Uplift of #17979 (squashed) to beta

brave · Apr 13, 2023 · d8fa654 · d8fa654
1 parent db997b9
commit d8fa654
Show file tree

Hide file tree

Showing 4 changed files with 81 additions and 1 deletion.
diff --git a/browser/brave_shields/brave_shields_web_contents_observer_browsertest.cc b/browser/brave_shields/brave_shields_web_contents_observer_browsertest.cc
@@ -277,4 +277,53 @@ IN_PROC_BROWSER_TEST_F(BraveShieldsWebContentsObserverBrowserTest,
   EXPECT_EQ(brave_shields_web_contents_observer()->block_javascript_count(), 0);
 }
 
+IN_PROC_BROWSER_TEST_F(BraveShieldsWebContentsObserverBrowserTest,
+                       JavaScriptAllowedDataUrls) {
+  const GURL& url = GURL("a.com");
+
+  // Start with JavaScript blocking initially disabled.
+  ContentSetting block_javascript_setting =
+      content_settings()->GetContentSetting(url, url,
+                                            ContentSettingsType::JAVASCRIPT);
+  EXPECT_EQ(CONTENT_SETTING_ALLOW, block_javascript_setting);
+
+  // Enable JavaScript blocking globally now.
+  content_settings()->SetContentSettingCustomScope(
+      ContentSettingsPattern::Wildcard(), ContentSettingsPattern::Wildcard(),
+      ContentSettingsType::JAVASCRIPT, CONTENT_SETTING_BLOCK);
+  block_javascript_setting = content_settings()->GetContentSetting(
+      url, url, ContentSettingsType::JAVASCRIPT);
+  EXPECT_EQ(CONTENT_SETTING_BLOCK, block_javascript_setting);
+
+  // Load a simple HTML that attempts to load some JavaScript with data urls.
+  auto page_url =
+      embedded_test_server()->GetURL("a.com", "/load_js_dataurls.html");
+  EXPECT_TRUE(ui_test_utils::NavigateToURL(browser(), page_url));
+  EXPECT_TRUE(WaitForLoadStop(GetWebContents()));
+  EXPECT_EQ(brave_shields_web_contents_observer()->block_javascript_count(), 4);
+  brave_shields_web_contents_observer()->Reset();
+  // Allow subframe script and check we still block his data urls.
+  std::string subframe_script =
+      url::Origin::Create(page_url).Serialize() + "/load_js_dataurls.js";
+  brave_shields_web_contents_observer()->AllowScriptsOnce(
+      std::vector<std::string>({subframe_script}));
+  ClearAllResourcesList();
+  GetWebContents()->GetController().Reload(content::ReloadType::NORMAL, true);
+  EXPECT_TRUE(WaitForLoadStop(GetWebContents()));
+  EXPECT_EQ(GetBlockedJsList().size(), 1u);
+  EXPECT_EQ(GetAllowedJsList().size(), 1u);
+  EXPECT_EQ(brave_shields_web_contents_observer()->block_javascript_count(), 3);
+  brave_shields_web_contents_observer()->Reset();
+
+  // Allow all scripts for domain.
+  brave_shields_web_contents_observer()->AllowScriptsOnce(
+      std::vector<std::string>({url::Origin::Create(page_url).Serialize()}));
+  ClearAllResourcesList();
+  GetWebContents()->GetController().Reload(content::ReloadType::NORMAL, true);
+  EXPECT_TRUE(WaitForLoadStop(GetWebContents()));
+
+  EXPECT_EQ(GetAllowedJsList().size(), 2u);
+  EXPECT_EQ(brave_shields_web_contents_observer()->block_javascript_count(), 0);
+}
+
 }  // namespace brave_shields
diff --git a/components/content_settings/renderer/brave_content_settings_agent_impl.cc b/components/content_settings/renderer/brave_content_settings_agent_impl.cc
@@ -224,7 +224,15 @@ bool BraveContentSettingsAgentImpl::AllowStorageAccessSync(
 bool BraveContentSettingsAgentImpl::AllowScriptFromSource(
     bool enabled_per_settings,
     const blink::WebURL& script_url) {
-  const GURL secondary_url(script_url);
+  GURL secondary_url(script_url);
+  // For scripts w/o sources it should report the domain / site used for
+  // executing the frame (which most, but not all, of the time will just be from
+  // document.location
+  if (secondary_url.SchemeIsLocal()) {
+    secondary_url =
+        url::Origin(render_frame()->GetWebFrame()->GetSecurityOrigin())
+            .GetURL();
+  }
   bool allow = ContentSettingsAgentImpl::AllowScriptFromSource(
       enabled_per_settings, script_url);
 

diff --git a/test/data/load_js_dataurls.html b/test/data/load_js_dataurls.html
@@ -0,0 +1,9 @@
+<html><head><title>load some js code</title></head>
+<body>
+<!--
+  Just attempt to load a JavaScript to test JavaScript blocking.
+-->
+<script src="data:application/javascript;base64,Y29uc29sZS5sb2coImhlbGxvIGZyb20gYmxvY2tlZCBzY3JpcHQiKQ=="></script>
+<script src="load_js_dataurls.js"></script>
+</body>
+</html>
diff --git a/test/data/load_js_dataurls.js b/test/data/load_js_dataurls.js
@@ -0,0 +1,14 @@
+/* Copyright (c) 2023 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+var iframe = document.createElement('IFRAME');
+iframe.id = iframe.name = 'test_iframe';
+iframe.src = 'about:blank';
+document.body.appendChild(iframe);
+
+var frame = window.frames['test_iframe'];
+frame.document.open();
+frame.document.write('<script>console.log("message from frame:", document.location.href)</script>');
+frame.document.close();