Use frame url for scripts without sources

brave · Apr 12, 2023 · edf39ee · edf39ee
1 parent 46e8210
commit edf39ee
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 1 deletion.
diff --git a/browser/brave_shields/brave_shields_web_contents_observer_browsertest.cc b/browser/brave_shields/brave_shields_web_contents_observer_browsertest.cc
@@ -277,4 +277,33 @@ IN_PROC_BROWSER_TEST_F(BraveShieldsWebContentsObserverBrowserTest,
   EXPECT_EQ(brave_shields_web_contents_observer()->block_javascript_count(), 0);
 }
 
+IN_PROC_BROWSER_TEST_F(BraveShieldsWebContentsObserverBrowserTest,
+                       JavaScriptAllowedDataUrls) {
+  const GURL& url = GURL("a.com");
+
+  // Start with JavaScript blocking initially disabled.
+  ContentSetting block_javascript_setting =
+      content_settings()->GetContentSetting(url, url,
+                                            ContentSettingsType::JAVASCRIPT);
+  EXPECT_EQ(CONTENT_SETTING_ALLOW, block_javascript_setting);
+  // Enable JavaScript blocking globally now.
+  content_settings()->SetContentSettingCustomScope(
+      ContentSettingsPattern::Wildcard(), ContentSettingsPattern::Wildcard(),
+      ContentSettingsType::JAVASCRIPT, CONTENT_SETTING_BLOCK);
+  block_javascript_setting = content_settings()->GetContentSetting(
+      url, url, ContentSettingsType::JAVASCRIPT);
+  EXPECT_EQ(CONTENT_SETTING_BLOCK, block_javascript_setting);
+
+  // Load a simple HTML that attempts to load some JavaScript with data urls.
+  auto page_url =
+      embedded_test_server()->GetURL("a.com", "/load_js_dataurls.html");
+  EXPECT_TRUE(ui_test_utils::NavigateToURL(browser(), page_url));
+  EXPECT_TRUE(WaitForLoadStop(GetWebContents()));
+  EXPECT_EQ(brave_shields_web_contents_observer()->block_javascript_count(), 3);
+  auto blocked_list = GetBlockedJsList();
+  EXPECT_EQ(blocked_list.size(), 1u);
+  EXPECT_EQ(GURL(blocked_list.front()),
+            GURL(url::Origin::Create(page_url).Serialize()));
+}
+
 }  // namespace brave_shields
diff --git a/components/content_settings/renderer/brave_content_settings_agent_impl.cc b/components/content_settings/renderer/brave_content_settings_agent_impl.cc
@@ -224,7 +224,13 @@ bool BraveContentSettingsAgentImpl::AllowStorageAccessSync(
 bool BraveContentSettingsAgentImpl::AllowScriptFromSource(
     bool enabled_per_settings,
     const blink::WebURL& script_url) {
-  const GURL secondary_url(script_url);
+  GURL secondary_url(script_url);
+  // For scripts w/o sources it should report the domain / site used for
+  // executing the frame (which most, but not all, of the time will just be from
+  // document.location
+  if (secondary_url.SchemeIs(url::kDataScheme)) {
+    secondary_url = render_frame()->GetWebFrame()->GetDocument().Url();
+  }
   bool allow = ContentSettingsAgentImpl::AllowScriptFromSource(
       enabled_per_settings, script_url);
 

diff --git a/test/data/load_js_dataurls.html b/test/data/load_js_dataurls.html
@@ -0,0 +1,9 @@
+<html><head><title>load some js code</title></head>
+<body>
+<!--
+  Just attempt to load a JavaScript to test JavaScript blocking.
+-->
+<script src="data:application/javascript;base64,dmFyIGZyYW1lID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnaWZyYW1lJyk7CmRvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoZnJhbWUpOw=="></script>
+<script src="data:application/javascript;base64,dmFyIGZyYW1lID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnaWZyYW1lJyk7CmRvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoZnJhbWUpOw=="></script>
+</body>
+</html>