authorFlorian Bruhin <me@the-compiler.org>2022-08-23 20:03:31 +0200
committerFlorian Bruhin <me@the-compiler.org>2022-08-23 20:10:57 +0200
commit815374c6b602e2ad055dabad68cda3c54c1c9739 (patch)
tree6017343f24359bb9e550660c1bb3ab593b2ae7c8
parent1963caa7c77ec8fb985e46e29e1ff79e771ec655 (diff)
js: Handle stylesheets in cross-origin frames gracefully
Otherwise the exception gets shown since the recent message change. (cherry picked from commit 73e30e47389cad42944ebd1391ca66375dcd70e6)
-rw-r--r--qutebrowser/javascript/stylesheet.js13
-rw-r--r--tests/end2end/features/misc.feature7
-rw-r--r--tests/end2end/features/test_misc_bdd.py6
-rw-r--r--tests/end2end/fixtures/webserver_sub.py6
-rw-r--r--tests/end2end/templates/https-iframe.html10
5 files changed, 39 insertions, 3 deletions
diff --git a/qutebrowser/javascript/stylesheet.js b/qutebrowser/javascript/stylesheet.js
index 21a62b25d..1f1bdbd57 100644
--- a/qutebrowser/javascript/stylesheet.js
+++ b/qutebrowser/javascript/stylesheet.js
@@ -132,11 +132,18 @@ window._qutebrowser.stylesheet = (function() {
css_content = css;
}
// Propagate the new CSS to all child frames.
- // FIXME:qtwebengine This does not work for cross-origin frames.
for (let i = 0; i < window.frames.length; ++i) {
const frame = window.frames[i];
- if (frame._qutebrowser && frame._qutebrowser.stylesheet) {
- frame._qutebrowser.stylesheet.set_css(css);
+ try {
+ if (frame._qutebrowser && frame._qutebrowser.stylesheet) {
+ frame._qutebrowser.stylesheet.set_css(css);
+ }
+ } catch (exc) {
+ if (exc instanceof DOMException && exc.name === "SecurityError") {
+ // FIXME:qtwebengine This does not work for cross-origin frames.
+ } else {
+ throw exc;
+ }
}
}
};
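Review bot: The `try` in the frame loop wraps the `set_css(css)` call as well as the `frame._qutebrowser` probe, so a `SecurityError` DOMException raised while a same-origin child applies the stylesheet is discarded together with the expected cross-origin access failure. Narrowing the `try` to the property read and calling `set_css` after it limits the swallow to the one case the FIXME describes. Inverting the test so that only the rethrow remains also removes the branch that holds nothing but a comment. Cross-origin frames are still skipped, so the user stylesheet does not reach them through this path. The enclosing `set_css` function begins above the hunk.

```javascript
for (let i = 0; i < window.frames.length; ++i) {
    const frame = window.frames[i];
    let child_stylesheet = null;
    try {
        // Only the property read can hit the cross-origin access check.
        child_stylesheet = frame._qutebrowser && frame._qutebrowser.stylesheet;
    } catch (exc) {
        if (!(exc instanceof DOMException && exc.name === "SecurityError")) {
            throw exc;
        }
        // FIXME:qtwebengine This does not work for cross-origin frames.
    }
    if (child_stylesheet) {
        child_stylesheet.set_css(css);
    }
}
```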
diff --git a/tests/end2end/features/misc.feature b/tests/end2end/features/misc.feature
index 94c564c16..5c74647f6 100644
--- a/tests/end2end/features/misc.feature
+++ b/tests/end2end/features/misc.feature
@@ -148,6 +148,13 @@ Feature: Various utility commands.
When I open restrictive-csp
Then the javascript message "Refused to apply inline style because it violates the following Content Security Policy directive: *" should be logged
+ @qtwebkit_skip
+ Scenario: Third-party iframes in qutebrowser stylesheet script
+ When I load a third-party iframe
+ # rerun set_css in stylesheet.js
+ And I set content.user_stylesheets to []
+ Then the javascript message "Uncaught SecurityError: Blocked a frame with origin * from accessing a frame with origin *. *" should be logged
+
# :debug-webaction
Scenario: :debug-webaction with valid value
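Review bot: The new scenario expects an `Uncaught SecurityError: Blocked a frame ...` console message even though stylesheet.js now catches that exception, and nothing in the scenario says why. If the message comes from the engine's own logging of the blocked access rather than from an uncaught exception, a comment such as `# The engine logs the blocked access itself; stylesheet.js catches the exception, so no error should surface` would make the expectation readable. The scenario asserts only that the message is logged; whether an error shown to the user would fail the run depends on the harness, which is not visible here. The `:debug-webaction` scenario after it continues outside the hunk.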
diff --git a/tests/end2end/features/test_misc_bdd.py b/tests/end2end/features/test_misc_bdd.py
index 44920d19f..a4bae5c2d 100644
--- a/tests/end2end/features/test_misc_bdd.py
+++ b/tests/end2end/features/test_misc_bdd.py
@@ -21,6 +21,12 @@ import pytest_bdd as bdd
bdd.scenarios('misc.feature')
+@bdd.when("I load a third-party iframe")
+def load_iframe(quteproc, server, ssl_server):
+ quteproc.set_setting('content.tls.certificate_errors', 'load-insecurely')
+ quteproc.open_path(f'https-iframe/{ssl_server.port}', port=server.port)
+
+
@bdd.then(bdd.parsers.parse('the PDF {filename} should exist in the tmpdir'))
def pdf_exists(quteproc, tmpdir, filename):
path = tmpdir / filename
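Review bot: `load_iframe` switches `content.tls.certificate_errors` to `load-insecurely` and never restores it. Unless the harness resets settings between scenarios (not visible in this hunk), later scenarios in the same browser process would run with certificate errors ignored, which could mask a regression in certificate-error handling. The step also has no docstring saying why the setting is needed; `"""Open a page embedding an iframe from the HTTPS test server; certificate errors are ignored so the frame loads."""` would cover it. `pdf_exists` below continues outside the hunk.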
diff --git a/tests/end2end/fixtures/webserver_sub.py b/tests/end2end/fixtures/webserver_sub.py
index d7e030c3f..2bc83a38d 100644
--- a/tests/end2end/fixtures/webserver_sub.py
+++ b/tests/end2end/fixtures/webserver_sub.py
@@ -267,6 +267,12 @@ def https_script(port):
return flask.render_template('https-script.html', port=port)
+@app.route('/https-iframe/<int:port>')
+def https_iframe(port):
+ """Get an iframe loaded via HTTPS."""
+ return flask.render_template('https-iframe.html', port=port)
+
+
@app.route('/response-headers')
def response_headers():
"""Return a set of response headers from the query string."""
diff --git a/tests/end2end/templates/https-iframe.html b/tests/end2end/templates/https-iframe.html
new file mode 100644
index 000000000..5abe7ae91
--- /dev/null
+++ b/tests/end2end/templates/https-iframe.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta charset="utf-8">
+ <title>HTTPS iframe</title>
+ </head>
+ <body>
+ <iframe src="https://localhost:{{ port }}/"></iframe>
+ </body>
+</html>
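Review bot: The template does not say what makes the embedded frame "third-party", although the scenario depends on it. The host is hard-coded to `localhost`, so the frame presumably differs from the embedding page only by scheme and port, and a later change to how the parent page is served could turn this into a same-origin frame without the test noticing. A comment above the iframe would record the assumption, for example `<!-- Cross-origin to the embedding page: same host, different scheme and port. -->`.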