forked from web-platform-tests/wpt
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[CSP]: Do not block same-document navigations.
A cross-origin initiated same-document navigation caused crash when blocked by CSP. Stop blocking it + WPT regression test. This is web-platform-tests#9 Mac crasher on M95 stable. So expect M96 (beta) cherry-pick. That's probably not enough for cherry-pick M95 (stable). Bug: 1262203 Change-Id: Ie70f77bd9ec69ac0659321f2e8e626b2bd091126 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3247135 Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/main@{#935920}
- Loading branch information
1 parent
f5123ee
commit afacd0b
Showing
2 changed files
with
56 additions
and
0 deletions.
There are no files selected for viewing
45 changes: 45 additions & 0 deletions
45
content-security-policy/frame-src/frame-src-cross-origin-same-document-navigation.window.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
// META: script=/common/get-host-info.sub.js | ||
// META: script=/common/utils.js | ||
// META: script=/common/dispatcher/dispatcher.js | ||
|
||
// Regression test for https://crbug.com/1262203 | ||
// | ||
// A cross-origin document initiates a same-document navigation. This navigation | ||
// is subject to CSP:frame-src 'none', but this doesn't apply, since it's a | ||
// same-document navigation. This test checks this doesn't lead to a crash. | ||
|
||
promise_test(async test => { | ||
const child_token = token(); | ||
const child = new RemoteContext(child_token); | ||
const iframe = document.createElement("iframe"); | ||
iframe.src = get_host_info().REMOTE_ORIGIN + | ||
"/content-security-policy/frame-src/support/executor.html" + | ||
`?uuid=${child_token}`; | ||
document.body.appendChild(iframe); | ||
|
||
// Install a promise waiting for a same-document navigation to happen in the | ||
// child. | ||
await child.execute_script(() => { | ||
window.sameDocumentNavigation = new Promise(resolve => { | ||
window.addEventListener("popstate", resolve); | ||
}); | ||
}); | ||
|
||
// Append a new CSP, disallowing new iframe navigations. | ||
const meta = document.createElement("meta"); | ||
meta.httpEquiv = "Content-Security-Policy"; | ||
meta.content = "frame-src 'none'"; | ||
document.head.appendChild(meta); | ||
|
||
document.addEventListener( | ||
"securitypolicyviolation", | ||
test.unreached_func("same-document navigations aren't subject to CSP")); | ||
|
||
// Create a same-document navigation, inititated cross-origin in the iframe. | ||
// It must not be blocked by the CSP above. | ||
iframe.src += "#foo"; | ||
|
||
// Make sure the navigation succeeded and was indeed a same-document one: | ||
await child.execute_script(() => sameDocumentNavigation); | ||
assert_equals(await child.execute_script(() => location.href), iframe.src); | ||
}) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
<!-- | ||
TODO(arthursonzogni) Consider deduplicating all these helper files to | ||
/common/dispatcher/ | ||
--> | ||
<script src="/common/dispatcher/dispatcher.js"></script> | ||
<script> | ||
const params = new URLSearchParams(window.location.search); | ||
const uuid = params.get("uuid"); | ||
const executor = new Executor(uuid); | ||
executor.execute(); | ||
</script> |