test_runner doesn't report violations of same-origin policy #56772

Open
srujzs opened this issue Sep 23, 2024 · 1 comment
Labels
area-test Cross-cutting test issues (use area- labels for specific failures; not used for package:test). type-enhancement A request for a change that isn't a bug

Comments

@srujzs
Contributor

srujzs commented Sep 23, 2024

This is a similar issue to dart-lang/test#2282.

Running the following code:

```dart
import 'dart:js_interop';

@JS()
external JSAny? get window;

void main() {
  final w = window.open('https://www.google.com');
  if (w == null) throw Exception();
  w.devicePixelRatio;
}

extension on JSAny? {
  external JSAny? open(String url);
  external int devicePixelRatio;
}
```

does not result in a `SecurityError` when run with `tools/test.py -r chrome -c dart2js <test_path>`. `devicePixelRatio` is a disallowed API on cross-origin windows. When I single-stepped the test, however, the test does throw that error:

```
SecurityError: Failed to read a named property 'devicePixelRatio' from 'Window': Blocked a frame with origin "http://127.0.0.1:61457" from accessing a cross-origin frame.
```

It's possible we may need to enable same-origin policy (if possible) for this. It'd be useful to enable this so that we can run interop tests like cross_origin_test correctly.
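An added example, not part of the original issue or the Dart SDK: a preflight probe a browser test harness could run to tell "the browser is not enforcing same-origin policy" apart from "the error was thrown but not reported". The names `probeSameOriginPolicy`, `preflight` and `fakeCrossOriginWindow` are hypothetical, and the two stand-in windows are constructed so the block runs outside a browser.

```javascript
// Properties the HTML standard exposes on a cross-origin Window.
// Anything else (for example devicePixelRatio) must throw SecurityError.
const CROSS_ORIGIN_ALLOWED = new Set([
  'window', 'self', 'location', 'close', 'closed', 'focus', 'blur',
  'frames', 'length', 'top', 'opener', 'parent', 'postMessage',
]);

// Reads a property that must be blocked on a cross-origin window handle.
// 'enforced'     -> the read threw SecurityError (policy is active)
// 'not-enforced' -> the read succeeded (policy is off in this browser)
function probeSameOriginPolicy(win, prop = 'devicePixelRatio') {
  if (CROSS_ORIGIN_ALLOWED.has(prop)) {
    throw new TypeError(`${prop} is readable cross-origin and cannot be a probe`);
  }
  try {
    void win[prop];
    return 'not-enforced';
  } catch (e) {
    if (e && e.name === 'SecurityError') return 'enforced';
    throw e; // unrelated failure: do not misreport it as a policy result
  }
}

// Harness hook (hypothetical): a message to fail the run with, or null.
function preflight(win) {
  return probeSameOriginPolicy(win) === 'enforced'
    ? null
    : 'same-origin policy is not enforced; cross-origin tests are not meaningful';
}

// Constructed stand-in for the handle returned by window.open() on another
// origin. enforcing=true mimics a browser that applies the policy.
function fakeCrossOriginWindow(enforcing) {
  return new Proxy({ closed: false, devicePixelRatio: 2 }, {
    get(target, prop) {
      if (enforcing && typeof prop === 'string' && !CROSS_ORIGIN_ALLOWED.has(prop)) {
        const err = new Error(`Failed to read a named property '${prop}' from 'Window'`);
        err.name = 'SecurityError';
        throw err;
      }
      return target[prop];
    },
  });
}
```

If the probe returns `'enforced'` while a test like the one above still passes, the error is being swallowed between the page and the runner rather than never raised.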

@dart-github-bot
Collaborator

Summary: The test_runner does not report violations of the same-origin policy when running tests that access cross-origin windows using JS interop. This leads to incorrect test results, as the code should throw a SecurityError but does not.

@dart-github-bot dart-github-bot added area-web Use area-web for Dart web related issues, including the DDC and dart2js compilers and JS interop. triage-automation See https://github.com/dart-lang/ecosystem/tree/main/pkgs/sdk_triage_bot. type-bug Incorrect behavior (everything from a crash to more subtle misbehavior) labels Sep 23, 2024
@lrhn lrhn added area-test Cross-cutting test issues (use area- labels for specific failures; not used for package:test). type-enhancement A request for a change that isn't a bug and removed type-bug Incorrect behavior (everything from a crash to more subtle misbehavior) area-web Use area-web for Dart web related issues, including the DDC and dart2js compilers and JS interop. triage-automation See https://github.com/dart-lang/ecosystem/tree/main/pkgs/sdk_triage_bot. labels Sep 23, 2024
copybara-service bot pushed a commit that referenced this issue Sep 23, 2024
The SecurityError was being hidden because of
#56772.
With this, single-stepping through the test succeeds.

Change-Id: I47a768e803598d5f918a4d2bed9aa4391377464f
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/386401
Auto-Submit: Srujan Gaddam <[email protected]>
Commit-Queue: Srujan Gaddam <[email protected]>
Commit-Queue: Sigmund Cherem <[email protected]>
Reviewed-by: Sigmund Cherem <[email protected]>
FMorschel pushed a commit to FMorschel/sdk that referenced this issue Sep 25, 2024
The SecurityError was being hidden because of
dart-lang#56772.
With this, single-stepping through the test succeeds.

Change-Id: I47a768e803598d5f918a4d2bed9aa4391377464f
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/386401
Auto-Submit: Srujan Gaddam <[email protected]>
Commit-Queue: Srujan Gaddam <[email protected]>
Commit-Queue: Sigmund Cherem <[email protected]>
Reviewed-by: Sigmund Cherem <[email protected]>