From 730d9181b3de8561c1d87d82ccb923b1859122ae Mon Sep 17 00:00:00 2001
From: Jeremy Spiegel
Date: Thu, 8 Sep 2022 17:08:56 -0700
Subject: [PATCH] fix: ensure history navigations are sandboxed-iframe-aware (#35420)
---
 .../browser/api/electron_api_web_contents.cc | 5 ----
 shell/browser/api/electron_api_web_contents.h | 1 -
 spec/chromium-spec.ts | 28 +++++++++++++++++++
 3 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/shell/browser/api/electron_api_web_contents.cc b/shell/browser/api/electron_api_web_contents.cc
index d4264178cc94..ebf009112155 100755
--- a/shell/browser/api/electron_api_web_contents.cc
+++ b/shell/browser/api/electron_api_web_contents.cc
@@ -1380,11 +1380,6 @@ bool WebContents::HandleContextMenu(content::RenderFrameHost& render_frame_host,
 return true;
 }
 
-bool WebContents::OnGoToEntryOffset(int offset) {
- GoToOffset(offset);
- return false;
-}
-
 void WebContents::FindReply(content::WebContents* web_contents,
 int request_id,
 int number_of_matches,
diff --git a/shell/browser/api/electron_api_web_contents.h b/shell/browser/api/electron_api_web_contents.h
index 1cd800008d63..9cec3ff614f8 100644
--- a/shell/browser/api/electron_api_web_contents.h
+++ b/shell/browser/api/electron_api_web_contents.h
@@ -534,7 +534,6 @@ class WebContents : public ExclusiveAccessContext,
 content::RenderWidgetHost* render_widget_host) override;
 bool HandleContextMenu(content::RenderFrameHost& render_frame_host,
 const content::ContextMenuParams& params) override;
- bool OnGoToEntryOffset(int offset) override;
 void FindReply(content::WebContents* web_contents,
 int request_id,
 int number_of_matches,
diff --git a/spec/chromium-spec.ts b/spec/chromium-spec.ts
index eb8970ffb39b..0ee64aa1602e 100644
--- a/spec/chromium-spec.ts
+++ b/spec/chromium-spec.ts
@@ -1812,6 +1812,34 @@ describe('chromium features', () => {
 expect((w.webContents as any).length()).to.equal(2);
 });
 });
+
+ describe('window.history.back', () => {
+ it('should not allow sandboxed iframe to modify main frame state', async () => {
+ const w = new BrowserWindow({ show: false });
+ w.loadURL('data:text/html,');
+ await Promise.all([
+ emittedOnce(w.webContents, 'navigation-entry-committed'),
+ emittedOnce(w.webContents, 'did-frame-navigate'),
+ emittedOnce(w.webContents, 'did-navigate')
+ ]);
+
+ w.webContents.executeJavaScript('window.history.pushState(1, "")');
+ await Promise.all([
+ emittedOnce(w.webContents, 'navigation-entry-committed'),
+ emittedOnce(w.webContents, 'did-navigate-in-page')
+ ]);
+
+ (w.webContents as any).once('navigation-entry-committed', () => {
+ expect.fail('Unexpected navigation-entry-committed');
+ });
+ w.webContents.once('did-navigate-in-page', () => {
+ expect.fail('Unexpected did-navigate-in-page');
+ });
+ await w.webContents.mainFrame.frames[0].executeJavaScript('window.history.back()');
+ expect(await w.webContents.executeJavaScript('window.history.state')).to.equal(1);
+ expect((w.webContents as any).getActiveIndex()).to.equal(1);
+ });
+ });
 });
 
 describe('chrome://media-internals', () => {
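Review bot: The assertions that follow `executeJavaScript('window.history.back()')` race the very navigation they are meant to rule out: history.back() only schedules a traversal, so `window.history.state` and `getActiveIndex()` can be read before a wrongly permitted back-navigation commits, and the two `expect.fail` `once` listeners are never removed, so a late commit would surface as an uncaught exception after this test has already passed rather than as its failure. Recording the unexpected events into a local, allowing a short settle after the call, removing the listeners and then asserting makes the negative result deterministic and keeps a regression attributed to this test. A positive control in the same describe — a non-sandboxed iframe whose history.back() does move the joint session history — would also guard against the test passing vacuously if the child frame's call is rejected for an unrelated reason. The `data:text/html,` URL appears to have lost its markup in this rendering, so the sandboxed iframe it presumably defines cannot be checked here.
```typescript
      let unexpected: string | null = null;
      const onEntryCommitted = () => { unexpected = 'navigation-entry-committed'; };
      const onInPage = () => { unexpected = 'did-navigate-in-page'; };
      (w.webContents as any).once('navigation-entry-committed', onEntryCommitted);
      w.webContents.once('did-navigate-in-page', onInPage);
      await w.webContents.mainFrame.frames[0].executeJavaScript('window.history.back()');
      // give a (wrongly permitted) back-navigation time to commit before asserting
      await new Promise(resolve => setTimeout(resolve, 100));
      (w.webContents as any).removeListener('navigation-entry-committed', onEntryCommitted);
      w.webContents.removeListener('did-navigate-in-page', onInPage);
      expect(unexpected).to.equal(null);
      // … unchanged: window.history.state and getActiveIndex() assertions …
```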