Forward CSP, even for the initial empty document.
Bug 1064676 has been fixed by:
https://chromium-review.googlesource.com/c/chromium/src/+/2111170
And tested by:
https://chromium-review.googlesource.com/c/chromium/src/+/2144012
The bug was fixed for every CSP checked in the renderer process. However
there are still an issue for the one checked in the browser process. It
turns out the CSP in the initial empty document weren't properly
propagated to the browser process.
This patch:
1) Fix the bug by sending the CSP of the initial empty document.
2) Add a regression test (WPT).
This patch can potentially also fix:
- https://crbug.com/1072719
- https://crbug.com/955350
(I haven't checked. I will do it later after landing this patch)
Bug: 1064676, 1072719, 955350
Change-Id: Ie5325035c74d9e2476d6c80af3e5d5c9068ea928
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2159242
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Auto-Submit: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/master@{#762769}
diff --git a/content-security-policy/inheritance/frame-src-javascript-url.html b/content-security-policy/inheritance/frame-src-javascript-url.html
new file mode 100644
index 0000000..b08da85
--- /dev/null
+++ b/content-security-policy/inheritance/frame-src-javascript-url.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="frame-src 'none'">
+
+<script>
+ const iframe_url = new URL("./support/empty.html", location.href);
+
+ // Regression test for: https://crbug.com/1064676
+ promise_test(async (t) => {
+ await new Promise(r => window.onload = r);
+
+ let url = `javascript:
+
+ window.addEventListener('securitypolicyviolation', e => {
+ parent.postMessage({
+ originalPolicy: e.originalPolicy,
+ blockedURI: e.blockedURI,
+ });
+ });
+
+ let iframe = document.createElement('iframe');
+ iframe.src = '${iframe_url}';
+ document.body.appendChild(iframe);
+
+ `;
+
+ let iframe = document.createElement('iframe');
+ iframe.src = encodeURI(url.replace(/\n/g, ""));
+
+ let violation = new Promise(r => window.addEventListener("message", r));
+ document.body.appendChild(iframe);
+ let {data} = await violation;
+
+ assert_equals(data.originalPolicy, "frame-src 'none'");
+ assert_equals(data.blockedURI, iframe_url.toString());
+
+ }, "<iframe src='javascript:...'>'s inherits policy (dynamically inserted <iframe> is blocked)");
+
+</script>
diff --git a/content-security-policy/inheritance/support/empty.html b/content-security-policy/inheritance/support/empty.html
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/content-security-policy/inheritance/support/empty.html
