Test mixed content check against a frame that is neither the top fram…

…e or the parent It seems that the mixed content checker only checks the top and the parent frame [1], as concerned raised in https://crbug.com/623486. I thought we could reproduce it if we fetch HTTP in a data: iframe embedded by a HTTPS iframe embedded by a HTTP top level frame because neither the top or parent origin is trustworthy. However, the test passes as-is because we actually check mixed content against the parent frame's `security_origin->GetOriginOrPrecursorOriginIfOpaque()` [2]. In this case, even though the innermost data URL has an opaque origin, its precursor origin is still HTTPS and potentially trustworthy. Regardless, I thought we could keep this test anyway. [1] https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/loader/mixed_content_checker.cc;drc=48340c1e35efad5fb0253025dcc36b3a9573e258;l=306,311 [2] https://source.chromium.org/chromium/chromium/src/+/refs/heads/main:third_party/blink/renderer/core/loader/mixed_content_checker.cc;l=272;drc=563462e6dee3014de2f13db70d50cc3879c783d9 Bug: 623486 Change-Id: Ib038c79cf7b889837819072611faa6ab1fd1cec8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4388629 Commit-Queue: Jonathan Hao <[email protected]> Reviewed-by: Titouan Rigoudy <[email protected]> Cr-Commit-Position: refs/heads/main@{#1126471}
Tobias710219 · Apr 5, 2023 · 6e77ff7 · 6e77ff7
1 parent 1d3511f
commit 6e77ff7
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 0 deletions.
diff --git a/mixed-content/nested-iframes.window.js b/mixed-content/nested-iframes.window.js
@@ -0,0 +1,25 @@
+// META: script=/common/get-host-info.sub.js
+
+const t1 = async_test("HTTP fetch");
+const t2 = async_test("HTTPS fetch");
+
+onmessage = function(e) {
+  const {protocol, success} = e.data;
+  if (protocol == "http:") {
+    t1.step(() => assert_false(success, "success"));
+    t1.done();
+  } else if (protocol == "https:") {
+    t2.step(() => assert_true(success, "success"));
+    t2.done();
+  } else {
+    [t1, t2].forEach(t => {
+      t.step(() => assert_unreached("Unknown message"));
+      t.done();
+    });
+  }
+};
+
+const httpsFrame = document.createElement("iframe");
+httpsFrame.src = get_host_info().HTTPS_ORIGIN + "/mixed-content/resources/middle-frame.html";
+
+document.body.appendChild(httpsFrame);
diff --git a/mixed-content/resources/middle-frame.html b/mixed-content/resources/middle-frame.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <script src="/common/get-host-info.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      onmessage = e => parent.postMessage(e.data, "*");
+
+      const path = "/fetch/api/resources/cors-top.txt";
+      const http_url = get_host_info().HTTP_ORIGIN + path;
+      const https_url = get_host_info().HTTPS_ORIGIN + path;
+
+      const ifr = document.createElement("iframe");
+      ifr.src = `data:text/html,
+        <!DOCTYPE html>
+        <script>
+          async function try_fetch(url) {
+            try {
+              const response = await fetch(url);
+              return response.ok;
+            } catch(e) {
+              return false;
+            }
+          }
+          async function try_fetch_and_report(url) {
+            parent.postMessage({
+              protocol: new URL(url).protocol,
+              success: await try_fetch(url),
+            }, "*");
+          }
+          try_fetch_and_report("${http_url}");
+          try_fetch_and_report("${https_url}");
+        <\/script>
+      `;
+      document.body.appendChild(ifr);
+    </script>
+  </body>
+</html>