LibWeb: Block opaque origins in CSP frame-ancestors check

This matches the behavior of other engines.
Author: https://github.com/tcl3 Commit: https://github.com/LadybirdBrowser/ladybird/commit/3991555439d Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/7970 Reviewed-by: https://github.com/shannonbooth
2026-04-25 17:25:08 +02:00 · 2026-02-15 20:09:49 +00:00 · 2026-02-21 11:31:51 +00:00
parent 945d7eb452
commit 3991555439
3 changed files with 38 additions and 2 deletions
--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/FrameAncestorsDirective.cpp
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/FrameAncestorsDirective.cpp
@@ -57,8 +57,10 @@ Directive::Result FrameAncestorsDirective::navigation_response_check(GC::Ref<Fet
        // 2. Let origin be the result of executing the URL parser on the ASCII serialization of document’s origin.
        auto origin = DOMURL::parse(document->origin().serialize());

-        // FIXME: What do we do if origin is invalid here?
-        VERIFY(origin.has_value());
+        // AD-HOC: If the origin is opaque, serialization produces "null" which fails URL parsing.
+        //         All major engines block in this case, as an opaque origin can never match any source expression.
+        if (!origin.has_value())
+            return Result::Blocked;

        // 3. If § 6.7.2.7 Does url match source list in origin with redirect count? returns Does Not Match when
        //    executed upon origin, this directive’s value, policy’s self-origin, and 0, return "Blocked".
--- a/Tests/LibWeb/Text/expected/html/csp-frame-ancestors-opaque-origin.txt
+++ b/Tests/LibWeb/Text/expected/html/csp-frame-ancestors-opaque-origin.txt
@@ -0,0 +1 @@
+PASS
--- a/Tests/LibWeb/Text/input/html/csp-frame-ancestors-opaque-origin.html
+++ b/Tests/LibWeb/Text/input/html/csp-frame-ancestors-opaque-origin.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<script src="../include.js"></script>
+<script>
+    asyncTest(async (done) => {
+        const server = httpTestServer();
+
+        const innerURL = await server.createEcho("GET", "/csp-frame-ancestors-inner", {
+            status: 200,
+            headers: {
+                "Content-Type": "text/html",
+                "Content-Security-Policy": "frame-ancestors 'self'",
+            },
+            body: "<html><body>inner</body></html>",
+        });
+
+        const middleURL = await server.createEcho("GET", "/csp-frame-ancestors-middle", {
+            status: 200,
+            headers: {
+                "Content-Type": "text/html",
+            },
+            body: `<html><body><iframe src="${innerURL}"></iframe></body></html>`,
+        });
+
+        const iframe = document.createElement("iframe");
+        iframe.sandbox = "allow-scripts";
+        iframe.src = middleURL;
+        iframe.onload = () => {
+            println("PASS");
+            done();
+        };
+        document.body.appendChild(iframe);
+    });
+</script>