Pass NavigationDownloadPolicy in CreateNewWindowParams

When opening popups with noopener, navigations are performed directly by the CreateNewWindow mojo call. This mojo call was not sending the NavigationDownloadPolicy parameter, allowing in this way to bypass sandbox for download. Bug: 1100761 Change-Id: I4f212738f8145460fb0bb3c420020c6cdbfa5551 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3033504 Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Yao Xiao <yaoxia@chromium.org> Cr-Commit-Position: refs/heads/main@{#915500}
web-platform-tests · Aug 26, 2021 · 00829b4 · 00829b4
1 parent 26cc928
commit 00829b4
Show file tree

Hide file tree

Showing 6 changed files with 179 additions and 81 deletions.
diff --git a/...tent/the-iframe-element/iframe_sandbox_anchor_download_allow_downloads.sub.tentative.html b/...tent/the-iframe-element/iframe_sandbox_anchor_download_allow_downloads.sub.tentative.html
diff --git a/...-content/the-iframe-element/iframe_sandbox_anchor_download_allow_downloads.tentative.html b/...-content/the-iframe-element/iframe_sandbox_anchor_download_allow_downloads.tentative.html
@@ -0,0 +1,48 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>&lt;a download&gt; triggered download in sandbox is allowed by allow-downloads.</title>
+<link rel="help" href="https://html.spec.whatwg.org/multipage/#attr-iframe-sandbox">
+<link rel="help" href="https://html.spec.whatwg.org/multipage/#the-iframe-element">
+<script src="/common/utils.js"></script>
+<script src="/resources/testharness.js"></script>
+<script src='/resources/testharnessreport.js'></script>
+<script src="support/iframe_sandbox_download_helper.js"></script>
+<body>
+<script>
+"use strict";
+
+const attributes_list = [
+  '',
+  'target="_blank"',
+  'target="_blank" rel="noopener"',
+];
+
+const download_flags = [false, true];
+
+attributes_list.forEach(attributes =>
+  download_flags.forEach(download_flag =>
+    async_test(t => {
+      const download_token = token();
+      let iframe = document.createElement("iframe");
+      iframe.srcdoc = `<a ${attributes}>Download</a>`;
+      iframe.sandbox = "allow-same-origin allow-popups allow-downloads";
+      iframe.addEventListener('load', t.step_func(function () {
+        if (attributes !== '' || download_flag) {
+          // Specifiying `download` or a `target` should not trigger a
+          // navigation in this iframe.
+          iframe.contentWindow.addEventListener(
+            "unload", t.unreached_func("Unexpected navigation."));
+        }
+        let anchor = iframe.contentDocument.getElementsByTagName('a')[0];
+        anchor.href = "support/download_stash.py?token=" + download_token;
+        if (download_flag) anchor.download = null;
+        anchor.click();
+        AssertDownloadSuccess(t, download_token, DownloadVerifyDelay());
+      }), { once: true });
+
+      document.body.appendChild(iframe);
+    }, `<a ${attributes} ${download_flag ? "download" : ""}> triggered ` +
+               `download in sandbox is allowed by allow-downloads.`)));
+
+</script>
+</body>
diff --git a/...tent/the-iframe-element/iframe_sandbox_anchor_download_block_downloads.sub.tentative.html b/...tent/the-iframe-element/iframe_sandbox_anchor_download_block_downloads.sub.tentative.html
diff --git a/...-content/the-iframe-element/iframe_sandbox_anchor_download_block_downloads.tentative.html b/...-content/the-iframe-element/iframe_sandbox_anchor_download_block_downloads.tentative.html
@@ -0,0 +1,73 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>&lt;a download&gt; triggered download in sandbox is blocked.</title>
+<link rel="help" href="https://html.spec.whatwg.org/multipage/#attr-iframe-sandbox">
+<link rel="help" href="https://html.spec.whatwg.org/multipage/#the-iframe-element">
+<script src="/common/utils.js"></script>
+<script src="/resources/testharness.js"></script>
+<script src='/resources/testharnessreport.js'></script>
+<script src="support/iframe_sandbox_download_helper.js"></script>
+<body>
+<script>
+"use strict";
+
+async_test(t => {
+  const download_token = token();
+    var iframe = document.createElement("iframe");
+    iframe.srcdoc = "<a>Download</a>";
+    iframe.sandbox = "allow-same-origin";
+    iframe.onload = t.step_func(function () {
+      iframe.contentWindow.addEventListener(
+        "unload", t.unreached_func("Unexpected navigation."));
+      let anchor = iframe.contentDocument.getElementsByTagName('a')[0];
+      anchor.href = `support/download_stash.py?token=${download_token}` +
+        `&finish-delay=${StreamDownloadFinishDelay()}`;
+      anchor.download = null;
+      anchor.click();
+      AssertDownloadFailure(t, download_token, StreamDownloadFinishDelay() +
+                            DownloadVerifyDelay());
+    });
+
+  document.body.appendChild(iframe);
+}, "<a download> triggered download in sandbox is blocked.");
+
+async_test(t => {
+  const download_token = token();
+  let iframe = document.createElement("iframe");
+  iframe.srcdoc = '<a>Download</a>';
+  iframe.sandbox = "allow-same-origin";
+  iframe.onload = t.step_func(function () {
+    iframe.contentWindow.addEventListener(
+      "unload", t.unreached_func("Unexpected navigation."));
+    let anchor = iframe.contentDocument.getElementsByTagName('a')[0];
+    anchor.href = `support/download_stash.py?token=${download_token}`;
+    anchor.download = null;
+    anchor.click();
+    AssertDownloadFailure(t, download_token, DownloadVerifyDelay());
+  });
+
+  document.body.appendChild(iframe);
+}, '<a download> triggered download in sandbox is blocked ' +
+           'before a request is made.');
+
+['', 'target="_blank" ', 'target="_blank" rel="noopener" '].forEach(
+  attributes => async_test(t => {
+    const download_token = token();
+    let iframe = document.createElement("iframe");
+    iframe.srcdoc = `<a ${attributes}>Download</a>`;
+    iframe.sandbox = "allow-same-origin allow-popups";
+    iframe.onload = t.step_func(function () {
+      iframe.contentWindow.addEventListener(
+        "unload", t.unreached_func("Unexpected navigation."));
+      let anchor = iframe.contentDocument.getElementsByTagName('a')[0];
+      anchor.href = `support/download_stash.py?token=${download_token}` +
+        `&finish-delay=${StreamDownloadFinishDelay()}`;
+      anchor.click();
+      AssertDownloadFailure(t, download_token, StreamDownloadFinishDelay() +
+                            DownloadVerifyDelay());
+    });
+
+    document.body.appendChild(iframe);
+  }, `<a ${attributes}> triggered download in sandbox is blocked.`));
+</script>
+</body>
diff --git a/...ent/the-iframe-element/iframe_sandbox_window_open_download_allow_downloads.tentative.html b/...ent/the-iframe-element/iframe_sandbox_window_open_download_allow_downloads.tentative.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Downloads triggered by window.open from sandbox are blocked.</title>
+<link rel="help" href="https://html.spec.whatwg.org/multipage/#attr-iframe-sandbox">
+<link rel="help" href="https://html.spec.whatwg.org/multipage/#the-iframe-element">
+<script src="/common/utils.js"></script>
+<script src="/resources/testharness.js"></script>
+<script src='/resources/testharnessreport.js'></script>
+<script src="support/iframe_sandbox_download_helper.js"></script>
+<body>
+<script>
+"use strict";
+
+['', '"_blank"', '"_blank", "noopener"'].forEach(options =>
+  async_test(t => {
+    const download_token = token();
+    let iframe = document.createElement("iframe");
+    const download_link = `support/download_stash.py?token=${download_token}` +
+          `&finish-delay=${StreamDownloadFinishDelay()}`;
+    iframe.srcdoc = `<script>window.open("${download_link}", ${options})</scr` +
+      `ipt>`;
+    iframe.sandbox = "allow-same-origin allow-popups allow-scripts " +
+      "allow-downloads";
+    AssertDownloadSuccess(t, download_token, DownloadVerifyDelay());
+    document.body.appendChild(iframe);
+  }, `window.open(download, ${options}) triggering download in ` +
+             'sandbox is allowed by allow-downloads.'));
+</script>
+</body>
diff --git a/...ent/the-iframe-element/iframe_sandbox_window_open_download_block_downloads.tentative.html b/...ent/the-iframe-element/iframe_sandbox_window_open_download_block_downloads.tentative.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Downloads triggered by window.open from sandbox are blocked.</title>
+<link rel="help" href="https://html.spec.whatwg.org/multipage/#attr-iframe-sandbox">
+<link rel="help" href="https://html.spec.whatwg.org/multipage/#the-iframe-element">
+<script src="/common/utils.js"></script>
+<script src="/resources/testharness.js"></script>
+<script src='/resources/testharnessreport.js'></script>
+<script src="support/iframe_sandbox_download_helper.js"></script>
+<body>
+<script>
+"use strict";
+
+['', '"_blank"', '"_blank", "noopener"'].forEach(options =>
+  async_test(t => {
+    const download_token = token();
+    let iframe = document.createElement("iframe");
+    const download_link = `support/download_stash.py?token=${download_token}` +
+          `&finish-delay=${StreamDownloadFinishDelay()}`;
+    iframe.srcdoc = `<script>window.open("${download_link}", ${options})</scr` +
+      `ipt>`;
+    iframe.sandbox = "allow-same-origin allow-popups allow-scripts";
+    AssertDownloadFailure(t, download_token, StreamDownloadFinishDelay() +
+                          DownloadVerifyDelay());
+    document.body.appendChild(iframe);
+  }, `window.open(download, ${options}) triggering download in ` +
+             'sandbox is blocked.'));
+</script>
+</body>