Mercurial > mozreview > gecko / changeset / d2e36fc0df5d8c2f7f459a021007d8a44d452dc0
summary | shortlog | changelog | pushlog | graph | tags | bookmarks | branches | files | changeset | raw | zip | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Bug 1365157 - wpt test cases to ensure 'data:' iframe is forbidden to access its contentDocument. draft
authorHenry Chang <hchang@mozilla.com>
Thu, 17 Aug 2017 09:47:14 +0800
changeset 647895 d2e36fc0df5d8c2f7f459a021007d8a44d452dc0
parent 647817 63ca686c3f1e870649b6d9c559973d100573aec2
child 726658 70a3c2e18a2827ee24c3dcd7f559c5cbbf3fcaea
push id74571
push userhchang@mozilla.com
push dateThu, 17 Aug 2017 02:03:58 +0000
bugs1365157
milestone57.0a1
Bug 1365157 - wpt test cases to ensure 'data:' iframe is forbidden to access its contentDocument. MozReview-Commit-ID: 8jnewE1eEcc
testing/web-platform/meta/MANIFEST.json file | annotate | diff | comparison | revisions
testing/web-platform/tests/html/browsers/origin/origin-of-data-document.html file | annotate | diff | comparison | revisions 
--- a/testing/web-platform/meta/MANIFEST.json
+++ b/testing/web-platform/meta/MANIFEST.json
@@ -581432,17 +581432,17 @@
    "7f982fe347ac7fbc14e853d14a2535685a970395",
    "support"
   ],
   "html/browsers/origin/cross-origin-objects/win-documentdomain.sub.html": [
    "37d2be417bbc3b8473c2d4bfaa3b7a9973140ce9",
    "support"
   ],
   "html/browsers/origin/origin-of-data-document.html": [
-   "360415417ed0dadfaf947954fbd0cf801dbd5bdc",
+   "9fec457691ac4b071e9bc8de1ebf6f13dbadd4e5",
    "testharness"
   ],
   "html/browsers/origin/relaxing-the-same-origin-restriction/.gitkeep": [
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "support"
   ],
   "html/browsers/origin/relaxing-the-same-origin-restriction/document_domain.html": [
    "9839a9c24ce78ec42da8a60d2175df06e19983c1",
--- a/testing/web-platform/tests/html/browsers/origin/origin-of-data-document.html
+++ b/testing/web-platform/tests/html/browsers/origin/origin-of-data-document.html
@@ -5,24 +5,35 @@
     <title>Origin of document produced from a 'data:' URL</title>
     <link rel="help" href="https://html.spec.whatwg.org/multipage/browsers.html#origin">
     <script src="/resources/testharness.js"></script>
     <script src="/resources/testharnessreport.js"></script>
   </head>
   <body>
     <script>
       async_test(function (t) {
+        var i = document.createElement('iframe');
+        i.src = "data:text/html,<script>" +
+                "  window.parent.postMessage('Hello!', '*');" +
+                "</scr" + "ipt>";
+
         window.addEventListener("message", t.step_func_done(function (e) {
           assert_equals(e.origin, "null", "Messages sent from a 'data:' URL should have an opaque origin (which serializes to 'null').");
           assert_throws("SecurityError", function () {
             var couldAccessCrossOriginProperty = e.source.location.href;
-          }, "The 'data:' frame should be cross-origin.")
+          }, "The 'data:' frame should be cross-origin: 'window.location.href'");
+
+          // Try to access contentDocument of the 'data: ' frame. Some browsers
+          // (i.e. Firefox, Safari) will return |null| and some (i.e. Chrome)
+          // will throw an exception.
+          var dataFrameContentDocument = null;
+          try {
+            dataFrameContentDocument = i.contentDocument;
+          } catch (ex) {
+          }
+          assert_equals(dataFrameContentDocument, null, "The 'data:' iframe should be unable to access its contentDocument.");
         }));
 
-        var i = document.createElement('iframe');
-        i.src = "data:text/html,<script>" +
-                "  window.parent.postMessage('Hello!', '*');" +
-                "</scr" + "ipt>";
         document.body.appendChild(i);
       }, "The origin of a 'data:' document in a frame is opaque.");
     </script>
   </body>
 </html>
gecko
Deployed from 4e825768105f at 2024-04-08T16:23:59Z.