// Copyright 2024 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "content/browser/renderer_host/render_frame_host_impl.h" #include "content/browser/web_contents/web_contents_impl.h" #include "content/public/browser/render_frame_host.h" #include "content/public/browser/web_contents.h" #include "content/public/test/browser_test.h" #include "content/public/test/browser_test_utils.h" #include "content/public/test/content_browser_test.h" #include "content/public/test/content_browser_test_utils.h" #include "content/public/test/test_navigation_observer.h" #include "content/shell/browser/shell.h" #include "content/test/content_browser_test_utils_internal.h" #include "net/dns/mock_host_resolver.h" #include "net/test/embedded_test_server/embedded_test_server.h" namespace content { class FramebustingBrowserTest : public ContentBrowserTest { … }; // Verifies that cross-origin iframes cannot navigate the top frame to a // different origin (sometimes called "framebusting") without user activation. // // This is non-standard, unspecified behavior. // See also https://www.chromestatus.com/features/5851021045661696. IN_PROC_BROWSER_TEST_F(FramebustingBrowserTest, FailsWithoutUserActivation) { … } // Verifies that cross-origin iframes can navigate the top frame to a different // origin (sometimes called "framebusting") with user activation. // // This is non-standard, unspecified behavior. // See also https://www.chromestatus.com/features/5851021045661696. IN_PROC_BROWSER_TEST_F(FramebustingBrowserTest, SucceedsWithUserActivation) { … } // Verifies that cross-origin iframes can navigate the top frame to a different // origin (sometimes called "framebusting") with user activation, even after // a couple `setTimeout()` calls. // // This is non-standard, unspecified behavior. // See also https://www.chromestatus.com/features/5851021045661696. IN_PROC_BROWSER_TEST_F(FramebustingBrowserTest, SucceedsWithAsyncUserActivation) { … } // Verifies that cross-origin unsandboxed iframes cannot escalate the // allow-top-navigation sandbox privilege in a child iframe, which would allow // it to navigate the top frame to a different origin (sometimes called // "framebusting") without user activation. // // This is non-standard, unspecified behavior. // See also https://www.chromestatus.com/features/5851021045661696. IN_PROC_BROWSER_TEST_F(FramebustingBrowserTest, FailsFromGrandchildPrivilegeEscalationInSandboxFlags) { … } // Verifies that a grandchild cross-origin unsandboxed iframe cannot give itself // allow-top-navigation sandbox privileges via its delivered sandbox flags in // the HTTP response header, which would allow it to navigate the top frame to a // different origin (sometimes called "framebusting") without user activation. // // This is non-standard, unspecified behavior. // See also https://www.chromestatus.com/features/5851021045661696. IN_PROC_BROWSER_TEST_F(FramebustingBrowserTest, FailsFromGrandchildPrivilegeEscalationInDeliveredFlags) { … } // Verifies that a child cross-origin unsandboxed iframe document cannot give // itself allow-top-navigation sandbox privileges via its delivered sandbox // flags in the HTTP response header, which would allow it to navigate the top // frame to a different origin (sometimes called "framebusting") without user // activation. // // This is non-standard, unspecified behavior. // See also https://www.chromestatus.com/features/5851021045661696. IN_PROC_BROWSER_TEST_F(FramebustingBrowserTest, FailsFromChildPrivilegeEscalationInDeliveredFlags) { … } // Verifies that a navigation to a cross-site document consumes sticky user // activation, preventing the new document from navigating the top frame to a // different origin (sometimes called "framebusting") without user activation. // // This is non-standard, unspecified behavior. // See also https://www.chromestatus.com/features/5851021045661696. IN_PROC_BROWSER_TEST_F(FramebustingBrowserTest, FailsAfterCrossSiteNavigation) { … } // Verifies that a navigation to a same-site document maintains sticky user // activation, allow the new document to navigate the top frame to a // different origin (sometimes called "framebusting") without transient user // activation. // // This is non-standard, unspecified behavior. // See also https://www.chromestatus.com/features/5851021045661696. IN_PROC_BROWSER_TEST_F(FramebustingBrowserTest, SucceedsAfterSameSiteNavigation) { … } // Verifies that a navigation to a same-site document without sticky user // activation keeps the unset activation state, preventing the new document from // navigating the top frame to a different origin (sometimes called // "framebusting") without transient user activation. // // This is non-standard, unspecified behavior. // See also https://www.chromestatus.com/features/5851021045661696. IN_PROC_BROWSER_TEST_F(FramebustingBrowserTest, FailsAfterSameSiteNavigationWithoutUserActivation) { … } // Verifies that cross-origin iframes sandboxed with // "allow-top-navigation-by-user-activation" can only navigate the top frame to // a different origin (sometimes called "framebusting") when they have user // activation. IN_PROC_BROWSER_TEST_F(FramebustingBrowserTest, AllowTopNavigationByUserActivation) { … } // Verifies that cross-origin iframes can navigate the top frame to another URL // belonging to the top frame's origin without user activation. // // This is non-standard, unspecified behavior. // See also https://www.chromestatus.com/features/5851021045661696. IN_PROC_BROWSER_TEST_F(FramebustingBrowserTest, SucceedsInSameOriginWithoutUserActivation) { … } } // namespace content
Codebase Browser
chromium