test(sut): hidden cross-origin iframe fixture for A11y Engine P1#49
Open
chikara1608 wants to merge 1 commit into
Open
test(sut): hidden cross-origin iframe fixture for A11y Engine P1#49chikara1608 wants to merge 1 commit into
chikara1608 wants to merge 1 commit into
Conversation
Adds pages/sut/ui/cross-origin-iframes.jsx under the existing unlinked SUT fixture area. Embeds two genuinely cross-origin iframes (our A11y demo page on browserstack.github.io + www.qualified.com as an "ad" slot) so the A11y Engine P1 suites can verify in-iframe violation capture with the flag ON. Not linked from any existing page; reachable only via the direct path /sut/ui/cross-origin-iframes. Intentionally not gated behind sutSessionId (sibling SUT pages redirect to /sut/login) so the scanner can render the iframes without a session. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
chikara1608
marked this pull request as ready for review
July 17, 2026 12:21
sunny-se
approved these changes
Jul 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a hidden cross-origin iframe fixture page for the A11y Engine P1 suites (WA P1 + AUT sanity). With the cross-origin iframe capture flag ON, the engine must surface accessibility violations that live inside cross-origin iframes — this page is the team-owned target it scans.
New file:
pages/sut/ui/cross-origin-iframes.jsx, served at/sut/ui/cross-origin-iframes.Why here
Placed in the existing unlinked SUT fixture area (
pages/sut/ui/, alongsidehigh-lcp,zero-cls, etc.). It is:<meta name="robots" content="noindex, nofollow">.No existing customer-facing page or asset is modified — this is purely additive.
What it renders
A normal-looking page with two genuinely cross-origin iframes (both cross-origin to
bstackdemo.com):https://browserstack.github.io/bs-a11y-checks/all/index.html— our A11y demo page; the deterministic source of in-iframe violations the P1 assertion is baselined against.https://www.qualified.com/— a third-party "ad" slot, to prove capture works across an unrelated external origin too.Intentional deviation
Unlike the sibling
/sut/ui/*pages, this fixture is not gated behind thesutSessionIdcookie. Those pages redirect to/sut/loginwhen there's no session; the A11y scanner has no session, so a gate would stop it before the iframes render. Documented inline.How tested
ReactDOMServer): produces valid markup with exactly two iframes, correctid/srcon each, plus thenoindexmeta. JSX transpiles cleanly.X-Frame-Options/ CSPframe-ancestors).yarn devnot run locally — the repo pins Node 12 (node-sassnative build fails on this machine's Node 18); the fixture is a pure static component with no data/hooks, so isolated render is sufficient.www.qualified.comis a live third-party site — the violation count its iframe contributes will drift over time, and it could add framing restrictions at any point (going blank). The consuming P1 assertion should scope to the primary iframe + parent, or accept periodic re-baselining. Flagged in the companionBStackAutomationPR.🤖 Generated with Claude Code