.get("cookie-name")',
'getAll': 'cookieStore.getAll()',
'set': 'cookieStore.set("cookie-name", "cookie-value")',
'delete': 'cookieStore.delete("cookie-name")'
};
const script = `
<script>
"use strict";
window.onmessage = async () => {
try {
await %s;
window.parent.postMessage({result: "no exception"}, "*");
} catch (ex) {
window.parent.postMessage({result: ex.name}, "*");
};
};
<\/script>
`;
function load_iframe(apiCall, sandbox) {
return new Promise(resolve => {
const iframe = document.createElement('iframe');
iframe.onload = () => { resolve(iframe); };
if (sandbox)
iframe.sandbox = sandbox;
iframe.srcdoc = script.replace("%s", apiCalls[apiCall]);
iframe.style.display = 'none';
document.documentElement.appendChild(iframe);
});
}
function wait_for_message(iframe) {
return new Promise(resolve => {
self.addEventListener('message', function listener(e) {
if (e.source === iframe.contentWindow) {
resolve(e.data);
self.removeEventListener('message', listener);
}
});
});
}
promise_test(async t => {
for (apiCall in apiCalls) {
const iframe = await load_iframe(apiCall);
iframe.contentWindow.postMessage({}, '*');
const message = await wait_for_message(iframe);
assert_equals(message.result, 'no exception',
'cookieStore ${apiCall} should not throw');
}
}, 'cookieStore in non-sandboxed iframe should not throw');
promise_test(async t => {
for (apiCall in apiCalls) {
const iframe = await load_iframe(apiCall, 'allow-scripts');
iframe.contentWindow.postMessage({}, '*');
const message = await wait_for_message(iframe);
assert_equals(message.result, 'SecurityError',
'cookieStore ${apiCall} should throw SecurityError');
}
}, 'cookieStore in sandboxed iframe should throw SecurityError');
</script>