Add regression test for document.baseURI.
The `document.baseURI` is wrongly implemented in Chrome for about:blank
and about:srcdoc.
It allows leaking cross-origin data. The leak happens only when the two
origins are hosted by the same process.
This patch adds regression tests. I am going to mitigate this bug in a
follow-up.
Bug: 1336904
Change-Id: I027249095fc7ba55dc3f68c772a72f473cfec409
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3723568
Reviewed-by: Kent Tamura <tkent@chromium.org>
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1019052}
diff --git a/html/infrastructure/urls/terminology-0/document-base-url-initiated-grand-parent.https.window.js b/html/infrastructure/urls/terminology-0/document-base-url-initiated-grand-parent.https.window.js
new file mode 100644
index 0000000..1983f02
--- /dev/null
+++ b/html/infrastructure/urls/terminology-0/document-base-url-initiated-grand-parent.https.window.js
@@ -0,0 +1,62 @@
+// META: script=/common/get-host-info.sub.js
+// META: script=/common/utils.js
+// META: script=/common/dispatcher/dispatcher.js
+
+const testBaseUriAboutBlankFromGrandParent = (description, child_origin) => {
+ promise_test(async test => {
+ // Create a child in an iframe.
+ const child_token = token();
+ const child_url = child_origin +
+ '/common/dispatcher/executor.html' +
+ `?uuid=${child_token}`;
+ const iframe = document.createElement("iframe");
+ iframe.src = child_url;
+ document.body.appendChild(iframe);
+
+ // The child creates a grand child in an iframe.
+ const reply_token = token();
+ send(child_token, `
+ const iframe = document.createElement("iframe");
+ location.hash = "interesting-fragment";
+ iframe.src = "/common/blank.html";
+ iframe.onload = () => {
+ send("${reply_token}", "grand child loaded");
+ };
+ document.body.appendChild(iframe);
+ `);
+ assert_equals(await receive(reply_token), "grand child loaded");
+
+ const child = iframe.contentWindow;
+ const grandchild = child[0];
+
+ // Navigate the grand-child toward about:blank.
+ // Navigation are always asynchronous. It doesn't exist a ways to know the
+ // about:blank document committed. A timer is used instead:
+ grandchild.location = "about:blank";
+ await new Promise(r => test.step_timeout(r, /*ms=*/500));
+
+ // The grandchild baseURI must correspond to its grand parent.
+ //
+ // Note: `child_token` is removed, to get a stable failure, in case the
+ // about:blank's document.baseURI reports the parent's URL instead of its
+ // grand-parent.
+ assert_equals(
+ grandchild.document.baseURI.replace(child_token, "child_token"),
+ self.document.baseURI);
+ }, description);
+}
+
+onload = () => {
+ testBaseUriAboutBlankFromGrandParent(
+ "Check the baseURL of an about:blank document same-origin with its parent",
+ get_host_info().HTTPS_ORIGIN,
+ );
+ testBaseUriAboutBlankFromGrandParent(
+ "Check the baseURL of an about:blank document cross-origin with its parent",
+ get_host_info().HTTPS_REMOTE_ORIGIN,
+ );
+ testBaseUriAboutBlankFromGrandParent(
+ "Check the baseURL of an about:blank document cross-site with its parent",
+ get_host_info().HTTPS_NOTSAMESITE_ORIGIN,
+ );
+}
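Review bot: The iframe appended at `document.body.appendChild(iframe);` in testBaseUriAboutBlankFromGrandParent is never removed, so each of the three promise_tests leaves its child and grand-child frames alive for the tests that follow; add `test.add_cleanup(() => iframe.remove());` directly after the append. The fixed wait in `await new Promise(r => test.step_timeout(r, /*ms=*/500));` is the most likely source of flakiness on slow bots: because this frame initiates the navigation, the resulting about:blank document is presumably readable from here (not shown in the hunk), so polling `grandchild.location.href === "about:blank"` in a short step_timeout loop, guarded by try/catch while the pre-navigation cross-origin document still throws on access, would be more robust than a single delay. The comment above that line also reads awkwardly; `// Navigations are always asynchronous. There is no way to observe when the about:blank document has committed, so a timer is used instead:` states the same intent.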