chromium/third_party/blink/web_tests/external/wpt/fenced-frame/sandbox-attribute.https.html

<!DOCTYPE html>
<title>Test fenced frame sandbox attribute.</title>
<meta name="timeout" content="long">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/utils.js"></script>
<script src="/common/dispatcher/dispatcher.js"></script>
<script src="resources/utils.js"></script>

<body>
<script>

async function runTest(t, sandbox_flags, success) {
  const frame = await attachFencedFrameContext({
      generator_api: 'fledge', resolve_to_config: true,
      attributes: [['sandbox', sandbox_flags]]});

  assert_equals(frame.element.sandbox.value, sandbox_flags);
  if (sandbox_flags) {
    assert_equals(frame.element.sandbox.length, sandbox_flags.split(' ').length);
  } else {
    assert_equals(frame.element.sandbox.length, 0);
  }

  const result = await Promise.any([
    frame.execute(() => { return 'success';}),
    new Promise(resolve => t.step_timeout(() => resolve('failure'), 2000))]);
  if (success) {
    assert_equals(result, 'success');
  } else {
    assert_equals(result, 'failure');
  }
}

// We omit test cases that lack the sandbox attribute, because that's covered
// by every other test that doesn't explicitly use the `sandbox` attribute.

promise_test(async t => {
  return runTest(t, '', false);
}, 'Navigation fails with no allowed features');

promise_test(async t => {
  return runTest(t, 'allow-same-origin allow-forms allow-scripts allow-popups allow-popups-to-escape-sandbox allow-top-navigation-by-user-activation', true);
}, 'Navigation succeeds with exactly the required unsandboxed features');

promise_test(async t => {
  return runTest(t, 'allow-same-origin allow-forms allow-scripts allow-popups allow-popups-to-escape-sandbox allow-top-navigation-by-user-activation allow-pointer-lock', true);
}, 'Navigation succeeds with extra unsandboxed features');

promise_test(async t => {
  return runTest(t, 'allow-same-origin allow-forms allow-scripts allow-popups allow-popups-to-escape-sandbox', false);
}, 'Navigation fails with too few unsandboxed features');

promise_test(async t => {
  return runTest(t, 'foo bar baz', false);
}, 'Navigation fails with malformed sandbox flags');

promise_test(async t => {
  return runTest(t, 'allow-same-origin allow-forms allow-scripts allow-popups allow-popups-to-escape-sandbox allow-top-navigation-by-user-activation allow-foobarbaz', true);
}, 'Navigation fails with the required unsandboxed features, plus some malformed ones');

</script>
</body>