Test sandbox flags vs document.open()

Two new regression tests about a bug waiting to happen. I was about to introduce a regression with patchset: https://chromium-review.googlesource.com/c/chromium/src/+/2578902/6 without triggering any test. This checks that after using document.open(), the sandbox flags are still applying. Bug: 1041376 Change-Id: I8654177e7edb040b9f34f948540b697af84a92d7 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2582318Reviewed-by: Ian Clelland <iclelland@chromium.org> Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/master@{#835673}

Test sandbox flags vs document.open()
Two new regression tests about a bug waiting to happen. I was about to introduce a regression with patchset: https://chromium-review.googlesource.com/c/chromium/src/+/2578902/6 without triggering any test. This checks that after using document.open(), the sandbox flags are still applying. Bug: 1041376 Change-Id: I8654177e7edb040b9f34f948540b697af84a92d7 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2582318Reviewed-by: Ian Clelland <iclelland@chromium.org> Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/master@{#835673}
2966c7f8 · arthursonzogni · Chromium LUCI CQ · 62726b73 · 2966c7f8 · 2966c7f8
Commit 2966c7f8 authored Dec 10, 2020 by arthursonzogni Committed by Chromium LUCI CQ Dec 10, 2020
2 changed files
--- a/third_party/blink/web_tests/external/wpt/html/browsers/sandboxing/resources/document-open.html
+++ b/third_party/blink/web_tests/external/wpt/html/browsers/sandboxing/resources/document-open.html
+<script>
+  onload = () => {
+    document.open();
+    document.write(`
+      <script>
+        try {
+          document.domain = document.domain;
+          parent.postMessage('document-domain-is-allowed', '*');
+        } catch (error) {
+          parent.postMessage('document-domain-is-disallowed', '*');
+        }
+      </sc`+`ript>
+    `);
+    document.close();
+  }
+</script>
--- a/third_party/blink/web_tests/external/wpt/html/browsers/sandboxing/sandbox-document-open.html
+++ b/third_party/blink/web_tests/external/wpt/html/browsers/sandboxing/sandbox-document-open.html
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>
+  Check sandbox-flags aren't lost after using document.open().
+</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+promise_test(async test => {
+  let message = new Promise(resolve =>
+    window.addEventListener("message", event => resolve(event.data))
+  );
+
+  let iframe = document.createElement("iframe");
+  iframe.setAttribute("sandbox", "allow-scripts allow-same-origin");
+  iframe.setAttribute("src", "./resources/document-open.html")
+  document.body.appendChild(iframe);
+
+  assert_equals(await message, "document-domain-is-disallowed");
+}, "document.open()");
+
+promise_test(async test => {
+  let iframe = document.createElement("iframe");
+  iframe.setAttribute("sandbox", "allow-scripts allow-same-origin");
+  iframe.setAttribute("src", "/common/blank.html");
+  let loaded = new Promise(resolve => {iframe.onload = resolve; });
+  document.body.appendChild(iframe);
+  await loaded;
+
+  let message = new Promise(resolve =>
+    window.addEventListener("message", event => resolve(event.data))
+  );
+
+  iframe.contentDocument.open();
+  iframe.contentDocument.write(`
+    <script>
+      try {
+        document.domain = document.domain;
+        parent.postMessage('document-domain-is-allowed', '*');
+      } catch (error) {
+        parent.postMessage('document-domain-is-disallowed', '*');
+      }
+    </sc`+`ript>
+  `);
+  iframe.contentDocument.close();
+
+  assert_equals(await message, "document-domain-is-disallowed");
+}, "other_document.open()");
+</script>
+</body>
+</html>