Bug 1501204: Update the FeaturePolicy inherit algorithm implementation, r=ckerschb
authorAndrea Marchesini <amarchesini@mozilla.com>
Thu, 25 Oct 2018 19:03:38 +0200
changeset 491320 efe5af408bffa6ef648efd2152405ffa8ddecafe
parent 491319 6d5587e42c0c5812bb38e33219b6c36555cd3494
child 491321 0bc87bd86202e86e7d07ffc3dcea6bc0a0303c2d
push id247
push userfmarier@mozilla.com
push dateSat, 27 Oct 2018 01:06:44 +0000
reviewersckerschb
bugs1501204
milestone65.0a1
Bug 1501204: Update the FeaturePolicy inherit algorithm implementation, r=ckerschb
dom/security/featurepolicy/FeaturePolicy.cpp
testing/web-platform/meta/feature-policy/feature-policy-frame-policy-allowed-for-self.https.sub.html.ini
testing/web-platform/meta/feature-policy/feature-policy-frame-policy-allowed-for-some.https.sub.html.ini
--- a/dom/security/featurepolicy/FeaturePolicy.cpp
+++ b/dom/security/featurepolicy/FeaturePolicy.cpp
@@ -31,35 +31,35 @@ void
 FeaturePolicy::InheritPolicy(FeaturePolicy* aParentPolicy)
 {
   MOZ_ASSERT(aParentPolicy);
 
   mInheritedDeniedFeatureNames.Clear();
 
   RefPtr<FeaturePolicy> dest = this;
   RefPtr<FeaturePolicy> src = aParentPolicy;
-  nsCOMPtr<nsIPrincipal> origin = mDefaultOrigin;
-  FeaturePolicyUtils::ForEachFeature([dest, src, origin](const char* aFeatureName) {
+  FeaturePolicyUtils::ForEachFeature([dest, src](const char* aFeatureName) {
     nsString featureName;
     featureName.AppendASCII(aFeatureName);
 
     // If the destination has a declared feature (via the HTTP header or 'allow'
-    // attribute) we allow the feature only if both parent FeaturePolicy and this
-    // one allow the current origin.
-    if (dest->HasDeclaredFeature(featureName)) {
-      if (!dest->AllowsFeatureInternal(featureName, origin) ||
-          !src->AllowsFeatureInternal(featureName, origin)) {
+    // attribute) we allow the feature if the destination allows it and the
+    // parent allows its origin or the destinations' one.
+    if (dest->HasDeclaredFeature(featureName) &&
+        dest->AllowsFeatureInternal(featureName, dest->mDefaultOrigin)) {
+      if (!src->AllowsFeatureInternal(featureName, src->mDefaultOrigin) &&
+          !src->AllowsFeatureInternal(featureName, dest->mDefaultOrigin)) {
         dest->SetInheritedDeniedFeature(featureName);
       }
       return;
     }
 
     // If there was not a declared feature, we allow the feature if the parent
     // FeaturePolicy allows the current origin.
-    if (!src->AllowsFeatureInternal(featureName, origin)) {
+    if (!src->AllowsFeatureInternal(featureName, dest->mDefaultOrigin)) {
       dest->SetInheritedDeniedFeature(featureName);
     }
   });
 }
 
 void
 FeaturePolicy::SetInheritedDeniedFeature(const nsAString& aFeatureName)
 {
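Review bot: In the declared-feature branch of the lambda, the parent check passes when `src` allows the feature for its own `src->mDefaultOrigin`, even if it does not allow `dest->mDefaultOrigin`. The comment above that branch says a feature can be declared via the HTTP header as well as the 'allow' attribute; if `HasDeclaredFeature` is also true for header declarations (it is defined outside this hunk), the framed document could opt itself into a feature the embedder never delegated to its origin, so the parent-origin alternative should probably apply only to declarations that come from the container's `allow` attribute. Please confirm which sources feed `HasDeclaredFeature` and add a test for a cross-origin frame that declares the feature only in its own header. Separately, the comment `// If there was not a declared feature, ...` is now stale, because that path is also reached when the destination declared the feature but does not allow its own origin; something like `// Otherwise (no declaration, or the destination does not allow itself) inherit the parent's decision for the destination origin.` would match the code.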
--- a/testing/web-platform/meta/feature-policy/feature-policy-frame-policy-allowed-for-self.https.sub.html.ini
+++ b/testing/web-platform/meta/feature-policy/feature-policy-frame-policy-allowed-for-self.https.sub.html.ini
@@ -1,33 +1,12 @@
 [feature-policy-frame-policy-allowed-for-self.https.sub.html]
+  [Test frame policy on sandboxed iframe with allow="fullscreen https://www.web-platform.test:8443".]
+    expected: FAIL
+
   [Test frame policy on sandboxed iframe with no allow attribute.]
     expected: FAIL
 
-  [Test frame policy on cross origin iframe with allow = "*".]
-    expected: FAIL
-
-  [Test frame policy on cross origin iframe with allow = "'self' https://www.web-platform.test:8443 https://www.example.com".]
-    expected: FAIL
-
-  [Test frame policy on cross origin iframe with allow = "*" and header policy = "Feature-Policy: fullscreen *;".]
-    expected: FAIL
-
-  [Test frame policy on cross origin iframe with allow = "*" and header policy = "Feature-Policy: fullscreen 'self';".]
-    expected: FAIL
-
-  [Test frame policy on cross origin iframe with allow = "*" and header policy = "Feature-Policy: fullscreen 'none';".]
+  [Test frame policy on data: URL origin iframe with allow = "*".]
     expected: FAIL
 
-  [Test frame policy on cross origin iframe with allow = "'self' https://www.web-platform.test:8443 https://www.example.com" and header policy = "Feature-Policy: fullscreen *;".]
-    expected: FAIL
-
-  [Test frame policy on cross origin iframe with allow = "'self' https://www.web-platform.test:8443 https://www.example.com" and header policy = "Feature-Policy: fullscreen 'self';".]
+  [Test frame policy on data: URL origin iframe with allow = "*" and allowfullscreen.]
     expected: FAIL
-
-  [Test frame policy on cross origin iframe with allow = "'self' https://www.web-platform.test:8443 https://www.example.com" and header policy = "Feature-Policy: fullscreen 'none';".]
-    expected: FAIL
-
-  [Test frame policy on cross origin iframe with allow = "*" and allowfullscreen.]
-    expected: FAIL
-
-  [Test frame policy on cross origin iframe with allow = "'self' https://www.web-platform.test:8443 https://www.example.com" and allowfullscreen.]
-    expected: FAIL
--- a/testing/web-platform/meta/feature-policy/feature-policy-frame-policy-allowed-for-some.https.sub.html.ini
+++ b/testing/web-platform/meta/feature-policy/feature-policy-frame-policy-allowed-for-some.https.sub.html.ini
@@ -1,28 +1,6 @@
 [feature-policy-frame-policy-allowed-for-some.https.sub.html]
-  [Test frame policy on another cross origin iframe with allow = "*" and header policy = "Feature-Policy: fullscreen *;".]
-    expected: FAIL
-
-  [Test frame policy on another cross origin iframe with allow = "*" and header policy = "Feature-Policy: fullscreen 'self';".]
-    expected: FAIL
-
-  [Test frame policy on another cross origin iframe with allow = "*" and header policy = "Feature-Policy: fullscreen 'none';".]
-    expected: FAIL
-
-  [Test frame policy on another cross origin iframe with allow = "*" and allowfullscreen.]
+  [Test frame policy on data: URL cross origin iframe with allow = "*".]
     expected: FAIL
 
-  [Test frame policy on another cross origin iframe with allow = "*".]
-    expected: FAIL
-
-  [Test frame policy on another cross origin iframe with allow = "*" and header policy = "Feature-Policy: fullscreen *;".]
-    expected: FAIL
-
-  [Test frame policy on another cross origin iframe with allow = "*" and header policy = "Feature-Policy: fullscreen 'self';".]
+  [Test frame policy on data: URL cross origin iframe with allow = "*" and allowfullscreen.]
     expected: FAIL
-
-  [Test frame policy on another cross origin iframe with allow = "*" and header policy = "Feature-Policy: fullscreen 'none';".]
-    expected: FAIL
-
-  [Test frame policy on another cross origin iframe with allow = "*" and allowfullscreen.]
-    expected: FAIL
-