| OLD | NEW |
|---|
| (Empty) | |
| 1 <!DOCTYPE html> |
| 2 <meta charset="utf-8"> |
| 3 <script src="../resources/testharness.js"></script> |
| 4 <script src="../resources/testharnessreport.js"></script> |
| 5 <script src="../resources/get-host-info.js?pipe=sub"></script> |
| 6 <script src="resources/test-helpers.js"></script> |
| 7 <title>Insecure parent frame test</title> |
| 8 <body></body> |
| 9 <script> |
| 10 // Asks |worker| to call clients.claim. Returns a promise that resolves when |
| 11 // the worker acks that claim finished. |
| 12 function wait_for_claim(worker) { |
| 13 var saw_message = new Promise(resolve => { |
| 14 var channel = new MessageChannel(); |
| 15 channel.port1.onmessage = (e => resolve(e.data)); |
| 16 worker.postMessage({port: channel.port2}, [channel.port2]); |
| 17 }); |
| 18 |
| 19 return saw_message.then(data => { |
| 20 assert_equals(data, 'PASS', 'claim should finish'); |
| 21 }); |
| 22 } |
| 23 |
| 24 // Asks |frame| whether it has a controller. Returns a promise that resolves |
| 25 // if controller was null. |
| 26 function assert_no_controller(frame, description) { |
| 27 var saw_message = new Promise(resolve => { |
| 28 window.onmessage = (e => resolve(e.data)); |
| 29 frame.contentWindow.postMessage('', '*'); |
| 30 }); |
| 31 |
| 32 return saw_message.then(data => assert_equals(data, 'PASS', description)); |
| 33 } |
| 34 |
| 35 // This test creates https iframes inside insecure http iframes. It registers a |
| 36 // service worker that should not control the in-scope iframes. The iframes |
| 37 // communicate whether they have a controller to the top-level frame. |
| 38 promise_test(t => { |
| 39 var script = 'resources/claim-worker.js'; |
| 40 var scope = 'resources/insecure-inscope'; |
| 41 var registration; |
| 42 var insecure_url = get_host_info().UNAUTHENTICATED_ORIGIN + |
| 43 '/serviceworker/resources/insecure-parent.html'; |
| 44 var pre_registration_frame; |
| 45 var post_registration_frame; |
| 46 |
| 47 return navigator.serviceWorker.getRegistration(scope) |
| 48 // Unregister. |
| 49 .then(reg => { |
| 50 if (reg) |
| 51 return reg.unregister(); |
| 52 }) |
| 53 |
| 54 // Create an iframe prior to registration. |
| 55 .then(() => with_iframe(insecure_url)) |
| 56 |
| 57 // Register. |
| 58 .then(frame => { |
| 59 pre_registration_frame = frame; |
| 60 add_result_callback(() => pre_registration_frame.remove()); |
| 61 return navigator.serviceWorker.register(script, {scope:scope}); |
| 62 }) |
| 63 .then(reg => { |
| 64 registration = reg; |
| 65 return wait_for_state(t, registration.installing, 'activated'); |
| 66 }) |
| 67 |
| 68 // Create an iframe after registration. |
| 69 .then(() => with_iframe(insecure_url)) |
| 70 .then(frame => post_registration_frame = frame) |
| 71 |
| 72 // Check that no frame is controlled. |
| 73 .then(() => assert_no_controller(pre_registration_frame, |
| 74 'pre_registration_frame should not be controlled')) |
| 75 .then(() => assert_no_controller(post_registration_frame, |
| 76 'post_registration_frame should not be controlled')) |
| 77 |
| 78 // Attempt to claim. The iframes should still have no controllers. |
| 79 .then(() => wait_for_claim(registration.active)) |
| 80 .then(() => assert_no_controller(pre_registration_frame, |
| 81 'pre_registration_frame should not be claimed')) |
| 82 .then(() => assert_no_controller(post_registration_frame, |
| 83 'post_registration_frame should not be claimed')); |
| 84 }, 'Service worker does not control a subframe of an insecure frame'); |
| 85 </script> |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2061203002:
WIP Reland: service worker: Don't control a subframe of an insecure context
Base URL: https://chromium.googlesource.com/chromium/src.git@master