Validating Remote iframe Security Context Isolation in NW.js

This test suite validates the security behavior of remote iframes in NW.js applications, specifically testing Node.js context isolation. It ensures that Node.js APIs are properly disabled in remote iframe content while remaining enabled in the main window context.

Test Coverage Overview

The test verifies critical security boundaries between main window and remote iframe contexts.

Key areas covered:
  • Node.js API accessibility in main window
  • Node.js API isolation in remote iframe
  • Cross-origin iframe loading and initialization
  • Dynamic DOM element verification

Implementation Analysis

The test uses Selenium WebDriver from Python to drive an NW.js application. It starts a local HTTP server on a free port, writes index.html dynamically with an iframe that points at that server, then reads DOM elements in the main window and, after switching frames, in the iframe. Frame switching and element lookup use the patterns of Selenium's Python bindings.

Key patterns include:
  • Dynamic test server creation
  • Frame context switching
  • Polling-based element discovery
  • Assertion-based validation

Technical Details

Testing tools and configuration:
  • Selenium WebDriver with Chrome
  • Python HTTP server for remote content
  • Dynamic port allocation
  • Custom Chrome options for NW.js testing
  • Implicit and explicit wait mechanisms
  • Frame switching capabilities

Best Practices Demonstrated

The test exhibits robust testing practices for browser automation and security validation.

Notable practices include:
  • Resource cleanup in finally blocks
  • Dynamic port allocation for test isolation
  • Timeout-based polling for async operations
  • Cross-context security validation
  • Proper exception handling

nwjs/nwJs

test/sanity/iframe-remote-neg/test.py

            
import time
import os
import subprocess
import sys

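import selenium.common.exceptions  # binds the name `selenium` used by the except clause in the polling loop
from selenium import webdriver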
from selenium.webdriver.chrome.options import Options
from selenium.webdriver.common import utils
sys.path.append(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
from nw_util import *

chrome_options = Options()
chrome_options.add_argument("nwapp=" + os.path.dirname(os.path.abspath(__file__)))

testdir = os.path.dirname(os.path.abspath(__file__))
os.chdir(testdir)

port = str(utils.free_port())
server = subprocess.Popen(['python3', 'http-server.py', port])

html = open('index.html', 'w')
html.write('''
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf8">
    <title>iframe-remote negative test</title>
  </head>
  <body>
    <iframe src="http://localhost:%s/test.html"></iframe>
    <script>
      document.write('<h1 id="res1">Node is ' + (typeof nw === 'undefined' ? 'DISABLED': 'ENABLED') + '</h1>');
    </script>
  </body>
</html>
''' % (port))
    
html.close()

driver = webdriver.Chrome(executable_path=os.environ['CHROMEDRIVER'], chrome_options=chrome_options, service_log_path="log", service_args=["--verbose"])
driver.implicitly_wait(5)
try:
    print(driver.current_url)
    result = driver.find_element_by_id('res1').get_attribute('innerHTML')
    print(result)
    assert("ENABLED" in result)
    timeout = 10
    ret = ''
    elem_id = 'res2'
    while timeout > 0:
        try:
            driver.switch_to.frame(driver.find_element_by_tag_name("iframe"))
            ret = driver.find_element_by_id(elem_id).get_attribute('innerHTML')
            break
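        except selenium.common.exceptions.NoSuchElementException:
            # Return to the top-level document so the next attempt can locate the iframe again.
            driver.switch_to.default_content()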
        time.sleep(1)
        timeout = timeout - 1
        if timeout <= 0:
            raise Exception('Timeout when waiting for element ' + elem_id)
    print(ret)
    assert("DISABLED" in ret)
finally:
    server.terminate()
    driver.quit()
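
The main-window check in index.html looks only at `typeof nw`, and the iframe's test.html is not shown on this page. As an added example (not code from the NW.js project), here is a probe a remote page could use to report its status: it checks several Node-related globals instead of `nw` alone and fails closed. The function names, the list of globals and the sample scopes are assumptions.

```javascript
// Added example; function and constant names are hypothetical.
// Assumed list of globals that a Node-enabled NW.js frame exposes.
const NODE_GLOBALS = ['nw', 'require', 'process', 'Buffer', 'global'];

// Return the names from NODE_GLOBALS that are defined on a window-like scope.
function exposedNodeGlobals(scope) {
  return NODE_GLOBALS.filter((name) => {
    try {
      return typeof scope[name] !== 'undefined';
    } catch (err) {
      // Fail closed: a property whose getter throws is still present.
      return true;
    }
  });
}

// Build the "Node is ENABLED/DISABLED" text the Selenium test looks for,
// plus the list of names so a failing run says what was reachable.
function nodeStatus(scope) {
  const exposed = exposedNodeGlobals(scope);
  const state = exposed.length > 0 ? 'ENABLED' : 'DISABLED';
  const detail = exposed.length > 0 ? ' (' + exposed.join(', ') + ')' : '';
  return { state, exposed, text: 'Node is ' + state + detail };
}

// The single-name check used in index.html, kept for comparison.
function nwOnlyState(scope) {
  return typeof scope.nw === 'undefined' ? 'DISABLED' : 'ENABLED';
}

// Constructed sample scopes (not captured from a real NW.js run).
const isolatedFrame = { document: {}, location: { origin: 'http://localhost:8000' } };
// Hypothetical regression: `nw` is hidden but other Node globals are not.
const partialLeak = { document: {}, require: function () {}, process: { versions: {} } };
const mainWindow = { nw: {}, require: function () {}, process: {}, Buffer: function () {}, global: {} };

// In a real page, wire it up with:
//   document.getElementById('res2').textContent = nodeStatus(window).text;
for (const [label, scope] of Object.entries({ isolatedFrame, partialLeak, mainWindow })) {
  console.log(label, '->', nodeStatus(scope).text, '| nw-only check:', nwOnlyState(scope));
}
```

The `partialLeak` scope is the case a `typeof nw` check alone would report as DISABLED, which is why the probe lists every name it finds.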