← All tests

What this tests

The frame below is a local iframe whose document is embedded inline via srcdoc. That document contains:

  1. A line that reads “JavaScript is DISABLED in this frame” by default.
  2. An inline <script> that, if it runs, rewrites that line to “JavaScript is ENABLED in this frame”.

The detector is part of the frame itself, so it runs on load with no help from the top-level page. Whatever the frame shows is the definitive answer: the wording only changes if the frame’s own script actually executed. No network request and no arithmetic proxy is involved.

Because this iframe document is local to the embedding page, a browser’s script-blocking policy should apply equally to both contexts.

To test: load this page with JavaScript enabled and confirm the frame reports ENABLED. Then disable JavaScript for this page and reload. If the frame still reports ENABLED with JS disabled, the browser’s JS policy is not correctly propagated to local iframe documents.

Frame output

The detector runs automatically when the frame loads.

Reloads the frame so the detector runs again.

Expected results

Scenario Frame output Verdict
JS enabled JavaScript is ENABLED in this frame Expected — JS runs in frame
JS disabled (protected) JavaScript is DISABLED in this frame Pass — JS policy propagates to iframe document
JS disabled (vulnerable) JavaScript is ENABLED in this frame Fail — frame JS runs despite top-level JS being off