| <!doctype html> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <script src="return-value/resources/helpers.js"></script> |
| <iframe id="i" src="/common/blank.html?startI" sandbox="allow-scripts allow-same-origin"></iframe> |
| |
| <script> |
| // Intended setup: |
| // Step 0: |
| // - Parent: (current URL) |
| // - i: /common/blank.html?startI |
| // Step 1: |
| // - Parent: (current URL) |
| // - i: resources/navigation-back.html |
| // Step 2: |
| // - Parent: (current URL)#end |
| // - i: resources/navigation-back.html |
| // |
| // Then, calling navigation.back() in i will take is from step 2 to step 0, which would navigate the parent. |
| // That is not allowed, so the call to back() must reject. |
| |
| promise_test(async t => { |
| await new Promise(resolve => window.onload = resolve); |
| |
| i.contentWindow.location.href = new URL("resources/navigation-back.html", location.href); |
| await new Promise(resolve => i.onload = resolve); |
| |
| location.hash = "#end"; |
| await new Promise(resolve => window.onhashchange = resolve); |
| |
| navigation.onnavigate = t.unreached_func("navigate must not fire"); |
| navigation.onnavigateerror = t.unreached_func("navigateerror must not fire"); |
| window.onpopstate = t.unreached_func("popstate must not fire"); |
| window.onhashchange = t.unreached_func("hashchange must not fire"); |
| |
| await assertBothRejectDOM(t, i.contentWindow.doNavigationBack(), "SecurityError", i.contentWindow); |
| }, "A sandboxed iframe cannot navigate its parent via its own navigation object by using back()"); |
| </script> |
