[FedCM] Perform CSP checks on the provider URL

Bug: 1233548
Change-Id: I043caf897ef5c344181b86a2773a5c669029f871
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3440497
Commit-Queue: Christian Biesinger <cbiesinger@chromium.org>
Reviewed-by: Yi Gu <yigu@chromium.org>
Reviewed-by: Antonio Sartori <antoniosartori@chromium.org>
Cr-Commit-Position: refs/heads/main@{#969514}
diff --git a/credential-management/fedcm-logout-rps.https.html b/credential-management/fedcm-logout-rps.https.html
index dc35992..d949526 100644
--- a/credential-management/fedcm-logout-rps.https.html
+++ b/credential-management/fedcm-logout-rps.https.html
@@ -26,4 +26,13 @@
       url: "https://rp.example/logout.php"
     }]);
   }, "FederatedCredential.logoutRps() success.");
+
+  fedcm_test(async (t, mock) => {
+    return promise_rejects_dom(t, "NetworkError",
+      FederatedCredential.logoutRps([{
+        accountId: "1234",
+        url: "https://other-rp.example/logout.php"
+      }])
+    );
+  }, "Logout URL should honor Content-Security-Policy.");
 </script>
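Review bot: The CSP this test depends on does not appear to be delivered to it: the headers file added in this commit is credential-management/fedcm-logout.https.html.headers, and wpt applies a `.headers` file only to the test file whose name it prefixes, so fedcm-logout-rps.https.html would be served without any Content-Security-Policy unless a matching headers file already exists outside this diff. Either rename that file to `credential-management/fedcm-logout-rps.https.html.headers` or add one with the same `connect-src https://rp.example` policy, otherwise the NetworkError expected here can only come from the mock, not from the CSP check the commit is adding. The `mock` parameter of the new callback is unused; dropping it, or using it to confirm the mock was never reached if the helper supports that, would make the intent of the test clearer.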
diff --git a/credential-management/fedcm-logout.https.html.headers b/credential-management/fedcm-logout.https.html.headers
new file mode 100644
index 0000000..90454db
--- /dev/null
+++ b/credential-management/fedcm-logout.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src https://rp.example
diff --git a/credential-management/fedcm-revoke.https.html b/credential-management/fedcm-revoke.https.html
index c014724..73ccb85 100644
--- a/credential-management/fedcm-revoke.https.html
+++ b/credential-management/fedcm-revoke.https.html
@@ -25,4 +25,14 @@
     const result = FederatedCredential.revoke("foo@bar.com", provider);
     return promise_rejects_dom(t, "NetworkError", result);
   }, "Error should reject the promise.");
+
+  fedcm_test(async (t, mock) => {
+    var provider = {
+      url: "https://other-idp.example/",
+      clientId: "1",
+      nonce: "1",
+    };
+    const result = FederatedCredential.revoke("foo@bar.com", provider);
+    return promise_rejects_dom(t, "NetworkError", result);
+  }, "Provider URL should honor Content-Security-Policy.");
 </script>
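Review bot: The new test cannot tell a CSP-blocked request apart from the mock simply returning an error, because the test immediately above it also expects NetworkError from revoke(); if the mock's default for an unconfigured provider is also an error (its setup is outside this hunk), the assertion passes without the CSP code ever running. A stronger check would first confirm that revoke() against the allowed `https://idp.example/` origin succeeds in the same test, so only the origin differs between the passing and rejecting calls. Separately, the block uses `var provider = {` where the surrounding code uses `const`; `const provider = {` matches the file's style.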
diff --git a/credential-management/fedcm-revoke.https.html.headers b/credential-management/fedcm-revoke.https.html.headers
new file mode 100644
index 0000000..fd82d50
--- /dev/null
+++ b/credential-management/fedcm-revoke.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src https://idp.example
diff --git a/credential-management/fedcm.https.html b/credential-management/fedcm.https.html
index 618f0ec..688212e 100644
--- a/credential-management/fedcm.https.html
+++ b/credential-management/fedcm.https.html
@@ -5,6 +5,7 @@
 <script src="/resources/testharnessreport.js"></script>
 <script type="module">
   import {fedcm_test} from './support/fedcm-helper.js';
+
   const test_options = {
     federated: {
       providers: [{
@@ -152,4 +153,18 @@
     const token = await navigator.credentials.get(test_options);
     assert_equals(token, "a_token");
   }, "get after abort should work");
+
+  promise_test(async t => {
+    const result = navigator.credentials.get({
+    federated: {
+      providers: [{
+        url: 'https://other-idp.test/',
+        clientId: '1',
+        nonce: '1',
+      }]
+    }
+    });
+    return promise_rejects_dom(t, "NetworkError", result);
+  }, "Provider URL should honor Content-Security-Policy.");
+
 </script>
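Review bot: The object literal passed to navigator.credentials.get() is mis-indented: `federated:` and its closing brace sit at the same column as `const result`, so the nesting of `federated` → `providers` is hard to read; each level inside `get({` should be indented one step further than the line that opens it. The new test is also written with `promise_test` while the file imports `fedcm_test` from ./support/fedcm-helper.js for its other tests; if fedcm_test is what installs the mock, this test runs against whatever mock state the previous test left behind, which makes the NetworkError ambiguous between a CSP block and an unset mock. Using `fedcm_test(async (t, mock) => {` here would keep the setup uniform with the rest of the file.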
diff --git a/credential-management/fedcm.https.html.headers b/credential-management/fedcm.https.html.headers
new file mode 100644
index 0000000..e907cdd
--- /dev/null
+++ b/credential-management/fedcm.https.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src https://idp.test