Closed Bug 1896981 Opened 1 month ago Closed 24 days ago

[wpt-sync] Sync PR 46290 - Fenced frames: allow CSP to check ancestors for frame-ancestors.

Categories

(Core :: DOM: Core & HTML, task, P4)


RESOLVED FIXED
128 Branch
Tracking Status
firefox128 --- fixed

People

(Reporter: wpt-sync, Unassigned)

Details

(Whiteboard: [wptsync downstream])

Sync web-platform-tests PR 46290 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/46290
Details from upstream follow.

Liam Brady <lbrady@google.com> wrote:

Fenced frames: allow CSP to check ancestors for frame-ancestors.

To prevent information from flowing from an embedder into a fenced
frame, we have previously disabled checking ancestors of fenced frame
roots for the CSP frame-ancestors policy. There is now a need to allow
the frame-ancestors policy to look beyond the fenced frame root so that
embedders can control what is embedded in their page.

window.fence.notifyEvent() can be used to send information from a
fenced frame with unpartitioned data access to its embedder. Since 1 bit
is sent every click, a malicious embedder can exploit this and trick the
user into clicking a fenced frame in a certain way that leaks that
unpartitioned data.

The fenced frame can protect against this with the frame-ancestors
CSP, only allowing itself to be embedded in certain origins. For this to
work, the fenced frame needs to look beyond the fenced frame boundary
when calculating if it can load. Since this results in a data inflow
channel, this will only be allowed for fenced frames created from the
web platform or from Shared Storage, as those are the use cases where
data can flow into the fenced frame. Protected Audience-created fenced
frames will not have this capability, and will continue to not check
beyond the fenced frame root when calculating frame-ancestors.

This CL adds a new field to the fenced frame config/properties that
notes what API created the fenced frame. This is used in the
|AncestorThrottle| class to determine if/how to get the frame's direct
ancestor.

Change-Id: If7b335700319bad79ef3baf26a6d3f376ae22bc2
Reviewed-on: https://chromium-review.googlesource.com/5539622
WPT-Export-Revision: 4b2e62fd37fd09b030a51e4d9e8441508db24f80
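
The rule described in the commit message above, as an added example that is not part of the upstream commit or of Chromium's `AncestorThrottle` code: a simplified model of which embedder origins a fenced frame's `frame-ancestors` check gets to see, depending on the API that created the frame. The `CREATOR` labels, function names and the reduced source matching ('self', `*`, exact origins only) are assumptions made for illustration.

```javascript
// Simplified model (added example, not browser code) of the frame-ancestors
// decision for a fenced frame root document.
// The creator labels are hypothetical names for the three cases in the commit message.
const CREATOR = Object.freeze({
  WEB_PLATFORM: "web-platform",
  SHARED_STORAGE: "shared-storage",
  PROTECTED_AUDIENCE: "protected-audience",
});

// Extract the frame-ancestors source list from a CSP header value.
// Returns null when the directive is absent (no embedding restriction).
function parseFrameAncestors(cspHeader) {
  for (const directive of cspHeader.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// Reduced source matching: '*', 'self' and exact origins. 'none' (or an
// empty list) matches nothing, so any visible ancestor blocks the load.
function sourceMatches(source, ancestorOrigin, selfOrigin) {
  if (source === "*") return true;
  if (source === "'self'") return ancestorOrigin === selfOrigin;
  return source === ancestorOrigin;
}

// ancestors: embedder origins, from the direct embedder up to the top-level page.
// Protected Audience frames do not look past the fenced frame root, so the
// check sees no embedders; the other two creators expose the full chain.
function ancestorsVisibleToCheck(creator, ancestors) {
  return creator === CREATOR.PROTECTED_AUDIENCE ? [] : ancestors;
}

function fencedFrameMayLoad({ creator, selfOrigin, cspHeader, ancestors }) {
  const sources = parseFrameAncestors(cspHeader);
  if (sources === null) return true;
  const visible = ancestorsVisibleToCheck(creator, ancestors);
  return visible.every((origin) =>
    sources.some((source) => sourceMatches(source, origin, selfOrigin)));
}
```

In this model a Protected Audience frame loads regardless of its embedder, which is the existing behaviour the commit keeps for that case; the allowlist only takes effect for the web platform and Shared Storage cases.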

Component: web-platform-tests → DOM: Core & HTML
Product: Testing → Core
Whiteboard: [wptsync downstream] → [wptsync downstream error]
Whiteboard: [wptsync downstream error] → [wptsync downstream]

CI Results

Ran 9 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 2 tests and 2 subtests

Status Summary

Firefox

OK : 2
FAIL: 8

Chrome

OK : 2
FAIL: 8

Safari

OK : 2
FAIL: 8

Links

Gecko CI (Treeherder)
GitHub PR Head
GitHub PR Base

Details

New Tests That Don't Pass

  • /fenced-frame/ancestor-throttle.https.html [wpt.fyi]: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows11-32-2009-qr-debug, Gecko-windows11-32-2009-qr-opt, Gecko-windows11-64-2009-qr-debug, Gecko-windows11-64-2009-qr-opt] (Chrome: OK, Safari: OK)
    • root(origin1)->fenced(origin2)->iframe(origin1) should honor CSP frame-ancestors headers up until the fenced frame root: FAIL (Chrome: FAIL, Safari: FAIL)
    • root(origin1)->fenced(origin2)->iframe(origin1) should honor XFO SAMEORIGIN headers up until the fenced frame root: FAIL (Chrome: FAIL, Safari: FAIL)
    • root(origin1)->fenced(origin2)->iframe(origin2) should honor CSP frame-ancestors headers up until the fenced frame root: FAIL (Chrome: FAIL, Safari: FAIL)
    • root(origin1)->fenced(origin2)->iframe(origin2) should honor XFO SAMEORIGIN headers up until the fenced frame root: FAIL (Chrome: FAIL, Safari: FAIL)
    • root(origin1)->fenced(origin1)->iframe(origin2)->iframe(origin2) should honor CSP frame-ancestors headers up until the fenced frame root: FAIL (Chrome: FAIL, Safari: FAIL)
    • root(origin1)->fenced(origin1)->iframe(origin2)->iframe(origin2) should honor XFO SAMEORIGIN headers up until the fenced frame root: FAIL (Chrome: FAIL, Safari: FAIL)
  • /fenced-frame/csp-ancestors.https.sub.html [wpt.fyi]: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows11-32-2009-qr-debug, Gecko-windows11-32-2009-qr-opt, Gecko-windows11-64-2009-qr-debug, Gecko-windows11-64-2009-qr-opt] (Chrome: OK, Safari: OK)
    • Fenced frames check beyond fenced boundary for CSP frame-ancestors: FAIL (Chrome: FAIL, Safari: FAIL)
    • Protected Audience fenced frames do not check beyond fenced boundary for CSP frame-ancestors: FAIL (Chrome: FAIL, Safari: FAIL)

Tests Disabled in Gecko Infrastructure

  • /fenced-frame/ancestor-throttle.https.html [wpt.fyi]: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows11-32-2009-qr-debug, Gecko-windows11-32-2009-qr-opt, Gecko-windows11-64-2009-qr-debug, Gecko-windows11-64-2009-qr-opt] (Chrome: OK, Safari: OK)
  • /fenced-frame/csp-ancestors.https.sub.html [wpt.fyi]: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows11-32-2009-qr-debug, Gecko-windows11-32-2009-qr-opt, Gecko-windows11-64-2009-qr-debug, Gecko-windows11-64-2009-qr-opt] (Chrome: OK, Safari: OK)

Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1b38c1134971
[wpt PR 46290] - Fenced frames: allow CSP to check ancestors for frame-ancestors., a=testonly
Status: NEW → RESOLVED
Closed: 24 days ago
Resolution: --- → FIXED
Target Milestone: --- → 128 Branch