Propagate destination through load_data (#37020)

This way, we don't always set the destination to Document (which is as
the spec is written today). Instead, we set it it in the load_data,
depending on which context we load it from.

Doing so allows us to set the `Destination::IFrame` for navigations in
iframes, enabling all frame-related CSP checks.

While we currently block iframes when `frame-src` or `child-src` is set,
their respective tests don't pass yet. That's because we don't yet
handle the cases
where we fire the correct `load` event.

Also update one WPT test to correctly fail, rather than erroring. That's
because it was using the wrong JS test variable.

Part of #4577

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Co-authored-by: Josh Matthews <josh@joshmatthews.net>
This commit is contained in:
Tim van der Lippe 2025-05-17 10:22:11 +02:00 committed by GitHub
parent a028291466
commit ed469fe72f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 17 additions and 14 deletions

View file

@ -11,7 +11,6 @@ use std::cell::Cell;
use base::cross_process_instant::CrossProcessInstant;
use base::id::{BrowsingContextId, PipelineId, WebViewId};
use constellation_traits::LoadData;
use content_security_policy::Destination;
use crossbeam_channel::Sender;
use embedder_traits::ViewportDetails;
use http::header;
@ -202,12 +201,13 @@ impl InProgressLoad {
self.load_data.referrer.clone(),
)
.method(self.load_data.method.clone())
.destination(Destination::Document)
.destination(self.load_data.destination)
.mode(RequestMode::Navigate)
.credentials_mode(CredentialsMode::Include)
.use_url_credentials(true)
.pipeline_id(Some(id))
.referrer_policy(self.load_data.referrer_policy)
.policy_container(self.load_data.policy_container.clone().unwrap_or_default())
.insecure_requests_policy(
self.load_data
.inherited_insecure_requests_policy