-
Notifications
You must be signed in to change notification settings - Fork 3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Consolidate SecurityOrigin::GrantUniversalAccess() calls into one place.
In theory, this should make things a bit easier for calculations that need to take universal access into account. New WPT to cover origin inheritance have also been added to document behavior differences between browsers that were discovered while writing this CL. Change-Id: I1dd925fc0255461d8212b3eb4280936c93613f37 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2758255 Commit-Queue: Daniel Cheng <dcheng@chromium.org> Reviewed-by: James MacLean <wjmaclean@chromium.org> Reviewed-by: Domenic Denicola <domenic@chromium.org> Cr-Commit-Position: refs/heads/master@{#862939}
- Loading branch information
1 parent
961fa62
commit 1575aae
Showing
4 changed files
with
115 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
<!doctype html> | ||
<html> | ||
<head> | ||
<title>about:blank in child browsing context aliases security origin</title> | ||
<script src="/resources/testharness.js"></script> | ||
<script src="/resources/testharnessreport.js"></script> | ||
</head> | ||
<body> | ||
<script> | ||
test(() => { | ||
let iframe = document.createElement('iframe'); | ||
document.body.appendChild(iframe); | ||
// Should not throw: srcdoc should always be same-origin. | ||
iframe.contentWindow.document.body.innerHTML = '<p>Hello world!</p>'; | ||
|
||
// Explicitly set `domain` component of origin: any other same-origin | ||
// browsing contexts are now cross-origin unless they also explicitly | ||
// set document.domain to the same value. | ||
document.domain = document.domain; | ||
// Should not throw: the origin should be aliased, so setting | ||
// document.domain in one Document should affect both Documents. | ||
assert_equals( | ||
iframe.contentWindow.document.body.textContent, | ||
'Hello world!'); | ||
}); | ||
</script> | ||
</body> | ||
</html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
<!doctype html> | ||
<html> | ||
<head> | ||
<title>about:blank in auxiliary browsing context aliases security origin</title> | ||
<script src="/resources/testharness.js"></script> | ||
<script src="/resources/testharnessreport.js"></script> | ||
</head> | ||
<body> | ||
<script> | ||
test(() => { | ||
let newWindow = window.open(); | ||
// Should not throw: the newly-opened window should be same-origin. | ||
newWindow.document.body.innerHTML = '<p>Hello world!</p>'; | ||
|
||
// Explicitly set `domain` component of origin: any other same-origin | ||
// browsing contexts are now cross-origin unless they also explicitly | ||
// set document.domain to the same value. | ||
document.domain = document.domain; | ||
// Should not throw: the origin should be aliased, so setting | ||
// document.domain in one Document should affect both Documents. | ||
assert_equals(newWindow.document.body.textContent, 'Hello world!'); | ||
}); | ||
</script> | ||
</body> | ||
</html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
<!doctype html> | ||
<html> | ||
<head> | ||
<title>about:srcdoc aliases security origin</title> | ||
<script src="/resources/testharness.js"></script> | ||
<script src="/resources/testharnessreport.js"></script> | ||
</head> | ||
<body> | ||
<script> | ||
test(() => { | ||
let iframe = document.createElement('iframe'); | ||
iframe.srcdoc = '<body></body>'; | ||
document.body.appendChild(iframe); | ||
// Should not throw: srcdoc should always be same-origin. | ||
iframe.contentWindow.document.body.innerHTML = '<p>Hello world!</p>'; | ||
|
||
// Explicitly set `domain` component of origin: any other same-origin | ||
// browsing contexts are now cross-origin unless they also explicitly | ||
// set document.domain to the same value. | ||
document.domain = document.domain; | ||
// Should not throw: the origin should be aliased, so setting | ||
// document.domain in one Document should affect both Documents. | ||
assert_equals( | ||
iframe.contentWindow.document.body.textContent, | ||
'Hello world!'); | ||
}); | ||
</script> | ||
</body> | ||
</html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
<!doctype html> | ||
<html> | ||
<head> | ||
<title>javascript: aliases security origin</title> | ||
<script src="/resources/testharness.js"></script> | ||
<script src="/resources/testharnessreport.js"></script> | ||
</head> | ||
<body> | ||
<script> | ||
promise_test(t => { | ||
let iframe = document.createElement('iframe'); | ||
document.body.appendChild(iframe); | ||
// Should not throw: srcdoc should always be same-origin. | ||
iframe.contentDocument; | ||
|
||
iframe.contentWindow.location = 'javascript:"Hello world!"'; | ||
return new Promise(resolve => { | ||
iframe.addEventListener('load', resolve); | ||
}).then(() => { | ||
// Explicitly set `domain` component of origin: any other same-origin | ||
// browsing contexts are now cross-origin unless they also explicitly | ||
// set document.domain to the same value. | ||
document.domain = document.domain; | ||
// Should not throw: the origin should be aliased, so setting | ||
// document.domain in one Document should affect both Documents. | ||
assert_equals( | ||
iframe.contentWindow.document.body.textContent, | ||
'Hello world!'); | ||
}); | ||
}); | ||
</script> | ||
</body> | ||
</html> |