[CSP]: Do not block same-document navigations.
A cross-origin initiated same-document navigation caused a crash when
blocked by CSP.

Stop blocking it + WPT regression test.

This is the #9 Mac crasher on M95 stable. So expect an M96 (beta) cherry-pick.
That's probably not enough for a cherry-pick to M95 (stable).

Bug: 1262203
Change-Id: Ie70f77bd9ec69ac0659321f2e8e626b2bd091126
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3247135
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Antonio Sartori <antoniosartori@chromium.org>
Cr-Commit-Position: refs/heads/main@{#935920}
ArthurSonzogni authored and chromium-wpt-export-bot committed Oct 28, 2021
1 parent e7cc1ae commit 038de3e
Showing 2 changed files with 56 additions and 0 deletions.
@@ -0,0 +1,45 @@
// META: script=/common/get-host-info.sub.js
// META: script=/common/utils.js
// META: script=/common/dispatcher/dispatcher.js

// Regression test for https://crbug.com/1262203
//
// A cross-origin document initiates a same-document navigation. This navigation
// is subject to CSP:frame-src 'none', but this doesn't apply, since it's a
// same-document navigation. This test checks this doesn't lead to a crash.

promise_test(async test => {
const child_token = token();
const child = new RemoteContext(child_token);
const iframe = document.createElement("iframe");
iframe.src = get_host_info().REMOTE_ORIGIN +
"/content-security-policy/frame-src/support/executor.html" +
`?uuid=${child_token}`;
document.body.appendChild(iframe);

// Install a promise waiting for a same-document navigation to happen in the
// child.
await child.execute_script(() => {
window.sameDocumentNavigation = new Promise(resolve => {
window.addEventListener("popstate", resolve);
});
});

// Append a new CSP, disallowing new iframe navigations.
const meta = document.createElement("meta");
meta.httpEquiv = "Content-Security-Policy";
meta.content = "frame-src 'none'";
document.head.appendChild(meta);

document.addEventListener(
"securitypolicyviolation",
test.unreached_func("same-document navigations aren't subject to CSP"));

// Create a same-document navigation, inititated cross-origin in the iframe.
// It must not be blocked by the CSP above.
iframe.src += "#foo";

// Make sure the navigation succeeded and was indeed a same-document one:
await child.execute_script(() => sameDocumentNavigation);
assert_equals(await child.execute_script(() => location.href), iframe.src);
})
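Review bot: the `promise_test(async test => { ... })` in this hunk has no description string, so the result will be reported under the file name only; give it a name, for instance the sentence already used in the comment ("same-document navigations aren't subject to CSP"). Also worth noting for anyone reading the failure mode: if a regression did block the fragment navigation, `await child.execute_script(() => sameDocumentNavigation)` would never resolve and the test would fail by harness timeout rather than through the `unreached_func` listener (the `frame-src` violation would be reported on the parent document, so the listener is on the right document, but a blocked navigation simply never fires `popstate` in the child). A `step_timeout`-based bail-out would turn that into a clean assertion failure. Minor: "inititated" in the comment above `iframe.src += "#foo"`.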
11 changes: 11 additions & 0 deletions content-security-policy/frame-src/support/executor.html
@@ -0,0 +1,11 @@
<!--
TODO(arthursonzogni) Consider deduplicating all these helper files to
/common/dispatcher/
-->
<script src="/common/dispatcher/dispatcher.js"></script>
<script>
const params = new URLSearchParams(window.location.search);
const uuid = params.get("uuid");
const executor = new Executor(uuid);
executor.execute();
</script>
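Review bot: the TODO at the top of the file acknowledges that this is one more copy of an executor helper; since the change already depends on `/common/dispatcher/dispatcher.js`, consider landing a shared executor page under `/common/dispatcher/` in this CL instead of adding another per-directory copy to deduplicate later. Two small points while the file is being created: add `<!DOCTYPE html>` so the page renders in standards mode, and guard against `params.get("uuid")` returning `null` (a missing `?uuid=` query would silently construct an `Executor` with no token rather than failing loudly).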
