From 815374c6b602e2ad055dabad68cda3c54c1c9739 Mon Sep 17 00:00:00 2001
From: Florian Bruhin
Date: Tue, 23 Aug 2022 20:03:31 +0200
Subject: js: Handle stylesheets in cross-origin frames gracefully

Otherwise the exception gets shown since the recent message change.

(cherry picked from commit 73e30e47389cad42944ebd1391ca66375dcd70e6)
---
 qutebrowser/javascript/stylesheet.js | 13 ++++++++++---
 tests/end2end/features/misc.feature | 7 +++++++
 tests/end2end/features/test_misc_bdd.py | 6 ++++++
 tests/end2end/fixtures/webserver_sub.py | 6 ++++++
 tests/end2end/templates/https-iframe.html | 10 ++++++++++
 5 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 tests/end2end/templates/https-iframe.html

diff --git a/qutebrowser/javascript/stylesheet.js b/qutebrowser/javascript/stylesheet.js
index 21a62b25d..1f1bdbd57 100644
--- a/qutebrowser/javascript/stylesheet.js
+++ b/qutebrowser/javascript/stylesheet.js
@@ -132,11 +132,18 @@ window._qutebrowser.stylesheet = (function() {
 css_content = css;
 }
 // Propagate the new CSS to all child frames.
- // FIXME:qtwebengine This does not work for cross-origin frames.
 for (let i = 0; i < window.frames.length; ++i) {
 const frame = window.frames[i];
- if (frame._qutebrowser && frame._qutebrowser.stylesheet) {
- frame._qutebrowser.stylesheet.set_css(css);
+ try {
+ if (frame._qutebrowser && frame._qutebrowser.stylesheet) {
+ frame._qutebrowser.stylesheet.set_css(css);
+ }
+ } catch (exc) {
+ if (exc instanceof DOMException && exc.name === "SecurityError") {
+ // FIXME:qtwebengine This does not work for cross-origin frames.
+ } else {
+ throw exc;
+ }
 }
 }
 };
diff --git a/tests/end2end/features/misc.feature b/tests/end2end/features/misc.feature
index 94c564c16..5c74647f6 100644
--- a/tests/end2end/features/misc.feature
+++ b/tests/end2end/features/misc.feature
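Review bot: The SecurityError branch of the new catch block in the frame-propagation loop is empty apart from the relocated FIXME, so the decision to skip a cross-origin child frame has to be inferred from a comment that still reads like an open bug. Inverting the test into a guard removes the empty branch: `if (!(exc instanceof DOMException && exc.name === "SecurityError")) { throw exc; }`, preceded by a comment such as `// Cross-origin frame: the same-origin policy blocks access to frame._qutebrowser, so it cannot be updated from this context.` Matching on the exception name and re-throwing everything else is the right shape, because it keeps unrelated failures in a same-origin frame visible. The enclosing function starts before the hunk, so whether cross-origin frames receive the new CSS by some other path cannot be confirmed from here.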
@@ -148,6 +148,13 @@ Feature: Various utility commands. When I open restrictive-csp Then the javascript message "Refused to apply inline style because it violates the following Content Security Policy directive: *" should be logged + @qtwebkit_skip + Scenario: Third-party iframes in qutebrowser stylesheet script + When I load a third-party iframe + # rerun set_css in stylesheet.js + And I set content.user_stylesheets to [] + Then the javascript message "Uncaught SecurityError: Blocked a frame with origin * from accessing a frame with origin *. *" should be logged + # :debug-webaction Scenario: :debug-webaction with valid value diff --git a/tests/end2end/features/test_misc_bdd.py b/tests/end2end/features/test_misc_bdd.py index 44920d19f..a4bae5c2d 100644 --- a/tests/end2end/features/test_misc_bdd.py +++ b/tests/end2end/features/test_misc_bdd.py @@ -21,6 +21,12 @@ import pytest_bdd as bdd bdd.scenarios('misc.feature') +@bdd.when("I load a third-party iframe") +def load_iframe(quteproc, server, ssl_server): + quteproc.set_setting('content.tls.certificate_errors', 'load-insecurely') + quteproc.open_path(f'https-iframe/{ssl_server.port}', port=server.port) + + @bdd.then(bdd.parsers.parse('the PDF {filename} should exist in the tmpdir')) def pdf_exists(quteproc, tmpdir, filename): path = tmpdir / filename diff --git a/tests/end2end/fixtures/webserver_sub.py b/tests/end2end/fixtures/webserver_sub.py index d7e030c3f..2bc83a38d 100644 --- a/tests/end2end/fixtures/webserver_sub.py +++ b/tests/end2end/fixtures/webserver_sub.py @@ -267,6 +267,12 @@ def https_script(port): return flask.render_template('https-script.html', port=port) +@app.route('/https-iframe/') +def https_iframe(port): + """Get an iframe loaded via HTTPS.""" + return flask.render_template('https-iframe.html', port=port) + + @app.route('/response-headers') def response_headers(): """Return a set of response headers from the query string.""" 
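Review bot: The last step of the new scenario expects `Uncaught SecurityError: Blocked a frame with origin * ...` to be logged, yet the stylesheet.js change in this same commit catches exactly that SecurityError and the commit message says the exception should no longer be shown. If the step only whitelists a message that still arrives from a different code path, the scenario should say which one, for example `# expected from <source of the remaining message>, not from set_css`. If it is meant to prove the fix, the assertion has to check that the message is absent. As written, the scenario appears to pass only while an uncaught cross-origin error is still being emitted.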
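Review bot: `load_iframe` switches `content.tls.certificate_errors` to `load-insecurely` through `quteproc.set_setting`, and nothing in the hunk restores it. Unless the harness resets configuration between scenarios, later scenarios in the same browser process would run with certificate errors ignored. The step also has no docstring saying why validation is turned off. I would add `"""Open an HTTP page that embeds an iframe served by the HTTPS test server (a different origin)."""` and, above the setting, `# ssl_server presumably presents an untrusted test certificate; confirm this setting is reset after the scenario`.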
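Review bot: As shown on this page the route is `'/https-iframe/'` with no URL variable, while `https_iframe(port)` requires a `port` argument and the new step requests `https-iframe/{ssl_server.port}`. The variable segment was probably lost when the page was rendered. It is worth confirming that the route constrains the value to an integer, `@app.route('/https-iframe/<int:port>')`, because `port` is handed straight to `render_template` and presumably ends up in the iframe URL. An untyped segment would let arbitrary path text reach the template, leaving template escaping as the only barrier.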
diff --git a/tests/end2end/templates/https-iframe.html b/tests/end2end/templates/https-iframe.html new file mode 100644 index 000000000..5abe7ae91 --- /dev/null +++ b/tests/end2end/templates/https-iframe.html @@ -0,0 +1,10 @@ + + + + + HTTPS iframe + + + + + -- cgit v1.2.3-54-g00ecf