From b520a7f4197495dc76a3f6e1557cda60900d662a Mon Sep 17 00:00:00 2001
From: Dave Tapuska <dtapuska@chromium.org>
Date: Mon, 12 Aug 2019 10:10:26 -0700
Subject: [PATCH] Add tests to prevent a sandbox iframe from using history APIs

Spec change https://github.com/whatwg/html/pull/4787

BUG=705583

Change-Id: I6fc5fee627156c10c771b63b609d1d25c6fd439c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1749444
Reviewed-by: Domenic Denicola <domenic@chromium.org>
Commit-Queue: Domenic Denicola <domenic@chromium.org>
Cr-Commit-Position: refs/heads/master@{#686032}
---
 ...me_sandbox_navigate_history_go_back-2.html | 16 +++++++++++
 ...rame_sandbox_navigate_history_go_back.html | 18 ++++++++++++
 ...e_sandbox_navigate_history_go_forward.html | 28 +++++++++++++++++++
 ...rame-tried-to-be-navigated-by-history.html | 18 ++++++++++++
 4 files changed, 80 insertions(+)
 create mode 100644 html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigate_history_go_back-2.html
 create mode 100644 html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigate_history_go_back.html
 create mode 100644 html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigate_history_go_forward.html
 create mode 100644 html/semantics/embedded-content/the-iframe-element/support/iframe-tried-to-be-navigated-by-history.html

diff --git a/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigate_history_go_back-2.html b/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigate_history_go_back-2.html
new file mode 100644
index 000000000000000..7a94f1ce4a867ce
--- /dev/null
+++ b/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigate_history_go_back-2.html
@@ -0,0 +1,16 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>Check that sandboxed iframe can navigate their self</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+  var t = async_test();
+  onmessage = t.step_func((e) => {
+    if (e.data == 'pushstatebackdone') t.done();
+  });
+
+  function doNavigation() {
+    frames[0].postMessage('pushstateback', '*');
+  }
+</script>
+<iframe id="child_frame" sandbox="allow-scripts" src="support/iframe-tried-to-be-navigated-by-history.html" onload="doNavigation();"></iframe>
diff --git a/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigate_history_go_back.html b/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigate_history_go_back.html
new file mode 100644
index 000000000000000..7026edf8f92b680
--- /dev/null
+++ b/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigate_history_go_back.html
@@ -0,0 +1,18 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>Check that sandboxed iframe can not navigate their ancestors</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+  var t = async_test();
+  onpopstate = t.unreached_func('no pop state');
+
+  function doNavigation() {
+    history.pushState( {state: "one past"}, 'page 2', '');
+    frames[0].postMessage('back', '*');
+    t.step_timeout(() => {
+      t.done();
+    }, 1000);
+  }
+</script>
+<iframe id="child_frame" sandbox="allow-scripts" src="support/iframe-tried-to-be-navigated-by-history.html" onload="doNavigation();"></iframe>
diff --git a/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigate_history_go_forward.html b/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigate_history_go_forward.html
new file mode 100644
index 000000000000000..e9d1def099e3a37
--- /dev/null
+++ b/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigate_history_go_forward.html
@@ -0,0 +1,28 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>Check that sandboxed iframe can not navigate their ancestors</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+  var t = async_test();
+  var pop_state_count = 0;
+  onpopstate = t.step_func((e) => {
+    pop_state_count++;
+    if (pop_state_count == 1) {
+      // Should not generate a pop state
+      frames[0].postMessage('forward', '*');
+      t.step_timeout(() => {
+        t.done();
+      }, 1000);
+    } else if (pop_state_count > 1) {
+      assert_unreached('no pop state');
+    }
+  });
+
+  function doNavigation() {
+    history.pushState( {state: "one past"}, 'page 2', '');
+    // Should generate a pop state
+    history.back();
+  }
+</script>
+<iframe id="child_frame" sandbox="allow-scripts" src="support/iframe-tried-to-be-navigated-by-history.html" onload="doNavigation();"></iframe>
diff --git a/html/semantics/embedded-content/the-iframe-element/support/iframe-tried-to-be-navigated-by-history.html b/html/semantics/embedded-content/the-iframe-element/support/iframe-tried-to-be-navigated-by-history.html
new file mode 100644
index 000000000000000..c4ba8011f9d288b
--- /dev/null
+++ b/html/semantics/embedded-content/the-iframe-element/support/iframe-tried-to-be-navigated-by-history.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<p>This is a frame that tries to navigate via history API.</p>
+<script>
+window.onmessage = (e) => {
+  if (e.data == 'back') {
+    history.back();
+  } else if (e.data == 'forward') {
+    history.forward();
+  } else if (e.data = 'pushstateback') {
+    onpopstate = (e) => {
+      parent.postMessage('pushstatebackdone', '*');
+    };
+
+    history.pushState({someState: 'blah'}, '');
+    history.back();
+  }
+};
+</script>