Bug 1365157 - wpt test cases to ensure 'data:' iframe is forbidden to access its contentDocument.
MozReview-Commit-ID: 8jnewE1eEcc
--- a/testing/web-platform/meta/MANIFEST.json
+++ b/testing/web-platform/meta/MANIFEST.json
@@ -581432,17 +581432,17 @@
"7f982fe347ac7fbc14e853d14a2535685a970395",
"support"
],
"html/browsers/origin/cross-origin-objects/win-documentdomain.sub.html": [
"37d2be417bbc3b8473c2d4bfaa3b7a9973140ce9",
"support"
],
"html/browsers/origin/origin-of-data-document.html": [
- "360415417ed0dadfaf947954fbd0cf801dbd5bdc",
+ "9fec457691ac4b071e9bc8de1ebf6f13dbadd4e5",
"testharness"
],
"html/browsers/origin/relaxing-the-same-origin-restriction/.gitkeep": [
"da39a3ee5e6b4b0d3255bfef95601890afd80709",
"support"
],
"html/browsers/origin/relaxing-the-same-origin-restriction/document_domain.html": [
"9839a9c24ce78ec42da8a60d2175df06e19983c1",
--- a/testing/web-platform/tests/html/browsers/origin/origin-of-data-document.html
+++ b/testing/web-platform/tests/html/browsers/origin/origin-of-data-document.html
@@ -5,24 +5,35 @@
<title>Origin of document produced from a 'data:' URL</title>
<link rel="help" href="https://html.spec.whatwg.org/multipage/browsers.html#origin">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>
<body>
<script>
async_test(function (t) {
+ var i = document.createElement('iframe');
+ i.src = "data:text/html,<script>" +
+ " window.parent.postMessage('Hello!', '*');" +
+ "</scr" + "ipt>";
+
window.addEventListener("message", t.step_func_done(function (e) {
assert_equals(e.origin, "null", "Messages sent from a 'data:' URL should have an opaque origin (which serializes to 'null').");
assert_throws("SecurityError", function () {
var couldAccessCrossOriginProperty = e.source.location.href;
- }, "The 'data:' frame should be cross-origin.")
+ }, "The 'data:' frame should be cross-origin: 'window.location.href'");
+
+ // Try to access contentDocument of the 'data: ' frame. Some browsers
+ // (i.e. Firefox, Safari) will return |null| and some (i.e. Chrome)
+ // will throw an exception.
+ var dataFrameContentDocument = null;
+ try {
+ dataFrameContentDocument = i.contentDocument;
+ } catch (ex) {
+ }
+ assert_equals(dataFrameContentDocument, null, "The 'data:' iframe should be unable to access its contentDocument.");
}));
- var i = document.createElement('iframe');
- i.src = "data:text/html,<script>" +
- " window.parent.postMessage('Hello!', '*');" +
- "</scr" + "ipt>";
document.body.appendChild(i);
}, "The origin of a 'data:' document in a frame is opaque.");
</script>
</body>
</html>