<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<body>
<script>
async_test(t => {
var i = document.createElement('iframe');
i.setAttribute("sandbox", "allow-scripts");
i.setAttribute("src", "javascript:top.postMessage('fail', '*');");
window.addEventListener(
"message",
t.unreached_func("The sandboxed 'javascript:' URL should not execute."));
document.body.appendChild(i);
// TODO(mkwst): I would love a better test here, but I don't know how else to
// verify that the script _doesn't_ execute.
setTimeout(t.done.bind(t), 250);
}, "JavaScript URLs in sandboxed iframes should not execute, as the origin is distinct from its opener.");
</script>
Codebase Browser
chromium