| Index: third_party/WebKit/Source/core/html/HTMLIFrameElementTest.cpp
|
| diff --git a/third_party/WebKit/Source/core/html/HTMLIFrameElementTest.cpp b/third_party/WebKit/Source/core/html/HTMLIFrameElementTest.cpp
|
| index 2df838ca7e857bb3c30a276aee042b220dfd6e83..5a5b3fb565cbd7453b2e5c9430b86743122075b5 100644
|
| --- a/third_party/WebKit/Source/core/html/HTMLIFrameElementTest.cpp
|
| +++ b/third_party/WebKit/Source/core/html/HTMLIFrameElementTest.cpp
|
| @@ -9,8 +9,15 @@
|
|
|
| namespace blink {
|
|
|
| +class HTMLIFrameElementTest : public ::testing::Test {
|
| + public:
|
| + RefPtr<SecurityOrigin> GetOriginForFeaturePolicy(HTMLIFrameElement* element) {
|
| + return element->GetOriginForFeaturePolicy();
|
| + }
|
| +};
|
| +
|
| // Test setting feature policy via the Element attribute (HTML codepath).
|
| -TEST(HTMLIFrameElementTest, SetAllowAttribute) {
|
| +TEST_F(HTMLIFrameElementTest, SetAllowAttribute) {
|
| Document* document = Document::Create();
|
| HTMLIFrameElement* iframe = HTMLIFrameElement::Create(*document);
|
|
|
| @@ -21,7 +28,7 @@ TEST(HTMLIFrameElementTest, SetAllowAttribute) {
|
| }
|
|
|
| // Test setting feature policy via the DOMTokenList (JS codepath).
|
| -TEST(HTMLIFrameElementTest, SetAllowAttributeJS) {
|
| +TEST_F(HTMLIFrameElementTest, SetAllowAttributeJS) {
|
| Document* document = Document::Create();
|
| HTMLIFrameElement* iframe = HTMLIFrameElement::Create(*document);
|
|
|
| @@ -29,4 +36,253 @@ TEST(HTMLIFrameElementTest, SetAllowAttributeJS) {
|
| EXPECT_EQ("fullscreen", iframe->getAttribute(HTMLNames::allowAttr));
|
| }
|
|
|
| +// Test that the correct origin is used when constructing the container policy,
|
| +// and that frames which should inherit their parent document's origin do so.
|
| +TEST_F(HTMLIFrameElementTest, FramesUseCorrectOrigin) {
|
| + Document* document = Document::Create();
|
| + KURL document_url = KURL(KURL(), "http://example.com");
|
| + document->SetURL(document_url);
|
| + document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url));
|
| +
|
| + HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document);
|
| +
|
| + frame_element->setAttribute(HTMLNames::srcAttr, "about:blank");
|
| + RefPtr<SecurityOrigin> effective_origin =
|
| + GetOriginForFeaturePolicy(frame_element);
|
| + EXPECT_TRUE(
|
| + effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin()));
|
| +
|
| + frame_element->setAttribute(HTMLNames::srcAttr,
|
| + "data:text/html;base64,PHRpdGxlPkFCQzwvdGl0bGU+");
|
| + effective_origin = GetOriginForFeaturePolicy(frame_element);
|
| + EXPECT_FALSE(
|
| + effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin()));
|
| + EXPECT_TRUE(effective_origin->IsUnique());
|
| +
|
| + frame_element->setAttribute(HTMLNames::srcAttr, "http://example.net/");
|
| + effective_origin = GetOriginForFeaturePolicy(frame_element);
|
| + EXPECT_FALSE(
|
| + effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin()));
|
| + EXPECT_FALSE(effective_origin->IsUnique());
|
| +}
|
| +
|
| +// Test that a unique origin is used when constructing the container policy in a
|
| +// sandboxed iframe.
|
| +TEST_F(HTMLIFrameElementTest, SandboxFramesUseCorrectOrigin) {
|
| + Document* document = Document::Create();
|
| + KURL document_url = KURL(KURL(), "http://example.com");
|
| + document->SetURL(document_url);
|
| + document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url));
|
| +
|
| + HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document);
|
| +
|
| + frame_element->setAttribute(HTMLNames::sandboxAttr, "");
|
| + frame_element->setAttribute(HTMLNames::srcAttr, "http://example.com/");
|
| + RefPtr<SecurityOrigin> effective_origin =
|
| + GetOriginForFeaturePolicy(frame_element);
|
| + EXPECT_FALSE(
|
| + effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin()));
|
| + EXPECT_TRUE(effective_origin->IsUnique());
|
| +
|
| + frame_element->setAttribute(HTMLNames::srcAttr, "http://example.net/");
|
| + effective_origin = GetOriginForFeaturePolicy(frame_element);
|
| + EXPECT_FALSE(
|
| + effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin()));
|
| + EXPECT_TRUE(effective_origin->IsUnique());
|
| +}
|
| +
|
| +// Test that a sandboxed iframe with the allow-same-origin sandbox flag uses the
|
| +// parent document's origin for the container policy.
|
| +TEST_F(HTMLIFrameElementTest, SameOriginSandboxFramesUseCorrectOrigin) {
|
| + Document* document = Document::Create();
|
| + KURL document_url = KURL(KURL(), "http://example.com");
|
| + document->SetURL(document_url);
|
| + document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url));
|
| +
|
| + HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document);
|
| +
|
| + frame_element->setAttribute(HTMLNames::sandboxAttr, "allow-same-origin");
|
| + frame_element->setAttribute(HTMLNames::srcAttr, "http://example.com/");
|
| + RefPtr<SecurityOrigin> effective_origin =
|
| + GetOriginForFeaturePolicy(frame_element);
|
| + EXPECT_TRUE(
|
| + effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin()));
|
| + EXPECT_FALSE(effective_origin->IsUnique());
|
| +}
|
| +
|
| +// Test that the parent document's origin is used when constructing the
|
| +// container policy in a srcdoc iframe.
|
| +TEST_F(HTMLIFrameElementTest, SrcdocFramesUseCorrectOrigin) {
|
| + Document* document = Document::Create();
|
| + KURL document_url = KURL(KURL(), "http://example.com");
|
| + document->SetURL(document_url);
|
| + document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url));
|
| +
|
| + HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document);
|
| +
|
| + frame_element->setAttribute(HTMLNames::srcdocAttr, "<title>title</title>");
|
| + RefPtr<SecurityOrigin> effective_origin =
|
| + GetOriginForFeaturePolicy(frame_element);
|
| + EXPECT_TRUE(
|
| + effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin()));
|
| +}
|
| +
|
| +// Test that a unique origin is used when constructing the container policy in a
|
| +// sandboxed iframe with a srcdoc.
|
| +TEST_F(HTMLIFrameElementTest, SandboxedSrcdocFramesUseCorrectOrigin) {
|
| + Document* document = Document::Create();
|
| + KURL document_url = KURL(KURL(), "http://example.com");
|
| + document->SetURL(document_url);
|
| + document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url));
|
| +
|
| + HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document);
|
| +
|
| + frame_element->setAttribute(HTMLNames::sandboxAttr, "");
|
| + frame_element->setAttribute(HTMLNames::srcdocAttr, "<title>title</title>");
|
| + RefPtr<SecurityOrigin> effective_origin =
|
| + GetOriginForFeaturePolicy(frame_element);
|
| + EXPECT_FALSE(
|
| + effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin()));
|
| + EXPECT_TRUE(effective_origin->IsUnique());
|
| +}
|
| +
|
| +// Test that iframes with relative src urls correctly construct their origin
|
| +// relative to the parent document.
|
| +TEST_F(HTMLIFrameElementTest, RelativeURLsUseCorrectOrigin) {
|
| + Document* document = Document::Create();
|
| + KURL document_url = KURL(KURL(), "http://example.com");
|
| + document->SetURL(document_url);
|
| + document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url));
|
| +
|
| + HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document);
|
| +
|
| + // Host-relative URLs should resolve to the same domain as the parent.
|
| + frame_element->setAttribute(HTMLNames::srcAttr, "index2.html");
|
| + RefPtr<SecurityOrigin> effective_origin =
|
| + GetOriginForFeaturePolicy(frame_element);
|
| + EXPECT_TRUE(
|
| + effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin()));
|
| +
|
| + // Scheme-relative URLs should not resolve to the same domain as the parent.
|
| + frame_element->setAttribute(HTMLNames::srcAttr, "//example.net/index2.html");
|
| + effective_origin = GetOriginForFeaturePolicy(frame_element);
|
| + EXPECT_FALSE(
|
| + effective_origin->IsSameSchemeHostPort(document->GetSecurityOrigin()));
|
| +}
|
| +
|
| +// Test that various iframe attribute configurations result in the correct
|
| +// container policies.
|
| +
|
| +// Test that the correct container policy is constructed on an iframe element.
|
| +TEST_F(HTMLIFrameElementTest, DefaultContainerPolicy) {
|
| + Document* document = Document::Create();
|
| + KURL document_url = KURL(KURL(), "http://example.com");
|
| + document->SetURL(document_url);
|
| + document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url));
|
| +
|
| + HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document);
|
| +
|
| + frame_element->setAttribute(HTMLNames::srcAttr, "http://example.net/");
|
| + frame_element->UpdateContainerPolicyForTests();
|
| +
|
| + const WebParsedFeaturePolicy& container_policy =
|
| + frame_element->ContainerPolicy();
|
| + EXPECT_EQ(0UL, container_policy.size());
|
| +}
|
| +
|
| +// Test that the allow attribute results in a container policy which is
|
| +// restricted to the domain in the src attribute.
|
| +TEST_F(HTMLIFrameElementTest, AllowAttributeContainerPolicy) {
|
| + Document* document = Document::Create();
|
| + KURL document_url = KURL(KURL(), "http://example.com");
|
| + document->SetURL(document_url);
|
| + document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url));
|
| +
|
| + HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document);
|
| +
|
| + frame_element->setAttribute(HTMLNames::srcAttr, "http://example.net/");
|
| + frame_element->setAttribute(HTMLNames::allowAttr, "fullscreen");
|
| + frame_element->UpdateContainerPolicyForTests();
|
| +
|
| + const WebParsedFeaturePolicy& container_policy1 =
|
| + frame_element->ContainerPolicy();
|
| +
|
| + EXPECT_EQ(1UL, container_policy1.size());
|
| + EXPECT_EQ(WebFeaturePolicyFeature::kFullscreen, container_policy1[0].feature);
|
| + EXPECT_FALSE(container_policy1[0].matches_all_origins);
|
| + EXPECT_EQ(1UL, container_policy1[0].origins.size());
|
| + EXPECT_EQ("http://example.net", container_policy1[0].origins[0].ToString());
|
| +
|
| + frame_element->setAttribute(HTMLNames::allowAttr, "payment fullscreen");
|
| + frame_element->UpdateContainerPolicyForTests();
|
| +
|
| + const WebParsedFeaturePolicy& container_policy2 =
|
| + frame_element->ContainerPolicy();
|
| + EXPECT_EQ(2UL, container_policy2.size());
|
| + EXPECT_TRUE(
|
| + container_policy2[0].feature == WebFeaturePolicyFeature::kFullscreen ||
|
| + container_policy2[1].feature == WebFeaturePolicyFeature::kFullscreen);
|
| + EXPECT_TRUE(
|
| + container_policy2[0].feature == WebFeaturePolicyFeature::kPayment ||
|
| + container_policy2[1].feature == WebFeaturePolicyFeature::kPayment);
|
| + EXPECT_FALSE(container_policy2[0].matches_all_origins);
|
| + EXPECT_EQ(1UL, container_policy2[0].origins.size());
|
| + EXPECT_EQ("http://example.net", container_policy2[0].origins[0].ToString());
|
| + EXPECT_FALSE(container_policy2[1].matches_all_origins);
|
| + EXPECT_EQ(1UL, container_policy2[1].origins.size());
|
| + EXPECT_EQ("http://example.net", container_policy2[1].origins[0].ToString());
|
| +}
|
| +
|
| +// Test that the allow attribute on a sandboxed frame results in a container
|
| +// policy which is restricted to a unique origin.
|
| +TEST_F(HTMLIFrameElementTest, SandboxAttributeContainerPolicy) {
|
| + Document* document = Document::Create();
|
| + KURL document_url = KURL(KURL(), "http://example.com");
|
| + document->SetURL(document_url);
|
| + document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url));
|
| +
|
| + HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document);
|
| +
|
| + frame_element->setAttribute(HTMLNames::srcAttr, "http://example.net/");
|
| + frame_element->setAttribute(HTMLNames::allowAttr, "fullscreen");
|
| + frame_element->setAttribute(HTMLNames::sandboxAttr, "");
|
| + frame_element->UpdateContainerPolicyForTests();
|
| +
|
| + const WebParsedFeaturePolicy& container_policy =
|
| + frame_element->ContainerPolicy();
|
| +
|
| + EXPECT_EQ(1UL, container_policy.size());
|
| + EXPECT_EQ(WebFeaturePolicyFeature::kFullscreen, container_policy[0].feature);
|
| + EXPECT_FALSE(container_policy[0].matches_all_origins);
|
| + EXPECT_EQ(1UL, container_policy[0].origins.size());
|
| + EXPECT_TRUE(container_policy[0].origins[0].IsUnique());
|
| +}
|
| +
|
| +// Test that the allow attribute on a sandboxed frame with the allow-same-origin
|
| +// flag results in a container policy which is restricted to the origin of the
|
| +// containing document.
|
| +TEST_F(HTMLIFrameElementTest, SameOriginSandboxAttributeContainerPolicy) {
|
| + Document* document = Document::Create();
|
| + KURL document_url = KURL(KURL(), "http://example.com");
|
| + document->SetURL(document_url);
|
| + document->UpdateSecurityOrigin(SecurityOrigin::Create(document_url));
|
| +
|
| + HTMLIFrameElement* frame_element = HTMLIFrameElement::Create(*document);
|
| +
|
| + frame_element->setAttribute(HTMLNames::srcAttr, "http://example.net/");
|
| + frame_element->setAttribute(HTMLNames::allowAttr, "fullscreen");
|
| + frame_element->setAttribute(HTMLNames::sandboxAttr, "allow-same-origin");
|
| + frame_element->UpdateContainerPolicyForTests();
|
| +
|
| + const WebParsedFeaturePolicy& container_policy =
|
| + frame_element->ContainerPolicy();
|
| +
|
| + EXPECT_EQ(1UL, container_policy.size());
|
| + EXPECT_EQ(WebFeaturePolicyFeature::kFullscreen, container_policy[0].feature);
|
| + EXPECT_FALSE(container_policy[0].matches_all_origins);
|
| + EXPECT_EQ(1UL, container_policy[0].origins.size());
|
| + EXPECT_FALSE(container_policy[0].origins[0].IsUnique());
|
| + EXPECT_EQ("http://example.net", container_policy[0].origins[0].ToString());
|
| +}
|
| +
|
| } // namespace blink
|
|
|
Chromium Code Reviews
Issue 2797813002:
Replicate feature policy container policies. (Closed)
