Commit 5d2fda3f authored by Antonio Sartori's avatar Antonio Sartori Committed by Chromium LUCI CQ

Inherit policy container from parent for about:srcdoc

Since the content of a srcdoc iframe is always created by its parent,
a srcdoc iframe should always inherit its policies (via the policy
container) from the parent, even if the navigation was initiated by
some other document.

Cf. also https://crbug.com/1001283

Bug: 1130587
Change-Id: If77237b663d74eaa739b2c9b8e4bbaa3b3b61360
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2586345
Commit-Queue: Antonio Sartori <antoniosartori@chromium.org>
Reviewed-by: default avatarArthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#837004}
parent 56f3f825
...@@ -1079,22 +1079,29 @@ NavigationRequest::NavigationRequest( ...@@ -1079,22 +1079,29 @@ NavigationRequest::NavigationRequest(
policy_container_host_ = std::make_unique<PolicyContainerHost>(); policy_container_host_ = std::make_unique<PolicyContainerHost>();
if (frame_entry && frame_entry->document_policies()) {
// If there is a history entry with some document policies, initialize the // If there is a history entry with some document policies, initialize the
// PolicyContainerHost with them, so that they will get applied to the // PolicyContainerHost with them, so that they will get applied to the
// document created by the navigation. // document created by the navigation.
if (frame_entry && frame_entry->document_policies()) {
policy_container_host_ = std::make_unique<PolicyContainerHost>( policy_container_host_ = std::make_unique<PolicyContainerHost>(
*frame_entry->document_policies()); *frame_entry->document_policies());
} else if (common_params_->url.IsAboutSrcdoc()) {
// Srcdoc iframes inherit their policies from their parent.
// If there is no parent, the navigation will be blocked in BeginNavigation.
if (frame_tree_node_->parent()) {
policy_container_host_ =
frame_tree_node_->parent()->policy_container_host()->Clone();
}
} else if (common_params_->url.SchemeIs(url::kAboutScheme) ||
common_params_->url.SchemeIs(url::kDataScheme) ||
common_params_->url.SchemeIs(url::kBlobScheme) ||
common_params_->url.SchemeIs(url::kFileSystemScheme)) {
// Local schemes inherit the policy container from the initiator. // Local schemes inherit the policy container from the initiator.
// //
// TODO(antoniosartori): Fill up the PolicyContainerHost and/or replace it // TODO(antoniosartori): Fill up the PolicyContainerHost and/or replace it
// with a new one whenever needed (e.g. blob: or filesystem: URLs should get // with a new one whenever needed (e.g. blob: or filesystem: URLs should get
// the policy container from the document which created them and not from // the policy container from the document which created them and not from
// the initiator of the navigation). // the initiator of the navigation).
} else if (common_params_->url.SchemeIs(url::kAboutScheme) ||
common_params_->url.SchemeIs(url::kDataScheme) ||
common_params_->url.SchemeIs(url::kBlobScheme) ||
common_params_->url.SchemeIs(url::kFileSystemScheme)) {
if (initiator_frame_token_) { if (initiator_frame_token_) {
RenderFrameHostImpl* initiator_rfh = RenderFrameHostImpl::FromFrameToken( RenderFrameHostImpl* initiator_rfh = RenderFrameHostImpl::FromFrameToken(
initiator_process_id_, initiator_frame_token_.value()); initiator_process_id_, initiator_frame_token_.value());
......
...@@ -9,19 +9,38 @@ ...@@ -9,19 +9,38 @@
<script src="resources/make-html-script.js"></script> <script src="resources/make-html-script.js"></script>
<meta name="referrer" content="origin"> <meta name="referrer" content="origin">
</head> </head>
<body onload="runTest()"> <body>
<h1>Referrer Policy: iframes srcdoc correctly inherit the ancestor's referrer policy</h1> <h1>Referrer Policy: iframes srcdoc correctly inherit the ancestor's referrer policy</h1>
<script> <script>
var test = async_test("iframes srcdoc correctly inherit the ancestor's referrer policy"); let reportedReferrer = () => {
window.addEventListener("message", test.step_func_done(msg => { return new Promise(resolve => {
assert_equals(msg.data.referrer, self.origin + "/"); window.addEventListener("message", msg => resolve(msg.data.referrer));
})); });
};
function runTest() { const iframe = document.createElement("iframe");
var iframe = document.createElement("iframe");
iframe.srcdoc = createScriptString(get_host_info().REMOTE_ORIGIN); promise_test(async t => {
let referrer = reportedReferrer();
iframe.srcdoc = createScriptString(get_host_info().REMOTE_ORIGIN,
location.origin + "/custom");
document.body.appendChild(iframe); document.body.appendChild(iframe);
} assert_equals(await referrer, self.origin + "/");
}, "Srcdoc iframe inherits referrer policy from parent on creation.");
promise_test(async t => {
let referrer = reportedReferrer();
// We navigate the iframe to a page that will set referrer
// policy to 'unsafe-url' and then navigate to about:srcdoc.
iframe.contentWindow.location = 'resources/referrer-policy-unsafe-url-navigate-to-srcdoc.html';
// Despite the navigation was initiated by a document with
// referrer policy 'unsafe-url', the srcdoc iframe should
// still inherit the referrer policy from its parent, and
// not the navigation's initiator.
assert_equals(await referrer, self.origin + "/");
}, "Even after a navigation from another initiator, srcdoc iframe still inherits referrer policy from the parent.");
</script> </script>
<div id="log"></div> <div id="log"></div>
</body> </body>
......
<!DOCTYPE html>
<html>
<head>
<meta name="referrer" content="unsafe-url">
</head>
<body>
<script>
window.location = "about:srcdoc";
</script>
</body>
</html>
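Review bot: This fixture does not say why it declares `unsafe-url` and then navigates itself to about:srcdoc, so a reader opening it in isolation cannot tell that its only job is to make a document other than the parent initiate the srcdoc navigation. A comment at the top of `<body>` would carry that: `<!-- Declares the most permissive referrer policy and then navigates this frame to about:srcdoc. The parent test expects the resulting srcdoc document to inherit the parent's referrer policy, not this initiator's. -->`. The section's file header is not shown here; judging from the parent test's `iframe.contentWindow.location` line this is presumably resources/referrer-policy-unsafe-url-navigate-to-srcdoc.html.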