Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[COOP] Fix noopener not being applied to same-origin-plus-coep cases
COOP requires that when a frame opens a popup, if that frame is cross-origin with its top frame, and its top frame COOP value is same-origin, that popup should be opened with noopener. This fixes the case where we have COOP: same-origin plus COEP: require-corp, in which case COOP.value will be same-origin-plus-coep. This fix also corrects the sandbox crash reported initially in the linked bug. Indeed sandboxed iframes have an opaque origin, and are therefore cross origin with their top frame. Applying noopener ensures the initial empty document is not cross origin isolated, which was the root cause of the crash (before this, the initial empty document had coop:unsafe-none, but was cross origin isolated) Bug: 1181673 Fixed: 1181673 Change-Id: Iaef658778ac25da0c84763b6115ff40c105e618a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2712945 Commit-Queue: Pâris Meuleman <pmeuleman@chromium.org> Auto-Submit: Pâris Meuleman <pmeuleman@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Arthur Hemery <ahemery@chromium.org> Cr-Commit-Position: refs/heads/master@{#858605}
- Loading branch information
1 parent
b39c5bb
commit 727b4fd
Showing
4 changed files
with
123 additions
and
45 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
59 changes: 59 additions & 0 deletions
59
...blink/web_tests/external/wpt/html/cross-origin-opener-policy/coop-coep-sandbox.https.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
<!doctype html> | ||
<title>Sandboxed Cross-Origin-Opener-Policy popup should result in a network error</title> | ||
<script src=/resources/testharness.js></script> | ||
<script src=/resources/testharnessreport.js></script> | ||
<script src="/common/utils.js"></script> <!-- Use token() to allow running tests in parallel --> | ||
<div id=log> | ||
<script> | ||
[ | ||
"allow-popups allow-scripts allow-same-origin", | ||
"allow-popups allow-scripts", | ||
].forEach(sandboxValue => { | ||
async_test(t => { | ||
const frame = document.createElement("iframe"); | ||
const channel = new BroadcastChannel(token()); | ||
channel.onmessage = t.unreached_func("A COOP popup was created from a sandboxed frame"); | ||
t.add_cleanup(() => frame.remove()); | ||
frame.sandbox = sandboxValue; | ||
frame.srcdoc = `<script> | ||
const popup = window.open("resources/coop-coep.py?coop=same-origin&coep=&channel=${channel.name}"); | ||
<\/script>`; | ||
document.body.append(frame); | ||
addEventListener('load', t.step_func(() => { | ||
// This uses a timeout to give some time for incorrect implementations to broadcast. A | ||
// theoretical testdriver.js API for browsing contexts could be used to speed this up. | ||
t.step_timeout(() => { | ||
t.done() | ||
}, 1500); | ||
})); | ||
}, `<iframe sandbox="${sandboxValue}"> ${document.title}`); | ||
}); | ||
|
||
// Verify that the popup does not have sandboxing flags set | ||
async_test(t => { | ||
const frame = document.createElement("iframe"); | ||
const channel = new BroadcastChannel(token()); | ||
channel.onmessage = t.step_func_done(); | ||
t.add_cleanup(() => frame.remove()); | ||
frame.sandbox = "allow-popups allow-scripts allow-popups-to-escape-sandbox"; | ||
frame.srcdoc = `<script> | ||
window.open("resources/coop-coep.py?coop=same-origin&coep=require-corp&channel=${channel.name}"); | ||
<\/script>`; | ||
document.body.append(frame); | ||
}, `<iframe sandbox="allow-popups allow-scripts allow-popups-to-escape-sandbox"> ${document.title}`); | ||
|
||
async_test(t => { | ||
const frame = document.createElement("iframe"); | ||
const channel = new BroadcastChannel(token()); | ||
frame.sandbox = "allow-scripts allow-same-origin"; | ||
frame.name = `iframe-${channel.name}`; | ||
frame.src = `resources/coop-coep.py?coop=same-origin&coep=require-corp&channel=${channel.name}`; | ||
channel.onmessage = t.step_func( event => { | ||
const payload = event.data; | ||
assert_equals(payload.name, frame.name, "name"); | ||
t.done(); | ||
}); | ||
t.add_cleanup(() => frame.remove()); | ||
document.body.append(frame); | ||
}, `Iframe with sandbox and COOP must load.`); | ||
</script> |
2 changes: 2 additions & 0 deletions
2
...b_tests/external/wpt/html/cross-origin-opener-policy/coop-coep-sandbox.https.html.headers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
Cross-Origin-Opener-Policy: same-origin | ||
Cross-Origin-Embedder-Policy: require-corp |