Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-08-10 07:55:33 +01:00
Code Issues Projects Releases Packages Wiki Activity

Allow browsing contexts to resolve to cross-origin windows.

Browse source
This commit is contained in:
Alan Jeffrey 2017-01-31 08:56:38 -06:00
parent 4a0b730caf
commit e8d765557f
11 changed files with 598 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

12
tests/wpt/mozilla/meta/MANIFEST.json
View file

@ -12721,6 +12721,14 @@
{}
]
],
"mozilla/cross-origin-objects/cross-origin-objects.html": [
[
"/_mozilla/mozilla/cross-origin-objects/cross-origin-objects.html",
{
"timeout": "long"
}
]
],
"mozilla/deterministic-raf.html": [
[
"/_mozilla/mozilla/deterministic-raf.html",
@ -25350,6 +25358,10 @@
"f1029d519aa7017a1a3d18a891a0774b9a39f847",
"testharness"
],
"mozilla/cross-origin-objects/cross-origin-objects.html": [
"5d5a3ba4099dfabddbed1ea98ad8fe1f5c00a3d3",
"testharness"
],
"mozilla/details_ui_closed.html": [
"2acbe3afbec267bad4dd986803e636740a707507",
"reftest"

5
tests/wpt/mozilla/meta/mozilla/cross-origin-objects/cross-origin-objects.html.ini Normal file
View file

@ -0,0 +1,5 @@
[cross-origin-objects.html]
type: testharness
[Parentage of cross-origin windows]
expected: FAIL

118
tests/wpt/mozilla/tests/mozilla/cross-origin-objects/cross-origin-objects.html Normal file
View file

@ -0,0 +1,118 @@
<!doctype html>
<meta charset=utf-8>
<meta name="timeout" content="long">
<title>Cross-origin behavior of Window and Location</title>
<link rel="author" title="Bobby Holley (:bholley)" href="bobbyholley@gmail.com">
<link rel="help" href="https://html.spec.whatwg.org/multipage/#security-window">
<link rel="help" href="https://html.spec.whatwg.org/multipage/#security-location">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<div id=log></div>
<script>
/*
* This is a stripped down version of
* /html/browsers/origin/cross-origin-objects/cross-origin-objects.html,
* which runs the tests in a dissimilar-origin iframe.
* This is a temporary work-around until the web-platform-tests supports
* more than one domain.
*/
var UrlB = "/common/blank.html";
var UrlC = "http://127.0.0.1:8000/common/blank.html";
/*
* Parentage
*/
async_test(function(t) {
var IframeB = document.createElement("iframe");
var IframeC = document.createElement("iframe");
var B = null;
var C = null;
IframeC.onload = t.step_func(function() {
if (!B || !C) {
B = IframeB.contentWindow;
C = IframeC.contentWindow;
IframeB.src = UrlB;
IframeC.src = UrlC;
} else {
assert_equals(B.parent, window, "window.parent works same-origin");
assert_equals(C.parent, window, "window.parent works cross-origin");
assert_equals(B.top, window, "window.top works same-origin");
assert_equals(C.top, window, "window.top works cross-origin");
t.done();
}
});
document.body.appendChild(IframeB);
document.body.appendChild(IframeC);
},"Parentage of cross-origin windows");
/*
* Whitelist behavior.
*
* Also tests for [[GetOwnProperty]] and [[HasOwnProperty]] behavior.
*/
var whitelistedWindowIndices = ['0', '1'];
var whitelistedWindowPropNames = ['location', 'postMessage', 'window', 'frames', 'self', 'top', 'parent',
'opener', 'closed', 'close', 'blur', 'focus', 'length'];
whitelistedWindowPropNames = whitelistedWindowPropNames.concat(whitelistedWindowIndices);
whitelistedWindowPropNames.sort();
var whitelistedLocationPropNames = ['href', 'replace'];
whitelistedLocationPropNames.sort();
var whitelistedSymbols = [Symbol.toStringTag, Symbol.hasInstance,
Symbol.isConcatSpreadable];
var whitelistedWindowProps = whitelistedWindowPropNames.concat(whitelistedSymbols);
async_test(function(t) {
var IframeB = document.createElement("iframe");
var IframeC = document.createElement("iframe");
var B = null;
var C = null;
IframeC.onload = t.step_func(function() {
if (!B || !C) {
B = IframeB.contentWindow;
C = IframeC.contentWindow;
IframeB.src = UrlB;
IframeC.src = UrlC;
} else {
for (var prop in window) {
if (whitelistedWindowProps.indexOf(prop) != -1) {
C[prop]; // Shouldn't throw.
Object.getOwnPropertyDescriptor(C, prop); // Shouldn't throw.
assert_true(Object.prototype.hasOwnProperty.call(C, prop), "hasOwnProperty for " + String(prop));
} else {
assert_throws("SecurityError", function() { C[prop]; }, "Should throw when accessing " + String(prop) + " on Window");
assert_throws("SecurityError", function() { Object.getOwnPropertyDescriptor(C, prop); },
"Should throw when accessing property descriptor for " + prop + " on Window");
assert_throws("SecurityError", function() { Object.prototype.hasOwnProperty.call(C, prop); },
"Should throw when invoking hasOwnProperty for " + prop + " on Window");
}
if (prop != 'location')
assert_throws("SecurityError", function() { C[prop] = undefined; }, "Should throw when writing to " + prop + " on Window");
}
for (var prop in location) {
if (prop == 'replace') {
C.location[prop]; // Shouldn't throw.
Object.getOwnPropertyDescriptor(C.location, prop); // Shouldn't throw.
assert_true(Object.prototype.hasOwnProperty.call(C.location, prop), "hasOwnProperty for " + prop);
}
else {
assert_throws("SecurityError", function() { C[prop]; }, "Should throw when accessing " + prop + " on Location");
assert_throws("SecurityError", function() { Object.getOwnPropertyDescriptor(C, prop); },
"Should throw when accessing property descriptor for " + prop + " on Location");
assert_throws("SecurityError", function() { Object.prototype.hasOwnProperty.call(C, prop); },
"Should throw when invoking hasOwnProperty for " + prop + " on Location");
}
if (prop != 'href')
assert_throws("SecurityError", function() { C[prop] = undefined; }, "Should throw when writing to " + prop + " on Location");
}
t.done();
}
});
document.body.appendChild(IframeB);
document.body.appendChild(IframeC);
}, "Only whitelisted properties are accessible cross-origin");
</script>