[Fixit] Make sandbox + COOP break the opener.
Sandbox flags and COOP cannot currently live on the same page. This was
decided when first implementing COOP. If COOP and sandboxing flags are
present on the same top level window, we return an error page instead,
and COOP has no effect.
Exploits have been discovered recently about abusing an opened window
and history to be able to guess the cross-origin url using the history
API. See:
https://bugs.chromium.org/p/chromium/issues/detail?id=1208614
Error pages were left out from the fix, because it would be inelegant
to insert error pages into history after a successful reload. That means
error pages can potentially be used to guess a cross-origin URL.
If in general this is acceptable, in our case its worse for two reasons:
- COOP is used to protect pages that are usually more valuable or hold
important data.
- It is possible to reach an error page after response without relying
on timing, etc.
Therefore we'd like to sever the opener when we fail after receiving a
response, if the target page did set COOP. Basically we'd like to change
the spec to enforce COOP even when we fail because of COOP+sandbox.
Spec discussion can be found here:
https://github.com/whatwg/html/issues/7345
On the implementation side, this patch adds the WPTs necessary to the
spec change, and the modified behavior.
We add a setter to the swap parameter to be able to only activate that
without breaking the COOP: Unsafe-none for error pages invariant. This
applies to final responses and redirects.
This does not alter the reload behavior, as this only happens for cases
where reloads would not be successful anyway.
Bug: 1256823
Change-Id: Ic79623a2b752608bc46a031d1f567308441d42e0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3293412
Commit-Queue: Arthur Hemery <ahemery@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#946387}
diff --git a/html/cross-origin-opener-policy/coop-sandbox-cuts-opener.https.html b/html/cross-origin-opener-policy/coop-sandbox-cuts-opener.https.html
new file mode 100644
index 0000000..47e6d0d
--- /dev/null
+++ b/html/cross-origin-opener-policy/coop-sandbox-cuts-opener.https.html
@@ -0,0 +1,66 @@
+<!doctype html>
+<title>
+ Sandboxed Cross-Origin-Opener-Policy popup should cut the opener if necessary
+</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/common/utils.js"></script>
+<script src="resources/common.js"></script>
+<body>
+<script>
+const executor_path = "/common/dispatcher/executor.html?pipe=";
+const coop_same_origin_header =
+ '|header(Cross-Origin-Opener-Policy,same-origin)';
+const coop_unsafe_none_header =
+ '|header(Cross-Origin-Opener-Policy,unsafe-none)';
+
+function getExecutorPath(uuid, origin, coop_header) {
+ return origin.origin + executor_path + coop_header + `&uuid=${uuid}`;
+}
+
+[
+ "allow-popups allow-scripts allow-same-origin",
+ "allow-popups allow-scripts",
+].forEach(sandboxValue => {
+ async_test(t => {
+ // Set up dispatcher communications.
+ const iframe_token = token();
+ const popup_token = token();
+ const main_frame_token_for_popup = token();
+ const main_frame_token_for_iframe = token();
+
+ // Create a sandboxed iframe.
+ const iframe = document.createElement("iframe");
+ iframe.sandbox = sandboxValue;
+ iframe.src = getExecutorPath(iframe_token, SAME_ORIGIN,
+ coop_unsafe_none_header);
+ document.body.append(iframe);
+ t.add_cleanup(() => iframe.remove());
+
+ // Open a COOP popup from the sandboxed iframe.
+ const popup_url = getExecutorPath(popup_token,
+ SAME_ORIGIN,
+ coop_same_origin_header);
+ send(iframe_token, `window.popup = window.open('${popup_url}')`);
+
+ // This should fail. We ping the popup, if we get an answer it loaded.
+ send(popup_token, `
+ send('${main_frame_token_for_popup}', 'Popup loaded');
+ `);
+ receive(main_frame_token_for_popup)
+ .then(t.unreached_func("A COOP popup was created from a sandboxed frame"));
+
+ // We delay probing the popup.closed property to give it time to settle.
+ t.step_timeout(() => {
+ send(iframe_token,
+ `send('${main_frame_token_for_iframe}', window.popup.closed);`);
+ }, 1500);
+ receive(main_frame_token_for_iframe)
+ .then(t.step_func_done(data => assert_equals(data, "true")));
+
+ }, `<iframe sandbox="${sandboxValue}"> ${document.title}`);
+});
+</script>
+</body>
