CSP: form-action is enforced by the CSP of the frame that is navigating, not the one that has initiated the navigation.
Issue description

Chrome Version: tested on
* 56.0.2924.87 (Official Build) (64-bit)
* 59.0.3038.0 (Developer Build) (64-bit)

The form-action directive is checked in the frame that has initiated the navigation when the form submission is triggered; this is the right behavior. The problem happens after. During the navigation, it is checked against the CSP of the frame where the navigation happens: it uses the CSP of the document that will be replaced by the navigation. This seems wrong.

What steps will reproduce the problem?
1) Make 2 windows A and B.
2) Set A's CSP and a URL with a redirection such that a form submission to the URL is blocked after the redirect but not before.
3) Make sure that B has already navigated somewhere.
4) Trigger a form submission to the URL from A that targets B.

You can use the test: http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-in-new-window.html from https://codereview.chromium.org/2747823002/

What is the expected result?
The navigation is blocked after the redirect. A's policy is used for the pre-redirect URL and the post-redirect URL.

What happens instead?
The navigation is not blocked. A's policy (and maybe B's CSP) is/are used for the pre-redirect URL and B's CSP is used for the post-redirect URL.
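The check described in the report, as an added example that is not part of the original issue or of Chromium's code: a simplified JavaScript model of form-action matching along a redirect chain, comparing the expected choice of policy with the reported one. The origins, policies and function names are constructed for illustration, only a subset of CSP source expressions is matched, and the report's "maybe B's CSP" on the pre-redirect URL is left out.

```javascript
// Added model, not Chromium code. Origins and policies below are constructed.
// Return the form-action source list of a CSP header value, or null if absent.
function formActionSources(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'form-action') return sources;
  }
  return null; // form-action has no default-src fallback: absent means unrestricted
}

// Simplified matching: 'none', 'self', * and scheme://host[:port] sources only.
function allowsFormAction(policy, selfOrigin, url) {
  const sources = formActionSources(policy);
  if (sources === null) return true;
  const origin = new URL(url).origin;
  return sources.some((s) => {
    if (s === "'none'") return false;
    if (s === "'self'") return origin === selfOrigin;
    if (s === '*') return true;
    try { return new URL(s).origin === origin; } catch { return false; }
  });
}

// Walk the URL chain (form action first, then each redirect target).
// policyForHop(i) picks which frame's policy is applied to hop i.
// Returns the index of the first blocked hop, or -1 if nothing is blocked.
function firstBlockedHop(chain, policyForHop) {
  for (let i = 0; i < chain.length; i++) {
    const frame = policyForHop(i);
    if (!allowsFormAction(frame.policy, frame.origin, chain[i])) return i;
  }
  return -1;
}

// Constructed scenario: A restricts form-action to its own origin, B has no CSP.
const A = { origin: 'https://a.example', policy: "form-action 'self'" };
const B = { origin: 'https://b.example', policy: '' };
const chain = ['https://a.example/redirect', 'https://other.example/landing'];

// Expected in the report: A's policy is applied before and after the redirect.
const expected = firstBlockedHop(chain, () => A);
// Reported: A's policy before the redirect, B's policy after it.
const reported = firstBlockedHop(chain, (i) => (i === 0 ? A : B));
console.log({ expected, reported });
```

A regression test for this bug needs the same asymmetry as the scenario: the initiating document's policy must reject the post-redirect URL while the target window's document must not, otherwise both choices of policy give the same result.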
Mar 13 2017
Mar 14 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/def680801ab5c196b089e67a6e2a1d3768b4a7d3

commit def680801ab5c196b089e67a6e2a1d3768b4a7d3
Author: arthursonzogni <arthursonzogni@chromium.org>
Date: Tue Mar 14 08:44:51 2017

CSP: New test with form-action and a redirect into a new window.

This test shows that the CSP of the navigating frame are used instead of the CSP of the frame that has initiated the navigation.

BUG=700964

Review-Url: https://codereview.chromium.org/2747823002
Cr-Commit-Position: refs/heads/master@{#456656}

[add] https://crrev.com/def680801ab5c196b089e67a6e2a1d3768b4a7d3/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-in-new-window-expected.txt
[add] https://crrev.com/def680801ab5c196b089e67a6e2a1d3768b4a7d3/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-in-new-window.html
Mar 14 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/6d372536c2e57165dc222454188e1f54371c7053

commit 6d372536c2e57165dc222454188e1f54371c7053
Author: arthursonzogni <arthursonzogni@chromium.org>
Date: Tue Mar 14 16:46:25 2017

Revert of CSP: New test with form-action and a redirect into a new window. (patchset #1 id:20001 of https://codereview.chromium.org/2747823002/ )

Reason for revert:
It looks like the test is passing with site-isolation, so they have the wrong file expectation. There is also a minor problem when accessing namedWindow.location.href. I will fix the test and try to understand why it seems to work with site-isolation.

Original issue's description:
> CSP: New test with form-action and a redirect into a new window.
>
> This test shows that the CSP of the navigating frame are used instead of
> the CSP of the frame that has initiated the navigation.
>
> BUG=700964
>
> Review-Url: https://codereview.chromium.org/2747823002
> Cr-Commit-Position: refs/heads/master@{#456656}
> Committed: https://chromium.googlesource.com/chromium/src/+/def680801ab5c196b089e67a6e2a1d3768b4a7d3

TBR=mkwst@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=700964

Review-Url: https://codereview.chromium.org/2746333004
Cr-Commit-Position: refs/heads/master@{#456731}

[delete] https://crrev.com/c582275b87cf75a5467d3afaa74e042baa553b38/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-in-new-window-expected.txt
[delete] https://crrev.com/c582275b87cf75a5467d3afaa74e042baa553b38/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-in-new-window.html
Mar 16 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ff9efad9c23a0623f055677bec071f4007b290e1

commit ff9efad9c23a0623f055677bec071f4007b290e1
Author: arthursonzogni <arthursonzogni@chromium.org>
Date: Thu Mar 16 09:40:22 2017

CSP: New test with form-action and a redirect into a new window.

This test shows that the CSP of the navigating frame are used instead of the CSP of the frame that has initiated the navigation.

This is a reland of: https://crrev.com/2747823002/

BUG=700964
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation,linux_chromium_browser_side_navigation_rel

Review-Url: https://codereview.chromium.org/2749233002
Cr-Commit-Position: refs/heads/master@{#457385}

[add] https://crrev.com/ff9efad9c23a0623f055677bec071f4007b290e1/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-in-new-window-expected.txt
[add] https://crrev.com/ff9efad9c23a0623f055677bec071f4007b290e1/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-in-new-window.html
Jan 25 2018
Comment 1 by arthurso...@chromium.org, Mar 13 2017