Bug 341604 - tests for iframe sandbox - same origin r=jst

2024-09-13 09:24:08 -07:00 · 2012-08-20 11:34:33 -07:00 · 2012-08-20 11:34:33 -07:00 · 488c17dbef
commit 488c17dbef
parent 06019be17e
5 changed files with 237 additions and 0 deletions
--- a/content/html/content/test/Makefile.in
+++ b/content/html/content/test/Makefile.in
@ -266,6 +266,10 @@ MOCHITEST_FILES = \
 		test_input_file_picker.html \
 		test_bug763626.html \
 		test_bug780993.html \
+		test_iframe_sandbox_same_origin.html \
+		file_iframe_sandbox_b_if1.html \
+		file_iframe_sandbox_b_if2.html \
+		file_iframe_sandbox_b_if3.html \
 		$(NULL)

 MOCHITEST_BROWSER_FILES = \
--- a/content/html/content/test/file_iframe_sandbox_b_if1.html
+++ b/content/html/content/test/file_iframe_sandbox_b_if1.html
@ -0,0 +1,11 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 341604</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+  I am sandboxed without any permissions
+</body>
+</html>
--- a/content/html/content/test/file_iframe_sandbox_b_if2.html
+++ b/content/html/content/test/file_iframe_sandbox_b_if2.html
@ -0,0 +1,49 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 341604</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<script>
+  function ok(condition, msg) {
+    window.parent.ok_wrapper(condition, msg);
+  }
+
+  function testXHR() {
+    var xhr = new XMLHttpRequest();
+
+    xhr.open("GET", "file_iframe_sandbox_b_if1.html");
+
+    xhr.onreadystatechange = function (oEvent) {
+      var result = false;
+      if (xhr.readyState == 4) {
+        if (xhr.status == 200) {
+          result = true;
+        }
+        ok(result, "XHR should work normally in an iframe sandboxed with 'allow-same-origin'");
+      }
+    }
+
+    xhr.send(null);
+  }
+
+  function doStuff() {
+    ok(true, "documents sandboxed with 'allow-same-origin' should be able to access their parent");
+
+    // should be able to access document.cookie since we have 'allow-same-origin'
+    ok(document.cookie == "", "a document sandboxed with allow-same-origin should be able to access document.cookie");
+
+    // should be able to access localStorage since we have 'allow-same-origin'
+    ok(window.localStorage, "a document sandboxed with allow-same-origin should be able to access localStorage");
+
+    // should be able to access sessionStorage since we have 'allow-same-origin'
+    ok(window.sessionStorage, "a document sandboxed with allow-same-origin should be able to access sessionStorage");
+
+    testXHR();
+  }
+</script>
+<body onLoad="doStuff()">
+  I am sandboxed but with "allow-same-origin" and "allow-scripts"
+</body>
+</html>
--- a/content/html/content/test/file_iframe_sandbox_b_if3.html
+++ b/content/html/content/test/file_iframe_sandbox_b_if3.html
@ -0,0 +1,65 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 341604</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<script>
+  function ok(result, message) {
+    window.parent.postMessage({ok: result, desc: message}, "*");
+  }
+
+  function testXHR() {
+  var xhr = new XMLHttpRequest();
+
+  xhr.open("GET", "file_iframe_sandbox_if1.html");
+
+  xhr.onreadystatechange = function (oEvent) {
+    var result = false;
+    if (xhr.readyState == 4) {
+      if (xhr.status == 0) {
+        result = true;
+      }
+      ok(result, "XHR should be blocked in an iframe sandboxed WITHOUT 'allow-same-origin'");
+    }
+  }
+
+  xhr.send(null);
+}
+
+  function doStuff() {
+    try {
+      window.parent.ok(false, "documents sandboxed without 'allow-same-origin' should NOT be able to access their parent");
+    } catch (error) {
+      ok(true, "documents sandboxed without 'allow-same-origin' should NOT be able to access their parent");
+    }
+
+    // should NOT be able to access document.cookie
+    try {
+      var foo = document.cookie;
+    } catch(error) {
+      ok(true, "a document sandboxed without allow-same-origin should NOT be able to access document.cookie");
+    }
+
+    // should NOT be able to access localStorage
+    try {
+      var foo = window.localStorage;
+    } catch(error) {
+      ok(true, "a document sandboxed without allow-same-origin should NOT be able to access localStorage");
+    }
+
+    // should NOT be able to access sessionStorage
+    try {
+      var foo = window.sessionStorage;
+    } catch(error) {
+      ok(true, "a document sandboxed without allow-same-origin should NOT be able to access sessionStorage");
+    }
+
+  testXHR();
+  }
+</script>
+<body onLoad="doStuff()">
+  I am sandboxed but with "allow-scripts"
+</body>
+</html>
--- a/content/html/content/test/test_iframe_sandbox_same_origin.html
+++ b/content/html/content/test/test_iframe_sandbox_same_origin.html
@ -0,0 +1,108 @@
+\<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=341604
+Implement HTML5 sandbox attribute for IFRAMEs - same origin tests
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 341604</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<script type="application/javascript">
+/** Test for Bug 341604 - Implement HTML5 sandbox attribute for IFRAMEs **/
+/** Same Origin Tests **/
+
+SimpleTest.waitForExplicitFinish();
+  
+var completedTests = 0;
+var passedTests = 0;
+
+function ok_wrapper(result, desc) {
+  ok(result, desc);
+
+  completedTests++;
+
+  if (result) {
+    passedTests++;
+  }
+
+  if (completedTests == 12) {
+    is(passedTests, 12, "There are 12 same-origin tests that should pass");
+
+    SimpleTest.finish();
+  }
+}
+
+function receiveMessage(event)
+{
+  ok_wrapper(event.data.ok, event.data.desc);
+}
+
+// a postMessage handler that is used by sandboxed iframes without
+// 'allow-same-origin' to communicate pass/fail back to this main page.
+// it expects to be called with an object like {ok: true/false, desc:
+// <description of the test> which it then forwards to ok()
+window.addEventListener("message", receiveMessage, false);
+
+function doTest() {
+  // 1) test that we can't access an iframe sandboxed without "allow-same-origin"
+  var if_1 = document.getElementById("if_1");
+  try {
+    var b = if_1.contentDocument.body;
+    ok_wrapper(false, "accessing body of a sandboxed document should not be allowed");
+  } catch (err){
+    ok_wrapper(true, "accessing body of a sandboxed document should not be allowed");
+  }
+
+  // 2) test that we can access an iframe sandboxed with "allow-same-origin"
+  var if_2 = document.getElementById("if_2");
+
+  try {
+    var b = if_2.contentDocument.body;
+    ok_wrapper(true, "accessing body of a sandboxed document with allow-same-origin should be allowed");
+  } catch (err) {
+    ok_wrapper(false, "accessing body of a sandboxed document with allow-same-origin should be allowed");
+  }
+
+  // 3) test that a sandboxed iframe without 'allow-same-origin' cannot access its parent
+  // this is done by file_iframe_b_if3.html which has 'allow-scripts' but not 'allow-same-origin'
+
+  // 4) test that a sandboxed iframe with 'allow-same-origin' can access its parent
+  // this is done by file_iframe_b_if2.html which has 'allow-same-origin' and 'allow-scripts'
+
+  // 5) check that a sandboxed iframe with "allow-same-origin" can access document.cookie
+  // this is done by file_iframe_b_if2.html which has 'allow-same-origin' and 'allow-scripts'
+
+  // 6) check that a sandboxed iframe with "allow-same-origin" can access window.localStorage
+  // this is done by file_iframe_b_if2.html which has 'allow-same-origin' and 'allow-scripts'
+
+  // 7) check that a sandboxed iframe with "allow-same-origin" can access window.sessionStorage
+  // this is done by file_iframe_b_if2.html which has 'allow-same-origin' and 'allow-scripts'
+
+  // 8) check that a sandboxed iframe WITHOUT "allow-same-origin" can NOT access document.cookie
+  // this is done by file_iframe_b_if3.html which has 'allow-scripts' but not 'allow-same-origin'
+
+  // 9) check that a sandboxed iframe WITHOUT "allow-same-origin" can NOT access window.localStorage
+  // this is done by file_iframe_b_if3.html which has 'allow-scripts' but not 'allow-same-origin'
+
+  // 10) check that a sandboxed iframe WITHOUT "allow-same-origin" can NOT access window.sessionStorage
+  // this is done by file_iframe_b_if3.html which has 'allow-scripts' but not 'allow-same-origin'
+
+  // 11) check that XHR works normally in a sandboxed iframe with "allow-same-origin" and "allow-scripts"
+  // this is done by file_iframe_b_if2.html which has 'allow-same-origin' and 'allow-scripts'
+
+  // 12) check that XHR is blocked in a sandboxed iframe with "allow-scripts" but WITHOUT "allow-same-origin"
+  // this is done by file_iframe_b_if3.html which has 'allow-scripts' but not 'allow-same-origin'
+}
+addLoadEvent(doTest);
+</script>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=341604">Mozilla Bug 341604</a> - Implement HTML5 sandbox attribute for IFRAMEs
+<p id="display"></p>
+<div id="content">
+<iframe sandbox="" id="if_1" src="file_iframe_sandbox_b_if1.html" height="10" width="10"></iframe>
+<iframe sandbox="allow-same-origin allow-scripts" id="if_2" src="file_iframe_sandbox_b_if2.html" height="10" width="10"></iframe>
+<iframe sandbox="allow-scripts" id="if_3" src="file_iframe_sandbox_b_if3.html" height="10" width="10"></iframe>
+</div>