Deprecate CSPEE same-origin blanket enforcement
Remove same-origin blanket enforcement from CSPEE. See intent thread[1]
for more details.
[1] https://groups.google.com/a/chromium.org/g/blink-dev/c/VtKJHVgQRzE/m/bTZeRD77AAAJ
Bug: 1263288
Change-Id: I18d46b33ea52fbe60dc000e6d9ed2623d01f9bb2
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4850620
Reviewed-by: Camille Lamy <clamy@chromium.org>
Reviewed-by: Reilly Grant <reillyg@chromium.org>
Commit-Queue: Jun Kokatsu <jkokatsu@google.com>
Cr-Commit-Position: refs/heads/main@{#1209684}
diff --git a/content-security-policy/embedded-enforcement/allow_csp_from-header.html b/content-security-policy/embedded-enforcement/allow_csp_from-header.html
index b2abcbe..ffef7d7 100644
--- a/content-security-policy/embedded-enforcement/allow_csp_from-header.html
+++ b/content-security-policy/embedded-enforcement/allow_csp_from-header.html
@@ -9,29 +9,29 @@
<body>
<script>
var tests = [
- { "name": "Same origin iframes are always allowed.",
+ { "name": "Same origin iframes with correct Allow-CSP-From header are allowed.",
"origin": Host.SAME_ORIGIN,
"csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
- "allow_csp_from": "¢¥§",
+ "allow_csp_from": getOrigin(),
"expected": IframeLoad.EXPECT_LOAD,
"blockedURI": null},
- { "name": "Same origin iframes are allowed even if the Allow-CSP-From is empty.",
+ { "name": "Same origin iframes with an empty Allow-CSP-From header get blocked.",
"origin": Host.SAME_ORIGIN,
"csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
"allow_csp_from": "",
- "expected": IframeLoad.EXPECT_LOAD,
+ "expected": IframeLoad.EXPECT_BLOCK,
"blockedURI": null},
- { "name": "Same origin iframes are allowed even if the Allow-CSP-From is not present.",
+ { "name": "Same origin iframes without Allow-CSP-From header gets blocked.",
"origin": Host.SAME_ORIGIN,
"csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
"allow_csp_from": null,
- "expected": IframeLoad.EXPECT_LOAD,
+ "expected": IframeLoad.EXPECT_BLOCK,
"blockedURI": null},
- { "name": "Same origin iframes are allowed even if Allow-CSP-From does not match origin.",
+ { "name": "Same origin iframes are blocked if Allow-CSP-From does not match origin.",
"origin": Host.SAME_ORIGIN,
"csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'",
"allow_csp_from": "http://example.com:888",
- "expected": IframeLoad.EXPECT_LOAD,
+ "expected": IframeLoad.EXPECT_BLOCK,
"blockedURI": null},
{ "name": "Cross origin iframe with an empty Allow-CSP-From header gets blocked.",
"origin": Host.CROSS_ORIGIN,
diff --git a/content-security-policy/embedded-enforcement/support/embed-img-and-message-top.html.headers b/content-security-policy/embedded-enforcement/support/embed-img-and-message-top.html.headers
new file mode 100644
index 0000000..eb2fe68
--- /dev/null
+++ b/content-security-policy/embedded-enforcement/support/embed-img-and-message-top.html.headers
@@ -0,0 +1 @@
+Allow-CSP-From: *
diff --git a/content-security-policy/inheritance/support/message-top-and-navigate-back.html.headers b/content-security-policy/inheritance/support/message-top-and-navigate-back.html.headers
new file mode 100644
index 0000000..eb2fe68
--- /dev/null
+++ b/content-security-policy/inheritance/support/message-top-and-navigate-back.html.headers
@@ -0,0 +1 @@
+Allow-CSP-From: *
diff --git a/fenced-frame/cspee.https.html b/fenced-frame/cspee.https.html
index 7df3e88..70c9744 100644
--- a/fenced-frame/cspee.https.html
+++ b/fenced-frame/cspee.https.html
@@ -9,22 +9,32 @@
<body>
<script>
promise_test(async(t) => {
- const iframe = attachIFrameContext({attributes:[["csp", "frame-src *"]]});
+ const iframe = attachIFrameContext({
+ attributes: [["csp", "frame-src *"]],
+ headers: [["Allow-CSP-From", "*"]]
+ });
t.step_timeout(() => t.done(), 1000);
await iframe.execute(async (t) => {
- const fencedframe = attachFencedFrameContext();
+ const fencedframe = attachFencedFrameContext({
+ headers: [["Allow-CSP-From", "*"]]
+ });
await fencedframe.execute(() => {});
});
assert_unreached("fenced frame should not be loaded.");
}, 'fenced frame should not be loaded in CSPEE');
promise_test(async(t) => {
- const iframe_a = attachIFrameContext({attributes:[["csp", "frame-src *"]]});
+ const iframe_a = attachIFrameContext({
+ attributes: [["csp", "frame-src *"]],
+ headers: [["Allow-CSP-From", "*"]]
+ });
t.step_timeout(() => t.done(), 1000);
await iframe_a.execute(async (t) => {
- const iframe_b = attachIFrameContext();
+ const iframe_b = attachIFrameContext({headers: [["Allow-CSP-From", "*"]]});
await iframe_b.execute(async (t) => {
- const fencedframe = attachFencedFrameContext();
+ const fencedframe = attachFencedFrameContext({
+ headers: [["Allow-CSP-From", "*"]]
+ });
await fencedframe.execute(() => {});
});
});
@@ -32,16 +42,22 @@
}, 'fenced frame should not be loaded if any ancestor has CSPEE');
promise_test(async(t) => {
- const iframe = attachIFrameContext({attributes:[["csp", "frame-src *"]]});
+ const iframe = attachIFrameContext({
+ attributes: [["csp", "frame-src *"]],
+ headers: [["Allow-CSP-From", "*"]]
+ });
await iframe.execute(async (t) => {
assert_false(navigator.canLoadAdAuctionFencedFrame());
});
}, 'canLoadOpaqueURL considers CSPEE headers');
promise_test(async(t) => {
- const iframe_a = attachIFrameContext({attributes:[["csp", "frame-src *"]]});
+ const iframe_a = attachIFrameContext({
+ attributes: [["csp", "frame-src *"]],
+ headers: [["Allow-CSP-From", "*"]]
+ });
await iframe_a.execute(async (t) => {
- const iframe_b = attachIFrameContext();
+ const iframe_b = attachIFrameContext({headers: [["Allow-CSP-From", "*"]]});
await iframe_b.execute(async (t) => {
assert_false(navigator.canLoadAdAuctionFencedFrame());
});
diff --git a/resource-timing/iframe-failed-commit.html b/resource-timing/iframe-failed-commit.html
index 9109407..d3b5cce 100644
--- a/resource-timing/iframe-failed-commit.html
+++ b/resource-timing/iframe-failed-commit.html
@@ -51,15 +51,6 @@
};
// Runs a test (labeled by the given label) to verify that loading an iframe
-// with the given URL, an empty response body and under a "default-src 'none'
-// Content-Security-Policy generates a PerformanceResourceTiming entry and that
-// the entry does expose sensitive timing attributes.
-const empty_unmasked_entry_with_csp_test = (url, label) => {
- return attribute_test(load_iframe_with_csp, url,
- invariants.assert_tao_pass_no_redirect_http_empty, label);
-};
-
-// Runs a test (labeled by the given label) to verify that loading an iframe
// with the given URL under a "default-src 'none' Content-Security-Policy
// generates a PerformanceResourceTiming entry and that the entry does not
// expose sensitive timing attributes.
@@ -68,15 +59,6 @@
invariants.assert_tao_failure_resource, label);
};
-// Runs a test (labeled by the given label) to verify that loading an iframe
-// with the given URL, an empty response body and under a "default-src 'none'
-// Content-Security-Policy generates a PerformanceResourceTiming entry and that
-// the entry does expose sensitive timing attributes.
-const non_navigating_empty_unmasked_entry_with_csp_test = (url, label) => {
- return attribute_test(load_iframe_with_csp_no_navigation, url,
- invariants.assert_tao_pass_no_redirect_http_empty, label);
-};
-
const {REMOTE_ORIGIN, ORIGINAL_HOST, HTTPS_PORT} = get_host_info();
const unhosted_url = `https://nonexistent.${ORIGINAL_HOST}:${HTTPS_PORT}/`;
@@ -91,7 +73,8 @@
unmasked_entry_with_csp_test("/resource-timing/resources/csp-default-none.html",
"Same-origin iframe that complies with CSP attribute gets reported");
-unmasked_entry_with_csp_test("/resource-timing/resources/green-frame.html",
+// masked because this will load an error page which is cross-origin.
+masked_entry_with_csp_test("/resource-timing/resources/green-frame.html",
"Same-origin iframe that doesn't comply with CSP attribute gets reported");
masked_entry_with_csp_test(
@@ -102,7 +85,7 @@
new URL("/resource-timing/resources/green-frame.html", REMOTE_ORIGIN),
"Cross-origin iframe that doesn't comply with CSP attribute gets reported");
-empty_unmasked_entry_with_csp_test(
+masked_entry_with_csp_test(
"/resource-timing/resources/200_empty.asis",
"Same-origin empty iframe with a 200 status gets reported");
@@ -110,11 +93,11 @@
new URL("/resource-timing/resources/200_empty.asis", REMOTE_ORIGIN),
"Cross-origin empty iframe with a 200 status gets reported");
-non_navigating_empty_unmasked_entry_with_csp_test(
+non_navigating_masked_entry_with_csp_test(
new URL("/resource-timing/resources/204_empty.asis", location.origin),
"Same-origin empty iframe with a 204 status gets reported");
-non_navigating_empty_unmasked_entry_with_csp_test(
+non_navigating_masked_entry_with_csp_test(
new URL("/resource-timing/resources/205_empty.asis", location.origin),
"Same-origin empty iframe with a 205 status gets reported");