referrer-policy/generic/sandboxed-iframe-with-opaque-origin.html

<!DOCTYPE html>
<html>
<head>
  <title>Referrer Policy: Sandboxed iframes with opaque origins don't send referrers</title>
  <link rel="author" title="Jochen Eisinger" href="mailto:jochen@chromium.org">
  <link rel="author" title="Arthur Sonzogni" href="mailto:arthursonzogni@chromium.org">
  <link rel="help" href="https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer">
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <!-- Common global functions for referrer-policy tests. -->
  <script src="/common/security-features/resources/common.sub.js"></script>
  <script src="/common/get-host-info.sub.js"></script>
</head>
<body>
<h1>
  Referrer Policy: A document with an opaque origin doesn't send referrers
</h1>
<script>

let futureMessage = function() {
  return new Promise(resolve => {
    window.addEventListener("message", event => resolve(event.data));
  });
}

function testSandboxedIframeSubresource(description,
                                        sandboxAttributes,
                                        expectedReferrer) {
  promise_test(async test => {
    let resource_url = get_host_info().HTTP_NOTSAMESITE_ORIGIN +
      "/common/security-features/subresource/xhr.py";
    const iframe = document.createElement("iframe");
    iframe.sandbox = sandboxAttributes;
    iframe.srcdoc = `
      <meta name="referrer" content="always">
      <script src="/common/security-features/resources/common.sub.js">
      </scr`+`ipt>
      <script>
        requestViaFetch("${resource_url}").then((msg) => {
          parent.postMessage(msg.referrer, '*');
        }).catch((e) => {
          parent.postMessage("FAILURE", '*');
        });
      </scr`+`ipt>
    `;

    const future_message = futureMessage();
    document.body.appendChild(iframe);
    assert_equals(await future_message, expectedReferrer);

  }, description);
}

function testSandboxedIframeMainResource(description,
                                         sandboxAttributes,
                                         expectedReferrer) {
  promise_test(async test => {
    let document_url = get_host_info().HTTP_NOTSAMESITE_ORIGIN +
      "/referrer-policy/generic/resources/referrer.py";
    const iframe = document.createElement("iframe");
    iframe.sandbox = sandboxAttributes;
    iframe.srcdoc = `
      <meta name="referrer" content="always">
      <script>
        onload = () => {
          location.href = "${document_url}";
        }
      </scr`+`ipt>
    `;

    const future_message = futureMessage();
    document.body.appendChild(iframe);
    assert_equals(await future_message, expectedReferrer);

  }, description);
}

testSandboxedIframeSubresource(
  "Sandboxed iframe with opaque origin doesn't send referrers to subresources",
  "allow-scripts", undefined);
testSandboxedIframeSubresource(
  "Sandboxed iframe with tuple origin sends referrers to subresources",
  "allow-same-origin allow-scripts", document.location.href);
testSandboxedIframeMainResource(
  "Sandboxed iframe with opaque origin doesn't send referrers on navigation",
  "allow-scripts", "");
testSandboxedIframeMainResource(
  "Sandboxed iframe with tuple origin sends referrers on navigation",
  "allow-same-origin allow-scripts", document.location.href);

</script>
</body>
</html>