From 038de3e0ddeaf9e20bb3074a270b558559927add Mon Sep 17 00:00:00 2001
From: Arthur Sonzogni
Date: Thu, 28 Oct 2021 09:33:12 -0700
Subject: [PATCH] [CSP]: Do not block same-document navigations.

A cross-origin initiated same-document navigation caused crash when blocked by CSP. Stop blocking it + WPT regression test.

This is #9 Mac crasher on M95 stable. So expect M96 (beta) cherry-pick. That's probably not enough for cherry-pick M95 (stable).

Bug: 1262203
Change-Id: Ie70f77bd9ec69ac0659321f2e8e626b2bd091126
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3247135
Commit-Queue: Arthur Sonzogni
Reviewed-by: Antonio Sartori
Cr-Commit-Position: refs/heads/main@{#935920}
---
...-origin-same-document-navigation.window.js | 45 +++++++++++++++++++
.../frame-src/support/executor.html | 11 +++++
2 files changed, 56 insertions(+)
create mode 100644 content-security-policy/frame-src/frame-src-cross-origin-same-document-navigation.window.js
create mode 100644 content-security-policy/frame-src/support/executor.html

diff --git a/content-security-policy/frame-src/frame-src-cross-origin-same-document-navigation.window.js b/content-security-policy/frame-src/frame-src-cross-origin-same-document-navigation.window.js
new file mode 100644
index 00000000000000..a03a3108b16f67
--- /dev/null
+++ b/content-security-policy/frame-src/frame-src-cross-origin-same-document-navigation.window.js
@@ -0,0 +1,45 @@
+// META: script=/common/get-host-info.sub.js
+// META: script=/common/utils.js
+// META: script=/common/dispatcher/dispatcher.js
+
+// Regression test for https://crbug.com/1262203
+//
+// A cross-origin document initiates a same-document navigation. This navigation
+// is subject to CSP:frame-src 'none', but this doesn't apply, since it's a
+// same-document navigation. This test checks this doesn't lead to a crash.
+
+promise_test(async test => {
+ const child_token = token();
+ const child = new RemoteContext(child_token);
+ const iframe = document.createElement("iframe");
+ iframe.src = get_host_info().REMOTE_ORIGIN +
+ "/content-security-policy/frame-src/support/executor.html" +
+ `?uuid=${child_token}`;
+ document.body.appendChild(iframe);
+
+ // Install a promise waiting for a same-document navigation to happen in the
+ // child.
+ await child.execute_script(() => {
+ window.sameDocumentNavigation = new Promise(resolve => {
+ window.addEventListener("popstate", resolve);
+ });
+ });
+
+ // Append a new CSP, disallowing new iframe navigations.
+ const meta = document.createElement("meta");
+ meta.httpEquiv = "Content-Security-Policy";
+ meta.content = "frame-src 'none'";
+ document.head.appendChild(meta);
+
+ document.addEventListener(
+ "securitypolicyviolation",
+ test.unreached_func("same-document navigations aren't subject to CSP"));
+
+ // Create a same-document navigation, inititated cross-origin in the iframe.
+ // It must not be blocked by the CSP above.
+ iframe.src += "#foo";
+
+ // Make sure the navigation succeeded and was indeed a same-document one:
+ await child.execute_script(() => sameDocumentNavigation);
+ assert_equals(await child.execute_script(() => location.href), iframe.src);
+})
diff --git a/content-security-policy/frame-src/support/executor.html b/content-security-policy/frame-src/support/executor.html
new file mode 100644
index 00000000000000..4ab5745905b9bd
--- /dev/null
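Review bot: The comment before `iframe.src += "#foo";` misspells "initiated" and is the natural place to say why the `securitypolicyviolation` listener is attached to the parent `document` rather than installed in the child: a frame-src violation, had the navigation been (wrongly) blocked, is reported to the embedding document, so that is the only place `unreached_func` can catch it. Suggest `// Create a same-document navigation, initiated cross-origin in the iframe.` followed by `// It must not be blocked by the CSP above; a frame-src violation would be reported to this (embedding) document, hence the listener on document.`. The assertions pin only the absence of a crash and of a violation; they do not show that the `<meta>` policy was actually in force when the fragment navigation ran, so the test would pass vacuously if policy delivery were delayed — if that is a concern, a cross-document navigation of the same iframe after the fragment step, expected to fire `securitypolicyviolation` on `document`, would anchor it. As a point of style, the URL is assembled by mixing `+` concatenation with a template literal; `new URL("/content-security-policy/frame-src/support/executor.html?uuid=" + child_token, get_host_info().REMOTE_ORIGIN).href` expresses the same value in one step.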
+++ b/content-security-policy/frame-src/support/executor.html
@@ -0,0 +1,11 @@
+
+
+