Added test for subframe

brave · Apr 12, 2023 · 943c7b3 · 943c7b3
1 parent 237bffd
commit 943c7b3
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 7 deletions.
diff --git a/browser/brave_shields/brave_shields_web_contents_observer_browsertest.cc b/browser/brave_shields/brave_shields_web_contents_observer_browsertest.cc
@@ -286,6 +286,7 @@ IN_PROC_BROWSER_TEST_F(BraveShieldsWebContentsObserverBrowserTest,
       content_settings()->GetContentSetting(url, url,
                                             ContentSettingsType::JAVASCRIPT);
   EXPECT_EQ(CONTENT_SETTING_ALLOW, block_javascript_setting);
+
   // Enable JavaScript blocking globally now.
   content_settings()->SetContentSettingCustomScope(
       ContentSettingsPattern::Wildcard(), ContentSettingsPattern::Wildcard(),
@@ -299,11 +300,30 @@ IN_PROC_BROWSER_TEST_F(BraveShieldsWebContentsObserverBrowserTest,
       embedded_test_server()->GetURL("a.com", "/load_js_dataurls.html");
   EXPECT_TRUE(ui_test_utils::NavigateToURL(browser(), page_url));
   EXPECT_TRUE(WaitForLoadStop(GetWebContents()));
+  EXPECT_EQ(brave_shields_web_contents_observer()->block_javascript_count(), 4);
+  brave_shields_web_contents_observer()->Reset();
+  // Allow subframe script and check we still block his data urls.
+  std::string subframe_script =
+      url::Origin::Create(page_url).Serialize() + "/load_js_dataurls.js";
+  brave_shields_web_contents_observer()->AllowScriptsOnce(
+      std::vector<std::string>({subframe_script}));
+  ClearAllResourcesList();
+  GetWebContents()->GetController().Reload(content::ReloadType::NORMAL, true);
+  EXPECT_TRUE(WaitForLoadStop(GetWebContents()));
+  EXPECT_EQ(GetBlockedJsList().size(), 1u);
+  EXPECT_EQ(GetAllowedJsList().size(), 1u);
   EXPECT_EQ(brave_shields_web_contents_observer()->block_javascript_count(), 3);
-  auto blocked_list = GetBlockedJsList();
-  EXPECT_EQ(blocked_list.size(), 1u);
-  EXPECT_EQ(GURL(blocked_list.front()),
-            GURL(url::Origin::Create(page_url).Serialize()));
+  brave_shields_web_contents_observer()->Reset();
+
+  // Allow all scripts for domain.
+  brave_shields_web_contents_observer()->AllowScriptsOnce(
+      std::vector<std::string>({url::Origin::Create(page_url).Serialize()}));
+  ClearAllResourcesList();
+  GetWebContents()->GetController().Reload(content::ReloadType::NORMAL, true);
+  EXPECT_TRUE(WaitForLoadStop(GetWebContents()));
+
+  EXPECT_EQ(GetAllowedJsList().size(), 2u);
+  EXPECT_EQ(brave_shields_web_contents_observer()->block_javascript_count(), 0);
 }
 
 }  // namespace brave_shields
diff --git a/components/content_settings/renderer/brave_content_settings_agent_impl.cc b/components/content_settings/renderer/brave_content_settings_agent_impl.cc
@@ -228,7 +228,7 @@ bool BraveContentSettingsAgentImpl::AllowScriptFromSource(
   // For scripts w/o sources it should report the domain / site used for
   // executing the frame (which most, but not all, of the time will just be from
   // document.location
-  if (secondary_url.SchemeIs(url::kDataScheme)) {
+  if (secondary_url.SchemeIsLocal()) {
     secondary_url =
         url::Origin(render_frame()->GetWebFrame()->GetSecurityOrigin())
             .GetURL();

diff --git a/test/data/load_js_dataurls.html b/test/data/load_js_dataurls.html
@@ -3,7 +3,7 @@
 <!--
   Just attempt to load a JavaScript to test JavaScript blocking.
 -->
-<script src="data:application/javascript;base64,dmFyIGZyYW1lID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnaWZyYW1lJyk7CmRvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoZnJhbWUpOw=="></script>
-<script src="data:application/javascript;base64,dmFyIGZyYW1lID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnaWZyYW1lJyk7CmRvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoZnJhbWUpOw=="></script>
+<script src="data:application/javascript;base64,Y29uc29sZS5sb2coImhlbGxvIGZyb20gYmxvY2tlZCBzY3JpcHQiKQ=="></script>
+<script src="load_js_dataurls.js"></script>
 </body>
 </html>
diff --git a/test/data/load_js_dataurls.js b/test/data/load_js_dataurls.js
@@ -0,0 +1,14 @@
+/* Copyright (c) 2023 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+var iframe = document.createElement('IFRAME');
+iframe.id = iframe.name = 'test_iframe';
+iframe.src = 'about:blank';
+document.body.appendChild(iframe);
+
+var frame = window.frames['test_iframe'];
+frame.document.open();
+frame.document.write('<script>console.log("message from frame:", document.location.href)</script>');
+frame.document.close();