OOPIFs: console messages mismatch (origin-only VS full-URI) in xss-DENIED-top-navigation-without-user-gesture.html |
|||||
Issue description
Repro steps:
$ DISPLAY=:20 third_party/WebKit/Tools/Scripts/run-webkit-tests \
-t gn -v --additional-drt-flag=--site-per-process \
http/tests/security/frameNavigation/xss-DENIED-top-navigation-without-user-gesture.html
Test failure:
Expected:
CONSOLE ERROR: line 8: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://127.0.0.1:8000/security/frameNavigation/xss-DENIED-top-navigation-without-user-gesture.html' ...
Actual:
CONSOLE ERROR: line 8: Unsafe JavaScript attempt to initiate navigation for frame with origin 'http://127.0.0.1:8000' ...
,
Nov 28 2016
I'll put together a CL to disable (for now) the test with --site-per-process flag.
,
Nov 28 2016
Actually, I see that third_party/WebKit/LayoutTests/http/tests/security/frameNavigation/xss-DENIED-top-navigation-without-user-gesture-expected.txt didn't conver the console messages until r434375. So maybe, it would be find to just disable console output for this test. Nevertheless to make the site isolation bot green, I probably should still land first a CL that disables the CL with --site-per-process.
,
Nov 28 2016
,
Nov 28 2016
Also - note that we have other issues around console message differences when OOPIFs are present - for example see issue 619662 and issue 602497 .
,
Nov 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a066b28c6d14ca55c6262f4bfb90084b0a885bdb commit a066b28c6d14ca55c6262f4bfb90084b0a885bdb Author: lukasza <lukasza@chromium.org> Date: Tue Nov 29 00:17:16 2016 OOPIF test expectation for xss-DENIED-top-navigation-without-user-gesture.html BUG=669083 NOTRY=true Review-Url: https://codereview.chromium.org/2537613002 Cr-Commit-Position: refs/heads/master@{#434794} [modify] https://crrev.com/a066b28c6d14ca55c6262f4bfb90084b0a885bdb/third_party/WebKit/LayoutTests/FlagExpectations/site-per-process
,
Nov 10 2017
,
Feb 18 2018
,
Mar 9 2018
We are trying to ship Strict Site Isolation (aka site-per-process) "soon" (aiming for M67 at the moment). I assume that there is nothing here that would block this launch (i.e. it is okay it console messages in OOPIFs include only the origin and not the full URL). If the above sounds okay, then the only decision to be made here is to either 1. Forever skip this test in the (soon-to-be-default) site-per-process mode or 2. Update console message emitted by the product code, so that it only includes the origin (even if site-per-process is not enabled) |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by lukasza@chromium.org
, Nov 28 2016Status: Available (was: Untriaged)