Fenced frames: allow CSP to check ancestors for frame-ancestors.
To prevent information from flowing from an embedder into a fenced frame, we have previously disabled checking ancestors of fenced frame roots for the CSP frame-ancestors policy. There is now a need to allow the frame-ancestors policy to look beyond the fenced frame root so that embedders can control what is embedded in their page.

`window.fence.notifyEvent()` can be used to send information from a fenced frame with unpartitioned data access to its embedder. Since 1 bit is sent every click, a malicious embedder can exploit this and trick the user into clicking a fenced frame in a certain way that leaks that unpartitioned data. The fenced frame can protect against this with the `frame-ancestors` CSP, only allowing itself to be embedded in certain origins. For this to work, the fenced frame needs to look beyond the fenced frame boundary when calculating if it can load.

Since this results in a data inflow channel, this will only be allowed for fenced frames created from the web platform or from Shared Storage, as those are the use cases where data can flow into the fenced frame. Protected Audience-created fenced frames will not have this capability, and will continue to not check beyond the fenced frame root when calculating frame-ancestors.

This CL adds a new field to the fenced frame config/properties that notes what API created the fenced frame. This is used in the |AncestorThrottle| class to determine if/how to get the frame's direct ancestor.

Change-Id: If7b335700319bad79ef3baf26a6d3f376ae22bc2
Bug: 341356673
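
A simplified model of the rule the commit message describes, as an added example that is not part of the commit or Chromium's code: the ancestor walk for `frame-ancestors` stops at a fenced frame root unless the frame was created by the web platform or Shared Storage. The names `Creator`, `fencedRootCreator`, `allowedByFrameAncestors` and the `.example` origins are assumptions made for illustration, and source matching is reduced to exact origins and `'self'`.

```javascript
// Hypothetical model; none of these identifiers are Chromium's.
const Creator = Object.freeze({
  WEB_PLATFORM: "web-platform",
  SHARED_STORAGE: "shared-storage",
  PROTECTED_AUDIENCE: "protected-audience",
});

// Creators whose fenced frames may look past the fenced frame root.
const MAY_CROSS_FENCE = new Set([Creator.WEB_PLATFORM, Creator.SHARED_STORAGE]);

// Reduced source matching: exact origin or 'self'. 'none' matches nothing.
function sourceMatches(sources, ancestorOrigin, selfOrigin) {
  return sources.some((s) =>
    s === "'self'" ? ancestorOrigin === selfOrigin : s === ancestorOrigin);
}

// frame: { origin, parent, fencedRootCreator }. fencedRootCreator is set only
// on a fenced frame root and records which API created it.
function allowedByFrameAncestors(frame, sources) {
  let node = frame;
  while (node.parent) {
    // At a fenced frame root, continue upward only for permitted creators.
    if (node.fencedRootCreator && !MAY_CROSS_FENCE.has(node.fencedRootCreator)) break;
    node = node.parent;
    if (!sourceMatches(sources, node.origin, frame.origin)) return false;
  }
  return true;
}

// Constructed sample trees: a top-level embedder containing one fenced frame.
function demo() {
  const policy = ["https://publisher.example"];
  const load = (embedderOrigin, creator) => {
    const top = { origin: embedderOrigin, parent: null };
    const fenced = { origin: "https://widget.example", parent: top,
                     fencedRootCreator: creator };
    return allowedByFrameAncestors(fenced, policy);
  };
  return {
    trusted: load("https://publisher.example", Creator.WEB_PLATFORM),
    untrusted: load("https://other.example", Creator.WEB_PLATFORM),
    sharedStorageUntrusted: load("https://other.example", Creator.SHARED_STORAGE),
    // Protected Audience frames never see the embedder, so the load proceeds.
    protectedAudience: load("https://other.example", Creator.PROTECTED_AUDIENCE),
  };
}
```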