Source code
Revision control
Copy as Markdown
Other Tools
Test Info:
- This WPT test may be referenced by the following Test IDs:
- /referrer-policy/generic/sandboxed-iframe-with-opaque-origin.html - WPT Dashboard Interop Dashboard
<!DOCTYPE html>
<html>
<head>
<title>Referrer Policy: Sandboxed iframes with opaque origins don't send referrers</title>
<link rel="author" title="Jochen Eisinger" href="mailto:jochen@chromium.org">
<link rel="author" title="Arthur Sonzogni" href="mailto:arthursonzogni@chromium.org">
<link rel="help" href="https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<!-- Common global functions for referrer-policy tests. -->
<script src="/common/security-features/resources/common.sub.js"></script>
<script src="/common/get-host-info.sub.js"></script>
</head>
<body>
<h1>
Referrer Policy: A document with an opaque origin doesn't send referrers
</h1>
<script>
let futureMessage = function() {
return new Promise(resolve => {
window.addEventListener("message", event => resolve(event.data));
});
}
function testSandboxedIframeSubresource(description,
sandboxAttributes,
expectedReferrer) {
promise_test(async test => {
let resource_url = get_host_info().HTTP_NOTSAMESITE_ORIGIN +
"/common/security-features/subresource/xhr.py";
const iframe = document.createElement("iframe");
iframe.sandbox = sandboxAttributes;
iframe.srcdoc = `
<meta name="referrer" content="always">
<script src="/common/security-features/resources/common.sub.js">
</scr`+`ipt>
<script>
requestViaFetch("${resource_url}").then((msg) => {
parent.postMessage(msg.referrer, '*');
}).catch((e) => {
parent.postMessage("FAILURE", '*');
});
</scr`+`ipt>
`;
const future_message = futureMessage();
document.body.appendChild(iframe);
assert_equals(await future_message, expectedReferrer);
}, description);
}
function testSandboxedIframeMainResource(description,
sandboxAttributes,
expectedReferrer) {
promise_test(async test => {
let document_url = get_host_info().HTTP_NOTSAMESITE_ORIGIN +
"/referrer-policy/generic/resources/referrer.py";
const iframe = document.createElement("iframe");
iframe.sandbox = sandboxAttributes;
iframe.srcdoc = `
<meta name="referrer" content="always">
<script>
onload = () => {
location.href = "${document_url}";
}
</scr`+`ipt>
`;
const future_message = futureMessage();
document.body.appendChild(iframe);
assert_equals(await future_message, expectedReferrer);
}, description);
}
testSandboxedIframeSubresource(
"Sandboxed iframe with opaque origin doesn't send referrers to subresources",
"allow-scripts", undefined);
testSandboxedIframeSubresource(
"Sandboxed iframe with tuple origin sends referrers to subresources",
"allow-same-origin allow-scripts", document.location.href);
testSandboxedIframeMainResource(
"Sandboxed iframe with opaque origin doesn't send referrers on navigation",
"allow-scripts", "");
testSandboxedIframeMainResource(
"Sandboxed iframe with tuple origin sends referrers on navigation",
"allow-same-origin allow-scripts", document.location.href);
</script>
</body>
</html>