-
Notifications
You must be signed in to change notification settings - Fork 3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Pass NavigationDownloadPolicy in CreateNewWindowParams
When opening popups with noopener, navigations are performed directly by the CreateNewWindow mojo call. This mojo call was not sending the NavigationDownloadPolicy parameter, allowing in this way to bypass sandbox for download. Bug: 1100761 Change-Id: I4f212738f8145460fb0bb3c420020c6cdbfa5551 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3033504 Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Yao Xiao <yaoxia@chromium.org> Cr-Commit-Position: refs/heads/main@{#915500}
- Loading branch information
1 parent
26cc928
commit 00829b4
Showing
6 changed files
with
179 additions
and
81 deletions.
There are no files selected for viewing
31 changes: 0 additions & 31 deletions
31
...tent/the-iframe-element/iframe_sandbox_anchor_download_allow_downloads.sub.tentative.html
This file was deleted.
Oops, something went wrong.
48 changes: 48 additions & 0 deletions
48
...-content/the-iframe-element/iframe_sandbox_anchor_download_allow_downloads.tentative.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
<!DOCTYPE html> | ||
<meta charset="utf-8"> | ||
<title><a download> triggered download in sandbox is allowed by allow-downloads.</title> | ||
<link rel="help" href="https://html.spec.whatwg.org/multipage/#attr-iframe-sandbox"> | ||
<link rel="help" href="https://html.spec.whatwg.org/multipage/#the-iframe-element"> | ||
<script src="/common/utils.js"></script> | ||
<script src="/resources/testharness.js"></script> | ||
<script src='/resources/testharnessreport.js'></script> | ||
<script src="support/iframe_sandbox_download_helper.js"></script> | ||
<body> | ||
<script> | ||
"use strict"; | ||
|
||
const attributes_list = [ | ||
'', | ||
'target="_blank"', | ||
'target="_blank" rel="noopener"', | ||
]; | ||
|
||
const download_flags = [false, true]; | ||
|
||
attributes_list.forEach(attributes => | ||
download_flags.forEach(download_flag => | ||
async_test(t => { | ||
const download_token = token(); | ||
let iframe = document.createElement("iframe"); | ||
iframe.srcdoc = `<a ${attributes}>Download</a>`; | ||
iframe.sandbox = "allow-same-origin allow-popups allow-downloads"; | ||
iframe.addEventListener('load', t.step_func(function () { | ||
if (attributes !== '' || download_flag) { | ||
// Specifiying `download` or a `target` should not trigger a | ||
// navigation in this iframe. | ||
iframe.contentWindow.addEventListener( | ||
"unload", t.unreached_func("Unexpected navigation.")); | ||
} | ||
let anchor = iframe.contentDocument.getElementsByTagName('a')[0]; | ||
anchor.href = "support/download_stash.py?token=" + download_token; | ||
if (download_flag) anchor.download = null; | ||
anchor.click(); | ||
AssertDownloadSuccess(t, download_token, DownloadVerifyDelay()); | ||
}), { once: true }); | ||
|
||
document.body.appendChild(iframe); | ||
}, `<a ${attributes} ${download_flag ? "download" : ""}> triggered ` + | ||
`download in sandbox is allowed by allow-downloads.`))); | ||
|
||
</script> | ||
</body> |
50 changes: 0 additions & 50 deletions
50
...tent/the-iframe-element/iframe_sandbox_anchor_download_block_downloads.sub.tentative.html
This file was deleted.
Oops, something went wrong.
73 changes: 73 additions & 0 deletions
73
...-content/the-iframe-element/iframe_sandbox_anchor_download_block_downloads.tentative.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
<!DOCTYPE html> | ||
<meta charset="utf-8"> | ||
<title><a download> triggered download in sandbox is blocked.</title> | ||
<link rel="help" href="https://html.spec.whatwg.org/multipage/#attr-iframe-sandbox"> | ||
<link rel="help" href="https://html.spec.whatwg.org/multipage/#the-iframe-element"> | ||
<script src="/common/utils.js"></script> | ||
<script src="/resources/testharness.js"></script> | ||
<script src='/resources/testharnessreport.js'></script> | ||
<script src="support/iframe_sandbox_download_helper.js"></script> | ||
<body> | ||
<script> | ||
"use strict"; | ||
|
||
async_test(t => { | ||
const download_token = token(); | ||
var iframe = document.createElement("iframe"); | ||
iframe.srcdoc = "<a>Download</a>"; | ||
iframe.sandbox = "allow-same-origin"; | ||
iframe.onload = t.step_func(function () { | ||
iframe.contentWindow.addEventListener( | ||
"unload", t.unreached_func("Unexpected navigation.")); | ||
let anchor = iframe.contentDocument.getElementsByTagName('a')[0]; | ||
anchor.href = `support/download_stash.py?token=${download_token}` + | ||
`&finish-delay=${StreamDownloadFinishDelay()}`; | ||
anchor.download = null; | ||
anchor.click(); | ||
AssertDownloadFailure(t, download_token, StreamDownloadFinishDelay() + | ||
DownloadVerifyDelay()); | ||
}); | ||
|
||
document.body.appendChild(iframe); | ||
}, "<a download> triggered download in sandbox is blocked."); | ||
|
||
async_test(t => { | ||
const download_token = token(); | ||
let iframe = document.createElement("iframe"); | ||
iframe.srcdoc = '<a>Download</a>'; | ||
iframe.sandbox = "allow-same-origin"; | ||
iframe.onload = t.step_func(function () { | ||
iframe.contentWindow.addEventListener( | ||
"unload", t.unreached_func("Unexpected navigation.")); | ||
let anchor = iframe.contentDocument.getElementsByTagName('a')[0]; | ||
anchor.href = `support/download_stash.py?token=${download_token}`; | ||
anchor.download = null; | ||
anchor.click(); | ||
AssertDownloadFailure(t, download_token, DownloadVerifyDelay()); | ||
}); | ||
|
||
document.body.appendChild(iframe); | ||
}, '<a download> triggered download in sandbox is blocked ' + | ||
'before a request is made.'); | ||
|
||
['', 'target="_blank" ', 'target="_blank" rel="noopener" '].forEach( | ||
attributes => async_test(t => { | ||
const download_token = token(); | ||
let iframe = document.createElement("iframe"); | ||
iframe.srcdoc = `<a ${attributes}>Download</a>`; | ||
iframe.sandbox = "allow-same-origin allow-popups"; | ||
iframe.onload = t.step_func(function () { | ||
iframe.contentWindow.addEventListener( | ||
"unload", t.unreached_func("Unexpected navigation.")); | ||
let anchor = iframe.contentDocument.getElementsByTagName('a')[0]; | ||
anchor.href = `support/download_stash.py?token=${download_token}` + | ||
`&finish-delay=${StreamDownloadFinishDelay()}`; | ||
anchor.click(); | ||
AssertDownloadFailure(t, download_token, StreamDownloadFinishDelay() + | ||
DownloadVerifyDelay()); | ||
}); | ||
|
||
document.body.appendChild(iframe); | ||
}, `<a ${attributes}> triggered download in sandbox is blocked.`)); | ||
</script> | ||
</body> |
29 changes: 29 additions & 0 deletions
29
...ent/the-iframe-element/iframe_sandbox_window_open_download_allow_downloads.tentative.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
<!DOCTYPE html> | ||
<meta charset="utf-8"> | ||
<title>Downloads triggered by window.open from sandbox are blocked.</title> | ||
<link rel="help" href="https://html.spec.whatwg.org/multipage/#attr-iframe-sandbox"> | ||
<link rel="help" href="https://html.spec.whatwg.org/multipage/#the-iframe-element"> | ||
<script src="/common/utils.js"></script> | ||
<script src="/resources/testharness.js"></script> | ||
<script src='/resources/testharnessreport.js'></script> | ||
<script src="support/iframe_sandbox_download_helper.js"></script> | ||
<body> | ||
<script> | ||
"use strict"; | ||
|
||
['', '"_blank"', '"_blank", "noopener"'].forEach(options => | ||
async_test(t => { | ||
const download_token = token(); | ||
let iframe = document.createElement("iframe"); | ||
const download_link = `support/download_stash.py?token=${download_token}` + | ||
`&finish-delay=${StreamDownloadFinishDelay()}`; | ||
iframe.srcdoc = `<script>window.open("${download_link}", ${options})</scr` + | ||
`ipt>`; | ||
iframe.sandbox = "allow-same-origin allow-popups allow-scripts " + | ||
"allow-downloads"; | ||
AssertDownloadSuccess(t, download_token, DownloadVerifyDelay()); | ||
document.body.appendChild(iframe); | ||
}, `window.open(download, ${options}) triggering download in ` + | ||
'sandbox is allowed by allow-downloads.')); | ||
</script> | ||
</body> |
29 changes: 29 additions & 0 deletions
29
...ent/the-iframe-element/iframe_sandbox_window_open_download_block_downloads.tentative.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
<!DOCTYPE html> | ||
<meta charset="utf-8"> | ||
<title>Downloads triggered by window.open from sandbox are blocked.</title> | ||
<link rel="help" href="https://html.spec.whatwg.org/multipage/#attr-iframe-sandbox"> | ||
<link rel="help" href="https://html.spec.whatwg.org/multipage/#the-iframe-element"> | ||
<script src="/common/utils.js"></script> | ||
<script src="/resources/testharness.js"></script> | ||
<script src='/resources/testharnessreport.js'></script> | ||
<script src="support/iframe_sandbox_download_helper.js"></script> | ||
<body> | ||
<script> | ||
"use strict"; | ||
|
||
['', '"_blank"', '"_blank", "noopener"'].forEach(options => | ||
async_test(t => { | ||
const download_token = token(); | ||
let iframe = document.createElement("iframe"); | ||
const download_link = `support/download_stash.py?token=${download_token}` + | ||
`&finish-delay=${StreamDownloadFinishDelay()}`; | ||
iframe.srcdoc = `<script>window.open("${download_link}", ${options})</scr` + | ||
`ipt>`; | ||
iframe.sandbox = "allow-same-origin allow-popups allow-scripts"; | ||
AssertDownloadFailure(t, download_token, StreamDownloadFinishDelay() + | ||
DownloadVerifyDelay()); | ||
document.body.appendChild(iframe); | ||
}, `window.open(download, ${options}) triggering download in ` + | ||
'sandbox is blocked.')); | ||
</script> | ||
</body> |