COOP: test COOP popup from a CSP-sandboxed popup #21111
It'd be interesting to also navigate the CSP popup to a COOP document as that should work (since it's the document that's sandboxed and not the browsing context).
<script> | ||
const params = new URL(location).searchParams; | ||
params.delete("sandbox"); | ||
window.open(`${get_host_info().HTTPS_ORIGIN}/html/cross-origin-opener-policy/resources/coop-coep.py?${params}`) |
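Review bot: the `params.delete("sandbox")` line strips only that one key before the `window.open(...)` call forwards every remaining query parameter to coop-coep.py, and nothing here says which parameters the resource expects or why `sandbox` must not reach it; a one-line comment above the delete would document that. The `window.open(...)` statement also drops the trailing semicolon used on the two lines before it.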
Is this meant to be the same origin?
Hmm, yes, but I realize now that get_host_info isn't needed, it can just be a relative URL instead.
Thanks for that comment, it helped clarify a doubt in Chromium's implementation: https://crrev.com/c/1995268/3/content/browser/cross_origin_opener_policy_browsertest.cc Hence, I think adding this test is a good idea!
28ac7a4 to 1fc0b75
Similarly to #20873 (comment), changing
t.step_timeout(() => { | ||
assert_unreached('Navigation from CSP sandbox to COOP document failed') | ||
}, 1500); | ||
})); |
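Review bot: the `assert_unreached(...)` call inside the `t.step_timeout` callback is the only outcome visible in these lines, so a failure is reported as a 1500 ms timeout with no indication of which signal never arrived; consider naming the expected event in the message and adding a comment on why 1500 was chosen. The `assert_unreached(...)` statement is also missing its trailing semicolon.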
Since you have a reference to the popup and it won't be replaced, can't you assert something about the popup? That it's not closed and that its document is no longer same-origin? I guess that doesn't work for the case where allow-same-origin isn't set.
But closed should be true after the navigation? The CSP sandbox doesn't have COOP, and then when navigating to the COOP document the browsing context is swapped.
The "is no longer same origin" is interesting. Should it not be same-origin for any of these 2 cases?
I misread the test.
This looks good at a high level, but seems like it still needs conflicts resolved.
I added a same-origin check, and have different results between Firefox and Chrome:
I'm not sure what is right. Should the popup after navigation (which causes a BC swap) not be same-origin with the opener?
Co-Authored-By: Anne van Kesteren <annevk@annevk.nl>
a54b24b to b2db19d
Looking at
@annevk thank you for explaining that, I had misremembered how Window/WindowProxy works on navigation.
Will you file a bug against Chrome? It seems they made a mistake somewhere (or you/I analyzed incorrectly).
I'll admin-merge this, see #21111 (comment)
Part of #18354.