test-website-a.pages.dev/local-frames/ — 7 tests — ← All tests
Tests whether a secure HTTPS image loads correctly inside about:blank iframes. This is the secure counterpart to the mixed content test — since the image is loaded over HTTPS, no mixed content blocking should occur.
local-frame-secure-content/Compares geolocation and camera permission-gated API outcomes between the top-level page and an about:blank iframe to detect inconsistent permission handling.
local-frame-permissions/Compares local-network fetch probes from the top-level page and an about:blank iframe using separate buttons to detect whether the frame gets broader local-network reachability than its parent.
local-frame-network-scan/Tests whether mixed content blocking (HTTP image on an HTTPS page) applies correctly inside about:blank iframes. Vulnerable browsers may skip the check when the frame URL is about:blank instead of the inherited HTTPS origin.
local-frame-mixed-content/Definitively checks whether a local (srcdoc) iframe can run JavaScript. The frame's inline document defaults to JS disabled and an inline script flips it to enabled if it runs, on load and independent of the top-level page. If disabling JS at the top level does not also disable it in the frame, the frame still reports enabled.
local-frame-js-run/Tests whether blocking cookies for the top-level page also blocks cookie writes inside a same-origin about:blank iframe. A vulnerable browser may let the frame keep setting cookies after the top-level page cannot.
local-frame-cookies/Tests whether content-filtering rules apply inside about:blank iframes. These frames inherit the parent's security origin, but vulnerable browsers check window.location.href instead, allowing first-party filter rules to be bypassed (brave-browser#40649).
local-frame-content-filtering/