disallowed-navigations.https.html

Enable keyboard shortcuts

This test has a WPT meta file that expects 5 subtest issues.
This WPT test may be referenced by the following Test IDs:
- /fenced-frame/disallowed-navigations.https.html - WPT Dashboard Interop Dashboard

<!DOCTYPE html>

<title>Fenced frame disallowed navigations</title>

<meta name="timeout" content="long">

<script src="/resources/testharness.js"></script>

<script src="/resources/testharnessreport.js"></script>

<script src="/common/dispatcher/dispatcher.js"></script>

<script src="/common/get-host-info.sub.js"></script>

<script src="/common/utils.js"></script>

<script src="resources/utils.js"></script>

<script src="/fetch/private-network-access/resources/support.sub.js"></script>

<body>

<script>

// Baseline tests:

//   - Embedder can navigate iframe to blob: URL

//   - Embedder can navigate iframe to data: URL

//   - Same-origin embedder can navigate iframe to javascript: URL

//   - Embedder can navigate iframe to http: URL

// Fenced frame tests:

//   - Embedder cannot navigate fenced frame to blob: URL

//   - Embedder cannot navigate fenced frame to data: URL

//   - Same-origin embedder cannot navigate fenced frame to

//     javascript: URL

//   - Embedder cannot navigate fenced frame to http: URL

// Fenced frames are always put in the public IP address space which is the

// least privileged. In case a navigation to a local data: URL or blob: URL

// resource is allowed, they would only be able to fetch things that are *also*

// in the public IP address space. So for the document described by these local

// URLs, we'll set them up to only communicate back to the outer page via

// resources obtained in the public address space.

const kPublicUtils = resolveUrl("resources/utils.js", Server.HTTPS_PUBLIC);

// These are just baseline tests asserting that this test's machinery to load

// blob:, data:, and javascript: URLs work properly in contexts where they are

// expected to.

promise_test(async () => {

  const key = token();

  attachIFrame(`data:text/html, ${createLocalSource(key, kPublicUtils)}`);

  const result = await nextValueFromServer(key);

  assert_equals(result, "LOADED");

}, "iframe data: URL");

promise_test(async () => {

  const key = token();

  const blobURL = URL.createObjectURL(

      new Blob([`${createLocalSource(key, kPublicUtils)}`],

               {type: 'text/html'}));

  attachIFrame(blobURL);

  const result = await nextValueFromServer(key);

  assert_equals(result, "LOADED");

}, "iframe blob: URL");

promise_test(async () => {

  const iframe = attachIFrameContext();

  iframe.src = "javascript:window.jsURLExecuted = true;"

  await iframe.execute(async () => {

    assert_equals(window.jsURLExecuted, true);

});

}, "iframe javascript: URL");

// The following tests ensure that an embedder cannot navigate a fenced frame

// to:

//   - data: URLs

//   - blob: URLs

//   - javascript: URLs

//   - http: URLs

function getTimeoutPromise(t) {

  return new Promise(resolve =>

      t.step_timeout(() => resolve("NOT LOADED"), 2000));

promise_test(async t => {

  const key = token();

  attachFencedFrame(`data:text/html, ${createLocalSource(key, kPublicUtils)}`);

  const loaded_promise = nextValueFromServer(key);

  const result = await Promise.any([loaded_promise, getTimeoutPromise(t)]);

  assert_equals(result, "NOT LOADED");

}, `fenced frame data: URL`);

promise_test(async t => {

  const key = token();

  const blobURL = URL.createObjectURL(

      new Blob([`${createLocalSource(key, kPublicUtils)}`],

               {type: 'text/html'}));

  attachFencedFrame(blobURL);

  const loaded_promise = nextValueFromServer(key);

  const result = await Promise.any([loaded_promise, getTimeoutPromise(t)]);

  assert_equals(result, "NOT LOADED");

}, `fenced frame blob: URL`);

promise_test(async t => {

  const fencedframe = attachFencedFrameContext();

  fencedframe.src = "javascript:window.jsURLExecuted = true;"

  // Just in case the javascript URL executes asynchronously, let's wait for

  // it.

  await getTimeoutPromise(t);

  await fencedframe.execute(async () => {

    assert_equals(window.jsURLExecuted, undefined);

});

}, `fenced frame javascript: URL`);

promise_test(async t => {

  const key = token();

  let http_url = new URL("resources/embeddee.html",

      get_host_info().HTTP_ORIGIN + location.pathname);

  http_url = generateURL(http_url, [key]);

  assert_equals(http_url.protocol, "http:");

  const fencedframe = attachFencedFrame(http_url);

  const loaded_promise = nextValueFromServer(key);

  const result = await Promise.any([loaded_promise, getTimeoutPromise(t)]);

  assert_equals(result, "NOT LOADED");

}, `fenced frame http: URL`);

</script>

</body>