LibWeb: Block opaque origins in CSP frame-ancestors check

This matches the behavior of other engines.
Author: https://github.com/tcl3 Commit: https://github.com/LadybirdBrowser/ladybird/commit/3991555439d Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/7970 Reviewed-by: https://github.com/shannonbooth
2026-04-26 17:55:07 +02:00 · 2026-02-15 20:09:49 +00:00 · 2026-02-21 11:31:51 +00:00
parent 945d7eb452
commit 3991555439
3 changed files with 38 additions and 2 deletions
--- a/Tests/LibWeb/Text/input/html/csp-frame-ancestors-opaque-origin.html
+++ b/Tests/LibWeb/Text/input/html/csp-frame-ancestors-opaque-origin.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<script src="../include.js"></script>
+<script>
+    asyncTest(async (done) => {
+        const server = httpTestServer();
+
+        const innerURL = await server.createEcho("GET", "/csp-frame-ancestors-inner", {
+            status: 200,
+            headers: {
+                "Content-Type": "text/html",
+                "Content-Security-Policy": "frame-ancestors 'self'",
+            },
+            body: "<html><body>inner</body></html>",
+        });
+
+        const middleURL = await server.createEcho("GET", "/csp-frame-ancestors-middle", {
+            status: 200,
+            headers: {
+                "Content-Type": "text/html",
+            },
+            body: `<html><body><iframe src="${innerURL}"></iframe></body></html>`,
+        });
+
+        const iframe = document.createElement("iframe");
+        iframe.sandbox = "allow-scripts";
+        iframe.src = middleURL;
+        iframe.onload = () => {
+            println("PASS");
+            done();
+        };
+        document.body.appendChild(iframe);
+    });
+</script>