1+ <!DOCTYPE html>
2+ < meta charset =utf-8 >
3+ < meta name ="timeout " content ="long ">
4+ < script src ="/resources/testharness.js "> </ script >
5+ < script src ="/resources/testharnessreport.js "> </ script >
6+ < script src ="/common/get-host-info.sub.js "> </ script >
7+ < script src ="/common/utils.js "> </ script >
8+ < script src ="/common/dispatcher/dispatcher.js "> </ script >
9+ <!-- Pull in executor_path needed by newPopup / newIframe -->
10+ < script src ="/html/cross-origin-embedder-policy/credentialless/resources/common.js "> </ script >
11+ <!-- Pull in importScript / newPopup / newIframe -->
12+ < script src ="/html/anonymous-iframe/resources/common.js "> </ script >
13+ < body >
14+ < script >
15+
16+ const navigation_handle_null = "Navigation handle returns null" ;
17+ const navigation_handle_not_null = "Navigation handle returns not null" ;
18+ const opener_null_response = "Window.opener is null" ;
19+ const opener_not_null_response = "Window.opener isn't null" ;
20+
21+ const does_blob_url_open_return_handle = ( blob_url , response_queue_name ) => `
22+ async function test() {
23+ const handle = window.open("${ blob_url }
24+ if (!handle) {
25+ return send("${ response_queue_name } ${ navigation_handle_null }
26+ }
27+
28+ return send("${ response_queue_name } ${ navigation_handle_not_null }
29+ }
30+ await test();
31+ ` ;
32+
33+ const add_iframe_js = ( iframe_origin , response_queue_uuid ) => `
34+ const importScript = ${ importScript }
35+ await importScript("/html/cross-origin-embedder-policy/credentialless" +
36+ "/resources/common.js");
37+ await importScript("/html/anonymous-iframe/resources/common.js");
38+ await importScript("/common/utils.js");
39+
40+ // dispatcher.js has already been loaded by the popup this is running in.
41+ await send("${ response_queue_uuid } ${ iframe_origin }
42+ ` ;
43+
44+ const same_site_origin = get_host_info ( ) . HTTPS_ORIGIN ;
45+ const cross_site_origin = get_host_info ( ) . HTTPS_NOTSAMESITE_ORIGIN ;
46+
47+ async function create_test_iframes ( t , response_queue_uuid ) {
48+ assert_equals ( "https://" + window . location . host , same_site_origin ,
49+ "this test assumes that the page's window.location.host corresponds to " +
50+ "get_host_info().HTTPS_ORIGIN" ) ;
51+
52+ // Create a same-origin iframe in a cross-site popup.
53+ const not_same_site_popup_uuid = newPopup ( t , cross_site_origin ) ;
54+ await send ( not_same_site_popup_uuid ,
55+ add_iframe_js ( same_site_origin , response_queue_uuid ) ) ;
56+ const cross_site_iframe_uuid = await receive ( response_queue_uuid ) ;
57+
58+ // Create a same-origin iframe in a same-site popup.
59+ const same_origin_popup_uuid = newPopup ( t , same_site_origin ) ;
60+ await send ( same_origin_popup_uuid ,
61+ add_iframe_js ( same_site_origin , response_queue_uuid ) ) ;
62+ const same_site_iframe_uuid = await receive ( response_queue_uuid ) ;
63+
64+ return [ cross_site_iframe_uuid , same_site_iframe_uuid ] ;
65+ }
66+
67+ // Tests navigating blob URL for same and cross partition iframes.
68+ promise_test ( t => {
69+ return new Promise ( async ( resolve , reject ) => {
70+ try {
71+ // Creates same and cross partition iframes.
72+ const response_queue_uuid = token ( ) ;
73+ const noopener_response_queue = token ( ) ;
74+
75+ const [ cross_site_iframe_uuid , same_site_iframe_uuid ] =
76+ await create_test_iframes ( t , response_queue_uuid ) ;
77+
78+ const frame_html = `
79+ <!doctype html>
80+ // dispatcher.js requires the baseURI to be set in order to compute the
81+ // server path correctly in the blob URL page.
82+ <base href="${ window . location . href }
83+ <script src="/html/cross-origin-embedder-policy/credentialless/resources/common.js"><\/script>
84+ <script src="/html/anonymous-iframe/resources/common.js"><\/script>
85+ <script src="/common/utils.js"><\/script>
86+ <script src="/common/dispatcher/dispatcher.js"><\/script>
87+ <script>
88+ if (window.opener === null) {
89+ send("${ noopener_response_queue } ${ opener_null_response }
90+ } else {
91+ send("${ noopener_response_queue } ${ opener_not_null_response }
92+ }
93+ <\/script>
94+ ` ;
95+
96+ const blob = new Blob ( [ frame_html ] , { type : "text/html" } ) ;
97+ const blob_url = URL . createObjectURL ( blob ) ;
98+
99+ // Attempt to open blob URL in cross partition iframe.
100+ await send ( cross_site_iframe_uuid , does_blob_url_open_return_handle ( blob_url , response_queue_uuid ) ) ;
101+ const response_1 = await receive ( response_queue_uuid ) ;
102+ if ( response_1 !== navigation_handle_null ) {
103+ reject ( `Blob URL handle wasn't null in not-same-top-level-site iframe: ${ response_1 } ) ;
104+ }
105+ const noopener_response_1 = await receive ( noopener_response_queue ) ;
106+ if ( noopener_response_1 !== opener_null_response ) {
107+ reject ( `Blob URL page opener wasn't null in not-same-top-level-site iframe.` ) ;
108+ }
109+
110+ // Attempt to open blob URL in same partition iframe.
111+ await send ( same_site_iframe_uuid , does_blob_url_open_return_handle ( blob_url , response_queue_uuid ) ) ;
112+ const response_2 = await receive ( response_queue_uuid ) ;
113+ if ( response_2 !== navigation_handle_not_null ) {
114+ reject ( `Blob URL wasn't opened in same-top-level-site iframe: ${ response_2 } ) ;
115+ }
116+ const noopener_response_2 = await receive ( noopener_response_queue ) ;
117+ if ( noopener_response_2 !== opener_non_null_response ) {
118+ reject ( `Blob URL page opener was null in same-top-level-site iframe` ) ;
119+ }
120+ resolve ( ) ;
121+ } catch ( e ) {
122+ reject ( e ) ;
123+ }
124+ } ) ;
125+ } , "Blob URL navigation should enforce noopener for a cross-top-level-site navigation" ) ;
126+
127+ </ script >
128+ </ body >
0 commit comments