js: Handle stylesheets in cross-origin frames gracefully

Otherwise the exception gets shown since the recent message change. (cherry picked from commit 73e30e4738)
2022-08-23 20:03:31 +02:00 · 2022-08-23 20:03:31 +02:00 · 815374c6b6
parent 1963caa7c7
commit 815374c6b6
5 changed files with 39 additions and 3 deletions
--- a/qutebrowser/javascript/stylesheet.js
+++ b/qutebrowser/javascript/stylesheet.js
@ -132,11 +132,18 @@ window._qutebrowser.stylesheet = (function() {
            css_content = css;
        }
        // Propagate the new CSS to all child frames.
-        // FIXME:qtwebengine This does not work for cross-origin frames.
        for (let i = 0; i < window.frames.length; ++i) {
            const frame = window.frames[i];
-            if (frame._qutebrowser && frame._qutebrowser.stylesheet) {
-                frame._qutebrowser.stylesheet.set_css(css);
+            try {
+                if (frame._qutebrowser && frame._qutebrowser.stylesheet) {
+                    frame._qutebrowser.stylesheet.set_css(css);
+                }
+            } catch (exc) {
+                if (exc instanceof DOMException && exc.name === "SecurityError") {
+                    // FIXME:qtwebengine This does not work for cross-origin frames.
+                } else {
+                    throw exc;
+                }
            }
        }
    };
--- a/tests/end2end/features/misc.feature
+++ b/tests/end2end/features/misc.feature
@ -148,6 +148,13 @@ Feature: Various utility commands.
        When I open restrictive-csp
        Then the javascript message "Refused to apply inline style because it violates the following Content Security Policy directive: *" should be logged

+    @qtwebkit_skip
+    Scenario: Third-party iframes in qutebrowser stylesheet script
+        When I load a third-party iframe
+        # rerun set_css in stylesheet.js
+        And I set content.user_stylesheets to []
+        Then the javascript message "Uncaught SecurityError: Blocked a frame with origin * from accessing a frame with origin *. *" should be logged
+
    # :debug-webaction

    Scenario: :debug-webaction with valid value
--- a/tests/end2end/features/test_misc_bdd.py
+++ b/tests/end2end/features/test_misc_bdd.py
@ -21,6 +21,12 @@ import pytest_bdd as bdd
 bdd.scenarios('misc.feature')


+@bdd.when("I load a third-party iframe")
+def load_iframe(quteproc, server, ssl_server):
+    quteproc.set_setting('content.tls.certificate_errors', 'load-insecurely')
+    quteproc.open_path(f'https-iframe/{ssl_server.port}', port=server.port)
+
+
@bdd.then(bdd.parsers.parse('the PDF {filename} should exist in the tmpdir'))
 def pdf_exists(quteproc, tmpdir, filename):
    path = tmpdir / filename
--- a/tests/end2end/fixtures/webserver_sub.py
+++ b/tests/end2end/fixtures/webserver_sub.py
@ -267,6 +267,12 @@ def https_script(port):
    return flask.render_template('https-script.html', port=port)


+@app.route('/https-iframe/<int:port>')
+def https_iframe(port):
+    """Get an iframe loaded via HTTPS."""
+    return flask.render_template('https-iframe.html', port=port)
+
+
@app.route('/response-headers')
 def response_headers():
    """Return a set of response headers from the query string."""
--- a/tests/end2end/templates/https-iframe.html
+++ b/tests/end2end/templates/https-iframe.html
@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+    <head>
+        <meta charset="utf-8">
+        <title>HTTPS iframe</title>
+    </head>
+    <body>
+        <iframe src="https://localhost:{{ port }}/"></iframe>
+    </body>
+</html>