Source code
Revision control
Copy as Markdown
Other Tools
Test Info:
- This WPT test may be referenced by the following Test IDs:
- /html/browsers/sandboxing/sandbox-inherited-from-initiator-frame.html - WPT Dashboard Interop Dashboard
<!DOCTYPE html>
<meta charset=utf-8>
<title>Inherit sandbox flags from the initiator's frame</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<body>
<script>
// Check sandbox flags are properly inherited when a document initiate a
// navigation inside another frame that it doesn't own directly.
// This check the sandbox flags defined by the frame. See also the other test
// about sandbox flags defined by the response (e.g. CSP sandbox):
// => sandbox-inherited-from-initiators-response.html
// Return a promise, resolving when |element| triggers |event_name| event.
let future = (element, event_name) => {
return new Promise(resolve => {
element.addEventListener(event_name, event => resolve(event))
});
};
promise_test(async test => {
const iframe_1 = document.createElement("iframe");
const iframe_2 = document.createElement("iframe");
iframe_1.id = "iframe_1";
iframe_2.id = "iframe_2";
const iframe_1_script = encodeURI(`
<script>
try {
document.domain = document.domain;
parent.postMessage("not sandboxed", "*");
} catch (exception) {
parent.postMessage("sandboxed", "*");
}
</scr`+`ipt>
`);
const iframe_2_script = `
<script>
const iframe_1 = parent.document.querySelector("#iframe_1");
iframe_1.src = "data:text/html,${iframe_1_script}";
</scr`+`ipt>
`;
iframe_2.sandbox = "allow-scripts allow-same-origin";
iframe_2.srcdoc = iframe_2_script;
// Insert |iframe_1|. It will load the initial empty document, with no sandbox
// flags.
const iframe_1_load_1 = future(iframe_1, "load");
document.body.appendChild(iframe_1);
await iframe_1_load_1;
// Insert |iframe_2|. It will load with sandbox flags. It will make |iframe_1|
// to navigate toward a data-url, which should inherit the sandbox flags.
const iframe_1_reply = future(window, "message");
document.body.appendChild(iframe_2);
const result = await iframe_1_reply;
assert_equals("sandboxed", result.data);
})
</script>