Index: third_party/WebKit/Source/core/html/HTMLIFrameElementTest.cpp |
diff --git a/third_party/WebKit/Source/core/html/HTMLIFrameElementTest.cpp b/third_party/WebKit/Source/core/html/HTMLIFrameElementTest.cpp |
index 2df838ca7e857bb3c30a276aee042b220dfd6e83..30053b2158045fe602ce4555bfaeb3f6374403f1 100644 |
--- a/third_party/WebKit/Source/core/html/HTMLIFrameElementTest.cpp |
+++ b/third_party/WebKit/Source/core/html/HTMLIFrameElementTest.cpp |
@@ -29,4 +29,80 @@ TEST(HTMLIFrameElementTest, SetAllowAttributeJS) { |
EXPECT_EQ("fullscreen", iframe->getAttribute(HTMLNames::allowAttr)); |
} |
+// Test that the correct origin is used when constructing the container policy, |
+// and that frames which should inherit their parent document's origin do so. |
+TEST(HTMLIFrameElementTest, FramesUseCorrectOrigin) { |
+ Document* document = Document::Create(); |
+ document->UpdateSecurityOrigin( |
+ SecurityOrigin::Create(KURL(KURL(), "http://example.com"))); |
+ |
+ HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
+ |
+ frame_element->setAttribute(HTMLNames::srcAttr, "about:blank"); |
+ RefPtr<SecurityOrigin> effective_origin = |
+ frame_element->GetOriginForFeaturePolicy(); |
+ EXPECT_TRUE( |
+ effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
+ |
+ frame_element->setAttribute(HTMLNames::srcAttr, "http://example.net/"); |
+ effective_origin = frame_element->GetOriginForFeaturePolicy(); |
+ EXPECT_FALSE( |
+ effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
+} |
+ |
+// Test that a unique origin is used when constructing the container policy in a |
+// sandboxed iframe. |
+TEST(HTMLIFrameElementTest, SandboxFramesUseCorrectOrigin) { |
+ Document* document = Document::Create(); |
+ document->UpdateSecurityOrigin( |
+ SecurityOrigin::Create(KURL(KURL(), "http://example.com"))); |
+ |
+ HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
+ |
+ frame_element->setAttribute(HTMLNames::sandboxAttr, "sandbox"); |
+ frame_element->setAttribute(HTMLNames::srcAttr, "http://example.com/"); |
+ RefPtr<SecurityOrigin> effective_origin = |
+ frame_element->GetOriginForFeaturePolicy(); |
+ EXPECT_FALSE( |
+ effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
alexmos
2017/04/13 02:09:15
nit: I'd also check that effective_origin->IsUniqu
iclelland
2017/04/13 19:05:31
Done. (And I'd added that to the ContainerPolicy t
|
+ |
+ frame_element->setAttribute(HTMLNames::srcAttr, "http://example.net/"); |
+ effective_origin = frame_element->GetOriginForFeaturePolicy(); |
+ EXPECT_FALSE( |
+ effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
+} |
+ |
+// Test that the parent document's origin is used when constructing the |
+// container policy in a srcdoc iframe. |
+TEST(HTMLIFrameElementTest, SrcdocFramesUseCorrectOrigin) { |
+ Document* document = Document::Create(); |
+ document->UpdateSecurityOrigin( |
+ SecurityOrigin::Create(KURL(KURL(), "http://example.com"))); |
+ |
+ HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
+ |
+ frame_element->setAttribute(HTMLNames::srcdocAttr, "<title>title</title>"); |
+ RefPtr<SecurityOrigin> effective_origin = |
+ frame_element->GetOriginForFeaturePolicy(); |
+ EXPECT_TRUE( |
+ effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
+} |
+ |
+// Test that a unique origin is used when constructing the container policy in a |
+// sandboxed iframe with a srcdoc. |
+TEST(HTMLIFrameElementTest, SandboxedSrcdocFramesUseCorrectOrigin) { |
+ Document* document = Document::Create(); |
+ document->UpdateSecurityOrigin( |
+ SecurityOrigin::Create(KURL(KURL(), "http://example.com"))); |
+ |
+ HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
+ |
+ frame_element->setAttribute(HTMLNames::sandboxAttr, "sandbox"); |
+ frame_element->setAttribute(HTMLNames::srcdocAttr, "<title>title</title>"); |
+ RefPtr<SecurityOrigin> effective_origin = |
+ frame_element->GetOriginForFeaturePolicy(); |
+ EXPECT_FALSE( |
+ effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
+} |
+ |
} // namespace blink |