make file: an effectively unique origin

LayoutTests/security/cannot-read-self-from-file.html

Index: LayoutTests/security/cannot-read-self-from-file.html
diff --git a/LayoutTests/security/cannot-read-self-from-file.html b/LayoutTests/security/cannot-read-self-from-file.html
new file mode 100644
index 0000000000000000000000000000000000000000..473bf5b20fbc1c7ca8b4dfbe3c446770013574d1
--- /dev/null
+++ b/LayoutTests/security/cannot-read-self-from-file.html
@@ -0,0 +1,13 @@
+<html>

[Mike West, 2015/05/17 08:40:48]

Nit: doctype.

[TheJH, 2015/05/17 14:35:19]

Hm, ok, added one to both HTML documents. (Not one the documents
really conform to, as far as I understand, since there's no <title>.)

+<head>
+<script>
+testRunner.dumpAsText();

[Mike West, 2015/05/17 08:40:48]

Rather than setting these manually, please convert this to use `testrunner.js`,
which will set up the environment for you. That is, include:

    <script src="/resources/testharness.js"></script>
    <script src="/resources/testharnessreport.js"></script>

at the top of the document, and use the provided assertion mechanisms to execute
your test.
http://darobin.github.io/test-harness-tutorial/docs/using-testharness.html has
details.

[TheJH, 2015/05/17 14:35:19]

Note that I need to use relative URLs because I'm running from file:.
I can't get it to work. That is, the tested code clearly does run, and the
tested code would
print different console output if the test failed, so you'd notice a fail, but
that's just the "CONSOLE ERROR: XMLHttpRequest cannot load
cannot-read-self-from-file.html. Cross origin requests are only supported for
protocol schemes: http, data, https." message. Whether or not code in
assert_throws() throws seems to have no impact on the outcome of the test. To
see it for yourself:

1. Run the test - it passes.
2. Apply this patch:

diff --git a/LayoutTests/security/resources/cannot-read-self-from-file.html
b/LayoutTests/security/resources/cannot-read-self-from-file.html
index ce246fa..12d8969 100644
--- a/LayoutTests/security/resources/cannot-read-self-from-file.html
+++ b/LayoutTests/security/resources/cannot-read-self-from-file.html
@@ -7,7 +7,8 @@
 test(function() {
   var req = new XMLHttpRequest();
   req.open('GET', location);
-  assert_throws("NetworkError", function(){req.send()}, "request should fail");
+  try { req.send() } catch(e) {}
+  assert_throws("NetworkError", function(){}, "request should fail");
 }, "file: URI documents can't request themselves");
 </script>
 </head>

3. Run the test again. Still passes.

Can someone who is a bit more familiar with this stuff tell me what I'm doing
wrong?

+testRunner.setAllowUniversalAccessFromFileURLs(false);
+testRunner.setAllowFileAccessFromFileURLs(false);

[Mike West, 2015/05/17 08:40:48]

These default to `false`, don't they? Why do you need to set them?

[TheJH, 2015/05/17 14:35:19]

See ./content/shell/common/test_runner/test_preferences.cc:

void TestPreferences::Reset() {
[...]
  allow_file_access_from_file_urls = true;
[...]
  // Allow those layout tests running as local files, i.e. under
  // LayoutTests/http/tests/local, to access http server.
  allow_universal_access_from_file_urls = true;
[...]
}

+</script>
+</head>
+<body>
+<iframe src="resources/cannot-read-self-from-file.html"></iframe>

[Mike West, 2015/05/17 08:40:48]

Why do this work in an `<iframe>`? Wouldn't the result be the same if you
executed the same code in this file?

[TheJH, 2015/05/17 14:35:19]

As far as I understand, I need to create a new origin to let
testRunner.setAllowUniversalAccessFromFileURLs(false); and
testRunner.setAllowFileAccessFromFileURLs(false); take effect, which can
be achieved by loading a new document in an iframe. There's a bunch of other
tests that follow the same pattern.

I actually tried it without the iframe first, which didn't work.

+Documents loaded from file: shouldn't be able to access themselves via XHR.
+</body>
+</html>