From bbbaff652e2bec67f4d80b4d4c5f337d304bf4fa Mon Sep 17 00:00:00 2001 From: Arjun Chikara Date: Fri, 17 Jul 2026 17:32:40 +0530 Subject: [PATCH] test(sut): add hidden cross-origin iframe fixture for A11y Engine P1 Adds pages/sut/ui/cross-origin-iframes.jsx under the existing unlinked SUT fixture area. Embeds two genuinely cross-origin iframes (our A11y demo page on browserstack.github.io + www.qualified.com as an "ad" slot) so the A11y Engine P1 suites can verify in-iframe violation capture with the flag ON. Not linked from any existing page; reachable only via the direct path /sut/ui/cross-origin-iframes. Intentionally not gated behind sutSessionId (sibling SUT pages redirect to /sut/login) so the scanner can render the iframes without a session. Co-Authored-By: Claude Opus 4.8 (1M context) --- pages/sut/ui/cross-origin-iframes.jsx | 93 +++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) create mode 100644 pages/sut/ui/cross-origin-iframes.jsx diff --git a/pages/sut/ui/cross-origin-iframes.jsx b/pages/sut/ui/cross-origin-iframes.jsx new file mode 100644 index 0000000..6937630 --- /dev/null +++ b/pages/sut/ui/cross-origin-iframes.jsx @@ -0,0 +1,93 @@ +import Head from 'next/head'; + +/** + * SUT fixture: cross-origin iframe capture. + * + * Hidden test page (not linked from anywhere in the app) used by the A11y Engine + * P1 sanity/WA suites to verify that, with the cross-origin iframe capture flag + * ON, the engine surfaces accessibility violations that live inside cross-origin + * iframes. Reachable only by direct path: /sut/ui/cross-origin-iframes + * + * NOTE: unlike the sibling /sut/ui/* pages this fixture is intentionally NOT + * gated behind the sutSessionId cookie. The A11y scanner loads it with no + * session, so an auth redirect would stop it before the iframes ever render. + * + * Iframes (both genuinely cross-origin to bstackdemo.com): + * 1. Our A11y demo page (browserstack.github.io) - the deterministic source of + * in-iframe violations the assertion is baselined against. + * 2. https://www.qualified.com/ - stands in as a third-party "ad" slot to prove + * capture works across an unrelated external origin too. + */ +export default function CrossOriginIframes() { + return ( + <> + + Cross-Origin Iframe Fixture - SUT + + + +
+
+

StackDemo Partner Showcase

+

+ A sample page that embeds partner content from other origins. Used to + exercise accessibility scanning across cross-origin iframe boundaries. +

+
+ +
+

Accessibility demo content

+