From afacd0b86dbaef437d8ed9af99106109c5a37e83 Mon Sep 17 00:00:00 2001 From: Arthur Sonzogni Date: Thu, 28 Oct 2021 09:33:12 -0700 Subject: [PATCH] [CSP]: Do not block same-document navigations. A cross-origin initiated same-document navigation caused crash when blocked by CSP. Stop blocking it + WPT regression test. This is #9 Mac crasher on M95 stable. So expect M96 (beta) cherry-pick. That's probably not enough for cherry-pick M95 (stable). Bug: 1262203 Change-Id: Ie70f77bd9ec69ac0659321f2e8e626b2bd091126 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3247135 Commit-Queue: Arthur Sonzogni Reviewed-by: Antonio Sartori Cr-Commit-Position: refs/heads/main@{#935920} --- ...-origin-same-document-navigation.window.js | 45 +++++++++++++++++++ .../frame-src/support/executor.html | 11 +++++ 2 files changed, 56 insertions(+) create mode 100644 content-security-policy/frame-src/frame-src-cross-origin-same-document-navigation.window.js create mode 100644 content-security-policy/frame-src/support/executor.html diff --git a/content-security-policy/frame-src/frame-src-cross-origin-same-document-navigation.window.js b/content-security-policy/frame-src/frame-src-cross-origin-same-document-navigation.window.js new file mode 100644 index 000000000000000..a03a3108b16f67e --- /dev/null +++ b/content-security-policy/frame-src/frame-src-cross-origin-same-document-navigation.window.js @@ -0,0 +1,45 @@ +// META: script=/common/get-host-info.sub.js +// META: script=/common/utils.js +// META: script=/common/dispatcher/dispatcher.js + +// Regression test for https://crbug.com/1262203 +// +// A cross-origin document initiates a same-document navigation. This navigation +// is subject to CSP:frame-src 'none', but this doesn't apply, since it's a +// same-document navigation. This test checks this doesn't lead to a crash. + +promise_test(async test => { + const child_token = token(); + const child = new RemoteContext(child_token); + const iframe = document.createElement("iframe"); + iframe.src = get_host_info().REMOTE_ORIGIN + + "/content-security-policy/frame-src/support/executor.html" + + `?uuid=${child_token}`; + document.body.appendChild(iframe); + + // Install a promise waiting for a same-document navigation to happen in the + // child. + await child.execute_script(() => { + window.sameDocumentNavigation = new Promise(resolve => { + window.addEventListener("popstate", resolve); + }); + }); + + // Append a new CSP, disallowing new iframe navigations. + const meta = document.createElement("meta"); + meta.httpEquiv = "Content-Security-Policy"; + meta.content = "frame-src 'none'"; + document.head.appendChild(meta); + + document.addEventListener( + "securitypolicyviolation", + test.unreached_func("same-document navigations aren't subject to CSP")); + + // Create a same-document navigation, inititated cross-origin in the iframe. + // It must not be blocked by the CSP above. + iframe.src += "#foo"; + + // Make sure the navigation succeeded and was indeed a same-document one: + await child.execute_script(() => sameDocumentNavigation); + assert_equals(await child.execute_script(() => location.href), iframe.src); +}) diff --git a/content-security-policy/frame-src/support/executor.html b/content-security-policy/frame-src/support/executor.html new file mode 100644 index 000000000000000..4ab5745905b9bd5 --- /dev/null +++ b/content-security-policy/frame-src/support/executor.html @@ -0,0 +1,11 @@ + + +