Bug 1365157 - wpt test cases to ensure 'data:' iframe is forbidden to access its contentDocument. r=ckerschb

MozReview-Commit-ID: 8jnewE1eEcc --HG-- extra : rebase_source : 4c580e32c7e19a241e0f31094fd7c12aff275a72
2017-08-17 09:47:14 +08:00 · 2017-08-17 09:47:14 +08:00 · 1d343fefaa
--- a/testing/web-platform/meta/MANIFEST.json
+++ b/testing/web-platform/meta/MANIFEST.json
@ -581437,7 +581437,7 @@
   "support"
  ],
  "html/browsers/origin/origin-of-data-document.html": [
-   "360415417ed0dadfaf947954fbd0cf801dbd5bdc",
+   "9fec457691ac4b071e9bc8de1ebf6f13dbadd4e5",
   "testharness"
  ],
  "html/browsers/origin/relaxing-the-same-origin-restriction/.gitkeep": [
--- a/testing/web-platform/tests/html/browsers/origin/origin-of-data-document.html
+++ b/testing/web-platform/tests/html/browsers/origin/origin-of-data-document.html
@ -10,17 +10,28 @@
  <body>
    <script>
      async_test(function (t) {
-        window.addEventListener("message", t.step_func_done(function (e) {
-          assert_equals(e.origin, "null", "Messages sent from a 'data:' URL should have an opaque origin (which serializes to 'null').");
-          assert_throws("SecurityError", function () {
-            var couldAccessCrossOriginProperty = e.source.location.href;
-          }, "The 'data:' frame should be cross-origin.")
-        }));
-
        var i = document.createElement('iframe');
        i.src = "data:text/html,<script>" +
                "  window.parent.postMessage('Hello!', '*');" +
                "</scr" + "ipt>";
+
+        window.addEventListener("message", t.step_func_done(function (e) {
+          assert_equals(e.origin, "null", "Messages sent from a 'data:' URL should have an opaque origin (which serializes to 'null').");
+          assert_throws("SecurityError", function () {
+            var couldAccessCrossOriginProperty = e.source.location.href;
+          }, "The 'data:' frame should be cross-origin: 'window.location.href'");
+
+          // Try to access contentDocument of the 'data: ' frame. Some browsers
+          // (i.e. Firefox, Safari) will return |null| and some (i.e. Chrome)
+          // will throw an exception.
+          var dataFrameContentDocument = null;
+          try {
+            dataFrameContentDocument = i.contentDocument;
+          } catch (ex) {
+          }
+          assert_equals(dataFrameContentDocument, null, "The 'data:' iframe should be unable to access its contentDocument.");
+        }));
+
        document.body.appendChild(i);
      }, "The origin of a 'data:' document in a frame is opaque.");
    </script>