javascript content setting not propagating to all subframes
Issue description

Chrome Version: (copy from chrome://version)
OS: (e.g. Win10, MacOS 10.12, etc...)

What steps will reproduce the problem?
(1) Disable javascript entirely by going to chrome://settings/content/javascript and toggling the tickbox to Off.
(2) Enable javascript in chrome://settings/content/javascript for "[*.]telegraph.co.uk"
(3) Visit https://secure.telegraph.co.uk/secure/register/

What is the expected result?
Captcha displays

What happens instead?
Captcha does not display and displays an error (eventually). Content setting icon appears in top right saying "JavaScript was blocked for this page".

Please use labels and text to provide additional information.
I've seen this happen a few times, but never managed to get a reliable repro until now.

If this is a regression (i.e., worked before), please consider using the bisect tool (https://www.chromium.org/developers/bisect-builds-py) to help us identify the root cause and more rapidly triage the issue.

For graphics-related bugs, please copy/paste the contents of the about:gpu page at the end of this report.
Sep 11
Sep 17
Sep 27
Hi - any update on this bug? Should top level site permissions affect all subframes? Is this a site isolation issue? Adding nasko as I know he knows a bit about this.
Oct 1
I don't recall the exact details, but I think during the investigation of issue 496670 I came across that content settings apply differently for blocking JS depending on whether they were done with the UI vs an extension API call. It had to do with primary and secondary pattern, involving the fact that subframes had to match the secondary pattern. The behavior was the same with and without Site Isolation IIRC, but I will be happy for someone with more knowledge of the area to confirm.
Nov 12
Assigning to msramek to further triage as a SiteSettings issue. msramek: feel free to reassign as appropriate. Also adding platforms (I was able to reproduce on Linux, so this is likely at least happening in all blink platforms).
Nov 13
The JavaScript content setting is supposed to only use the primary pattern, and compare it with the main frame origin. Which means that if JS is allowed on the main frame, it's also allowed on all iframes, including cross-origin. If extensions use double-keyed settings (i.e. both the primary and secondary pattern), those generally won't work.

Looking at the code search: https://cs.chromium.org/search/?q=GetWebsiteSetting%5C(+CONTENT_SETTINGS_TYPE_JAVASCRIPT we see that in most cases we're really passing the main frame URL as both the primary_url and secondary_url params of GetWebsiteSetting().

I tested this in the following way:
1. Blocking JS.
2. Allowing JS on example.com
3. Loading example.com and document.write()ing a few iframes with sites that require JavaScript, all of them worked.
4. All those same sites didn't work when navigated to.

I.e. it didn't reproduce. I didn't try creating an account on telegraph yet. I wonder if the issue there could be nested iframes?
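The lookup described in the comment above, as a simplified model added here for illustration (not Chromium's code and not part of the thread). The pattern matcher, the rule layout and the `captcha.example` host are assumptions, and the frame-keyed variant is a hypothetical contrast, not a diagnosis of this bug.

```javascript
// Simplified model of a content-setting lookup. Not Chromium's implementation.
// Handles only "*", "[*.]domain" and exact-host patterns.
function matchesPattern(pattern, url) {
  if (pattern === "*") return true;
  const host = new URL(url).hostname;
  if (pattern.startsWith("[*.]")) {
    const domain = pattern.slice(4);
    return host === domain || host.endsWith("." + domain);
  }
  return host === pattern;
}

// Rules are ordered most specific first; the last rule is the global default.
function getSetting(rules, primaryUrl, secondaryUrl) {
  const rule = rules.find((r) =>
    matchesPattern(r.primary, primaryUrl) &&
    matchesPattern(r.secondary, secondaryUrl));
  return rule.setting;
}

// Lookup as described in the thread: the main frame URL is passed as both
// primary_url and secondary_url, so a subframe inherits the top-level answer.
function jsSettingForFrame(rules, mainFrameUrl, frameUrl) {
  return getSetting(rules, mainFrameUrl, mainFrameUrl); // frameUrl is ignored
}

// Hypothetical frame-keyed lookup, for contrast only.
function jsSettingFrameKeyed(rules, mainFrameUrl, frameUrl) {
  return getSetting(rules, frameUrl, frameUrl);
}

// Constructed sample data. captcha.example is a placeholder third-party frame.
const MAIN = "https://secure.telegraph.co.uk/secure/register/";
const CAPTCHA_FRAME = "https://captcha.example/widget";

// Assumed shape of the exception from the report: wildcard secondary pattern.
const uiRules = [
  { primary: "[*.]telegraph.co.uk", secondary: "*", setting: "allow" },
  { primary: "*", secondary: "*", setting: "block" },
];

// Double-keyed rule: the secondary pattern names the embedded host.
const doubleKeyedRules = [
  { primary: "[*.]telegraph.co.uk", secondary: "captcha.example", setting: "allow" },
  { primary: "*", secondary: "*", setting: "block" },
];

console.log(jsSettingForFrame(uiRules, MAIN, CAPTCHA_FRAME));
console.log(jsSettingForFrame(doubleKeyedRules, MAIN, CAPTCHA_FRAME));
```

In this model the double-keyed rule never matches, because its secondary pattern is compared against the main frame URL rather than the embedded frame's URL.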
Nov 13
In any case, passing back to the permissions team :)
Dec 26
Also have this issue:

Chromium 71.0.3578.98 (Official Build) (64-bit)
Revision 15234034d19b85dcd9a03b164ae89d04145d8368-refs/branch-heads/3578@{#897}
OS Windows
JavaScript V8 7.1.302.31
Flash 27.0.0.187
Command Line "C:\Users\<user>\AppData\Local\Chromium\Application\chrome.exe" --flag-switches-begin --autoplay-policy=document-user-activation-required --no-pings --enable-smooth-scrolling --top-chrome-md=material-refresh --enable-features=DoodlesOnLocalNtp,Windows10CustomTitlebar --flag-switches-end

This happens to me on multiple sites with captcha and youtube videos. Enabling JS for a site then CTRL+F5 still keeps blocking js on some elements.
Dec 26
The only thing that seems to be a "workaround" is to enable JS for the site, then open a new incognito session and open the site there.
Dec 26
Or restart chrome.
Comment 1 by wfh@chromium.org, Sep 6