commit | e24dca9515527665160f775aeca5d05a71277bdd | [log] [tgz] |
---|---|---|
author | Liam Brady <lbrady@google.com> | Tue Oct 11 17:12:05 2022 |
committer | Blink WPT Bot <blink-w3c-test-autoroller@chromium.org> | Tue Oct 11 17:28:33 2022 |
tree | fdface5d450a0db68669f34e49d1baca74b17388 | |
parent | 04ee132a7c7cf5f6c59b1a5819facef62f54a371 [diff] |
Stop frames from allowing themselves to navigate top without gesture A previous CL stopped a sandboxed iframe from navigating the top document if its ancestor was not allowed to navigate top[1]. However, there is still a corner case that allows a sandboxed frame to give itself permission to navigate top if the top-level page doesn't have any sandbox flags set. For this attack, a cross origin iframe is embedded in a page. At creation time, both the main page and the iframe are unsandboxed, which means that the iframe requires sticky user activation to be able to navigate the top frame. Then, this iframe loads a page whose response header's CSP includes `sandbox allow-top-navigation`. The cross-origin page just gave itself permission to navigate the top-level frame without sticky user activation. This is problematic because it allows a cross-origin iframe to circumvent our framebust intervention and navigate the top page to a potentially malicious page. Before this CL, there is no way for the renderer to detect this. It can't distinguish between sandbox flags set on the frame itself by the embedding page and sandbox flags delivered in the response headers. There are 2 checks in LocalFrame::CanNavigate that are looking at the 2 top navigation sandbox flags, but by that point the frame sandbox flags and delivered sandbox flags have been squashed into one place, so there's no way to know if the `allow-top-navigation` flag came from the frame or the response header. This CL's original approach involved downgrading the allow-top-navigation sandbox flag to allow-top-navigation-by-user-activation specifically when the browser process detected that the document's response headers were attempting to give it that extra ability when the embedder-supplied sandbox flags did not. We ultimately decided against it so that we wouldn't be setting a new precedent of dynamically re-interpreting sandbox flags. The fix we decided on: Add a bit to the PolicyContainerPolicies struct to track if a document can navigate the top-level frame without sticky user activation. If any of the following conditions hold: - The document is cross-origin to the root document, and the document's parent document is not allowed to navigate top without sticky user activation - The document is cross-origin to the root document, and the frame hosting the document is either unsandboxed or sandboxed without the allow-top-navigation flag The bit will be set to false and the document will require sticky user activation to navigate top. This will end up having the same behavior as the downgrading approach, without needing to have the browser change sandbox flags. [1] https://chromium-review.googlesource.com/c/chromium/src/+/2688360 Bug: 1251790 Change-Id: I7406d631d6b9c4bdbfc71c433db50b2fca2f0c21 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3842458 Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Dominic Farolino <dom@chromium.org> Commit-Queue: Liam Brady <lbrady@google.com> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/main@{#1057526}
The web-platform-tests Project is a cross-browser test suite for the Web-platform stack. Writing tests in a way that allows them to be run in all browsers gives browser projects confidence that they are shipping software that is compatible with other implementations, and that later implementations will be compatible with their implementations. This in turn gives Web authors/developers confidence that they can actually rely on the Web platform to deliver on the promise of working across browsers and devices without needing extra layers of abstraction to paper over the gaps left by specification editors and implementors.
The most important sources of information and activity are:
wpt:matrix.org
matrix channel; includes participants located around the world, but busiest during the European working day.If you'd like clarification about anything, don't hesitate to ask in the chat room or on the mailing list.
Clone or otherwise get https://github.com/web-platform-tests/wpt.
Note: because of the frequent creation and deletion of branches in this repo, it is recommended to “prune” stale branches when fetching updates, i.e. use git pull --prune
(or git fetch -p && git merge
).
See the documentation website and in particular the system setup for running tests locally.
The wpt
command provides a frontend to a variety of tools for working with and running web-platform-tests. Some of the most useful commands are:
wpt serve
- For starting the wpt http serverwpt run
- For running tests in a browserwpt lint
- For running the lint against all testswpt manifest
- For updating or generating a MANIFEST.json
test manifestwpt install
- For installing the latest release of a browser or webdriver server on the local machine.wpt serve-wave
- For starting the wpt http server and the WAVE test runner. For more details on how to use the WAVE test runner see the documentation.On Windows wpt
commands must be prefixed with python
or the path to the python binary (if python
is not in your %PATH%
).
python wpt [command]
Alternatively, you may also use Bash on Ubuntu on Windows in the Windows 10 Anniversary Update build, then access your windows partition from there to launch wpt
commands.
Please make sure git and your text editor do not automatically convert line endings, as it will cause lint errors. For git, please set git config core.autocrlf false
in your working tree.
The master branch is automatically synced to wpt.live and w3c-test.org.
Save the Web, Write Some Tests!
Absolutely everyone is welcome to contribute to test development. No test is too small or too simple, especially if it corresponds to something for which you've noted an interoperability bug in a browser.
The way to contribute is just as usual:
git checkout -b topic
../wpt lint
as described above.If you spot an issue with a test and are not comfortable providing a pull request per above to fix it, please file a new issue. Thank you!