From f068df16180fa2114d9e1ed9c4b66da0426ce969 Mon Sep 17 00:00:00 2001
From: Libor Polčák <ipolcak@fit.vutbr.cz>
Date: Aug 25 2021 15:20:23 +0000
Subject: test page: Add iframes


---

diff --git a/docs/test/iframe.html b/docs/test/iframe.html
new file mode 100644
index 0000000..6da8ec9
--- /dev/null
+++ b/docs/test/iframe.html
@@ -0,0 +1,10 @@
+<html>
+	<head>
+		<title>Iframe content</title>
+		<script language="javascript" src="iframe.js" defer></script>
+	</head>
+
+	<body>
+		<span id="iframe_result"></span>
+	</body>
+</html>
diff --git a/docs/test/iframe.js b/docs/test/iframe.js
new file mode 100644
index 0000000..255d508
--- /dev/null
+++ b/docs/test/iframe.js
@@ -0,0 +1,21 @@
+"use strict";
+
+function createResults(canvas_el, result_id) {
+	var html = "<h3>toDataURL</h3>";
+	html += "<pre>" + canvas_el.toDataURL + "</pre>";
+	html += "<h3>getImageData</h3>";
+	html += "<pre>" + canvas_el.getContext('2d').getImageData + "</pre>";
+	html += "<h3>toBlob</h3>";
+	html += "<pre>" + canvas_el.toBlob + "</pre>";
+
+	var iframe = document.createElement("iframe");
+	document.body.appendChild(iframe);
+	// Native toString function from iframe context which can be used later on.
+	var iframeToString = iframe.contentWindow.window.Function.prototype.toString;
+	iframe.parentNode.removeChild(iframe);
+	html += "<h3>performance.now</h3>";
+	html += "<pre>" + iframeToString.call(performance.now) + "</pre>";
+
+	document.getElementById(result_id).innerHTML = html;
+}
+createResults(document.createElement("canvas"), "iframe_result");
diff --git a/docs/test/poc.js b/docs/test/poc.js
new file mode 100644
index 0000000..680548d
--- /dev/null
+++ b/docs/test/poc.js
@@ -0,0 +1,4 @@
+"use strict";
+
+createResults(document.getElementById("poc_iframe").contentDocument.createElement("canvas"), "poc");
+createResults(document.getElementById("regular_iframe").contentDocument.createElement("canvas"), "regular");
diff --git a/docs/test/test.html b/docs/test/test.html
index 1337b37..aa64a7b 100644
--- a/docs/test/test.html
+++ b/docs/test/test.html
@@ -22,6 +22,8 @@ SPDX-License-Identifier: GPL-3.0-or-later
 	<script type="text/javascript" src="xmlhttprequest.js"></script>
 	<script type="text/javascript" src="hw.js"></script>
 	<script type="text/javascript" src="enumerateDevices.js" defer></script>
+	<script language="javascript" src="iframe.js" defer></script>
+	<script language="javascript" src="poc.js" defer></script>
 	<link rel="stylesheet" type="text/css" href="global.css">
 </head>
 <body onload="initClock(); updatePerformanceLabelEvery(200); getHW();">
@@ -209,5 +211,26 @@ SPDX-License-Identifier: GPL-3.0-or-later
 	<h2>window.XMLHttpRequest example</h2>
 	<button onclick="runRequest();">Run XMLHttpRequest on a test URL</button>
 	<p id="placeToOutput" type="text/x-frozen-html"></p>
+	<br><br><br><hr>
+
+	<h2>Wrappers and iframes</h2>
+	<p>Iframes can be misused to evade wrappers. Prior to 0.5, jShelter limited some wrappers but not
+	all. To be fully protected, you should see <tt>[native code]</tt> as a body
+	of all displayed functions. Note that you should see the same content even if you do not use any
+	extension that modifies the calls. We want not to be distinguishable even if fully protected to
+	limit fingerprinting.</p>
+	<h3>JavaScript executed in the main page</h3>
+	<span id="iframe_result"></span>
+
+
+	<h3>JavaScript executed in a regular iframe</h3>
+	<iframe src="iframe.html" id="regular_iframe">
+	</iframe>
+	<span id="regular"></span>
+
+	<h3>JavaScript executed in a same origin iframe</h3>
+	<iframe sandbox="allow-same-origin" src="iframe.html" id="poc_iframe">
+	</iframe>
+	<span id="poc"></span>
 </body>
 </html>