Index: third_party/WebKit/Source/core/html/HTMLIFrameElementTest.cpp |
diff --git a/third_party/WebKit/Source/core/html/HTMLIFrameElementTest.cpp b/third_party/WebKit/Source/core/html/HTMLIFrameElementTest.cpp |
index 2df838ca7e857bb3c30a276aee042b220dfd6e83..88717bb3d742b5165dd6447ac290d016ab0f51b7 100644 |
--- a/third_party/WebKit/Source/core/html/HTMLIFrameElementTest.cpp |
+++ b/third_party/WebKit/Source/core/html/HTMLIFrameElementTest.cpp |
@@ -29,4 +29,253 @@ TEST(HTMLIFrameElementTest, SetAllowAttributeJS) { |
EXPECT_EQ("fullscreen", iframe->getAttribute(HTMLNames::allowAttr)); |
} |
+// Test that the correct origin is used when constructing the container policy, |
+// and that frames which should inherit their parent document's origin do so. |
+TEST(HTMLIFrameElementTest, FramesUseCorrectOrigin) { |
+ Document* document = Document::Create(); |
+ KURL document_url = KURL(KURL(), "http://example.com"); |
+ document->SetURL(document_url); |
+ document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url)); |
+ |
+ HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
+ |
+ frame_element->setAttribute(HTMLNames::srcAttr, "about:blank"); |
+ RefPtr<SecurityOrigin> effective_origin = |
+ frame_element->GetOriginForFeaturePolicy(); |
+ EXPECT_TRUE( |
+ effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
+ |
+ frame_element->setAttribute(HTMLNames::srcAttr, |
+ "data:text/html;base64,PHRpdGxlPkFCQzwvdGl0bGU+"); |
+ effective_origin = frame_element->GetOriginForFeaturePolicy(); |
+ EXPECT_FALSE( |
+ effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
+ EXPECT_TRUE(effective_origin->IsUnique()); |
+ |
+ frame_element->setAttribute(HTMLNames::srcAttr, "http://example.net/"); |
+ effective_origin = frame_element->GetOriginForFeaturePolicy(); |
+ EXPECT_FALSE( |
+ effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
+ EXPECT_FALSE(effective_origin->IsUnique()); |
+} |
+ |
+// Test that a unique origin is used when constructing the container policy in a |
+// sandboxed iframe. |
+TEST(HTMLIFrameElementTest, SandboxFramesUseCorrectOrigin) { |
+ Document* document = Document::Create(); |
+ KURL document_url = KURL(KURL(), "http://example.com"); |
+ document->SetURL(document_url); |
+ document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url)); |
+ |
+ HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
+ |
+ frame_element->setAttribute(HTMLNames::sandboxAttr, ""); |
+ frame_element->setAttribute(HTMLNames::srcAttr, "http://example.com/"); |
+ RefPtr<SecurityOrigin> effective_origin = |
+ frame_element->GetOriginForFeaturePolicy(); |
+ EXPECT_FALSE( |
+ effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
+ EXPECT_TRUE(effective_origin->IsUnique()); |
+ |
+ frame_element->setAttribute(HTMLNames::srcAttr, "http://example.net/"); |
+ effective_origin = frame_element->GetOriginForFeaturePolicy(); |
+ EXPECT_FALSE( |
+ effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
+ EXPECT_TRUE(effective_origin->IsUnique()); |
+} |
+ |
+// Test that a sandboxed iframe with the allow-same-origin sandbox flag uses the |
+// parent document's origin for the container policy. |
+TEST(HTMLIFrameElementTest, SameOriginSandboxFramesUseCorrectOrigin) { |
+ Document* document = Document::Create(); |
+ KURL document_url = KURL(KURL(), "http://example.com"); |
+ document->SetURL(document_url); |
+ document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url)); |
+ |
+ HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
+ |
+ frame_element->setAttribute(HTMLNames::sandboxAttr, "allow-same-origin"); |
+ frame_element->setAttribute(HTMLNames::srcAttr, "http://example.com/"); |
+ RefPtr<SecurityOrigin> effective_origin = |
+ frame_element->GetOriginForFeaturePolicy(); |
+ EXPECT_TRUE( |
+ effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
+ EXPECT_FALSE(effective_origin->IsUnique()); |
+} |
+ |
+// Test that the parent document's origin is used when constructing the |
+// container policy in a srcdoc iframe. |
+TEST(HTMLIFrameElementTest, SrcdocFramesUseCorrectOrigin) { |
+ Document* document = Document::Create(); |
+ KURL document_url = KURL(KURL(), "http://example.com"); |
+ document->SetURL(document_url); |
+ document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url)); |
+ |
+ HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
+ |
+ frame_element->setAttribute(HTMLNames::srcdocAttr, "<title>title</title>"); |
+ RefPtr<SecurityOrigin> effective_origin = |
+ frame_element->GetOriginForFeaturePolicy(); |
+ EXPECT_TRUE( |
+ effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
+} |
+ |
+// Test that a unique origin is used when constructing the container policy in a |
+// sandboxed iframe with a srcdoc. |
+TEST(HTMLIFrameElementTest, SandboxedSrcdocFramesUseCorrectOrigin) { |
+ Document* document = Document::Create(); |
+ KURL document_url = KURL(KURL(), "http://example.com"); |
+ document->SetURL(document_url); |
+ document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url)); |
+ |
+ HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
+ |
+ frame_element->setAttribute(HTMLNames::sandboxAttr, ""); |
+ frame_element->setAttribute(HTMLNames::srcdocAttr, "<title>title</title>"); |
+ RefPtr<SecurityOrigin> effective_origin = |
+ frame_element->GetOriginForFeaturePolicy(); |
+ EXPECT_FALSE( |
+ effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
+ EXPECT_TRUE(effective_origin->IsUnique()); |
+} |
+ |
+// Test that a iframes with relative src urls correctly construct their origin |
alexmos
2017/04/14 23:42:45
nit: remove "a" before iframes
iclelland
2017/04/15 03:36:06
Done.
|
+// relative to the parent document. |
+TEST(HTMLIFrameElementTest, RelativeURLsUseCorrectOrigin) { |
+ Document* document = Document::Create(); |
+ KURL document_url = KURL(KURL(), "http://example.com"); |
+ document->SetURL(document_url); |
+ document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url)); |
+ |
+ HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
+ |
+ // Host-relative URLs should resolve to the same domain as the parent. |
+ frame_element->setAttribute(HTMLNames::srcAttr, "index2.html"); |
+ RefPtr<SecurityOrigin> effective_origin = |
+ frame_element->GetOriginForFeaturePolicy(); |
+ EXPECT_TRUE( |
+ effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
+ |
+ // Scheme-relative URLs should not resolve to the same domain as the parent. |
+ frame_element->setAttribute(HTMLNames::srcAttr, "//example.net/index2.html"); |
+ effective_origin = frame_element->GetOriginForFeaturePolicy(); |
+ EXPECT_FALSE( |
+ effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin())); |
+} |
+ |
+// Test that various iframe attribute configurations result in the correct |
+// container policies. |
+ |
+// Test that the correct container policy is constructed on an iframe element. |
+TEST(HTMLIFrameElementTest, DefaultContainerPolicy) { |
+ Document* document = Document::Create(); |
+ KURL document_url = KURL(KURL(), "http://example.com"); |
+ document->SetURL(document_url); |
+ document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url)); |
+ |
+ HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
+ |
+ frame_element->setAttribute(HTMLNames::srcAttr, "http://example.net/"); |
+ frame_element->UpdateContainerPolicyForTests(); |
+ |
+ const WebParsedFeaturePolicy& container_policy = |
+ frame_element->ContainerPolicy(); |
+ EXPECT_EQ(container_policy.size(), 0UL); |
alexmos
2017/04/14 23:42:45
nit: reverse order
(should be (expected, actual) -
iclelland
2017/04/15 03:36:06
Thanks, all fixed now.
|
+} |
+ |
+// Test that the allow attribute results in a container policy which is |
+// restricted to the domain in the src attribute. |
+TEST(HTMLIFrameElementTest, AllowAttributeContainerPolicy) { |
+ Document* document = Document::Create(); |
+ KURL document_url = KURL(KURL(), "http://example.com"); |
+ document->SetURL(document_url); |
+ document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url)); |
+ |
+ HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
+ |
+ frame_element->setAttribute(HTMLNames::srcAttr, "http://example.net/"); |
+ frame_element->setAttribute(HTMLNames::allowAttr, "fullscreen"); |
+ frame_element->UpdateContainerPolicyForTests(); |
+ |
+ const WebParsedFeaturePolicy& container_policy1 = |
+ frame_element->ContainerPolicy(); |
+ |
+ EXPECT_EQ(container_policy1.size(), 1UL); |
+ EXPECT_EQ(container_policy1[0].feature, WebFeaturePolicyFeature::kFullscreen); |
+ EXPECT_FALSE(container_policy1[0].matches_all_origins); |
+ EXPECT_EQ(container_policy1[0].origins.size(), 1UL); |
+ EXPECT_EQ(container_policy1[0].origins[0].ToString(), "http://example.net"); |
+ |
+ frame_element->setAttribute(HTMLNames::allowAttr, "payment fullscreen"); |
+ frame_element->UpdateContainerPolicyForTests(); |
+ |
+ const WebParsedFeaturePolicy& container_policy2 = |
+ frame_element->ContainerPolicy(); |
+ EXPECT_EQ(container_policy2.size(), 2UL); |
+ EXPECT_TRUE( |
+ container_policy2[0].feature == WebFeaturePolicyFeature::kFullscreen || |
+ container_policy2[1].feature == WebFeaturePolicyFeature::kFullscreen); |
+ EXPECT_TRUE( |
+ container_policy2[0].feature == WebFeaturePolicyFeature::kPayment || |
+ container_policy2[1].feature == WebFeaturePolicyFeature::kPayment); |
+ EXPECT_FALSE(container_policy2[0].matches_all_origins); |
+ EXPECT_EQ(container_policy2[0].origins.size(), 1UL); |
+ EXPECT_EQ(container_policy2[0].origins[0].ToString(), "http://example.net"); |
+ EXPECT_FALSE(container_policy2[1].matches_all_origins); |
+ EXPECT_EQ(container_policy2[1].origins.size(), 1UL); |
+ EXPECT_EQ(container_policy2[1].origins[0].ToString(), "http://example.net"); |
+} |
+ |
+// Test that the allow attribute on a sandboxed frame results in a container |
+// policy which is restricted to a unique origin. |
+TEST(HTMLIFrameElementTest, SandboxAttributeContainerPolicy) { |
+ Document* document = Document::Create(); |
+ KURL document_url = KURL(KURL(), "http://example.com"); |
+ document->SetURL(document_url); |
+ document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url)); |
+ |
+ HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
+ |
+ frame_element->setAttribute(HTMLNames::srcAttr, "http://example.net/"); |
+ frame_element->setAttribute(HTMLNames::allowAttr, "fullscreen"); |
+ frame_element->setAttribute(HTMLNames::sandboxAttr, ""); |
+ frame_element->UpdateContainerPolicyForTests(); |
+ |
+ const WebParsedFeaturePolicy& container_policy1 = |
alexmos
2017/04/14 23:42:45
nit: can probably drop the "1" here, also below
iclelland
2017/04/15 03:36:06
Definitely, thanks. Done. (And below)
|
+ frame_element->ContainerPolicy(); |
+ |
+ EXPECT_EQ(container_policy1.size(), 1UL); |
+ EXPECT_EQ(container_policy1[0].feature, WebFeaturePolicyFeature::kFullscreen); |
+ EXPECT_FALSE(container_policy1[0].matches_all_origins); |
+ EXPECT_EQ(container_policy1[0].origins.size(), 1UL); |
+ EXPECT_TRUE(container_policy1[0].origins[0].IsUnique()); |
+} |
+ |
+// Test that the allow attribute on a sandboxed frame with the allow-same-origin |
+// flag results in a container policy which is restricted to the origin of the |
+// containing document. |
+TEST(HTMLIFrameElementTest, SameOriginSandboxAttributeContainerPolicy) { |
+ Document* document = Document::Create(); |
+ KURL document_url = KURL(KURL(), "http://example.com"); |
+ document->SetURL(document_url); |
+ document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url)); |
+ |
+ HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document); |
+ |
+ frame_element->setAttribute(HTMLNames::srcAttr, "http://example.net/"); |
+ frame_element->setAttribute(HTMLNames::allowAttr, "fullscreen"); |
+ frame_element->setAttribute(HTMLNames::sandboxAttr, "allow-same-origin"); |
+ frame_element->UpdateContainerPolicyForTests(); |
+ |
+ const WebParsedFeaturePolicy& container_policy1 = |
+ frame_element->ContainerPolicy(); |
+ |
+ EXPECT_EQ(container_policy1.size(), 1UL); |
+ EXPECT_EQ(container_policy1[0].feature, WebFeaturePolicyFeature::kFullscreen); |
+ EXPECT_FALSE(container_policy1[0].matches_all_origins); |
+ EXPECT_EQ(container_policy1[0].origins.size(), 1UL); |
+ EXPECT_FALSE(container_policy1[0].origins[0].IsUnique()); |
+ EXPECT_EQ(container_policy1[0].origins[0].ToString(), "http://example.net"); |
+} |
+ |
} // namespace blink |