Issue metadata
Sign in to add a comment
|
origin-clean flag not set if js file and css files are from same origin
Reported by
pratyush...@gmail.com,
Dec 16
|
||||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 Steps to reproduce the problem: 1. Load your js and css in a 3rd party website 2. js files calls the css file's cssRules/insertRule 3. Security exception comes, because origin-clean flag is unset What is the expected behavior? Since js and css files are from same origin, js file should be able to make necessary changes in the css file using insertRule and cssRules. What went wrong? sheet should be accessible from js file of same origin else there has to be some way to update css rules from different browsers dynamically Did this work before? Yes Chrome version: 71.0.3578.98 Channel: stable OS Version: 10.0 Flash Version: it stopped working after this https://chromium.googlesource.com/chromium/src/+/a4ebe08c91e29140e700c7bae9b94f27a786d1ca
,
Dec 17
,
Dec 17
Thanks for filing the issue... @reporter: Could you please provide a sample file/URL that reproduces the issue so that it would be really helpful in triaging the issue.
,
Dec 17
Steps to reproduce in a local build environment you will need a webapplication and ngrok application in web application, add a css, js and html file refer attached samples create ngrok url for local build Sample command : ngrok.exe http 3979 -host-header="localhost:3979" go thru sample html file keep commenting 1 section at a time and see I tried 4 cases ngrok css, ngrok js : cant use add rules ngrok css, local js : cant use add rules local css, ngrok js : can use add rules local css, local js : can use add rules Also if I set “Access-Control-Allow-Origin: *” the result is same but there is another issue because if “Access-Control-Allow-Origin: *” is not there, then other js file should not be able to change different domain css files. should I keep this issue here or create a separate item for it.
,
Dec 17
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 17
I imagine this is intentional but over to the relevant teams to verify.
,
Dec 18
thanks, will wait for an update from them
,
Dec 18
Tried testing the issue on reported chrome version #71.0.3578.98 using Windows 10 by following below steps. Steps: ===== 1.Launched chrome. 2.Download test.js, test.css and test.html. 3.Started localhost. 4.Ran command ngrok.exe http 3979 -host-header="localhost:8000". 5.Opened test.html on localhost. 6.Observed a coloured box. Attached screencast for reference. @reporter: Could you please provide the details of the web application you are using for reproducing the issue and also a screencast/screenshot of the issue so that it would be really helpful in triaging of the issue. Thanks.!
,
Dec 18
Actually you need to make some changes in test.html before running it it has commented section which contains 3 other test cases please uncomment one section at a time and run all the tests (total 4) also you need to set the ngrok path for the js/css files in the test.html If color red comes, then js file failed to add rule in css and you will get an alert too
,
Dec 18
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 19
Mike-- can you help triaging this? (Well after having happy holidays)
,
Dec 19
Bisected to 520003 - 520008 which includes r520005 mentioned by the reporter. https://chromium.googlesource.com/chromium/src/+log/aa599d18..15470d8e?pretty=fuller Additional steps to c#4: 1. replace [ngrok-path] in test.html with the URL displayed by ngrok in the console e.g. https://d66f0918.ngrok.io/ 2. remove everything between <body> and </body> except for the first section without <!-- and --> comments: <link href="https://d66f0918.ngrok.io/test.css" rel="stylesheet" /> <div class="test-add-rule"></div> <script src="https://d66f0918.ngrok.io/test.js"></script> 3. open test.html in the browser Old Chrome: the box turns green New Chrome: the box stays red and an alert is displayed
,
Dec 19
Thank you woxxom for the update... As per comment#12 change log adding appropriate labels. As the owner(meade@chromium.org) and reviewer(nainar@chromium.org) no longer works for chrome, hence marking it as untriaged and requesting someone from dev team to look into the issue. Thanks.!
,
Jan 8
Hoping you all had a great holiday, Is there any update on this issue?
,
Jan 8
Hi! Thanks for the report, and apologies for the delay getting back to you. I believe this is working as intended. If `a.com` loads CSS from `b.com` without using the [crossorigin][1] attribute, then the stylesheet is loaded in `no-cors` mode, which means that it is treated as being opaque to the document in which it's loaded. `a.com` can't access the details of the stylesheet's content, nor should it be able to. This includes script acting on `a.com`'s behalf, no matter where it's loaded from. You should be able to reenable access to the cross-origin stylesheet's contents by loading it with something like `<link ... crossorigin="anonymous">`, and delivering appropriate CORS headers in the response (for example, `Access-Control-Allow-Origin: *`). Thanks! [1]: https://html.spec.whatwg.org/multipage/semantics.html#attr-link-crossorigin |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by phanindra.mandapaka@chromium.org
, Dec 16