Fix "blocked-iframe-are-cross-origin.html".

Reported by antoniosartori@, there was an error in the test: "blocked_iframe-are-cross-origin.html" In Javascript, lambda capture is done by reference. The reference was the loop 'variable'. As a result the second test case was run twice. The first test case couldn't work, because embedded enforcement do not apply to same-origin iframes. The patch fixes the test. [email protected] Bug: 1041376 Change-Id: Id5f223aa138470cb263eea5b0af9f616a314a374 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2218049 Reviewed-by: Arthur Sonzogni <[email protected]> Commit-Queue: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/master@{#774065}
web-platform-tests · Jun 2, 2020 · 2e45d16 · 2e45d16
1 parent 5cf5c99
commit 2e45d16
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 17 deletions.
diff --git a/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html b/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-  <title>Embedded Enforcement: blocked iframe are cross-origin.</title>
+  <title>Embedded Enforcement: blocked iframes are cross-origin.</title>
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>
   <script src="support/testharness-helper.sub.js"></script>
@@ -11,22 +11,48 @@
 
 let SecurityError = 18;
 
-let tests = [
-  {name: "Same-origin" , origin: getOrigin()},
-  {name: "Cross-origin", origin: getCrossOrigin()},
-];
-
-for(test of tests) {
-  promise_test(async () => {
-    let iframe = document.createElement("iframe");
-    let loaded = new Promise(r => iframe.onload = r);
-    iframe.csp = "script-src 'none'";
-    iframe.src = test.origin +  "common/blank.html";
-    document.body.appendChild(iframe);
-    await loaded;
-    assert_throws_dom(SecurityError, () => iframe.contentWindow.document);
-  }, `${test.name} document blocked by embedded enforcement must appear cross-origin`);
-}
+promise_test(async () => {
+  let iframe = document.createElement("iframe");
+  let loaded = new Promise(r => iframe.onload = r);
+  iframe.csp = "script-src 'none'";
+  iframe.src = getCrossOrigin() +  "common/blank.html";
+  document.body.appendChild(iframe);
+  await loaded;
+  assert_throws_dom(SecurityError, () => iframe.contentWindow.document);
+}, "Document blocked by embedded enforcement and its parent are cross-origin");
+
+promise_test(async () => {
+  // Create an iframe that would have been same-origin with the blocked iframe
+  // if it wasn't blocked.
+  let helper_frame = document.createElement("iframe");
+  let loaded_helper = new Promise(r => helper_frame.onload = r);
+  helper_frame.src = getCrossOrigin() +
+    "content-security-policy/embedded-enforcement/support/executor.html"
+  document.body.appendChild(helper_frame);
+  await loaded_helper;
+
+  let reply = new Promise(r => window.onmessage = r);
+  helper_frame.contentWindow.postMessage(`
+    let test = function() {
+      if (parent.frames.length != 2)
+        return "Error: Wrong number of iframes";
+
+      if (parent.frames[1] != window)
+        return "Error: Wrong frame index for the second iframe";
+
+      // Try to access frames[0] from frames[1]. This must fail.
+      try {
+        parent.frames[0].contentWindow;
+        return "Error: The error page appears same-origin";
+      } catch(dom_exception) {
+        return dom_exception.code;
+      }
+    };
+    parent.postMessage(test(), '*');
+  `, '*');
+
+  assert_equals((await reply).data, SecurityError);
+}, "Two same-origin iframes must appear as cross-origin when one is blocked");
 
 </script>
 </body>

diff --git a/content-security-policy/embedded-enforcement/support/executor.html b/content-security-policy/embedded-enforcement/support/executor.html
@@ -0,0 +1,3 @@
+<script>
+  window.onmessage = event => eval(event.data);
+</script>