[OutOfBlinkSandbox] Fix CSP + initial renavigation bug.
- Fix crash (issue 1190065).
- Add regression test reproducing the crash.
- Move the internal web-test toward the public wpt repository.
The sandbox flags in between:
- The initial empty document
- The synchronous re-navigation to about:blank
should be the same.
The first [initial empty document] is implemented this way:
```
navigation_params->sandbox_flags = PendingEffectiveSandboxFlags();
for (const auto& csp :
policy_container->GetPolicies().content_security_policies) {
navigation_params->sandbox_flags |= csp->sandbox;
}
```
but the synchronous re-navigation to about:blank was implemented
this way:
```
web_frame_->GetFrame()->Loader().PendingEffectiveSandboxFlags();
```
So, the difference is about the missing inherited CSPs
Fixed: 1190065
Bug: 1190065,1041376
Change-Id: I3f4bce768794ce3fb7bd0b6aada7d32aca966649
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2775562
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#865263}
diff --git a/html/semantics/embedded-content/the-iframe-element/resources/post-origin-to-opener.html b/html/semantics/embedded-content/the-iframe-element/resources/post-origin-to-opener.html
new file mode 100644
index 0000000..bb62594
--- /dev/null
+++ b/html/semantics/embedded-content/the-iframe-element/resources/post-origin-to-opener.html
@@ -0,0 +1,3 @@
+<script>
+ opener.postMessage({origin: window.origin}, "*");
+</script>
diff --git a/html/semantics/embedded-content/the-iframe-element/sandbox-inherit-to-blank-document-unsandboxed.html b/html/semantics/embedded-content/the-iframe-element/sandbox-inherit-to-blank-document-unsandboxed.html
new file mode 100644
index 0000000..f60ab0d
--- /dev/null
+++ b/html/semantics/embedded-content/the-iframe-element/sandbox-inherit-to-blank-document-unsandboxed.html
@@ -0,0 +1,75 @@
+<!--
+Content-Security-Policy: sandbox allow-scripts
+ allow-popups
+ allow-popups-to-escape-sandbox
+-->
+<html>
+<head>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+
+<script>
+
+// Sandbox flags are inherited from a document toward every frame it creates,
+// which then is inherited to every new document created in this frame.
+
+// Using the flag 'allow-popups-to-escape-sandbox' inhibits this inheritance
+// mechanism when the new frame is a popup.
+//
+// Sandbox flags can also be set via CSP. CSP are inherited from a document
+// toward every other documents its creates that are loading with a local scheme.
+// In particular, this includes:
+// - The initial empty document
+// - The first about:blank navigation. See (note)
+// - Any about:blank navigation.
+//
+// Both mechanism are at play here.
+//
+// Note: As of 2021, Chrome handles the very first navigation to about:blank in
+// a frame synchronously instead of asynchronously. This is the only navigation
+// behaving this way. As a result, inheritance of sandbox is different and needs
+// to be tested separately.
+// See also:
+// https://docs.google.com/document/d/1KY0DCaoKjUPbOX28N9KWvBjbnAfQEIRTaLbZUq9EkK8
+
+test(test => {
+ assert_equals(window.origin, 'null');
+}, "Document is sandboxed via its CSP.");
+
+test(test => {
+ // The navigation will be canceled (204 no content). As a result, the
+ // document in the popup must still be the initial empty document.
+ const w = window.open("common/blank.html?pipe=status(204)")
+
+ // The about:blank document is sandboxed, because it inherited CSP from its
+ // opener. However this is impossible to verify. There are cross-origin
+ // access restrictions and an about:blank document can't do much on its own.
+ assert_throws_dom("SecurityError", () => { w.origin });
+
+}, "The initial empty document inherit sandbox via CSP.");
+
+// Regression test for https://crbug.com/1190065
+test(test => {
+ const w = window.open("about:blank");
+
+ // The about:blank document is sandboxed, because it inherited CSP from its
+ // opener. However this is impossible to verify. There are cross-origin
+ // access restrictions and an about:blank document can't do much on its own.
+ assert_throws_dom("SecurityError", () => { w.origin });
+
+}, "The synchronous re-navigation to about:blank inherits sandbox via CSP");
+
+async_test(test => {
+ window.addEventListener("message", test.step_func_done(e => {
+ assert_equals(e.data.origin, (new URL(location)).origin,
+ "popup is not sandboxed");
+ }));
+ window.open("./resources/post-origin-to-opener.html");
+}, "Popup do not inherit sandbox, because of 'allow-popups-to-escape-sandbox'" +
+ " the document doesn't inherit CSP. The document isn't sandboxed")
+
+</script>
+</body>
+</html>
diff --git a/html/semantics/embedded-content/the-iframe-element/sandbox-inherit-to-blank-document-unsandboxed.html.headers b/html/semantics/embedded-content/the-iframe-element/sandbox-inherit-to-blank-document-unsandboxed.html.headers
new file mode 100644
index 0000000..9850d21
--- /dev/null
+++ b/html/semantics/embedded-content/the-iframe-element/sandbox-inherit-to-blank-document-unsandboxed.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: sandbox allow-scripts allow-popups allow-popups-to-escape-sandbox
