Navigation API: Don't allow the javascript: protocol in navigation.navigate()

https://bugs.webkit.org/show_bug.cgi?id=297650
rdar://158867866

Reviewed by Tim Nguyen.

navigation.navigate("javascript:alert(1)") is a new script execution sink that was newly added.
We believe that it would be more useful for new APIs to not support the legacy javascript:
protocol, compared to just keeping it because other APIs like location.href support it.

whatwg/html#11533

* LayoutTests/http/wpt/navigation-api/navigation-methods/return-value/navigate-javascript-url-expected.txt: Added.
* LayoutTests/http/wpt/navigation-api/navigation-methods/return-value/navigate-javascript-url.html: Added.
* LayoutTests/http/wpt/navigation-api/navigation-methods/return-value/resources/helpers.js: Added.
(window.assertReturnValue):
(window.assertNeverSettles):
(window.assertBothFulfillEntryNotAvailable.async t):
(window.assertBothFulfill.async t):
(window.assertCommittedFulfillsFinishedRejectsExactly.async t):
(window.assertCommittedFulfillsFinishedRejectsDOM.async t):
(window.waitForAllLenient):
(window.assertBothRejectExactly.async t):
(window.assertBothRejectDOM.async t):
* Source/WebCore/page/Navigation.cpp:
(WebCore::Navigation::navigate):

Canonical link: https://commits.webkit.org/299235@main

Author: basuke

LayoutTests/http/wpt/navigation-api/navigation-methods/return-value/navigate-javascript-url-expected.txt

@@ -0,0 +1,3 @@
+
+PASS navigate() to a javascript: URL
+

LayoutTests/http/wpt/navigation-api/navigation-methods/return-value/navigate-javascript-url.html

@@ -0,0 +1,38 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="resources/helpers.js"></script>
+
+<script type="module">
+
+promise_test(async t => {
+  async function ensureWindowLoadEventFired(t) {
+    return new Promise(resolve => {
+      const callback = () => t.step_timeout(resolve, 0);
+      if (document.readyState === 'complete') {
+        callback();
+      } else {
+        window.onload = callback;
+      }
+    });
+  }
+
+  // Wait for after the load event so that we are definitely testing the
+  // javascript: URL as the cause of the rejections.
+  await ensureWindowLoadEventFired(t);
+
+  navigation.onnavigate = t.unreached_func("onnavigate should not be called");
+  navigation.onnavigatesuccess = t.unreached_func("onnavigatesuccess should not be called");
+  navigation.onnavigateerror = t.unreached_func("onnavigateerror should not be called");
+
+  let result;
+  result = navigation.navigate("javascript:'foo'");
+  await assertBothRejectDOM(t, result, "NotSupportedError");
+
+  result = navigation.navigate("javascript:'foo'", { history: "replace" });
+  await assertBothRejectDOM(t, result, "NotSupportedError");
+
+  result = navigation.navigate("javascript:'foo'", { history: "push" });
+  await assertBothRejectDOM(t, result, "NotSupportedError");
+}, "navigate() to a javascript: URL");
+</script>

LayoutTests/http/wpt/navigation-api/navigation-methods/return-value/resources/helpers.js

@@ -0,0 +1,154 @@
+window.assertReturnValue = (result, w = window) => {
+  assert_equals(Object.getPrototypeOf(result), w.Object.prototype, "result object must be from the right realm");
+  assert_array_equals(Reflect.ownKeys(result), ["committed", "finished"]);
+  assert_true(result.committed instanceof w.Promise);
+  assert_true(result.finished instanceof w.Promise);
+  assert_not_equals(result.committed, result.finished);
+};
+
+window.assertNeverSettles = (t, result, w = window) => {
+  assertReturnValue(result, w);
+  result.committed.then(
+    t.unreached_func("committed must not fulfill"),
+    t.unreached_func("committed must not reject")
+  );
+
+  result.finished.then(
+    t.unreached_func("finished must not fulfill"),
+    t.unreached_func("finished must not reject")
+  );
+};
+
+window.assertBothFulfillEntryNotAvailable = async (t, result, w = window) => {
+  assertReturnValue(result, w);
+
+  // Don't use await here so that we can catch out-of-order settlements.
+  let committedValue;
+  result.committed.then(
+    t.step_func(v => { committedValue = v;}),
+    t.unreached_func("committed must not reject")
+  );
+
+  const finishedValue = await result.finished;
+
+  assert_not_equals(committedValue, undefined, "committed must fulfill before finished");
+  assert_equals(finishedValue, committedValue, "committed and finished must fulfill with the same value");
+  assert_true(finishedValue instanceof w.NavigationHistoryEntry, "fulfillment value must be a NavigationHistoryEntry");
+};
+
+window.assertBothFulfill = async (t, result, expected, w = window) => {
+  assertReturnValue(result, w);
+
+  // Don't use await here so that we can catch out-of-order settlements.
+  let committedValue;
+  result.committed.then(
+    t.step_func(v => { committedValue = v; }),
+    t.unreached_func("committed must not reject")
+  );
+
+  const finishedValue = await result.finished;
+
+  assert_not_equals(committedValue, undefined, "committed must fulfill before finished");
+  assert_equals(finishedValue, committedValue, "committed and finished must fulfill with the same value");
+  assert_true(finishedValue instanceof w.NavigationHistoryEntry, "fulfillment value must be a NavigationHistoryEntry");
+  assert_equals(finishedValue, expected);
+};
+
+window.assertCommittedFulfillsFinishedRejectsExactly = async (t, result, expectedEntry, expectedRejection, w = window) => {
+  assertReturnValue(result, w);
+
+  // Don't use await here so that we can catch out-of-order settlements.
+  let committedValue;
+  result.committed.then(
+    t.step_func(v => { committedValue = v; }),
+    t.unreached_func("committed must not reject")
+  );
+
+  await promise_rejects_exactly(t, expectedRejection, result.finished);
+
+  assert_not_equals(committedValue, undefined, "committed must fulfill before finished rejects");
+  assert_true(committedValue instanceof w.NavigationHistoryEntry, "fulfillment value must be a NavigationHistoryEntry");
+  assert_equals(committedValue, expectedEntry);
+};
+
+window.assertCommittedFulfillsFinishedRejectsDOM = async (t, result, expectedEntry, expectedDOMExceptionCode, w = window, domExceptionConstructor = w.DOMException, navigationHistoryEntryConstuctor = w.NavigationHistoryEntry) => {
+  assertReturnValue(result, w);
+
+  let committedValue;
+  result.committed.then(
+    t.step_func(v => { committedValue = v; }),
+    t.unreached_func("committed must not reject")
+  );
+
+  await promise_rejects_dom(t, expectedDOMExceptionCode, domExceptionConstructor, result.finished);
+
+  assert_not_equals(committedValue, undefined, "committed must fulfill before finished rejects");
+  assert_true(committedValue instanceof navigationHistoryEntryConstuctor, "fulfillment value must be an NavigationHistoryEntry");
+  assert_equals(committedValue, expectedEntry);
+};
+
+// We cannot use Promise.all() because the automatic coercion behavior when
+// promises from multiple realms are involved causes it to hang if one of the
+// promises is from a detached iframe's realm. See discussion at
+// https://github.com/whatwg/html/issues/11252#issuecomment-2984143855.
+window.waitForAllLenient = (iterable) => {
+  const { promise: all, resolve, reject } = Promise.withResolvers();
+  let remaining = 0;
+  let results = [];
+  for (const promise of iterable) {
+    let index = remaining++;
+    promise.then(v => {
+      results[index] = v;
+      --remaining;
+      if (!remaining) {
+        resolve(results);
+      }
+      return v;
+    }, v => reject(v));
+  }
+
+  if (!remaining) {
+    resolve(results);
+  }
+
+  return all;
+}
+
+window.assertBothRejectExactly = async (t, result, expectedRejection, w = window) => {
+  assertReturnValue(result, w);
+
+  let committedReason, finishedReason;
+  await waitForAllLenient([
+    result.committed.then(
+      t.unreached_func("committed must not fulfill"),
+      t.step_func(r => { committedReason = r; })
+    ),
+    result.finished.then(
+      t.unreached_func("finished must not fulfill"),
+      t.step_func(r => { finishedReason = r; })
+    )
+  ]);
+
+  assert_equals(committedReason, finishedReason, "committed and finished must reject with the same value");
+  assert_equals(expectedRejection, committedReason);
+};
+
+window.assertBothRejectDOM = async (t, result, expectedDOMExceptionCode, w = window, domExceptionConstructor = w.DOMException) => {
+  assertReturnValue(result, w);
+
+  // Don't use await here so that we can catch out-of-order settlements.
+  let committedReason, finishedReason;
+  await waitForAllLenient([
+    result.committed.then(
+      t.unreached_func("committed must not fulfill"),
+      t.step_func(r => { committedReason = r; })
+    ),
+    result.finished.then(
+      t.unreached_func("finished must not fulfill"),
+      t.step_func(r => { finishedReason = r; })
+    )
+  ]);
+
+  assert_equals(committedReason, finishedReason, "committed and finished must reject with the same value");
+  assert_throws_dom(expectedDOMExceptionCode, domExceptionConstructor, () => { throw committedReason; });
+};

Source/WebCore/page/Navigation.cpp

@@ -430,8 +430,9 @@ Navigation::Result Navigation::navigate(const String& url, NavigateOptions&& opt
     if (!newURL.isValid())
         return createErrorResult(WTFMove(committed), WTFMove(finished), ExceptionCode::SyntaxError, "Invalid URL"_s);
 
-    if (options.history == HistoryBehavior::Push && newURL.protocolIsJavaScript())
-        return createErrorResult(WTFMove(committed), WTFMove(finished), ExceptionCode::NotSupportedError, "A \"push\" navigation was explicitly requested, but only a \"replace\" navigation is possible when navigating to a javascript: URL."_s);
+    // Reject all JavaScript URLs in Navigation API.
+    if (newURL.protocolIsJavaScript())
+        return createErrorResult(WTFMove(committed), WTFMove(finished), ExceptionCode::NotSupportedError, "Navigation API does not support javascript: URLs."_s);
 
     if (options.history == HistoryBehavior::Push && currentURL.isAboutBlank())
         return createErrorResult(WTFMove(committed), WTFMove(finished), ExceptionCode::NotSupportedError, "A \"push\" navigation was explicitly requested, but only a \"replace\" navigation is possible while on an about:blank document."_s);