Use IsSameOriginWith for showPicker cross-origin iframe check

This CL changes from IsSameOriginDomainWith to IsSameOriginWith the check for cross-origin iframes when showPicker() is called following spec change[1]. [1] whatwg/html#7319 (comment) Change-Id: Ic21ec96e241cad730d6e93a7b635cf9107f48023 Bug: 939561 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3310677 Reviewed-by: Domenic Denicola <domenic@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Fr <beaufort.francois@gmail.com> Cr-Commit-Position: refs/heads/main@{#948890}
web-platform-tests · Dec 7, 2021 · e6c8eb0 · e6c8eb0
1 parent 99384c1
commit e6c8eb0
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 0 deletions.
diff --git a/html/semantics/forms/the-input-element/resources/show-picker-child-iframe.html b/html/semantics/forms/the-input-element/resources/show-picker-child-iframe.html
@@ -3,6 +3,12 @@
 <script type=module>
 import inputTypes from "./../input-types.js";
 
+const urlParams = new URLSearchParams(location.search);
+const documentDomain = urlParams.get('documentDomain');
+if (documentDomain) {
+  document.domain = documentDomain;
+}
+
 let securityErrors = [];
 for (const inputType of inputTypes) {
   const input = document.createElement("input");

diff --git a/html/semantics/forms/the-input-element/show-picker-cross-origin-iframe.tentative.html b/html/semantics/forms/the-input-element/show-picker-cross-origin-iframe.tentative.html
@@ -43,4 +43,34 @@
     "In cross-origin iframes, showPicker() throws a SecurityError except on file and color."
   );
 });
+
+promise_test(async (t) => {
+  iframe.src =
+    new URL("resources/", self.location).pathname +
+    "show-picker-child-iframe.html?documentDomain=" + get_host_info().ORIGINAL_HOST;
+
+  // Wait for the iframe to report security errors when calling showPicker().
+  const securityErrors = await waitForSecurityErrors();
+  assert_equals(
+    securityErrors,
+    "",
+    "In same-origin but cross-origin-domain iframes, showPicker() does not throw a SecurityError."
+  );
+});
+
+promise_test(async (t) => {
+  document.domain = get_host_info().ORIGINAL_HOST;
+  iframe.src =
+    get_host_info().HTTP_REMOTE_ORIGIN +
+    new URL("resources/", self.location).pathname +
+    "show-picker-child-iframe.html?documentDomain=" + get_host_info().ORIGINAL_HOST;
+
+  // Wait for the iframe to report security errors when calling showPicker().
+  const securityErrors = await waitForSecurityErrors();
+  assert_equals(
+    securityErrors,
+    "button,checkbox,date,datetime-local,email,hidden,image,month,number,password,radio,range,reset,search,submit,tel,text,time,url,week",
+    "In cross-origin but same-origin-domain iframes, showPicker() throws a SecurityError except on file and color."
+  );
+});
 </script>