Fenced frames: Make same-origin fenced frame redaction check consistent

Fix at least one potential cause of a BadMessage where renderer's view of "same-origin to mapped url" and browser's view of "same-origin to mapped url" differ. The origin to be committed is not necessarily the origin of the url to be committed, e.g. for sandboxed iframes. All our browser-side checks are with respect to the last committed origin, so we should use the origin to be committed when redacting fenced frame properties for the renderer. Bug: 1515202, 1508030 Change-Id: I4e1bfde4c0bab7c88a93ae0f01d8568ead3fdc18 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5165532 Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Reviewed-by: Dominic Farolino <dom@chromium.org> Commit-Queue: Garrett Tanzer <gtanzer@chromium.org> Cr-Commit-Position: refs/heads/main@{#1244665}
web-platform-tests · Jan 9, 2024 · 044dab0 · 044dab0
1 parent 5e042cb
commit 044dab0
Showing 1 changed file with 34 additions and 0 deletions.
diff --git a/fenced-frame/report-event-sandboxed-iframe.https.html b/fenced-frame/report-event-sandboxed-iframe.https.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<title>Test that window.fence.reportEvent does not crash in sandboxed iframes</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="resources/utils.js"></script>
+
+<body>
+<script>
+promise_test(async(t) => {
+  const fencedframe = await attachFencedFrameContext({generator_api: 'fledge'});
+  await fencedframe.execute(async () => {
+    const iframe = await attachIFrameContext();
+    await iframe.execute(() => {
+      let event = {};
+      event.eventType = "click";
+      event.eventData = "dummy";
+      event.destination = ["buyer"];
+      window.fence.reportEvent(event);
+    });
+
+    const sandbox_iframe = await attachIFrameContext({attributes: [['sandbox', 'allow-scripts']]});
+    await sandbox_iframe.execute(() => {
+      let event = {};
+      event.eventType = "click";
+      event.eventData = "dummy";
+      event.destination = ["buyer"];
+      window.fence.reportEvent(event);
+    });
+  });
+}, 'window.fence.reportEvent in sandboxed (effectively cross-origin) iframe');
+</script>
+</body>