Bug 1685126 [wpt PR 27051] - Fix CSP embedded enforcement with sandbox directive., a=testonly

Automatic update from web-platform-tests Fix CSP embedded enforcement with sandbox directive. Due to a bug, CSP embedded enforcement was ignoring the whole CSP directive when it contained one using the sandbox directive. This patch trivially fix it. This is intented to be merged into M89 This patch also adds many tests for the documents: 1. initial empty document 2. about-blank 3. about-srcdoc 4. data-url 5. blob-url 6. same-origin 7. cross-origin (1)(2)(3) are failing, because of https://crbug.com/1163174 Bug: 1163108,1163174 Change-Id: I888ab01009ae914809680451beee37c69b12734f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2611264 Reviewed-by: Camille Lamy <clamy@chromium.org> Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/master@{#840581} -- wpt-commits: b7c0a3e0b78b98c2da7526aaa607e25c2110fff6 wpt-pr: 27051
2021-01-07 09:55:25 +00:00 · 2021-01-07 09:55:25 +00:00 · 1f52b3a38f
--- a/testing/web-platform/tests/html/browsers/sandboxing/sandbox-inherited-from-required-csp.html
+++ b/testing/web-platform/tests/html/browsers/sandboxing/sandbox-inherited-from-required-csp.html
@ -0,0 +1,141 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>Inherit sandbox from CSP embedded enforcement</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<body>
+<script>
+// Check sandbox flags are properly defined when its parent requires them and
+// the child allows it.
+
+const same_origin = get_host_info().HTTPS_ORIGIN;
+const cross_origin = get_host_info().HTTPS_REMOTE_ORIGIN;
+const check_sandbox_url =
+  "/html/browsers/sandboxing/resources/check-sandbox-flags.html?pipe=";
+const allow_csp_from_star = "|header(Allow-CSP-From,*)";
+
+// Return a promise, resolving when |element| triggers |event_name| event.
+const future = (element, event_name) => {
+  return new Promise(resolve => {
+    element.addEventListener(event_name, event => resolve(event))
+  });
+};
+
+const check_sandbox_script = `
+  try {
+    document.domain = document.domain;
+    parent.postMessage("document-domain-is-allowed", "*");
+  } catch (exception) {
+    parent.postMessage("document-domain-is-disallowed", "*");
+  }
+`;
+
+const sandbox_policy = "sandbox allow-scripts allow-same-origin";
+
+promise_test(async test => {
+  const iframe = document.createElement("iframe");
+  iframe.csp = sandbox_policy;
+
+  // The <iframe> immediately hosts the initial empty document after being
+  // appended into the DOM. It will, as long as its 'src' isn't loaded. That's
+  // why a page do not load is being used.
+  iframe.src = "/fetch/api/resources/infinite-slow-response.py";
+  document.body.appendChild(iframe);
+
+  const iframe_reply = future(window, "message");
+  iframe.contentWindow.location =
+    `javascript:${encodeURI(check_sandbox_script)}`;
+  const result = await iframe_reply;
+  iframe.remove();
+
+  assert_equals(result.data, "document-domain-is-not-allowed");
+}, "initial empty document");
+
+promise_test(async test => {
+  const iframe = document.createElement("iframe");
+  iframe.src = "data:text/html,dummy";
+
+  const iframe_load_1 = future(iframe, "load");
+  document.body.appendChild(iframe);
+  await iframe_load_1;
+
+  const iframe_load_2 = future(iframe, "load");
+  iframe.csp = sandbox_policy;
+  iframe.src = "about:blank";
+  await iframe_load_2;
+
+  const iframe_reply = future(window, "message");
+  iframe.contentWindow.location =
+    `javascript:${encodeURI(check_sandbox_script)}`;
+  const result = await iframe_reply;
+
+  assert_equals(result.data, "document-domain-is-not-allowed");
+}, "about:blank");
+
+promise_test(async test => {
+  const iframe = document.createElement("iframe");
+  iframe.csp = sandbox_policy;
+  iframe.src =
+    `data:text/html,<script>${encodeURI(check_sandbox_script)}</scr`+`ipt>`;
+
+  const iframe_reply = future(window, "message");
+  document.body.appendChild(iframe);
+  const result = await iframe_reply;
+
+  assert_equals(result.data, "document-domain-is-disallowed");
+}, "data-url");
+
+promise_test(async test => {
+  const iframe = document.createElement("iframe");
+  iframe.csp = sandbox_policy;
+  iframe.srcdoc = `<script>${check_sandbox_script}</scr`+`ipt>`;
+
+  const iframe_reply = future(window, "message");
+  document.body.appendChild(iframe);
+  const result = await iframe_reply;
+
+  assert_equals(result.data, "document-domain-is-not-allowed");
+}, "srcdoc");
+
+promise_test(async test => {
+  const iframe = document.createElement("iframe");
+  iframe.csp = sandbox_policy;
+
+  const blob = new Blob(
+    [ `<script>${check_sandbox_script}</scr`+`ipt>` ], { type: "text/html" });
+
+  iframe.src = URL.createObjectURL(blob);
+
+  const iframe_reply = future(window, "message");
+  document.body.appendChild(iframe);
+  const result = await iframe_reply;
+
+  assert_equals(result.data, "document-domain-is-disallowed");
+}, "blob URL");
+
+promise_test(async test => {
+  const iframe = document.createElement("iframe");
+  iframe.csp = sandbox_policy;
+  iframe.src = same_origin + check_sandbox_url + allow_csp_from_star;
+
+  const iframe_reply = future(window, "message");
+  document.body.appendChild(iframe);
+  const result = await iframe_reply;
+
+  assert_equals(result.data, "document-domain-is-disallowed");
+}, "same-origin");
+
+promise_test(async test => {
+  const iframe = document.createElement("iframe");
+  iframe.csp = sandbox_policy;
+  iframe.src = cross_origin + check_sandbox_url + allow_csp_from_star;
+
+  const iframe_reply = future(window, "message");
+  document.body.appendChild(iframe);
+  const result = await iframe_reply;
+
+  assert_equals(result.data, "document-domain-is-disallowed");
+}, "cross-origin");
+
+</script>