Skip to content

Commit

Permalink
Allow appHistory entries that are cross-site-instance, censor the url…
Browse files Browse the repository at this point in the history
… of entries that are noreferrer

While this allows appHistory entries (including URLs) to be sent across
renderer processes on a BrowsingContextGroup switch, it still omits the
URL in cases where a page has expressed that the URL may be sensitive
and shouldn't be exposed (via ReferrerPolicy).

FrameNavigationEntry now stores a |protect_url_in_app_history| bit,
which is updated when the referrer policy is set/changed. If the
most recent referrer policy is "no-referrer" or "origin", the url
will be censored in appHistory, as these policies indicate that the
document set its referrer policy to hide its full url even from other
same-origin documents.

This follows WICG/navigation-api#71

Fixed: 1280010
Change-Id: I07e7ff1376dd9eca34b4493a06a658f1b72da027
  • Loading branch information
natechapin authored and chromium-wpt-export-bot committed Jan 19, 2022
1 parent 6718627 commit 3f1dd3d
Show file tree
Hide file tree
Showing 7 changed files with 103 additions and 2 deletions.
4 changes: 2 additions & 2 deletions app-history/app-history-entry/entry-after-detach.html
Original file line number Diff line number Diff line change
Expand Up @@ -7,12 +7,12 @@
window.onload = t.step_func_done(() => {
let i_entry = i.contentWindow.appHistory.current;
assert_true(i_entry.sameDocument);
assert_not_equals(i_entry.url, "");
assert_not_equals(i_entry.url, null);
assert_not_equals(i_entry.key, "");
assert_not_equals(i_entry.id, "");
i.remove();
assert_false(i_entry.sameDocument);
assert_equals(i_entry.url, "");
assert_equals(i_entry.url, null);
assert_equals(i_entry.key, "");
assert_equals(i_entry.id, "");
});
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
<!doctype html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<iframe id="i" src="/common/blank.html"></iframe>
<script>
promise_test(async (t) => {
// Wait for after the load event so that the navigation doesn't get converted
// into a replace navigation.
await new Promise(r => window.onload = () => t.step_timeout(r, 0));

// The entry for the first document has a visible url.
i.contentWindow.appHistory.navigate("/common/blank.html?2");
await new Promise(r => i.onload = () => t.step_timeout(r, 0));
assert_not_equals(i.contentWindow.appHistory.entries()[0].url, null);

// Apply no-referrer, the url should now be censored when no longer on that document.
i.contentWindow.appHistory.back();
await new Promise(r => i.onload = () => t.step_timeout(r, 0));
i.contentDocument.head.innerHTML = `<meta name="referrer" content="no-referrer">`;
assert_not_equals(i.contentWindow.appHistory.entries()[0].url, null);
i.contentWindow.appHistory.forward();
await new Promise(r => i.onload = () => t.step_timeout(r, 0));
assert_equals(i.contentWindow.appHistory.entries()[0].url, null);

// Overwrite the referrer policy, the url should be visible again.
i.contentWindow.appHistory.back();
await new Promise(r => i.onload = () => t.step_timeout(r, 0));
i.contentDocument.head.innerHTML = `<meta name="referrer" content="same-origin">`;
i.contentWindow.appHistory.forward();
await new Promise(r => i.onload = () => t.step_timeout(r, 0));
assert_not_equals(i.contentWindow.appHistory.entries()[0].url, null);
}, "The url of a document is censored by a no-referrer policy dynamically");
</script>
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
<!doctype html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<iframe id="i" src="resources/no-referrer-meta.html"></iframe>
<script>
promise_test(async (t) => {
// Wait for after the load event so that the navigation doesn't get converted
// into a replace navigation.
await new Promise(r => window.onload = () => t.step_timeout(r, 0));

await i.contentWindow.appHistory.navigate("#hash");
assert_equals(i.contentWindow.appHistory.entries().length, 2);

// The entries for no-referrer.html should have the url censored.
i.contentWindow.appHistory.navigate("/common/blank.html");
await new Promise(r => i.onload = () => t.step_timeout(r, 0));
assert_equals(i.contentWindow.appHistory.entries().length, 3);
assert_equals(i.contentWindow.appHistory.current.index, 2);
assert_equals(i.contentWindow.appHistory.entries()[0].url, null);
assert_equals(i.contentWindow.appHistory.entries()[1].url, null);

// Navigating back to no-referrer.html should uncensor the urls.
i.contentWindow.appHistory.back();
await new Promise(r => i.onload = () => t.step_timeout(r, 0));
assert_equals(i.contentWindow.appHistory.entries().length, 3);
assert_equals(i.contentWindow.appHistory.current.index, 1);
assert_equals(new URL(i.contentWindow.appHistory.entries()[0].url).pathname,
"/app-history/app-history-entry/resources/no-referrer-meta.html");
assert_equals(new URL(i.contentWindow.appHistory.entries()[1].url).pathname,
"/app-history/app-history-entry/resources/no-referrer-meta.html");
}, "The url of a document with no-referrer referrer meta tag is censored in AppHistoryEntry");
</script>
32 changes: 32 additions & 0 deletions app-history/app-history-entry/no-referrer-url-censored.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
<!doctype html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<iframe id="i" src="resources/no-referrer.html"></iframe>
<script>
promise_test(async (t) => {
// Wait for after the load event so that the navigation doesn't get converted
// into a replace navigation.
await new Promise(r => window.onload = () => t.step_timeout(r, 0));

await i.contentWindow.appHistory.navigate("#hash");
assert_equals(i.contentWindow.appHistory.entries().length, 2);

// The entries for no-referrer.html should have the url censored.
i.contentWindow.appHistory.navigate("/common/blank.html");
await new Promise(r => i.onload = () => t.step_timeout(r, 0));
assert_equals(i.contentWindow.appHistory.entries().length, 3);
assert_equals(i.contentWindow.appHistory.current.index, 2);
assert_equals(i.contentWindow.appHistory.entries()[0].url, null);
assert_equals(i.contentWindow.appHistory.entries()[1].url, null);

// Navigating back to no-referrer.html should uncensor the urls.
i.contentWindow.appHistory.back();
await new Promise(r => i.onload = () => t.step_timeout(r, 0));
assert_equals(i.contentWindow.appHistory.entries().length, 3);
assert_equals(i.contentWindow.appHistory.current.index, 1);
assert_equals(new URL(i.contentWindow.appHistory.entries()[0].url).pathname,
"/app-history/app-history-entry/resources/no-referrer.html");
assert_equals(new URL(i.contentWindow.appHistory.entries()[1].url).pathname,
"/app-history/app-history-entry/resources/no-referrer.html");
}, "The url of a document with no-referrer referrer policy is censored in AppHistoryEntry");
</script>
2 changes: 2 additions & 0 deletions app-history/app-history-entry/resources/no-referrer-meta.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
<meta name="referrer" content="no-referrer">
<body></body>
1 change: 1 addition & 0 deletions app-history/app-history-entry/resources/no-referrer.html
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
<body></body>
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Referrer-Policy: no-referrer

0 comments on commit 3f1dd3d

Please sign in to comment.