author | Florian Bruhin <me@the-compiler.org> | 2022-08-23 20:03:31 +0200 |
---|---|---|
committer | Florian Bruhin <me@the-compiler.org> | 2022-08-23 20:10:57 +0200 |
commit | 815374c6b602e2ad055dabad68cda3c54c1c9739 (patch) | |
tree | 6017343f24359bb9e550660c1bb3ab593b2ae7c8 | |
parent | 1963caa7c77ec8fb985e46e29e1ff79e771ec655 (diff) | |
js: Handle stylesheets in cross-origin frames gracefully
Otherwise the exception gets shown since the recent message change.
(cherry picked from commit 73e30e47389cad42944ebd1391ca66375dcd70e6)
-rw-r--r-- | qutebrowser/javascript/stylesheet.js | 13 | ||||
-rw-r--r-- | tests/end2end/features/misc.feature | 7 | ||||
-rw-r--r-- | tests/end2end/features/test_misc_bdd.py | 6 | ||||
-rw-r--r-- | tests/end2end/fixtures/webserver_sub.py | 6 | ||||
-rw-r--r-- | tests/end2end/templates/https-iframe.html | 10 |
5 files changed, 39 insertions, 3 deletions
diff --git a/qutebrowser/javascript/stylesheet.js b/qutebrowser/javascript/stylesheet.js
index 21a62b25d..1f1bdbd57 100644
--- a/qutebrowser/javascript/stylesheet.js
+++ b/qutebrowser/javascript/stylesheet.js
@@ -132,11 +132,18 @@ window._qutebrowser.stylesheet = (function() {
 css_content = css;
 }
 // Propagate the new CSS to all child frames.
- // FIXME:qtwebengine This does not work for cross-origin frames.
 for (let i = 0; i < window.frames.length; ++i) {
 const frame = window.frames[i];
- if (frame._qutebrowser && frame._qutebrowser.stylesheet) {
- frame._qutebrowser.stylesheet.set_css(css);
+ try {
+ if (frame._qutebrowser && frame._qutebrowser.stylesheet) {
+ frame._qutebrowser.stylesheet.set_css(css);
+ }
+ } catch (exc) {
+ if (exc instanceof DOMException && exc.name === "SecurityError") {
+ // FIXME:qtwebengine This does not work for cross-origin frames.
+ } else {
+ throw exc;
+ }
 }
 }
 };
diff --git a/tests/end2end/features/misc.feature b/tests/end2end/features/misc.feature
index 94c564c16..5c74647f6 100644
--- a/tests/end2end/features/misc.feature
+++ b/tests/end2end/features/misc.feature
@@ -148,6 +148,13 @@ Feature: Various utility commands.
 When I open restrictive-csp
 Then the javascript message "Refused to apply inline style because it violates the following Content Security Policy directive: *" should be logged
+ @qtwebkit_skip
+ Scenario: Third-party iframes in qutebrowser stylesheet script
+ When I load a third-party iframe
+ # rerun set_css in stylesheet.js
+ And I set content.user_stylesheets to []
+ Then the javascript message "Uncaught SecurityError: Blocked a frame with origin * from accessing a frame with origin *. *" should be logged
+
 # :debug-webaction
 Scenario: :debug-webaction with valid value
diff --git a/tests/end2end/features/test_misc_bdd.py b/tests/end2end/features/test_misc_bdd.py
index 44920d19f..a4bae5c2d 100644
--- a/tests/end2end/features/test_misc_bdd.py
+++ b/tests/end2end/features/test_misc_bdd.py
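Review bot: The `SecurityError` branch of the new `catch` in stylesheet.js is an empty block holding only the moved FIXME, so it does not say that skipping the frame is deliberate or what the user loses. State the outcome in the comment, e.g. `// Cross-origin frame: access is blocked by the same-origin policy, so it is skipped and does not get this CSS from the parent (FIXME:qtwebengine).` Inverting the test to `if (!(exc instanceof DOMException && exc.name === "SecurityError")) { throw exc; }` would remove the empty branch while still rethrowing everything else. A rethrow from one frame also ends the loop, so frames after it are not updated; if that is intended it deserves a short comment. The enclosing function starts and ends outside the hunk.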
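Review bot: The `Then` step of the new scenario in misc.feature expects the `Uncaught SecurityError: Blocked a frame with origin * …` message "should be logged", which reads as the opposite of what the commit message describes (the exception no longer being shown). If the `catch` in stylesheet.js works, that message should be absent, so a negative expectation would be the one that pins the fix, assuming the step library offers a "should not be logged" form. If the positive form is intentional, for example to mark the message as expected for the log checker, a comment above the step such as `# expected: <reason the message still appears>` should say so.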
@@ -21,6 +21,12 @@ import pytest_bdd as bdd
 bdd.scenarios('misc.feature')
+@bdd.when("I load a third-party iframe")
+def load_iframe(quteproc, server, ssl_server):
+ quteproc.set_setting('content.tls.certificate_errors', 'load-insecurely')
+ quteproc.open_path(f'https-iframe/{ssl_server.port}', port=server.port)
+
+
 @bdd.then(bdd.parsers.parse('the PDF {filename} should exist in the tmpdir'))
 def pdf_exists(quteproc, tmpdir, filename):
 path = tmpdir / filename
diff --git a/tests/end2end/fixtures/webserver_sub.py b/tests/end2end/fixtures/webserver_sub.py
index d7e030c3f..2bc83a38d 100644
--- a/tests/end2end/fixtures/webserver_sub.py
+++ b/tests/end2end/fixtures/webserver_sub.py
@@ -267,6 +267,12 @@ def https_script(port):
 return flask.render_template('https-script.html', port=port)
+@app.route('/https-iframe/<int:port>')
+def https_iframe(port):
+ """Get an iframe loaded via HTTPS."""
+ return flask.render_template('https-iframe.html', port=port)
+
+
 @app.route('/response-headers')
 def response_headers():
 """Return a set of response headers from the query string."""
diff --git a/tests/end2end/templates/https-iframe.html b/tests/end2end/templates/https-iframe.html
new file mode 100644
index 000000000..5abe7ae91
--- /dev/null
+++ b/tests/end2end/templates/https-iframe.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta charset="utf-8">
+ <title>HTTPS iframe</title>
+ </head>
+ <body>
+ <iframe src="https://localhost:{{ port }}/"></iframe>
+ </body>
+</html> |
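Review bot: `load_iframe` in test_misc_bdd.py sets `content.tls.certificate_errors` to `load-insecurely` and never restores it. Unless the harness resets settings between scenarios (not visible in this hunk), every later scenario in the same qutebrowser process runs with certificate errors ignored, which can mask regressions in certificate handling. Either scope the relaxation to this step or document where it is undone, e.g. `# Test HTTPS server cert is presumably untrusted; setting is reset by <harness mechanism>`. The step also lacks a docstring; `"""Open a page embedding an iframe served by ssl_server over HTTPS."""` would match the route helper added in the same commit.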
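Review bot: The docstring of `https_iframe` in webserver_sub.py says it gets an iframe, but the route renders a page that embeds one pointing at the given port; `"""Return a page embedding an iframe from https://localhost:<port>/."""` would be accurate. It is also worth a one-line comment that the `<int:port>` converter is what restricts the value interpolated into the iframe `src` to digits, so it is not loosened later.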