Fenced frames: allow CSP to check ancestors for frame-ancestors. #46290
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
To prevent information from flowing from an embedder into a fenced
frame, we have previously disabled checking ancestors of fenced frame
roots for the CSP frame-ancestors policy. There is now a need to allow
the frame-ancestors policy to look beyond the fenced frame root so that
embedders can control what is embedded in its page.
window.fence.notifyEvent()
can be used to send information from afenced frame with unpartitioned data access to its embedder. Since 1 bit
is sent every click, a malicious embedder can exploit this and trick the
user into clicking a fenced frame in a certain way that leaks that
unpartitioned data.
The fenced frame can protect against this with the
frame-ancestors
CSP, only allowing itself to be embedded in certain origins. For this to
work, the fenced frame needs to look beyond the fenced frame boundary
when calculating if it can load. Since this results in a data inflow
channel, this will only be allowed for fenced frames created from the
web platform or from Shared Storage, as those are the use cases where
data can flow into the fenced frame. Protected Audience-created fenced
frames will not have this capability, and will continue to not check
beyond the fenced frame root when calculating frame-ancestors.
This CL adds a new field to the fenced frame config/properties that
notes what API created the fenced frame. This is used in the
|AncestorThrottle| class to determine if/how to get the frame's direct
ancestor.
Change-Id: If7b335700319bad79ef3baf26a6d3f376ae22bc2
Bug: 341356673
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5539622
Reviewed-by: Garrett Tanzer <[email protected]>
Reviewed-by: Alex Moshchuk <[email protected]>
Commit-Queue: Liam Brady <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1305146}