Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use frame url for scripts without sources #17979

Merged
merged 3 commits into from
Apr 12, 2023
Merged

Use frame url for scripts without sources #17979

merged 3 commits into from
Apr 12, 2023

Conversation

spylogsster
Copy link
Contributor

@spylogsster spylogsster commented Apr 10, 2023
edited
Loading

Resolves brave/brave-browser#29585

Submitter Checklist:

  • I confirm that no security/privacy review is needed, or that I have requested one
  • There is a ticket for my issue
  • Used Github auto-closing keywords in the PR description above
  • Wrote a good PR/commit description
  • Squashed any review feedback or "fixup" commits before merge, so that history is a record of what happened in the repo, not your PR
  • Added appropriate labels (QA/Yes or QA/No; release-notes/include or release-notes/exclude; OS/...) to the associated issue
  • Checked the PR locally:
    • npm run test -- brave_browser_tests, npm run test -- brave_unit_tests wiki
    • npm run lint, npm run presubmit wiki, npm run gn_check, npm run tslint
  • Ran git rebase master (if needed)

Reviewer Checklist:

  • A security review is not needed, or a link to one is included in the PR description
  • New files have MPL-2.0 license header
  • Adequate test coverage exists to prevent regressions
  • Major classes, functions and non-trivial code blocks are well-commented
  • Changes in component dependencies are properly reflected in gn
  • Code follows the style guide
  • Test plan is specified in PR before merging

After-merge Checklist:

Test Plan:

  • Steps from issue

@spylogsster spylogsster self-assigned this Apr 10, 2023
@spylogsster spylogsster marked this pull request as ready for review April 10, 2023 11:52
@pes10k
Copy link
Contributor

pes10k commented Apr 10, 2023 

    secondary_url = render_frame()->GetWebFrame()->GetDocument().Url();
  }

What happens if the script is being executed in an iframe with URL of about:blank? Will this report about:blank or the URL of the first non-about:blank parent frame?

@spylogsster
Copy link
Contributor Author 

    secondary_url = render_frame()->GetWebFrame()->GetDocument().Url();
  }

What happens if the script is being executed in an iframe with URL of about:blank? Will this report about:blank or the URL of the first non-about:blank parent frame?

should report about:blank

@pes10k
Copy link
Contributor

pes10k commented Apr 10, 2023

I dont think thats correct then. I will double check, but (I believe) a script in the example I gave should count as executing in the first non-about:blank parent frame

@pes10k
Copy link
Contributor

pes10k commented Apr 10, 2023

yes, I think im correct, you want to base things off of whatever document.domain reports, which, in the case of a nested about:blank iframe, will be the domain of the first non-about:blank parent frame

@spylogsster spylogsster marked this pull request as draft April 10, 2023 15:49
@spylogsster spylogsster marked this pull request as ready for review April 10, 2023 18:05
@spylogsster spylogsster force-pushed the brave-29585 branch 3 times, most recently from 571403b to b8c1163 Compare April 10, 2023 19:14
pes10k
pes10k reviewed Apr 10, 2023
View reviewed changes
components/content_settings/renderer/brave_content_settings_agent_impl.cc Outdated
// For scripts w/o sources it should report the domain / site used for
// executing the frame (which most, but not all, of the time will just be from
// document.location
if (secondary_url.SchemeIs(url::kDataScheme)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this doesn't look complete to me. I think what you want is SchemeIsLocal, or maybe just always GetSecurityOrigin()

Copy link
Contributor Author

@spylogsster spylogsster Apr 10, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SchemeIsLocal looks good, thanks, updated

@pes10k
Copy link
Contributor

pes10k commented Apr 12, 2023

Are there tests for the following cases? If so, then I think this is good:

  1. when scripts are blocked for example.com, that scripts blocking in a local iframe embedded in example.com are also blocked
    1. when scripts are not blocked for example.com, that scripts blocking in a local iframe embedded in example.com are not blocked

@spylogsster
Copy link
Contributor Author

Are there tests for the following cases? If so, then I think this is good:

  1. when scripts are blocked for example.com, that scripts blocking in a local iframe embedded in example.com are also blocked
    1. when scripts are not blocked for example.com, that scripts blocking in a local iframe embedded in example.com are not blocked

yes, they are using a.com with a script without source and with load_js_dataurls.js script which creates about:blank iframe with additional script without source and checks they are blocked or not:

a.com
   <script>without source</script>
   load_js_dataurls.js
      <iframe src=about:blank>
          <script>without source</script>

pes10k
pes10k approved these changes Apr 12, 2023
View reviewed changes
Copy link
Contributor

@pes10k pes10k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lgtm with the additional tests

@spylogsster spylogsster merged commit 63ff7a7 into master Apr 12, 2023
@spylogsster spylogsster deleted the brave-29585 branch April 12, 2023 20:55
@github-actions github-actions bot added this to the 1.52.x - Nightly milestone Apr 12, 2023
stephendonner
stephendonner reviewed Apr 12, 2023
View reviewed changes
components/content_settings/renderer/brave_content_settings_agent_impl.cc
GURL secondary_url(script_url);
// For scripts w/o sources it should report the domain / site used for
// executing the frame (which most, but not all, of the time will just be from
// document.location
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Uber-nit, here: you forgot the closing ) in the source comment, after // document.location)

@stephendonner
Copy link
Contributor

Verified PASSED using

Brave 1.52.39 Chromium: 112.0.5615.49 (Official Build) nightly (64-bit)
Revision bd2a7bcb881c11e8cfe3078709382934e3916914-refs/branch-heads/5615@{#936}
OS Windows 10 Version 22H2 (Build 19045.2846)

Steps:

Followed those from brave/brave-browser#29585 (comment)

Confirmed the scripts which previously showed from null are now showing from https://apps.facebook.com

example example example example example
image image image image image

@stephendonner
Copy link
Contributor

@spylogsster mind getting an uplift going to 1.51.x, for the above? Thanks!

@spylogsster spylogsster restored the brave-29585 branch April 13, 2023 05:24
@brave-builds brave-builds mentioned this pull request Apr 13, 2023
Merged
7 tasks
brave-builds added a commit that referenced this pull request Apr 13, 2023
@brave-builds
Uplift of #17979 (squashed) to beta
d8fa654
kjozwiak pushed a commit that referenced this pull request Apr 17, 2023
@brave-builds
Use frame url for scripts without sources (uplift to 1.51.x) (#18040)
94f4683 
Uplift of #17979 (squashed) to beta
@spylogsster spylogsster deleted the brave-29585 branch May 16, 2023 15:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stephendonner stephendonner stephendonner left review comments

@pes10k pes10k pes10k approved these changes

@goodov goodov goodov approved these changes

@bsclifton bsclifton Awaiting requested review from bsclifton

Assignees

@spylogsster spylogsster

Labels
None yet
Projects
None yet
Milestone
1.52.x - Release
Development

Successfully merging this pull request may close these issues.

Manually-blocked script source shows as null in Shields' Blocked count section
4 participants
@spylogsster @pes10k @stephendonner @goodov