Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Run CORP on nested frame navigations #21943

Merged
merged 1 commit into from
Mar 2, 2020
Merged

Run CORP on nested frame navigations #21943

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 29 additions & 2 deletions html/cross-origin-embedder-policy/none.https.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,8 @@
assert_equals(win, null);
}, `"require-corp" top-level noopener popup: navigating to "none" should succeed`);

// CORP is checked because COEP of the frame is "require-corp". The parent
// frame's COEP value doesn't matter.
async_test(t => {
const frame = document.createElement("iframe");
const id = token();
Expand All @@ -94,8 +96,33 @@
t.done();
}
}));
frame.src = `${HOST.HTTPS_NOTSAMESITE_ORIGIN}${BASE}/navigate-require-corp-same-site.sub.html?token=${id}`;
// REMOTE_ORIGIN is cross-origin, same-site.
frame.src = `${HOST.HTTPS_REMOTE_ORIGIN}${BASE}/navigate-require-corp-same-site.sub.html?token=${id}`;
document.body.append(frame);
}, 'CORP: same-site is not checked.');
}, 'CORP: same-site is checked and allowed.');

// CORP is checked because COEP of the frame is "require-corp". The parent
// frame's COEP value doesn't matter.
async_test(t => {
const frame = document.createElement("iframe");
const id = token();
t.add_cleanup(() => frame.remove());
let loaded = false;
window.addEventListener('message', t.step_func((e) => {
if (e.data === id) {
loaded = true;
}
}));
t.step_timeout(() => {
// Make sure the iframe didn't load. See https://github.com/whatwg/html/issues/125 for why a
// timeout is used here. Long term all network error handling should be similar and have a
// reliable event.
assert_false(loaded);
t.done();
}, 2000);

// NOTESAMESITE_ORIGIN is cross-origin, cross-site.
frame.src = `${HOST.HTTPS_NOTSAMESITE_ORIGIN}${BASE}/navigate-require-corp-same-site.sub.html?token=${id}`;
document.body.append(frame);
}, 'CORP: same-site is checked and blocked.');
</script>
1 change: 1 addition & 0 deletions html/cross-origin-opener-policy/resources/postback.html.headers
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1,2 @@
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: cross-origin
1 change: 1 addition & 0 deletions html/infrastructure/safe-passing-of-structured-data/resources/echo-iframe.html.headers
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1,2 @@
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: cross-origin