Skip to content

test(sut): hidden cross-origin iframe fixture for A11y Engine P1#49

Open
chikara1608 wants to merge 1 commit into
masterfrom
feat/cross-origin-iframe-p1
Open

test(sut): hidden cross-origin iframe fixture for A11y Engine P1#49
chikara1608 wants to merge 1 commit into
masterfrom
feat/cross-origin-iframe-p1

Conversation

@chikara1608

Copy link
Copy Markdown
Collaborator

Summary

Adds a hidden cross-origin iframe fixture page for the A11y Engine P1 suites (WA P1 + AUT sanity). With the cross-origin iframe capture flag ON, the engine must surface accessibility violations that live inside cross-origin iframes — this page is the team-owned target it scans.

New file: pages/sut/ui/cross-origin-iframes.jsx, served at /sut/ui/cross-origin-iframes.

Why here

Placed in the existing unlinked SUT fixture area (pages/sut/ui/, alongside high-lcp, zero-cls, etc.). It is:

  • Not linked from any existing page, nav, or sitemap (there is no sitemap).
  • Marked <meta name="robots" content="noindex, nofollow">.
  • Reachable only by knowing the direct path.

No existing customer-facing page or asset is modified — this is purely additive.

What it renders

A normal-looking page with two genuinely cross-origin iframes (both cross-origin to bstackdemo.com):

  1. https://browserstack.github.io/bs-a11y-checks/all/index.html — our A11y demo page; the deterministic source of in-iframe violations the P1 assertion is baselined against.
  2. https://www.qualified.com/ — a third-party "ad" slot, to prove capture works across an unrelated external origin too.

Intentional deviation

Unlike the sibling /sut/ui/* pages, this fixture is not gated behind the sutSessionId cookie. Those pages redirect to /sut/login when there's no session; the A11y scanner has no session, so a gate would stop it before the iframes render. Documented inline.

How tested

  • Component server-rendered in isolation (esbuild JSX transform + ReactDOMServer): produces valid markup with exactly two iframes, correct id/src on each, plus the noindex meta. JSX transpiles cleanly.
  • Verified both iframe targets are frameable (neither sends X-Frame-Options / CSP frame-ancestors).
  • Full yarn dev not run locally — the repo pins Node 12 (node-sass native build fails on this machine's Node 18); the fixture is a pure static component with no data/hooks, so isolated render is sufficient.

⚠️ Note for reviewers

www.qualified.com is a live third-party site — the violation count its iframe contributes will drift over time, and it could add framing restrictions at any point (going blank). The consuming P1 assertion should scope to the primary iframe + parent, or accept periodic re-baselining. Flagged in the companion BStackAutomation PR.

Companion PRs (land together): BStackAutomation (P1 wiring), bstackautomation-helper (expected-violation constants), browserstack-cd (Jenkins sanity matrix).

🤖 Generated with Claude Code

Adds pages/sut/ui/cross-origin-iframes.jsx under the existing unlinked SUT
fixture area. Embeds two genuinely cross-origin iframes (our A11y demo page
on browserstack.github.io + www.qualified.com as an "ad" slot) so the A11y
Engine P1 suites can verify in-iframe violation capture with the flag ON.

Not linked from any existing page; reachable only via the direct path
/sut/ui/cross-origin-iframes. Intentionally not gated behind sutSessionId
(sibling SUT pages redirect to /sut/login) so the scanner can render the
iframes without a session.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
@chikara1608
chikara1608 marked this pull request as ready for review July 17, 2026 12:21
@chikara1608
chikara1608 requested a review from a team as a code owner July 17, 2026 12:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants